Merge remote-tracking branch 'origin/2pcjn0j-files-format-vulnerability' into dev

2025-02-20 14:54:15 +01:00 · 2022-08-01 18:18:06 +02:00 · 2022-08-01 18:18:06 +02:00 · 68dc18a68d
commit 68dc18a68d
parent 549a719413 9bc2d4f96c
15 changed files with 44 additions and 25 deletions
--- a/app/models/user_avatar.rb
+++ b/app/models/user_avatar.rb
@ -3,5 +3,5 @@
 # UserAvatar is the profile picture for an User
 class UserAvatar < Asset
  include ImageValidatorConcern
-  mount_uploader :attachment, ProfilImageUploader
+  mount_uploader :attachment, UserAvatarUploader
 end
--- a/app/uploaders/concerns/content_type_validation_from_file_content.rb
+++ b/app/uploaders/concerns/content_type_validation_from_file_content.rb
@ -0,0 +1,26 @@
 module ContentTypeValidationFromFileContent
  extend ActiveSupport::Concern
  # overrides carrierwave methods to do a REAL mime type check based on content and not based on extension
  included do
    private
      def check_content_type_whitelist!(new_file)
        content_type = Marcel::MimeType.for Pathname.new(new_file.file)
        if content_type_whitelist && content_type && !whitelisted_content_type?(content_type)
          raise CarrierWave::IntegrityError,
                I18n.translate(:'errors.messages.content_type_whitelist_error',
                              content_type: content_type,
                              allowed_types: Array(content_type_whitelist).join(', '))
        end
      end
      def whitelisted_content_type?(content_type)
        Array(content_type_whitelist).any? do |item|
          item = Regexp.quote(item) if item.class != Regexp
          content_type =~ /#{item}/
        end
      end
  end
 end
--- a/app/uploaders/custom_assets_uploader.rb
+++ b/app/uploaders/custom_assets_uploader.rb
@ -8,6 +8,7 @@ class CustomAssetsUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/event_file_uploader.rb
+++ b/app/uploaders/event_file_uploader.rb
@ -6,6 +6,7 @@ class EventFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/event_image_uploader.rb
+++ b/app/uploaders/event_image_uploader.rb
@ -7,6 +7,7 @@ class EventImageUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/machine_file_uploader.rb
+++ b/app/uploaders/machine_file_uploader.rb
@ -6,6 +6,7 @@ class MachineFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/machine_image_uploader.rb
+++ b/app/uploaders/machine_image_uploader.rb
@ -7,6 +7,7 @@ class MachineImageUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/plan_file_uploader.rb
+++ b/app/uploaders/plan_file_uploader.rb
@ -6,6 +6,7 @@ class PlanFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/project_cao_uploader.rb
+++ b/app/uploaders/project_cao_uploader.rb
@ -4,6 +4,7 @@
 # This file defines the parameters for these uploads
 class ProjectCaoUploader < CarrierWave::Uploader::Base
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
@ -29,24 +30,4 @@ class ProjectCaoUploader < CarrierWave::Uploader::Base
  def content_type_whitelist
    Setting.get('allowed_cad_mime_types').split(' ')
  end
  private
  def check_content_type_whitelist!(new_file)
    content_type = Marcel::MimeType.for Pathname.new(new_file.file)
    if content_type_whitelist && content_type && !whitelisted_content_type?(content_type)
      raise CarrierWave::IntegrityError,
            I18n.translate(:'errors.messages.content_type_whitelist_error',
                           content_type: content_type,
                           allowed_types: Array(content_type_whitelist).join(', '))
    end
  end
  def whitelisted_content_type?(content_type)
    Array(content_type_whitelist).any? do |item|
      item = Regexp.quote(item) if item.class != Regexp
      content_type =~ /#{item}/
    end
  end
 end
--- a/app/uploaders/project_image_uploader.rb
+++ b/app/uploaders/project_image_uploader.rb
@ -5,6 +5,7 @@
 class ProjectImageUploader < CarrierWave::Uploader::Base
  include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/proof_of_identity_file_uploader.rb
+++ b/app/uploaders/proof_of_identity_file_uploader.rb
@ -8,6 +8,7 @@ class ProofOfIdentityFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/space_file_uploader.rb
+++ b/app/uploaders/space_file_uploader.rb
@ -6,6 +6,7 @@ class SpaceFileUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  # include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/space_image_uploader.rb
+++ b/app/uploaders/space_image_uploader.rb
@ -7,6 +7,7 @@ class SpaceImageUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/training_image_uploader.rb
+++ b/app/uploaders/training_image_uploader.rb
@ -7,6 +7,7 @@ class TrainingImageUploader < CarrierWave::Uploader::Base
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent
  # Choose what kind of storage to use for this uploader:
  storage :file
--- a/app/uploaders/profil_image_uploader.rb
+++ b/app/uploaders/profil_image_uploader.rb
@ -2,11 +2,12 @@
 # CarrierWave uploader for user's avatar.
 # This file defines the parameters for these uploads.
-class ProfilImageUploader < CarrierWave::Uploader::Base
+class UserAvatarUploader < CarrierWave::Uploader::Base
  # Include RMagick or MiniMagick support:
  # include CarrierWave::RMagick
  include CarrierWave::MiniMagick
  include UploadHelper
  include ContentTypeValidationFromFileContent 
  # Choose what kind of storage to use for this uploader:
  storage :file
@ -59,7 +60,7 @@ class ProfilImageUploader < CarrierWave::Uploader::Base
  end
  def content_type_whitelist
-    [%r{image/}]
+    %w[image/jpeg image/gif image/png]
  end
  # Override the filename of the uploaded files: