From 5a15640d0aa8f6374843f6612f848cbd40d3cfd9 Mon Sep 17 00:00:00 2001
From: texpert
Date: Sun, 15 Sep 2024 14:03:50 +0300
Subject: [PATCH] Fix uploads to AWS S3 folder
---
 app/helpers/camaleon_cms/uploader_helper.rb | 2 +-
 app/uploaders/camaleon_cms_local_uploader.rb | 7 ++++++
 app/uploaders/camaleon_cms_uploader.rb | 4 ++--
 spec/helpers/uploader_helper_spec.rb | 23 ++++++++++++++++----
 4 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/app/helpers/camaleon_cms/uploader_helper.rb b/app/helpers/camaleon_cms/uploader_helper.rb
index f8b830a8..f22e279c 100644
--- a/app/helpers/camaleon_cms/uploader_helper.rb
+++ b/app/helpers/camaleon_cms/uploader_helper.rb
@@ -76,7 +76,7 @@ def upload_file(uploaded_io, settings = {})
 res = { error: nil }
 # guard against path traversal
- return { error: 'Invalid file path' } unless cama_uploader.class.valid_folder_path?(settings[:folder])
+ return { error: 'Invalid file path' } unless cama_uploader.valid_folder_path?(settings[:folder])
 # formats validations
 return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
diff --git a/app/uploaders/camaleon_cms_local_uploader.rb b/app/uploaders/camaleon_cms_local_uploader.rb
index 0e61e6f2..c2e811b6 100644
--- a/app/uploaders/camaleon_cms_local_uploader.rb
+++ b/app/uploaders/camaleon_cms_local_uploader.rb
@@ -130,4 +130,11 @@ def delete_file(key)
 def parse_key(file_path)
 file_path.sub(@root_folder, '').cama_fix_media_key
 end
+
+ def valid_folder_path?(path)
+ return false unless super
+ return false if File.absolute_path?(path)
+
+ true
+ end
 end
diff --git a/app/uploaders/camaleon_cms_uploader.rb b/app/uploaders/camaleon_cms_uploader.rb
index 2703989d..a8e7c910 100644
--- a/app/uploaders/camaleon_cms_uploader.rb
+++ b/app/uploaders/camaleon_cms_uploader.rb
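Review bot: The new `valid_folder_path?` override in camaleon_cms_local_uploader.rb rejects the root folder `'/'`: `super` returns true for it (the base class keeps `return true if path == '/'`), but `File.absolute_path?('/')` is also true, so the second guard returns false and a local upload to `'/'` now fails with 'Invalid file path' where it passed before this commit. If `'/'` is a value callers can pass (the base class treats it specially, so presumably yes), the absolute-path guard should exempt it: `return false if path != '/' && File.absolute_path?(path)`. The spec hunk in spec/helpers/uploader_helper_spec.rb adds no example for `folder: '/'` on the local uploader, so this regression would go unnoticed. A short why-comment on the override would also help, e.g. `# Local storage resolves folders under @root_folder (see parse_key), so an absolute folder is rejected here even though the S3 uploader accepts one`.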
@@ -125,10 +125,10 @@ def self.validate_file_format(key, valid_formats = '*')
 valid_formats.include?(File.extname(key).sub('.', '').split('?').first.try(:downcase))
 end
- def self.valid_folder_path?(path)
+ def valid_folder_path?(path)
 return true if path == '/'
- return false if path.include?('..') || File.absolute_path?(path) || path.include?('://')
+ return false if path.include?('..') || path.include?('://')
 true
 end
diff --git a/spec/helpers/uploader_helper_spec.rb b/spec/helpers/uploader_helper_spec.rb
index 206d0630..c5d4fab6 100644
--- a/spec/helpers/uploader_helper_spec.rb
+++ b/spec/helpers/uploader_helper_spec.rb
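Review bot: `valid_folder_path?` still raises NoMethodError on a nil path, since `nil == '/'` is false and `path.include?('..')` is then called on nil; the helper passes `settings[:folder]`, and whether that key is always set is not visible in the helper hunk, so a leading `return false unless path` would turn a 500 into the same 'Invalid file path' result. Moving the method from `self.` to an instance method also breaks any other caller of `.class.valid_folder_path?` outside this patch, if one exists. The method now encodes a contract that is not written down — the base class rejects only traversal and URI-like folders and leaves storage-specific rules such as absolute paths on local disk to subclasses — and a comment stating it, `# Storage-independent checks only; filesystem-backed uploaders add their own (see the override in camaleon_cms_local_uploader.rb)`, would keep a future edit from re-adding the absolute-path check here and breaking S3 uploads again.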
@@ -56,16 +56,31 @@ end
 describe 'file upload with invalid path' do
- it 'upload a local file with invalid path of a path traversal try' do
+ it "doesn't upload a local file with invalid path of a path traversal try" do
 expect(upload_file(File.open(@path), { folder: '../../config/initializers' }).keys.include?(:error)).to be(true)
 end
- it 'upload a local file with invalid URI-like path' do
+ it "doesn't upload a local file with invalid URI-like path" do
 expect(upload_file(File.open(@path), { folder: 'file:///config/initializers' }).keys.include?(:error)).to be(true)
 end
- it 'upload a local file with an absolute path' do
- expect(upload_file(File.open(@path), { folder: '/tmp/config/initializers' }).keys.include?(:error)).to be(true)
+ context 'with local server' do
+ before { current_site.set_option('filesystem_type', 'local') }
+
+ it "doesn't upload a local file with an absolute path" do
+ expect(upload_file(File.open(@path), { folder: '/tmp/config/initializers' }).keys.include?(:error)).to be(true)
+ end
+ end
+
+ context 'with AWS server' do
+ before do
+ current_site.set_option('filesystem_type', 's3')
+ allow_any_instance_of(CamaleonCmsAwsUploader).to receive(:add_file).and_return({})
+ end
+
+ it 'uploads a local file with an absolute path' do
+ expect(upload_file(File.open(@path), { folder: '/tmp/config/initializers' }).keys.include?(:error)).to be(false)
+ end
 end
 end
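Review bot: The new examples copy the `.keys.include?(:error)` form into the added expectation lines; `expect(upload_file(File.open(@path), { folder: '/tmp/config/initializers' })).to have_key(:error)` (and `.not_to have_key(:error)` in the AWS case) says the same thing and reports the actual hash on failure instead of `expected true, got false`. The 'with AWS server' example only shows that validation let the absolute folder through: with `add_file` stubbed to return `{}`, nothing asserts that an upload was attempted, so `expect_any_instance_of(CamaleonCmsAwsUploader).to receive(:add_file)` (argument matching depends on add_file's signature, which this patch does not show) would make it fail if the upload were skipped for some other reason. `allow_any_instance_of` is the form RSpec discourages, though since the uploader instance is built inside `cama_uploader` it is probably the pragmatic choice here. The outer describe blocks closed by the trailing `end` lines start before this hunk.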