Parse cached attachment URLs with remote storages

In commit 5a4921a1a we replaced `URI.parse` with `URI.open` due to some issues during our tests with S3. However, there are some security issues with `URI.open` [1], since it might allow some users to execute code on the server. So we're using `URI.parse#open` instead. [1] https://docs.rubocop.org/rubocop/cops_security.html#securityopen
2021-11-10 23:18:37 +01:00
parent e5fbd34eac
commit 5519518cfb
3 changed files with 36 additions and 2 deletions
--- a/spec/controllers/proposals_controller_spec.rb
+++ b/spec/controllers/proposals_controller_spec.rb
@@ -8,4 +8,38 @@ describe ProposalsController do
      expect { get :index }.to raise_exception(FeatureFlags::FeatureDisabled)
    end
  end
+
+  describe "PUT update" do
+    let(:file) { Rails.root.join("spec/hacked") }
+
+    before do
+      File.delete(file) if File.exist?(file)
+      InvisibleCaptcha.timestamp_enabled = false
+    end
+
+    after { InvisibleCaptcha.timestamp_enabled = true }
+
+    it "ignores malicious cached attachments with remote storages" do
+      allow_any_instance_of(Image).to receive(:filesystem_storage?).and_return(false)
+      user = create(:user)
+      proposal = create(:proposal, author: user)
+      sign_in user
+
+      begin
+        put :update, params: {
+          id: proposal,
+          proposal: {
+            image_attributes: {
+              title: "Hacked!",
+              user_id: user.id,
+              cached_attachment: "| touch #{file}"
+            }
+          }
+        }
+      rescue StandardError
+      ensure
+        expect(file).not_to exist
+      end
+    end
+  end
 end