Parse cached attachment URLs with remote storages

In commit 5a4921a1a we replaced `URI.parse` with `URI.open` due to some
issues during our tests with S3.

However, there are some security issues with `URI.open` [1], since it
might allow some users to execute code on the server.

So we're using `URI.parse#open` instead.

[1] https://docs.rubocop.org/rubocop/cops_security.html#securityopen

app/models/concerns/attachable.rb

@@ -37,7 +37,7 @@ module Attachable
     if filesystem_storage?
       File.open(cached_attachment) { |file| self.attachment = file }
     else
-      self.attachment = URI.open(cached_attachment)
+      self.attachment = URI.parse(cached_attachment).open
     end
   end
 

lib/tasks/active_storage.rake

@@ -88,7 +88,7 @@ namespace :active_storage do
       source_file = if paperclip_storage == :filesystem
                       paperclip_attachment.path
                     else
-                      URI.open(paperclip_attachment.url, &:read)
+                      URI.parse(paperclip_attachment.url).open.read
                     end
 
       logger.info "Copying #{paperclip_attachment.url} to active storage"

spec/controllers/proposals_controller_spec.rb

@@ -8,4 +8,38 @@ describe ProposalsController do
       expect { get :index }.to raise_exception(FeatureFlags::FeatureDisabled)
     end
   end
+
+  describe "PUT update" do
+    let(:file) { Rails.root.join("spec/hacked") }
+
+    before do
+      File.delete(file) if File.exist?(file)
+      InvisibleCaptcha.timestamp_enabled = false
+    end
+
+    after { InvisibleCaptcha.timestamp_enabled = true }
+
+    it "ignores malicious cached attachments with remote storages" do
+      allow_any_instance_of(Image).to receive(:filesystem_storage?).and_return(false)
+      user = create(:user)
+      proposal = create(:proposal, author: user)
+      sign_in user
+
+      begin
+        put :update, params: {
+          id: proposal,
+          proposal: {
+            image_attributes: {
+              title: "Hacked!",
+              user_id: user.id,
+              cached_attachment: "| touch #{file}"
+            }
+          }
+        }
+      rescue StandardError
+      ensure
+        expect(file).not_to exist
+      end
+    end
+  end
 end