handle dangerous extensions

1 month ago · 354bccd6e8
parent 6806772346
commit 354bccd6e8
5 changed files with 53 additions and 11 deletions
--- a/app/controllers/api/active_storage_blobs_proxy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_controller.rb
@ -11,6 +11,7 @@ module Api
    before_action :set_noindex_headers
    before_action :set_security_headers

+    # rubocop:disable Metrics
    def show
      blob_uuid, purp, exp = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])

@ -22,6 +23,12 @@ module Api

      blob = ActiveStorage::Blob.find_by!(uuid: blob_uuid)

+      if Submitters::DANGEROUS_EXTENSIONS.include?(blob.filename.extension.to_s.downcase)
+        Rollbar.error('Dangerous extension') if defined?(Rollbar)
+
+        return head :unprocessable_content
+      end
+
      attachment = blob.attachments.take

      @record = attachment.record
@ -46,6 +53,7 @@ module Api
        end
      end
    end
+    # rubocop:enable Metrics

    private

--- a/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
@ -19,6 +19,12 @@ module Api

      return head :not_found unless blob

+      if Submitters::DANGEROUS_EXTENSIONS.include?(blob.filename.extension.to_s.downcase)
+        Rollbar.error('Dangerous extension') if defined?(Rollbar)
+
+        return head :unprocessable_content
+      end
+
      is_permitted = blob.attachments.any? do |a|
        (current_user && a.record.account.id == current_user.account_id) ||
          a.record.account.account_configs.any? { |e| e.key == 'legacy_blob_proxy' } ||
--- a/app/controllers/user_initials_controller.rb
+++ b/app/controllers/user_initials_controller.rb
@ -11,6 +11,12 @@ class UserInitialsController < ApplicationController

    return redirect_to settings_profile_index_path, notice: I18n.t('unable_to_save_initials') if file.blank?

+    extension = File.extname(file.original_filename).delete_prefix('.').downcase
+
+    if Submitters::DANGEROUS_EXTENSIONS.include?(extension)
+      raise Submitters::MaliciousFileExtension, "File type '.#{extension}' is not allowed."
+    end
+
    blob = ActiveStorage::Blob.create_and_upload!(io: file.open,
                                                  filename: file.original_filename,
                                                  content_type: file.content_type)
--- a/app/controllers/user_signatures_controller.rb
+++ b/app/controllers/user_signatures_controller.rb
@ -11,6 +11,12 @@ class UserSignaturesController < ApplicationController

    return redirect_to settings_profile_index_path, notice: I18n.t('unable_to_save_signature') if file.blank?

+    extension = File.extname(file.original_filename).delete_prefix('.').downcase
+
+    if Submitters::DANGEROUS_EXTENSIONS.include?(extension)
+      raise Submitters::MaliciousFileExtension, "File type '.#{extension}' is not allowed."
+    end
+
    blob = ActiveStorage::Blob.create_and_upload!(io: file.open,
                                                  filename: file.original_filename,
                                                  content_type: file.content_type)
--- a/lib/submitters/normalize_values.rb
+++ b/lib/submitters/normalize_values.rb
@ -212,8 +212,8 @@ module Submitters
        elsif type.in?(%w[signature initials]) && value.length < 60
          find_or_create_blob_from_text(account, value, type)
        elsif (data = Base64.decode64(value.sub(BASE64_PREFIX_REGEXP, ''))) &&
-              Marcel::MimeType.for(data).exclude?('octet-stream')
-          find_or_create_blob_from_base64(account, data, type)
+              (mime_type = Marcel::MimeType.for(data)).exclude?('octet-stream')
+          find_or_create_blob_from_base64(account, data, type, mime_type:)
        elsif type == 'image' && (value.starts_with?('<html>') || value.starts_with?('<!DOCTYPE'))
          raise InvalidDefaultValue, "Invalid #{type} value" unless purpose == :api

@ -236,15 +236,27 @@ module Submitters
      raise InvalidDefaultValue, "HTML content is not allowed: #{value.first(200)}..."
    end

-    def find_or_create_blob_from_base64(account, data, type)
+    def find_or_create_blob_from_base64(account, data, type, mime_type: nil)
      checksum = Digest::MD5.base64digest(data)

      blob = find_blob_by_checksum(checksum, account)

-      blob || ActiveStorage::Blob.create_and_upload!(
-        io: StringIO.new(data),
-        filename: "#{type}.png"
-      )
+      return blob if blob
+
+      mime_type ||= Marcel::MimeType.for(data)
+
+      detected_extensions = Marcel::TYPE_EXTS[mime_type].to_a.map(&:downcase)
+
+      if detected_extensions.any? { |e| Submitters::DANGEROUS_EXTENSIONS.include?(e) }
+        raise InvalidDefaultValue, "File type '.#{detected_extensions.first}' is not allowed."
+      end
+
+      extension = detected_extensions.first
+      extension = 'png' if extension.blank? && type.in?(%w[signature initials stamp image])
+
+      filename = extension.present? ? "#{type}.#{extension}" : type
+
+      ActiveStorage::Blob.create_and_upload!(io: StringIO.new(data), filename:)
    end

    def find_or_create_blob_from_text(account, text, type)
@ -261,6 +273,13 @@ module Submitters
    end

    def find_or_create_blob_from_url(account, url)
+      filename = Addressable::URI.parse(url).path.split('/').last.to_s
+      extension = File.extname(filename).delete_prefix('.').downcase
+
+      if Submitters::DANGEROUS_EXTENSIONS.include?(extension)
+        raise InvalidDefaultValue, "File type '.#{extension}' is not allowed."
+      end
+
      cache_key = [account.id, url].join(':')
      checksum = CHECKSUM_CACHE_STORE.fetch(cache_key)

@ -276,10 +295,7 @@ module Submitters

      blob = find_blob_by_checksum(checksum, account)

-      blob || ActiveStorage::Blob.create_and_upload!(
-        io: StringIO.new(data),
-        filename: Addressable::URI.parse(url).path.split('/').last
-      )
+      blob || ActiveStorage::Blob.create_and_upload!(io: StringIO.new(data), filename:)
    end

    def find_blob_by_checksum(checksum, account)