active_storage_svg_sanitizer 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/MIT-LICENSE +20 -0
- data/README.md +26 -0
- data/Rakefile +34 -0
- data/app/assets/config/active_storage_svg_sanitizer_manifest.js +1 -0
- data/app/assets/stylesheets/active_storage_svg_sanitizer/application.css +15 -0
- data/app/controllers/active_storage_svg_sanitizer/application_controller.rb +7 -0
- data/app/helpers/active_storage_svg_sanitizer/application_helper.rb +6 -0
- data/app/jobs/active_storage_svg_sanitizer/application_job.rb +6 -0
- data/app/jobs/active_storage_svg_sanitizer/sanitize_svg_job.rb +39 -0
- data/app/mailers/active_storage_svg_sanitizer/application_mailer.rb +8 -0
- data/app/models/active_storage_svg_sanitizer/application_record.rb +7 -0
- data/app/views/layouts/active_storage_svg_sanitizer/application.html.erb +15 -0
- data/config/initializers/active_storage_svg_sanitizer.rb +9 -0
- data/config/routes.rb +4 -0
- data/lib/active_storage_svg_sanitizer.rb +7 -0
- data/lib/active_storage_svg_sanitizer/engine.rb +7 -0
- data/lib/active_storage_svg_sanitizer/svg_sanitizer.rb +19 -0
- data/lib/active_storage_svg_sanitizer/version.rb +5 -0
- data/lib/tasks/active_storage_svg_sanitizer_tasks.rake +6 -0
- metadata +132 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 2fe3665fa7b4bdfe831a8c1e84167eacfc92edf82d3a0f70e4b26ab776880a4d
|
|
4
|
+
data.tar.gz: 8b38e96d5c423146d69a3c37fe607577019292c1bebf5d0730ae44771f17e68c
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 17bb4d3d8f96a4ba91fdcd52dbd8026eb62a819311d2062a13c4f8ee397877eb50aa1005bcf750b856b48bc20deccfacdf99c79dcb27a8b13518481b613ade83
|
|
7
|
+
data.tar.gz: 2bde5ecab52134656464b75d6b0f274725c8e49e7406298d6fbb761e87680bf3177c239b0d177a866848773a403f7d1b6dce1019c5c0240b82d925a17c877cfc
|
data/MIT-LICENSE
ADDED
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
Copyright 2019 Nathan Hopkins
|
|
2
|
+
|
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
|
4
|
+
a copy of this software and associated documentation files (the
|
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
|
9
|
+
the following conditions:
|
|
10
|
+
|
|
11
|
+
The above copyright notice and this permission notice shall be
|
|
12
|
+
included in all copies or substantial portions of the Software.
|
|
13
|
+
|
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# ActiveStorageSvgSanitizer
|
|
2
|
+
|
|
3
|
+
A small library that sanitizes ActiveStorage SVG uploads by stripping any embedded `script` tags.
|
|
4
|
+
|
|
5
|
+
## Installation
|
|
6
|
+
|
|
7
|
+
Add this line to your application's Gemfile:
|
|
8
|
+
|
|
9
|
+
```ruby
|
|
10
|
+
gem 'active_storage_svg_sanitizer'
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
## Usage
|
|
14
|
+
|
|
15
|
+
This libary uses ActiveJob to perform sanization tasks in the background.
|
|
16
|
+
|
|
17
|
+
Simply including this gem will ensure your svg uploads are sanitized.
|
|
18
|
+
|
|
19
|
+
If you'd like to render uploaded svg images in your application, add an initializer that unregisters `svg` as a binary file type.
|
|
20
|
+
|
|
21
|
+
```ruby
|
|
22
|
+
ActiveStorage::Engine.config.active_storage.content_types_to_serve_as_binary.delete "image/svg+xml"
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
## License
|
|
26
|
+
The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
|
data/Rakefile
ADDED
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
begin
|
|
4
|
+
require "bundler/setup"
|
|
5
|
+
rescue LoadError
|
|
6
|
+
puts "You must `gem install bundler` and `bundle install` to run rake tasks"
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
require "rdoc/task"
|
|
10
|
+
|
|
11
|
+
RDoc::Task.new(:rdoc) do |rdoc|
|
|
12
|
+
rdoc.rdoc_dir = "rdoc"
|
|
13
|
+
rdoc.title = "ActiveStorageSvgSanitizer"
|
|
14
|
+
rdoc.options << "--line-numbers"
|
|
15
|
+
rdoc.rdoc_files.include("README.md")
|
|
16
|
+
rdoc.rdoc_files.include("lib/**/*.rb")
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
|
|
20
|
+
load "rails/tasks/engine.rake"
|
|
21
|
+
|
|
22
|
+
load "rails/tasks/statistics.rake"
|
|
23
|
+
|
|
24
|
+
require "bundler/gem_tasks"
|
|
25
|
+
|
|
26
|
+
require "rake/testtask"
|
|
27
|
+
|
|
28
|
+
Rake::TestTask.new(:test) do |t|
|
|
29
|
+
t.libs << "test"
|
|
30
|
+
t.pattern = "test/**/*_test.rb"
|
|
31
|
+
t.verbose = false
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
task default: :test
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
//= link_directory ../stylesheets/active_storage_svg_sanitizer .css
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
/*
|
|
2
|
+
* This is a manifest file that'll be compiled into application.css, which will include all the files
|
|
3
|
+
* listed below.
|
|
4
|
+
*
|
|
5
|
+
* Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
|
|
6
|
+
* or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
|
|
7
|
+
*
|
|
8
|
+
* You're free to add application-wide styles to this file and they'll appear at the bottom of the
|
|
9
|
+
* compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
|
|
10
|
+
* files in this directory. Styles in this file should be added after the last require_* statement.
|
|
11
|
+
* It is generally better to create a new file per style scope.
|
|
12
|
+
*
|
|
13
|
+
*= require_tree .
|
|
14
|
+
*= require_self
|
|
15
|
+
*/
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module ActiveStorageSvgSanitizer
|
|
4
|
+
class SanitizeSvgJob < ApplicationJob
|
|
5
|
+
def perform(blob)
|
|
6
|
+
return unless blob.svg?
|
|
7
|
+
return if blob.metadata[:sanitized]
|
|
8
|
+
|
|
9
|
+
sanitized = sanitize(blob.download)
|
|
10
|
+
Tempfile.open([blob.filename.base, blob.filename.extension]) do |file|
|
|
11
|
+
file.print sanitized
|
|
12
|
+
file.rewind
|
|
13
|
+
blob.upload file
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
blob.metadata[:sanitized] = true
|
|
17
|
+
blob.save
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
private
|
|
21
|
+
|
|
22
|
+
def sanitize(unsafe_xml)
|
|
23
|
+
unsafe_xml = unsafe_xml.to_s
|
|
24
|
+
unsafe_xml.force_encoding "UTF-8"
|
|
25
|
+
return Loofah.xml_document(unsafe_xml).scrub!(scrubber).to_s if document?(unsafe_xml)
|
|
26
|
+
Loofah.xml_fragment(unsafe_xml).scrub!(scrubber).to_s
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def scrubber
|
|
30
|
+
Loofah::Scrubber.new do |node|
|
|
31
|
+
node.remove if node.name == "script"
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def document?(unsafe)
|
|
36
|
+
unsafe.include?("<?xml") || unsafe.include?("<!DOCTYPE")
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
<!DOCTYPE html>
|
|
2
|
+
<html>
|
|
3
|
+
<head>
|
|
4
|
+
<title>Active storage svg sanitizer</title>
|
|
5
|
+
<%= csrf_meta_tags %>
|
|
6
|
+
<%= csp_meta_tag %>
|
|
7
|
+
|
|
8
|
+
<%= stylesheet_link_tag "active_storage_svg_sanitizer/application", media: "all" %>
|
|
9
|
+
</head>
|
|
10
|
+
<body>
|
|
11
|
+
|
|
12
|
+
<%= yield %>
|
|
13
|
+
|
|
14
|
+
</body>
|
|
15
|
+
</html>
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "active_storage_svg_sanitizer/svg_sanitizer"
|
|
4
|
+
|
|
5
|
+
# ActiveStorage::Engine.config.active_storage.content_types_to_serve_as_binary.delete "image/svg+xml"
|
|
6
|
+
|
|
7
|
+
Rails.application.config.to_prepare do
|
|
8
|
+
ActiveStorage::Blob.send :include, ActiveStorageSvgSanitizer::SvgSanitizer
|
|
9
|
+
end
|
data/config/routes.rb
ADDED
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module ActiveStorageSvgSanitizer
|
|
4
|
+
module SvgSanitizer
|
|
5
|
+
extend ActiveSupport::Concern
|
|
6
|
+
|
|
7
|
+
included do
|
|
8
|
+
after_create_commit :sanitize_svg, if: :svg?
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def svg?
|
|
12
|
+
filename.extension == "svg"
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def sanitize_svg
|
|
16
|
+
ActiveStorageSvgSanitizer::SanitizeSvgJob.set(wait: 10.seconds).perform_later self
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: active_storage_svg_sanitizer
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.1.0
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Nathan Hopkins
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2019-09-09 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rails
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '5.2'
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '5.2'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: sqlite3
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - ">="
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: '0'
|
|
34
|
+
type: :development
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ">="
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: '0'
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: pry
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - ">="
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: '0'
|
|
48
|
+
type: :development
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - ">="
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '0'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: pry-nav
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - ">="
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '0'
|
|
62
|
+
type: :development
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - ">="
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: '0'
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: standardrb
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - ">="
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: '0'
|
|
76
|
+
type: :development
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - ">="
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: '0'
|
|
83
|
+
description: Sanitize SVG images after ActiveStorage upload
|
|
84
|
+
email:
|
|
85
|
+
- natehop@gmail.com
|
|
86
|
+
executables: []
|
|
87
|
+
extensions: []
|
|
88
|
+
extra_rdoc_files: []
|
|
89
|
+
files:
|
|
90
|
+
- MIT-LICENSE
|
|
91
|
+
- README.md
|
|
92
|
+
- Rakefile
|
|
93
|
+
- app/assets/config/active_storage_svg_sanitizer_manifest.js
|
|
94
|
+
- app/assets/stylesheets/active_storage_svg_sanitizer/application.css
|
|
95
|
+
- app/controllers/active_storage_svg_sanitizer/application_controller.rb
|
|
96
|
+
- app/helpers/active_storage_svg_sanitizer/application_helper.rb
|
|
97
|
+
- app/jobs/active_storage_svg_sanitizer/application_job.rb
|
|
98
|
+
- app/jobs/active_storage_svg_sanitizer/sanitize_svg_job.rb
|
|
99
|
+
- app/mailers/active_storage_svg_sanitizer/application_mailer.rb
|
|
100
|
+
- app/models/active_storage_svg_sanitizer/application_record.rb
|
|
101
|
+
- app/views/layouts/active_storage_svg_sanitizer/application.html.erb
|
|
102
|
+
- config/initializers/active_storage_svg_sanitizer.rb
|
|
103
|
+
- config/routes.rb
|
|
104
|
+
- lib/active_storage_svg_sanitizer.rb
|
|
105
|
+
- lib/active_storage_svg_sanitizer/engine.rb
|
|
106
|
+
- lib/active_storage_svg_sanitizer/svg_sanitizer.rb
|
|
107
|
+
- lib/active_storage_svg_sanitizer/version.rb
|
|
108
|
+
- lib/tasks/active_storage_svg_sanitizer_tasks.rake
|
|
109
|
+
homepage: https://github.com/hopsoft/active_storage_svg_sanitizer
|
|
110
|
+
licenses:
|
|
111
|
+
- MIT
|
|
112
|
+
metadata: {}
|
|
113
|
+
post_install_message:
|
|
114
|
+
rdoc_options: []
|
|
115
|
+
require_paths:
|
|
116
|
+
- lib
|
|
117
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
118
|
+
requirements:
|
|
119
|
+
- - ">="
|
|
120
|
+
- !ruby/object:Gem::Version
|
|
121
|
+
version: '0'
|
|
122
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
123
|
+
requirements:
|
|
124
|
+
- - ">="
|
|
125
|
+
- !ruby/object:Gem::Version
|
|
126
|
+
version: '0'
|
|
127
|
+
requirements: []
|
|
128
|
+
rubygems_version: 3.0.3
|
|
129
|
+
signing_key:
|
|
130
|
+
specification_version: 4
|
|
131
|
+
summary: Sanitize SVG images after ActiveStorage upload
|
|
132
|
+
test_files: []
|