html-pipeline-gitlab 0.1.5 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b597cdd10f4cb7b8ea744b576726c7de44a9af3d
-  data.tar.gz: e6d97da0ae3f3e21075d0be916a33854602e9ecf
+  metadata.gz: c7665f2aba698a1f7b7c3c8194f572fb1bdc4bfc
+  data.tar.gz: 90460359d1b82321483bd0fca1ab9088507f6532
 SHA512:
-  metadata.gz: c2cb57b0e1c926ebb6f5bda9b3f91599819757f611b3b90f92643bd07b09ef9a9d0a8b3c93a3611b284f14b1de049e5191abc6295bc5ec7ed7912c13a414bdbc
-  data.tar.gz: 802c35fc82d1e0ea4e4805eafbfe1184b6ed58f77f87a9c738b9a52b3e60e2ba480414dd7831b56d8a0ea6477dfca4f471d4f74e2e10669e6becd567e2ad357f
+  metadata.gz: cdce34f98a7100bbea473e5ad46237ebb52d4eaafa71dec4d1c480f1711a94fde3ba218a7002fa418e8ac2c64f352fe3b5b0305f402b4644100a287fec995915
+  data.tar.gz: 07b1cef40313ae90d8fba3989dc0cab60f44ac8fd419b8ab9ee83fbe020689b2bdaee465dcb87c1e7504eb27d89357a915c3e9b0fd6b63856bd0d20cc4f94072

data/.gitignore

@@ -12,3 +12,4 @@
 *.o
 *.a
 mkmf.log
+vendor/bundle/*

data/README.md

@@ -38,7 +38,8 @@ bundle exec rake test
 ## Filters
 
 * `GitlabEmojiFilter` - replaces emoji references with images from
-[PhantomOpenEmoji](https://github.com/Genshin/PhantomOpenEmoji)
+[PhantomOpenEmoji](https://github.com/Genshin/PhantomOpenEmoji)  
+* `GitlabEmailImageFilter` - replaces linked images that were uploaded as attachments with inline images
 
 ## Contributing
 

data/html-pipeline-gitlab.gemspec

@@ -26,4 +26,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'gitlab_emoji', '~> 0.0.1'
   spec.add_runtime_dependency 'sanitize', '~> 2.1'
   spec.add_runtime_dependency 'actionpack', '~> 4'
+  spec.add_runtime_dependency 'rmagick'
 end

data/lib/html/pipeline/gitlab.rb

@@ -9,6 +9,7 @@ module HTML
 
       # Custom filter implementations
       autoload :GitlabEmojiFilter, 'html/pipeline/gitlab/gitlab_emoji_filter'
+      autoload :GitlabEmailImageFilter, 'html/pipeline/gitlab/gitlab_email_image_filter'
 
       def initialize(filters)
         @filters = filters.flatten.freeze

data/lib/html/pipeline/gitlab/gitlab_email_image_filter.rb

@@ -0,0 +1,65 @@
+require 'base64'
+require 'RMagick'
+require 'html/pipeline/filter'
+require 'uri'
+
+module HTML
+  class Pipeline
+    class Gitlab
+      # HTML filter that replaces linked images with inline images in emails.
+      class GitlabEmailImageFilter < Filter
+        def call
+          doc.search('img').each do |img|
+            next if img['src'].nil?
+
+            src = img['src'].strip
+            next unless src.start_with?(context[:base_url])
+
+            file_path =
+              get_file_path(src, context[:upload_path], context[:base_url])
+            next unless File.file?(file_path)
+            encoded_image = base64_encode_image(file_path)
+            next unless encoded_image.present?
+
+            img['src'] = encoded_image
+          end
+
+          doc
+        end
+
+        def base64_encode_image(file_path)
+          img = Magick::Image.read(file_path).first
+          # Strip profiles and comments from file
+          img.strip!
+          if img.filesize > 100_000
+            img.format = 'JPG'
+            # Resize it to be maximum 600px * 600px.
+            img.resize_to_fit!(600, 600)
+            encoded_image = Base64.encode64(img.to_blob { self.quality = 60 })
+          else
+            encoded_image = Base64.encode64(img.to_blob)
+          end
+
+          "data:image/jpg;base64,#{encoded_image}"
+        end
+
+        def get_file_path(url, upload_path, base_url)
+          # replace base url with location in file system
+          url.gsub!(base_url, '')
+          file_path = prevent_path_traversal(url)
+          File.join(upload_path, file_path)
+        end
+
+        def prevent_path_traversal(file_path)
+          # decode the url. We don't want encoded chars in our file path
+          file_path = URI.decode(file_path).to_s
+          # remove all occurences of ".." from the url
+          # to prevent path traversing
+          file_path = file_path.gsub('..', '')
+          # replace unnecessary double slashes
+          file_path.gsub('//', '/')
+        end
+      end
+    end
+  end
+end

data/lib/html/pipeline/gitlab/version.rb

@@ -1,7 +1,7 @@
 module Html
   module Pipeline
     module Gitlab
-      VERSION = '0.1.5'
+      VERSION = '0.1.6'
     end
   end
 end

data/test/html/pipeline/gitlab_email_image_filter_test.rb

@@ -0,0 +1,53 @@
+require 'test_helper'
+require 'html/pipeline/gitlab'
+require 'uri'
+
+# Test for the GitlabEmailImageFilter class
+class HTML::Pipeline::GitlabEmailImageFilterTest < Minitest::Test
+  GitlabEmailImageFilter = HTML::Pipeline::Gitlab::GitlabEmailImageFilter
+
+  def test_prevent_path_traversal
+    context = {
+      base_url: 'https://foo.com/namespace/project/uploads',
+      upload_path: '/opt/gitlab/public/uploads/namespace/project'
+    }
+
+    filter =
+      GitlabEmailImageFilter.new(
+        '<img src="https://foo.com/namespace/project/uploads/1234/test.jpg" />',
+        context)
+
+    {
+      '/..' => '/', '/a/../b' => '/a/b', '/a/../b/' => '/a/b/',
+      '/%2e.' => '/', '/a/%2E%2e/b' => '/a/b', '/a%2f%2E%2e%2Fb/' => '/a/b/',
+      '//' => '/', '/%2fetc%2Fpasswd' => '/etc/passwd'
+    }.each do |a, b|
+      filtered_a = filter.prevent_path_traversal(a)
+      assert_match filtered_a, b
+    end
+  end
+
+  def test_file_path
+    context = {
+      base_url: 'https://foo.com/namespace/project/uploads',
+      upload_path: '/opt/gitlab/public/uploads/namespace/project'
+    }
+
+    img_src =
+      'https://foo.com/namespace/project/uploads/1234/test.jpg'
+
+    filter =
+      GitlabEmailImageFilter.new(
+        '<img src="https://foo.com/namespace/project/uploads/1234/test.jpg" />',
+        context)
+
+    file_path =
+      filter.get_file_path(img_src,
+                           context[:upload_path],
+                           context[:base_url])
+    expected_file_path =
+      '/opt/gitlab/public/uploads/namespace/project/1234/test.jpg'
+
+    assert_match file_path, expected_file_path
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: html-pipeline-gitlab
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.6
 platform: ruby
 authors:
 - Robert Schilling
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-10 00:00:00.000000000 Z
+date: 2015-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -109,6 +109,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '4'
+- !ruby/object:Gem::Dependency
+  name: rmagick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Extension filters for html-pipeline used by GitLab
 email:
 - schilling.ro@gmail.com
@@ -124,8 +138,10 @@ files:
 - Rakefile
 - html-pipeline-gitlab.gemspec
 - lib/html/pipeline/gitlab.rb
+- lib/html/pipeline/gitlab/gitlab_email_image_filter.rb
 - lib/html/pipeline/gitlab/gitlab_emoji_filter.rb
 - lib/html/pipeline/gitlab/version.rb
+- test/html/pipeline/gitlab_email_image_filter_test.rb
 - test/html/pipeline/gitlab_gemoji_filter_test.rb
 - test/test_helper.rb
 homepage: https://gitlab.com/gitlab-org/html-pipeline-gitlab
@@ -153,5 +169,7 @@ signing_key:
 specification_version: 4
 summary: Extension filters for html-pipeline used by GitLab
 test_files:
+- test/html/pipeline/gitlab_email_image_filter_test.rb
 - test/html/pipeline/gitlab_gemoji_filter_test.rb
 - test/test_helper.rb
+has_rdoc: