image_vise 0.1.3 → 0.1.4
- checksums.yaml +4 -4
- data/image_vise.gemspec +2 -2
- data/lib/image_vise/image_request.rb +6 -1
- data/lib/image_vise/render_engine.rb +3 -4
- data/lib/image_vise.rb +1 -1
- data/spec/image_vise/render_engine_spec.rb +9 -6
- metadata +1 -1
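--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 93c443e8b8b6c60e3b86d1d5bfccd4d49222c793
+data.tar.gz: 41c91138bea11c4e76452634f6ff16a56cd6041c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 044ddadc1b490096a3be67d766bd91e7c053603a05626e5c8023ee285f665d3032074fd64f04191baac62348788521ce3a665bd7870fc4433f2d849144b44852
+data.tar.gz: dfc2a1727d89434bc2765e76b5db1dd5978d8150efada47f24f60f3aee6491e0cac0f45f8326f988318918cad56a3eb0dfb7239eabbfc8f84aee548661c2d00b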
data/image_vise.gemspec
CHANGED
@@ -2,11 +2,11 @@
|
|
2
2
|
# DO NOT EDIT THIS FILE DIRECTLY
|
3
3
|
# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
|
4
4
|
# -*- encoding: utf-8 -*-
|
5
|
-
# stub: image_vise 0.1.
|
5
|
+
# stub: image_vise 0.1.4 ruby lib
|
6
6
|
|
7
7
|
Gem::Specification.new do |s|
|
8
8
|
s.name = "image_vise"
|
9
|
-
s.version = "0.1.
|
9
|
+
s.version = "0.1.4"
|
10
10
|
|
11
11
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
12
12
|
s.require_paths = ["lib"]
|
@@ -10,6 +10,9 @@ class ImageVise::ImageRequest < Ks.strict(:src_url, :pipeline)
|
|
10
10
|
base64_encoded_params = qs_params.fetch(:q) rescue qs_params.fetch('q')
|
11
11
|
given_signature = qs_params.fetch(:sig) rescue qs_params.fetch('sig')
|
12
12
|
|
13
|
+
# Unmask slashes and equals signs (if they are present)
|
14
|
+
base64_encoded_params = base64_encoded_params.tr('-', '/').tr('_', '+')
|
15
|
+
|
13
16
|
# Check the signature before decoding JSON (since we will be creating symbols)
|
14
17
|
unless valid_signature?(base64_encoded_params, given_signature, secrets)
|
15
18
|
raise SignatureError, "Invalid or missing signature"
|
@@ -30,7 +33,9 @@ class ImageVise::ImageRequest < Ks.strict(:src_url, :pipeline)
|
|
30
33
|
end
|
31
34
|
|
32
35
|
def to_path_params(signed_with_secret)
|
33
|
-
|
36
|
+
qs = to_query_string_params(signed_with_secret)
|
37
|
+
q_masked = qs.fetch(:q).tr('/', '-').tr('+', '_')
|
38
|
+
'/%s/%s' % [q_masked, qs[:sig]]
|
34
39
|
end
|
35
40
|
|
36
41
|
def to_query_string_params(signed_with_secret)
|
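Review bot: The comment on the added unmasking line in the first `ImageRequest` hunk says "slashes and equals signs", but the two `tr` calls restore `/` and `+`, and `=` padding is never touched. The mapping (`-` to `/`, `_` to `+`) is also the reverse of the RFC 4648 URL-safe alphabet, so a `q` produced with `Base64.urlsafe_encode64` would be rewritten into a different string and presumably fail `valid_signature?`; it only round-trips with `to_path_params` in the second hunk. Because unmasking runs before verification, several spellings of the same `q` verify against one signature, which is worth knowing if a cache in front of this keys on the raw URL. I would change the comment to `# Unmask "/" and "+" (written as "-" and "_" by to_path_params; this is not the RFC 4648 base64url mapping)`. The enclosing method starts and ends outside the hunk.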
@@ -105,10 +105,9 @@ class ImageVise::RenderEngine
|
|
105
105
|
bail(400, 'Query strings are not supported') if rack_request.params.any?
|
106
106
|
|
107
107
|
# Extract the tail (signature) and the front (the Base64-encoded request).
|
108
|
-
#
|
109
|
-
#
|
110
|
-
sig_from_path = rack_request.path_info
|
111
|
-
q_from_path = rack_request.path_info[/\/?(.+)\/[^\/]+$/, 1]
|
108
|
+
# Slashes within :q are masked by ImageRequest already, so we don't have
|
109
|
+
# to worry about them.
|
110
|
+
*, q_from_path, sig_from_path = rack_request.path_info.split('/')
|
112
111
|
|
113
112
|
# Raise if any of them are empty or blank
|
114
113
|
nothing_recovered = [q_from_path, sig_from_path].all?{|v| v.nil? || v.empty? }
|
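Review bot: The destructuring `*, q_from_path, sig_from_path = rack_request.path_info.split('/')` keeps only the last two segments and silently discards everything before them, so `/x/y/<q>/<sig>` is handled like `/<q>/<sig>`, and a path with a single segment leaves one of the two values empty or nil. The unchanged guard below uses `all?` although its comment says "any of them are empty", so a half-empty result is not rejected here and, as far as this hunk shows, is left to the signature check. If extra leading segments are not intentionally supported, I would tighten both: `nothing_recovered = [q_from_path, sig_from_path].any?{|v| v.nil? || v.empty? }` and `bail(400, 'Malformed path') unless rack_request.path_info.split('/').reject(&:empty?).length == 2`, so each signed request has exactly one accepted path. The enclosing method starts and ends outside the hunk.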
data/lib/image_vise.rb
CHANGED
@@ -154,21 +154,24 @@ describe ImageVise::RenderEngine do
|
|
154
154
|
expect(parsed_image.columns).to eq(10)
|
155
155
|
end
|
156
156
|
|
157
|
-
it 'properly decodes the image request if its Base64 representation contains slashes' do
|
157
|
+
it 'properly decodes the image request if its Base64 representation contains masked slashes and plus characters' do
|
158
158
|
ImageVise.add_secret_key!("this is fab")
|
159
|
-
|
159
|
+
sig = '64759d9ea610d75d9138bfa3ea01595d343ca8994261ae06fca8e6490222f140'
|
160
|
+
q = 'eyJwaXBlbGluZSI6W1sic2hhcnBlbiIseyJyYWRpdXMiO' +
|
160
161
|
'jAuNSwic2lnbWEiOjAuNX1dXSwic3JjX3VybCI6InNoYWRl' +
|
161
|
-
'cmljb246L0NQR1BfRmlyZWJhbGw
|
162
|
+
'cmljb246L0NQR1BfRmlyZWJhbGw-Yz1kOWM4ZTMzO'+
|
162
163
|
'TZmNjMwYzM1MjM0MTYwMmM2YzJhYmQyZjAzNTcxMTF'+
|
163
|
-
'jIn0
|
164
|
-
|
164
|
+
'jIn0'
|
165
|
+
params = {q: q, sig: sig}
|
166
|
+
req = ImageVise::ImageRequest.from_params(qs_params: params, secrets: ['this is fab'])
|
167
|
+
|
165
168
|
# We do a check based on the raised exception - the request will fail
|
166
169
|
# at the fetcher lookup stage. That stage however takes place _after_ the
|
167
170
|
# signature has been validated, which means that the slash within the
|
168
171
|
# Base64 payload has been taken into account
|
169
172
|
expect(app).to receive(:raise_exceptions?).and_return(true)
|
170
173
|
expect {
|
171
|
-
get
|
174
|
+
get req.to_path_params('this is fab')
|
172
175
|
}.to raise_error(/No fetcher registered for shadericon/)
|
173
176
|
end
|
174
177
|
|
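Review bot: The example is titled "masked slashes and plus characters", but the `q` literal contains a single `-` and no `_`, so only the `/` masking is exercised and the `+` to `_` leg of `to_path_params` and `from_params` has no coverage. Since this transformation sits in front of signature verification, I would add a payload whose Base64 form contains `+`, plus a negative example asserting that a path with one altered character in the masked `q` is rejected before the fetcher lookup is reached. The trailing comment still speaks of "the slash within the Base64 payload" and could be updated to say the masked `-` is unmasked before the signature check. The `describe` block starts and ends outside the hunk.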