image_vise 0.1.2 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 493e78593a4399614a6db7dc12b6718941e4de04
-  data.tar.gz: 31e96d402674418e02c1a3bc9a88810889af16c8
+  metadata.gz: 13cb5031151e501b48add64f3082fa22a154dd62
+  data.tar.gz: fee7a59c9576786ecf2532db3e81a0cfea2f7a05
 SHA512:
-  metadata.gz: 7a14f2987b638ec2cead4ac87e269ad131fd1d1409834b5b0b0efddbd464a3e434e6a24bad127249b6173ccd655e2957fc23d48b4f5490564e4833c93dbb2181
-  data.tar.gz: 67d3fc0181b7935f24c9a48afb5ff90afc813e6abc5fc2e627c41c0c51f0f4dc45326ec300fab03114647d98e8950ca64f42ac3a4bf4b5640c6c127621030c9b
+  metadata.gz: c437c64f50ed44356f1d72b198d503c7ec562dc34e240cf6a4551fdbd8a713102b282b4e2962b7bdaeebeaa07653e6a0fdd7cd9c619d87425ee860d7b242ff0b
+  data.tar.gz: 0c2979889f495b9cce1ae6388b25b6e5e780efae0f6d7dbdd195da880ff5d6791b197aa2e6971fb952ca508a3d1a874c44c5b955cece414c009a019740edea07

data/README.md

@@ -47,6 +47,9 @@ def thumb_url(source_image_url)
 end
 ```
 
+To preserve your sanity, make the route to the ImageVise engine terminal and do _not_ perform rewrites
+on it in your webserver configuration - for instance, Base64 permits slashes.
+
 ## Using ImageVise within a Rack application
 
 Mount ImageVise under a script name in your `config.ru`:
@@ -75,6 +78,11 @@ def thumb_url(source_image_url)
   '/images' + path
 end
 ```
+## Path decoding and SCRIPT_NAME
+
+`ImageVise::RenderEngine` _must_ be mounted under a `SCRIPT_NAME` (using either `mount` in Rails
+or using `map` in Rack). That is so since we may have more than 1 path component that we have to
+decode (when the Base64 payload contains slashes).
 
 ## Processing files on the local filesystem instead of remote ones
 

data/image_vise.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: image_vise 0.1.2 ruby lib
+# stub: image_vise 0.1.3 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "image_vise"
-  s.version = "0.1.2"
+  s.version = "0.1.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
   s.authors = ["Julik Tarkhanov"]
-  s.date = "2016-10-26"
+  s.date = "2016-10-29"
   s.description = "Image processing via URLs"
   s.email = "me@julik.nl"
   s.extra_rdoc_files = [

data/lib/image_vise/render_engine.rb

@@ -104,8 +104,11 @@ class ImageVise::RenderEngine
     # Prevent cache bypass DOS attacks by only permitting :sig and :q
     bail(400, 'Query strings are not supported') if rack_request.params.any?
     
-    # Extract the last two path components
-    *, q_from_path, sig_from_path = rack_request.path_info.split('/')
+    # Extract the tail (signature) and the front (the Base64-encoded request).
+    # The Base64-encoded string may contain slashes, that is why recovering one path component
+    # is not enough.
+    sig_from_path = rack_request.path_info[/\/([^\/]+)$/, 1]
+    q_from_path = rack_request.path_info[/\/?(.+)\/[^\/]+$/, 1]
 
     # Raise if any of them are empty or blank
     nothing_recovered = [q_from_path, sig_from_path].all?{|v| v.nil? || v.empty? }

data/lib/image_vise.rb

@@ -8,7 +8,7 @@ require 'base64'
 require 'rack'
 
 class ImageVise
-  VERSION = '0.1.2'
+  VERSION = '0.1.3'
   S_MUTEX = Mutex.new
   private_constant :S_MUTEX
   

data/spec/image_vise/image_request_spec.rb

@@ -46,8 +46,6 @@ describe ImageVise::ImageRequest do
   end
 
   describe 'fails with an invalid signature' do
-    it 'when the sig param is missing'
-    it 'when the sig param is empty'
     it 'when the sig is invalid' do
       img_params = {src_url: 'http://bucket.s3.aws.com/image.jpg',
           pipeline: [[:crop, {width: 10, height: 10, gravity: 's'}]]}

data/spec/image_vise/render_engine_spec.rb

@@ -137,7 +137,7 @@ describe ImageVise::RenderEngine do
       expect(last_response.status).to eq(304)
     end
     
-    it 'when all goes well responds with an image that passes through all the processing steps' do
+    it 'responds with an image that passes through all the processing steps' do
       uri = Addressable::URI.parse(public_url)
       ImageVise.add_allowed_host!(uri.host)
       ImageVise.add_secret_key!('l33tness')
@@ -154,6 +154,24 @@ describe ImageVise::RenderEngine do
       expect(parsed_image.columns).to eq(10)
     end
 
+    it 'properly decodes the image request if its Base64 representation contains slashes' do
+      ImageVise.add_secret_key!("this is fab")
+      request_path = '/eyJwaXBlbGluZSI6W1sic2hhcnBlbiIseyJyYWRpdXMiO' +
+       'jAuNSwic2lnbWEiOjAuNX1dXSwic3JjX3VybCI6InNoYWRl' +
+       'cmljb246L0NQR1BfRmlyZWJhbGw/Yz1kOWM4ZTMzO'+
+       'TZmNjMwYzM1MjM0MTYwMmM2YzJhYmQyZjAzNTcxMTF'+
+       'jIn0/64759d9ea610d75d9138bfa3ea01595d343ca8994261ae06fca8e6490222f140'
+
+      # We do a check based on the raised exception - the request will fail
+      # at the fetcher lookup stage. That stage however takes place _after_ the
+      # signature has been validated, which means that the slash within the
+      # Base64 payload has been taken into account
+      expect(app).to receive(:raise_exceptions?).and_return(true)
+      expect {
+        get request_path
+      }.to raise_error(/No fetcher registered for shadericon/)
+    end
+
     it 'calls all of the internal methods during execution' do
       uri = Addressable::URI.parse(public_url)
       ImageVise.add_allowed_host!(uri.host)
@@ -165,6 +183,7 @@ describe ImageVise::RenderEngine do
 
       expect(app).to receive(:parse_env_into_request).and_call_original
       expect(app).to receive(:process_image_request).and_call_original
+      expect(app).to receive(:extract_params_from_request).and_call_original
       expect(app).to receive(:image_rack_response).and_call_original
       expect(app).to receive(:source_file_type_permitted?).and_call_original
       expect(app).to receive(:output_file_type_permitted?).and_call_original
@@ -187,8 +206,6 @@ describe ImageVise::RenderEngine do
       expect(last_response.headers['Content-Type']).to eq('image/jpeg')
     end
 
-    it 'expands and forbids a path outside of the permitted sources'
-
     it 'URI-decodes the path in a file:// URL for a file with a Unicode path' do
       utf8_file_path = File.dirname(test_image_path) + '/картинка.jpg'
       FileUtils.cp_r(test_image_path, utf8_file_path)

data/spec/image_vise_spec.rb

@@ -9,9 +9,8 @@ describe ImageVise do
   end
   
   context 'ImageVise.allowed_hosts' do
-    xit 'returns the allowed hosts' do
-      expect(described_class.allowed_hosts).not_to be_empty
-      expect(described_class.allowed_hosts).to include('wetransfer-unittests.s3.amazonaws.com')
+    it 'returns the allowed hosts and is empty by default' do
+      expect(described_class.allowed_hosts).to be_empty
     end
     
     it 'allows add_allowed_host! and reset_allowed_hosts!' do

data/spec/spec_helper.rb

@@ -55,6 +55,11 @@ RSpec.configure do | config |
     TestServer.start(nil, ssl=false, port=9001)
   end
 
+  config.after :each do
+    ImageVise.reset_allowed_hosts!
+    ImageVise.reset_secret_keys!
+  end
+
   config.after :suite do
     sleep 2
     FileUtils.rm_rf(TEST_RENDERS_DIR)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: image_vise
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - Julik Tarkhanov
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-26 00:00:00.000000000 Z
+date: 2016-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: patron