image_vise 0.1.2 → 0.1.3
- checksums.yaml +4 -4
- data/README.md +8 -0
- data/image_vise.gemspec +3 -3
- data/lib/image_vise/render_engine.rb +5 -2
- data/lib/image_vise.rb +1 -1
- data/spec/image_vise/image_request_spec.rb +0 -2
- data/spec/image_vise/render_engine_spec.rb +20 -3
- data/spec/image_vise_spec.rb +2 -3
- data/spec/spec_helper.rb +5 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 13cb5031151e501b48add64f3082fa22a154dd62
|
4
|
+
data.tar.gz: fee7a59c9576786ecf2532db3e81a0cfea2f7a05
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c437c64f50ed44356f1d72b198d503c7ec562dc34e240cf6a4551fdbd8a713102b282b4e2962b7bdaeebeaa07653e6a0fdd7cd9c619d87425ee860d7b242ff0b
|
7
|
+
data.tar.gz: 0c2979889f495b9cce1ae6388b25b6e5e780efae0f6d7dbdd195da880ff5d6791b197aa2e6971fb952ca508a3d1a874c44c5b955cece414c009a019740edea07
|
data/README.md
CHANGED
@@ -47,6 +47,9 @@ def thumb_url(source_image_url)
|
|
47
47
|
end
|
48
48
|
```
|
49
49
|
|
50
|
+
To preserve your sanity, make the route to the ImageVise engine terminal and do _not_ perform rewrites
|
51
|
+
on it in your webserver configuration - for instance, Base64 permits slashes.
|
52
|
+
|
50
53
|
## Using ImageVise within a Rack application
|
51
54
|
|
52
55
|
Mount ImageVise under a script name in your `config.ru`:
|
@@ -75,6 +78,11 @@ def thumb_url(source_image_url)
|
|
75
78
|
'/images' + path
|
76
79
|
end
|
77
80
|
```
|
81
|
+
## Path decoding and SCRIPT_NAME
|
82
|
+
|
83
|
+
`ImageVise::RenderEngine` _must_ be mounted under a `SCRIPT_NAME` (using either `mount` in Rails
|
84
|
+
or using `map` in Rack). That is so since we may have more than 1 path component that we have to
|
85
|
+
decode (when the Base64 payload contains slashes).
|
78
86
|
|
79
87
|
## Processing files on the local filesystem instead of remote ones
|
80
88
|
|
data/image_vise.gemspec
CHANGED
@@ -2,16 +2,16 @@
|
|
2
2
|
# DO NOT EDIT THIS FILE DIRECTLY
|
3
3
|
# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
|
4
4
|
# -*- encoding: utf-8 -*-
|
5
|
-
# stub: image_vise 0.1.
|
5
|
+
# stub: image_vise 0.1.3 ruby lib
|
6
6
|
|
7
7
|
Gem::Specification.new do |s|
|
8
8
|
s.name = "image_vise"
|
9
|
-
s.version = "0.1.
|
9
|
+
s.version = "0.1.3"
|
10
10
|
|
11
11
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
12
12
|
s.require_paths = ["lib"]
|
13
13
|
s.authors = ["Julik Tarkhanov"]
|
14
|
-
s.date = "2016-10-
|
14
|
+
s.date = "2016-10-29"
|
15
15
|
s.description = "Image processing via URLs"
|
16
16
|
s.email = "me@julik.nl"
|
17
17
|
s.extra_rdoc_files = [
|
@@ -104,8 +104,11 @@ class ImageVise::RenderEngine
|
|
104
104
|
# Prevent cache bypass DOS attacks by only permitting :sig and :q
|
105
105
|
bail(400, 'Query strings are not supported') if rack_request.params.any?
|
106
106
|
|
107
|
-
# Extract the
|
108
|
-
|
107
|
+
# Extract the tail (signature) and the front (the Base64-encoded request).
|
108
|
+
# The Base64-encoded string may contain slashes, that is why recovering one path component
|
109
|
+
# is not enough.
|
110
|
+
sig_from_path = rack_request.path_info[/\/([^\/]+)$/, 1]
|
111
|
+
q_from_path = rack_request.path_info[/\/?(.+)\/[^\/]+$/, 1]
|
109
112
|
|
110
113
|
# Raise if any of them are empty or blank
|
111
114
|
nothing_recovered = [q_from_path, sig_from_path].all?{|v| v.nil? || v.empty? }
|
data/lib/image_vise.rb
CHANGED
@@ -46,8 +46,6 @@ describe ImageVise::ImageRequest do
|
|
46
46
|
end
|
47
47
|
|
48
48
|
describe 'fails with an invalid signature' do
|
49
|
-
it 'when the sig param is missing'
|
50
|
-
it 'when the sig param is empty'
|
51
49
|
it 'when the sig is invalid' do
|
52
50
|
img_params = {src_url: 'http://bucket.s3.aws.com/image.jpg',
|
53
51
|
pipeline: [[:crop, {width: 10, height: 10, gravity: 's'}]]}
|
@@ -137,7 +137,7 @@ describe ImageVise::RenderEngine do
|
|
137
137
|
expect(last_response.status).to eq(304)
|
138
138
|
end
|
139
139
|
|
140
|
-
it '
|
140
|
+
it 'responds with an image that passes through all the processing steps' do
|
141
141
|
uri = Addressable::URI.parse(public_url)
|
142
142
|
ImageVise.add_allowed_host!(uri.host)
|
143
143
|
ImageVise.add_secret_key!('l33tness')
|
@@ -154,6 +154,24 @@ describe ImageVise::RenderEngine do
|
|
154
154
|
expect(parsed_image.columns).to eq(10)
|
155
155
|
end
|
156
156
|
|
157
|
+
it 'properly decodes the image request if its Base64 representation contains slashes' do
|
158
|
+
ImageVise.add_secret_key!("this is fab")
|
159
|
+
request_path = '/eyJwaXBlbGluZSI6W1sic2hhcnBlbiIseyJyYWRpdXMiO' +
|
160
|
+
'jAuNSwic2lnbWEiOjAuNX1dXSwic3JjX3VybCI6InNoYWRl' +
|
161
|
+
'cmljb246L0NQR1BfRmlyZWJhbGw/Yz1kOWM4ZTMzO'+
|
162
|
+
'TZmNjMwYzM1MjM0MTYwMmM2YzJhYmQyZjAzNTcxMTF'+
|
163
|
+
'jIn0/64759d9ea610d75d9138bfa3ea01595d343ca8994261ae06fca8e6490222f140'
|
164
|
+
|
165
|
+
# We do a check based on the raised exception - the request will fail
|
166
|
+
# at the fetcher lookup stage. That stage however takes place _after_ the
|
167
|
+
# signature has been validated, which means that the slash within the
|
168
|
+
# Base64 payload has been taken into account
|
169
|
+
expect(app).to receive(:raise_exceptions?).and_return(true)
|
170
|
+
expect {
|
171
|
+
get request_path
|
172
|
+
}.to raise_error(/No fetcher registered for shadericon/)
|
173
|
+
end
|
174
|
+
|
157
175
|
it 'calls all of the internal methods during execution' do
|
158
176
|
uri = Addressable::URI.parse(public_url)
|
159
177
|
ImageVise.add_allowed_host!(uri.host)
|
@@ -165,6 +183,7 @@ describe ImageVise::RenderEngine do
|
|
165
183
|
|
166
184
|
expect(app).to receive(:parse_env_into_request).and_call_original
|
167
185
|
expect(app).to receive(:process_image_request).and_call_original
|
186
|
+
expect(app).to receive(:extract_params_from_request).and_call_original
|
168
187
|
expect(app).to receive(:image_rack_response).and_call_original
|
169
188
|
expect(app).to receive(:source_file_type_permitted?).and_call_original
|
170
189
|
expect(app).to receive(:output_file_type_permitted?).and_call_original
|
@@ -187,8 +206,6 @@ describe ImageVise::RenderEngine do
|
|
187
206
|
expect(last_response.headers['Content-Type']).to eq('image/jpeg')
|
188
207
|
end
|
189
208
|
|
190
|
-
it 'expands and forbids a path outside of the permitted sources'
|
191
|
-
|
192
209
|
it 'URI-decodes the path in a file:// URL for a file with a Unicode path' do
|
193
210
|
utf8_file_path = File.dirname(test_image_path) + '/картинка.jpg'
|
194
211
|
FileUtils.cp_r(test_image_path, utf8_file_path)
|
data/spec/image_vise_spec.rb
CHANGED
@@ -9,9 +9,8 @@ describe ImageVise do
|
|
9
9
|
end
|
10
10
|
|
11
11
|
context 'ImageVise.allowed_hosts' do
|
12
|
-
|
13
|
-
expect(described_class.allowed_hosts).
|
14
|
-
expect(described_class.allowed_hosts).to include('wetransfer-unittests.s3.amazonaws.com')
|
12
|
+
it 'returns the allowed hosts and is empty by default' do
|
13
|
+
expect(described_class.allowed_hosts).to be_empty
|
15
14
|
end
|
16
15
|
|
17
16
|
it 'allows add_allowed_host! and reset_allowed_hosts!' do
|
data/spec/spec_helper.rb
CHANGED
@@ -55,6 +55,11 @@ RSpec.configure do | config |
|
|
55
55
|
TestServer.start(nil, ssl=false, port=9001)
|
56
56
|
end
|
57
57
|
|
58
|
+
config.after :each do
|
59
|
+
ImageVise.reset_allowed_hosts!
|
60
|
+
ImageVise.reset_secret_keys!
|
61
|
+
end
|
62
|
+
|
58
63
|
config.after :suite do
|
59
64
|
sleep 2
|
60
65
|
FileUtils.rm_rf(TEST_RENDERS_DIR)
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: image_vise
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Julik Tarkhanov
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-10-
|
11
|
+
date: 2016-10-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: patron
|