mountable_file_server 0.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9eca97072a7e354d3523e099982afc7cf4234516
-  data.tar.gz: 938444d589b364fb81bb16ab26244425601ba4eb
+  metadata.gz: 06ba105404c99a412b676531f8e1cf413dcef90e
+  data.tar.gz: 4b2a1588e17a8dc4ce720b9b88267e8a93f4fced
 SHA512:
-  metadata.gz: 09226be2ad7e5f2ccfac19be367b42f44d94e9570a91a2046f541468a1aaca317eae56baf4829455e450814c831e30f3147897ee344f842f245ca846a812d45b
-  data.tar.gz: 9f5d940813c63c26497be28472b5e12175ca4be1bec7903f8f5f21fe6412f89cdddaf26e75be3e2e3b4de40a628f898030e33b8f2b509c312625781edcd8067c
+  metadata.gz: 0f8109f98d14e82c53933a7e01a7fe7ef96ac4c321d03d57f075de188afef8432d9964126c1a838f4f6916a73de84446365d4a278c4fd7f97572bd4eaf68adb2
+  data.tar.gz: 759a235787657eeeecfdca45a6637b66686b3ca41bc8eac2c3e1018537c1fc7b5e99f117cca7c700bf648ef4ece6b55be0f51dced14e70f074384b3903456fa1

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 2.0.0
+* Remove HTTP endpoints for moving and deleting uploads due to security concerns.
+* Return 404 for unknown or malformed FIDs.
+
 # 0.0.2 - 24.08.2015
 * Internal refactorings.
 * Introduce `Adapter` class to have one point of contact.

data/README.md

@@ -53,7 +53,7 @@ end
 ~~~
 
 ## Configuration
-As seen in the previous section there is a global configuration at `MountableFileServer.configuration` available.  
+As seen in the previous section there is a global configuration at `MountableFileServer.configuration` available.
 This is an instance of the `MountableFileServer::Configration` class. The global configuration is a default argument for all classes that require access to the configuration. In situations where you have multiple endpoints with different settings you can pass in you own configuration objects instead.
 
 The global configuration can be configured through a block.
@@ -81,36 +81,41 @@ The `files` argument is an array of `File` objects or an `FileList` object. Thes
 
 Following events will be dispatched on the element that was passed to `uploadFiles`. When you are listening to one of these events you can access the described attributes on the `event.detail` object.
 
-`upload:start` is dispatched when the upload starts.  
+`upload:start` is dispatched when the upload starts.
 It has the attributes `uploadId` and `file`. The `uploadId` is local and can be used to identify events in a scenario where multiple files are uploaded. The `file` attribute is the original `File` object and useful for showing a preview or other information about the file.
 
-`upload:progress` is continuously dispatched while the upload is happening.  
+`upload:progress` is continuously dispatched while the upload is happening.
 It has the attributes `uploadId` and `progress`. The `progress` attribute is the original [ProgressEvent](https://developer.mozilla.org/en-US/docs/Web/API/ProgressEvent) object of the AJAX request.
 
-`upload:success` is dispatched when the upload succeeded.  
+`upload:success` is dispatched when the upload succeeded.
 It has the attributes `uploadId`, `uid` and `wasLastUpload`. The `uid` attribute is the unique identifier generated by the MountableFileServer. You will want to add it to your form and store it along your other data. The `wasLastUpload` attribute indicates if this was the last upload in progress.
 
 ## Ruby API
 The `MountableFileServer::Adapter` class allows you to interact with uploaded files. It takes a `MountableFileServer::Configuration` instance as argument and uses `MountableFileServer.configuration` by default.
 
-`MountableFileServer::Adapter#store_temporary(input, type, extension)`  
+`MountableFileServer::Adapter#store_temporary(input, type, extension)`
 Stores the input as file in the temporary storage and returns the `uid` of the file. `input` can be a path to a file or an [IO](http://ruby-doc.org/core-2.2.2/IO.html) object. `type` can be `public` or `private` and the `extension` argument specifies the extension the file should have.
 
-`MountableFileServer::Adapter#store_permanent(input, type, extension)`  
+`MountableFileServer::Adapter#store_permanent(input, type, extension)`
 Stores the input as file in the permanent storage and returns the `uid` of the file. `input` can be a path to a file or an [IO](http://ruby-doc.org/core-2.2.2/IO.html) object. `type` can be `public` or `private` and the `extension` argument specifies the extension the file should have.
 
-`MountableFileServer::Adapter#move_to_permanent_storage(uid)`  
+`MountableFileServer::Adapter#move_to_permanent_storage(uid)`
 Moves a file from the temporary storage to the permanent one. This is mostly used in a scenario where users upload files. A file uploaded through the endpoint is initially only stored in the temporary storage. The application has to move it explicitly to the permanent storage. For example after all validations passed.
 
-`MountableFileServer::Adapter#remove_from_permanent_storage(uid)`  
+`MountableFileServer::Adapter#remove_from_permanent_storage(uid)`
 Removes the file from the permanent storage.
 
-`MountableFileServer::Adapter#url_for(uid)`  
+`MountableFileServer::Adapter#url_for(uid)`
 Returns the URL for an uploaded file. Only works for public files, if you pass the `uid` of a private file an error will be raised.
 
-`MountableFileServer::Adapter#pathname_for(id)`  
+`MountableFileServer::Adapter#pathname_for(id)`
 Returns a [Pathname](http://ruby-doc.org/stdlib-2.2.2/libdoc/pathname/rdoc/Pathname.html) object for the uploaded file. The pathname will always point to the file on disk independent from the files type or current storage location.
 
+# Development
+Run the migrations of the Ruby on Rails dummy application to make sure you can run the tests: `cd test/rails-dummy && RAILS_ENV=test bundle exec rake db:migrate`.
+
+Run tests with `bundle exec rake test`.
+
 # Publish on RubyGems.org
 
 1. Increment `lib/mountable_image_server/version.rb` to your liking.

data/lib/mountable_file_server/server.rb

@@ -25,25 +25,13 @@ module MountableFileServer
     end
 
     get '/:fid' do |fid|
-      adapter = Adapter.new
-      pathname = adapter.pathname_for(fid)
-      send_file pathname
-    end
-
-    post '/:fid/store-permanent' do |fid|
-      adapter = Adapter.new
-      adapter.move_to_permanent_storage(fid)
-
-      content_type :json
-      status 200
-    end
-
-    delete '/:fid' do |fid|
-      adapter = Adapter.new
-      adapter.remove_from_storage(fid)
-
-      content_type :json
-      status 200
+      begin
+        adapter = Adapter.new
+        pathname = adapter.pathname_for(fid)
+        send_file pathname
+      rescue MissingFile, MalformedIdentifier
+        status 404
+      end
     end
   end
 end

data/lib/mountable_file_server/unique_identifier.rb

@@ -2,11 +2,14 @@ require 'securerandom'
 
 module MountableFileServer
   UnknownType = Class.new(ArgumentError)
+  MalformedIdentifier = Class.new(ArgumentError)
 
   class UniqueIdentifier < String
     attr_reader :type, :filename
 
     def initialize(string)
+      raise MalformedIdentifier.new unless /(\w+)-(.+)$/.match(string)
+
       @type, @filename = /(\w+)-(.+)$/.match(string).captures
 
       raise UnknownType.new(type) unless known_type?

data/lib/mountable_file_server/version.rb

@@ -1,3 +1,3 @@
 module MountableFileServer
-  VERSION = "0.1.0"
+  VERSION = "2.0.0"
 end

data/mountable_file_server.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rack-test", "~> 0.6.3"
   spec.add_development_dependency "webmock", "~> 2.1.0"
 
-  spec.add_runtime_dependency "sinatra", "~> 2.0.0.rc1"
+  spec.add_runtime_dependency "sinatra", "~> 2.0.0"
   spec.add_runtime_dependency "dry-configurable", "~> 0.1.6"
   spec.add_runtime_dependency "dimensions", "~> 1.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mountable_file_server
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - David Strauß
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-10 00:00:00.000000000 Z
+date: 2018-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -142,14 +142,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0.rc1
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0.rc1
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: dry-configurable
   requirement: !ruby/object:Gem::Requirement