rack-secure-upload 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d0ba9f53bce6aa9b457f8e3b239d6a4d3bc3ffaf
-  data.tar.gz: ebd770e5e8bb8a5043f0ab6c7a1305a790471f67
+  metadata.gz: b036f4ac41ac68592044502068e7988049f23991
+  data.tar.gz: 840e4c8358d2dbb268f0487076b43de84a4bf32a
 SHA512:
-  metadata.gz: a05f9640d310478531800cb2ffe6661e1badb469d95eabe720e24d1211056edf2ee6a96ecdd09f94bdf78c515b88ea2ca4376608c912aedd1754d756c4591727
-  data.tar.gz: 6643d906405bff3ab54651a8fc2f2f9513981fb9adf2a1e8d99f2857a957b3bb9b391698b088494b3c74db4c8999d1b6afb08cdf9cf3eaaf909776d5de792b79
+  metadata.gz: 514c477f9022a3df886c57568bb8a737f98a7fd93f71b4c9cf922a7b9d8f2050e32de72795f1abcdf2b22477c9f27c9f794a4dbf00ad6eae6b8bc1ee3ced0d24
+  data.tar.gz: f71b8efc4bfa183ea50b97e48d72f86489464f20fa56a4e49b751a27a2a7b799086a78e826a71731136bc3cb75cd60c46b69a63c05978b03a313a16d809602d1

data/README.md

@@ -29,7 +29,7 @@ In `config/application.rb`
 ```ruby
 module MyApp
   class Application < Rails::Application
-    config.middleware.use Rack::DevMark::Middleware, :fsecure
+    config.middleware.insert_before ActionDispatch::ParamsParser, Rack::SecureUpload::Middleware, :avast
   end 
 end
 ```

data/lib/rack/secure_upload/middleware.rb

@@ -7,8 +7,9 @@ module Rack
     class Middleware
       include Utility
 
-      def initialize(app, scanners)
+      def initialize(app, scanners, options = {})
         @app = app
+        @options = options
         @scanners = [scanners].flatten.map { |scanner| scanner.is_a?(Symbol) ? Rack::SecureUpload::Scanner.const_get(camelize(scanner.to_s)).new : scanner }
         @scanners.each do |scanner|
           scanner.setup
@@ -19,9 +20,20 @@ module Rack
         params = Rack::Multipart.parse_multipart(env)
 
         if params && !params.empty?
-          traverse(params) do |value|
-            next unless [Tempfile, File].any?{ |klass| value.is_a?(klass) }
-            scan value.path
+          begin
+            traverse(params) do |value|
+              next unless [Tempfile, File].any?{ |klass| value.is_a?(klass) }
+              scan value.path
+            end
+          rescue InsecureFileError => e
+            fallback = @options[:fallback]
+            if fallback.respond_to?(:call)
+              return fallback.call(env, params, e)
+            elsif fallback.to_s == 'raise'
+              raise
+            else
+              return [406, {'content-type' => 'text/plain; charset=UTF-8'}, ['Insecure File(s) are found!']]
+            end
           end
         end
 

data/lib/rack/secure_upload/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module SecureUpload
-    VERSION = "0.1.0"
+    VERSION = "0.1.1"
   end
 end

data/spec/rack/secure_upload/middleware_spec.rb

@@ -1,33 +1,63 @@
 require "spec_helper"
 
 describe Rack::SecureUpload::Middleware do
-  let(:env) { Rack::MockRequest.env_for('/') }
+  let(:env) { Rack::MockRequest.env_for('/', method: :post, params: {foo: file}) }
   let(:file) { Rack::Multipart::UploadedFile.new(__FILE__) }
   let(:scanner) { double setup: true, scan: true }
-  subject { Rack::SecureUpload::Middleware.new(->env { ":)" }, scanner) }
+  let(:options) { {} }
+  subject { Rack::SecureUpload::Middleware.new(->env { ":)" }, scanner, options) }
 
-  context "with uploaded file" do
-    let(:env) { Rack::MockRequest.env_for('/', method: :post, params: {foo: file}) }
+  it "scans" do
+    expect(scanner).to receive(:scan).once.and_return(true)
+    expect(subject.call(env)).to eq(":)")
+  end
+  it "returns 406" do
+    expect(scanner).to receive(:scan).and_return(false)
+    expect(subject.call(env)).to match_array([406, hash_including, match_array([//])])
+  end
+
+  context "with multiple uploaded files" do
+    let(:env) { Rack::MockRequest.env_for('/', method: :post, params: {foo: file, bar: file, zoo: file}) }
 
-    it "scans" do
-      expect(scanner).to receive(:scan)
-      subject.call(env)
+    it "scans multiple times" do
+      expect(scanner).to receive(:scan).exactly(3).times
+      expect(subject.call(env)).to eq(":)")
     end
+  end
+  context "without uplaod file" do
+    let(:env) { Rack::MockRequest.env_for('/') }
 
-    context "with multiple uploaded files" do
-      let(:env) { Rack::MockRequest.env_for('/', method: :post, params: {foo: file, bar: file, zoo: file}) }
+    it "does not scan" do
+      expect(scanner).not_to receive(:scan)
+      expect(subject.call(env)).to eq(":)")
+    end
+  end
+  context "fallback option" do
+    context "fallback is a proc" do
+      let(:fallback) { proc {} }
+      let(:options) { {fallback: fallback} }
 
-      it "scans" do
-        expect(scanner).to receive(:scan).exactly(3).times
+      it "calls fallback" do
+        expect(fallback).to receive(:call)
+        allow(scanner).to receive(:scan).and_return(false)
         subject.call(env)
       end
     end
-  end
+    context "fallback is raise" do
+      let(:options) { {fallback: :raise} }
 
-  context "without uplaod file" do
-    it "does not scan" do
-      expect(scanner).not_to receive(:scan)
-      subject.call(env)
+      it "raises an exception" do
+        allow(scanner).to receive(:scan).and_return(false)
+        expect { subject.call(env) }.to raise_error(Rack::SecureUpload::InsecureFileError)
+      end
+    end
+    context "fallback is other value" do
+      let(:options) { {fallback: 'foo'} }
+
+      it "returns 406" do
+        allow(scanner).to receive(:scan).and_return(false)
+        expect(subject.call(env)).to match_array([406, hash_including, match_array([//])])
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-secure-upload
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Daisuke Taniwaki