rack-secure-upload 0.1.1 → 0.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +17 -0
- data/lib/rack/secure_upload/middleware.rb +14 -16
- data/lib/rack/secure_upload/version.rb +1 -1
- data/spec/rack/secure_upload/middleware_spec.rb +2 -2
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b4b1eeae9fa091e56c7c3c2779f4528be8293df0
|
|
4
|
+
data.tar.gz: f132b4749d2b2c70723a33fb3a5d53e9581a0b09
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8ef3981f9f1b939c21b5a4a27bff38b680bfa45b15034249e31e5cd54af48164c041b324d069731a9a1542afce754c7f548b2c5a54897b1cfc9d1045240ed1ff
|
|
7
|
+
data.tar.gz: 0d5e0f6fddd51c324497ad14ab0394b9d7e95b6350ab5adbb72948c14d9d177c7a9e212e49d488013b61f939efe54d51bb95fb17dedf3a1bab9eea12cd3d728e
|
data/README.md
CHANGED
|
@@ -34,6 +34,23 @@ module MyApp
|
|
|
34
34
|
end
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
+
## Options
|
|
38
|
+
|
|
39
|
+
You can add some options like below.
|
|
40
|
+
|
|
41
|
+
```ruby
|
|
42
|
+
use Rack::SecureUpload::Middleware, :fsecure, {foo: :bar}
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
### fallback
|
|
46
|
+
|
|
47
|
+
- `proc { |env, params, path| }`
|
|
48
|
+
- use return value of proc
|
|
49
|
+
- `:raise`
|
|
50
|
+
- raise `Rack::SecureUpload::InsecureFileError` |
|
|
51
|
+
- else
|
|
52
|
+
- return `406`
|
|
53
|
+
|
|
37
54
|
## AntiVirus Softwares
|
|
38
55
|
|
|
39
56
|
### Avast
|
|
@@ -9,30 +9,29 @@ module Rack
|
|
|
9
9
|
|
|
10
10
|
def initialize(app, scanners, options = {})
|
|
11
11
|
@app = app
|
|
12
|
-
@options = options
|
|
13
12
|
@scanners = [scanners].flatten.map { |scanner| scanner.is_a?(Symbol) ? Rack::SecureUpload::Scanner.const_get(camelize(scanner.to_s)).new : scanner }
|
|
14
13
|
@scanners.each do |scanner|
|
|
15
14
|
scanner.setup
|
|
16
15
|
end
|
|
16
|
+
@options = options
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
def call(env)
|
|
20
20
|
params = Rack::Multipart.parse_multipart(env)
|
|
21
21
|
|
|
22
22
|
if params && !params.empty?
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
return [406, {'content-type' => 'text/plain; charset=UTF-8'}, ['Insecure File(s) are found!']]
|
|
23
|
+
traverse(params) do |value|
|
|
24
|
+
next unless [Tempfile, File].any?{ |klass| value.is_a?(klass) }
|
|
25
|
+
|
|
26
|
+
unless scan value.path
|
|
27
|
+
fallback = @options[:fallback]
|
|
28
|
+
if fallback.respond_to?(:call)
|
|
29
|
+
return fallback.call(env, params, value.path)
|
|
30
|
+
elsif fallback.to_s == 'raise'
|
|
31
|
+
raise InsecureFileError, "The uploaded file \"#{value.path}\" is insecure!"
|
|
32
|
+
else
|
|
33
|
+
return [406, {'content-type' => 'text/plain; charset=UTF-8'}, ['Insecure File(s) are found!']]
|
|
34
|
+
end
|
|
36
35
|
end
|
|
37
36
|
end
|
|
38
37
|
end
|
|
@@ -43,13 +42,12 @@ module Rack
|
|
|
43
42
|
private
|
|
44
43
|
|
|
45
44
|
def scan(path)
|
|
46
|
-
|
|
45
|
+
@scanners.any? do |scanner|
|
|
47
46
|
unless res = scanner.scan(path)
|
|
48
47
|
Rack::SecureUpload.logger.warn "#{scanner} found an insecure file: #{path}"
|
|
49
48
|
end
|
|
50
49
|
res
|
|
51
50
|
end
|
|
52
|
-
raise InsecureFileError, "The uploaded file \"#{path}\" is insecure!" unless secure
|
|
53
51
|
end
|
|
54
52
|
end
|
|
55
53
|
end
|
|
@@ -38,9 +38,9 @@ describe Rack::SecureUpload::Middleware do
|
|
|
38
38
|
let(:options) { {fallback: fallback} }
|
|
39
39
|
|
|
40
40
|
it "calls fallback" do
|
|
41
|
-
expect(fallback).to receive(:call)
|
|
41
|
+
expect(fallback).to receive(:call).and_return('yay')
|
|
42
42
|
allow(scanner).to receive(:scan).and_return(false)
|
|
43
|
-
subject.call(env)
|
|
43
|
+
expect(subject.call(env)).to eq('yay')
|
|
44
44
|
end
|
|
45
45
|
end
|
|
46
46
|
context "fallback is raise" do
|