refile 0.5.2 → 0.5.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d93614e14a47419b97ee9062afbbe4d1df8fbdeb
-  data.tar.gz: 352d8c297f223caeddd1bc9b2fe0381ae8f2ce80
+  metadata.gz: 6797e0c960a77817f75d9f5a6c5b48e7e4f3b363
+  data.tar.gz: 430f42e462d044897740dad2fb9dd21db6b707d9
 SHA512:
-  metadata.gz: ecbafbc35dc7a1fac5fbd9d0bd92681362bc09f188dd494e7e76d2a2d5a4fb2c2538c19c64bf167c508f1ed62d853e0ad64f6dfbd5cf99a94b1ca236ca7c6eef
-  data.tar.gz: 7f1e0714723dcabd5d884d3e031664a2153d987d464df0a43547aaba94de10d68fc761de7a87e2075abca911cfce4db5b2d527120ba4323f01bd9a5a0bf72214
+  metadata.gz: 7e1560a7e9a3ff8e13e628f1e77c1d135e0828dd1eb451b8702092122bf90575c4f11d77dc6f526787a6d7eeeb6818ae602007a5276acfccc51dc7f88d3e770e
+  data.tar.gz: d99149310b57a8a766f448361cb46bf9e7d5d4699ed624422985d418cd3bc8529a86c425e87b8b367f5f5371ce2398241d90cbdac9065d3e504e7a7258429549

data/.rubocop.yml

@@ -55,8 +55,14 @@ Style/AccessModifierIndentation:
 Style/SignalException:
   Enabled: false
 
+Style/IndentationWidth:
+  Enabled: false
+
 Lint/EndAlignment:
   AlignWith: variable
 
+Lint/DefEndAlignment:
+  Enabled: false
+
 Lint/HandleExceptions:
   Enabled: false

data/History.md

@@ -1,3 +1,10 @@
+# 0.5.3
+
+Release date: 2015-01-18
+
+- [FIXED] More stringent checks for ID validity.
+- [CHANGED] `Refile.attachment_url` not uses `Refile.mount_point` as the prefix by default.
+
 # 0.5.2
 
 Release date: 2015-01-13

data/lib/refile.rb

@@ -8,6 +8,9 @@ module Refile
   # @api private
   class Invalid < StandardError; end
 
+  # @api private
+  class InvalidID < Invalid; end
+
   # @api private
   class Confirm < StandardError
     def message
@@ -166,27 +169,6 @@ module Refile
       yield self
     end
 
-    # Verify that the given uploadable is indeed a valid uploadable. This
-    # method is used by backends as a sanity check, you should not have to use
-    # this method unless you are writing a backend.
-    #
-    # @param [IO] uploadable    The uploadable object to verify
-    # @param [Fixnum] max_size  The maximum size of the uploadable object
-    # @raise [ArgumentError]    If the uploadable is not an IO-like object
-    # @raise [Refile::Invalid]  If the uploadable's size is too large
-    # @return [true]            Always returns true if it doesn't raise
-    def verify_uploadable(uploadable, max_size)
-      [:size, :read, :eof?, :close].each do |m|
-        unless uploadable.respond_to?(m)
-          raise ArgumentError, "does not respond to `#{m}`."
-        end
-      end
-      if max_size and uploadable.size > max_size
-        raise Refile::Invalid, "#{uploadable.inspect} is too large"
-      end
-      true
-    end
-
     # Extract the filename from an uploadable object. If the filename cannot be
     # determined, this method will return `nil`.
     #
@@ -254,6 +236,7 @@ module Refile
       return unless file
 
       host ||= Refile.host
+      prefix ||= Refile.mount_point
       filename ||= attacher.basename || name.to_s
       format ||= attacher.extension
 
@@ -271,6 +254,7 @@ module Refile
   require "refile/version"
   require "refile/signature"
   require "refile/type"
+  require "refile/backend_macros"
   require "refile/attacher"
   require "refile/attachment"
   require "refile/random_hasher"

data/lib/refile/backend/file_system.rb

@@ -7,6 +7,8 @@ module Refile
     #   file = backend.upload(StringIO.new("hello"))
     #   backend.read(file.id) # => "hello"
     class FileSystem
+      extend Refile::BackendMacros
+
       # @return [String] the directory where files are stored
       attr_reader :directory
 
@@ -30,9 +32,7 @@ module Refile
       #
       # @param [IO] uploadable      An uploadable IO-like object.
       # @return [Refile::File]      The uploaded file
-      def upload(uploadable)
-        Refile.verify_uploadable(uploadable, @max_size)
-
+      verify_uploadable def upload(uploadable)
         id = @hasher.hash(uploadable)
         IO.copy_stream(uploadable, path(id))
 
@@ -47,7 +47,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [Refile::File]      The retrieved file
-      def get(id)
+      verify_id def get(id)
         Refile::File.new(self, id)
       end
 
@@ -55,7 +55,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [void]
-      def delete(id)
+      verify_id def delete(id)
         FileUtils.rm(path(id)) if exists?(id)
       end
 
@@ -64,7 +64,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [IO]                An IO object containing the file contents
-      def open(id)
+      verify_id def open(id)
         ::File.open(path(id), "rb")
       end
 
@@ -72,7 +72,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [String]            The file's contents
-      def read(id)
+      verify_id def read(id)
         ::File.read(path(id)) if exists?(id)
       end
 
@@ -80,7 +80,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [Integer]           The file's size
-      def size(id)
+      verify_id def size(id)
         ::File.size(path(id)) if exists?(id)
       end
 
@@ -88,7 +88,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [Boolean]
-      def exists?(id)
+      verify_id def exists?(id)
         ::File.exist?(path(id))
       end
 
@@ -110,7 +110,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [String]
-      def path(id)
+      verify_id def path(id)
         ::File.join(@directory, id)
       end
     end

data/lib/refile/backend/s3.rb

@@ -15,6 +15,8 @@ module Refile
     #   file = backend.upload(StringIO.new("hello"))
     #   backend.read(file.id) # => "hello"
     class S3
+      extend Refile::BackendMacros
+
       attr_reader :access_key_id, :max_size
 
       # Sets up an S3 backend with the given credentials.
@@ -44,9 +46,7 @@ module Refile
       #
       # @param [IO] uploadable      An uploadable IO-like object.
       # @return [Refile::File]      The uploaded file
-      def upload(uploadable)
-        Refile.verify_uploadable(uploadable, @max_size)
-
+      verify_uploadable def upload(uploadable)
         id = @hasher.hash(uploadable)
 
         if uploadable.is_a?(Refile::File) and uploadable.backend.is_a?(S3) and uploadable.backend.access_key_id == access_key_id
@@ -66,7 +66,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [Refile::File]      The retrieved file
-      def get(id)
+      verify_id def get(id)
         Refile::File.new(self, id)
       end
 
@@ -74,7 +74,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [void]
-      def delete(id)
+      verify_id def delete(id)
         object(id).delete
       end
 
@@ -83,7 +83,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [IO]                An IO object containing the file contents
-      def open(id)
+      verify_id def open(id)
         Kernel.open(object(id).url_for(:read))
       end
 
@@ -91,7 +91,7 @@ module Refile
       #
       # @param [String] id           The id of the file
       # @return [String]             The file's contents
-      def read(id)
+      verify_id def read(id)
         object(id).read
       rescue AWS::S3::Errors::NoSuchKey
         nil
@@ -101,7 +101,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [Integer]           The file's size
-      def size(id)
+      verify_id def size(id)
         object(id).content_length
       rescue AWS::S3::Errors::NoSuchKey
         nil
@@ -111,7 +111,7 @@ module Refile
       #
       # @param [Sring] id           The id of the file
       # @return [Boolean]
-      def exists?(id)
+      verify_id def exists?(id)
         object(id).exists?
       end
 
@@ -139,7 +139,7 @@ module Refile
         Signature.new(as: "file", id: id, url: signature.url.to_s, fields: signature.fields)
       end
 
-      def object(id)
+      verify_id def object(id)
         @bucket.objects[[*@prefix, id].join("/")]
       end
     end

data/lib/refile/backend_macros.rb

@@ -0,0 +1,37 @@
+module Refile
+  # Macros which make it easier to write secure backends.
+  #
+  # @api private
+  module BackendMacros
+    def verify_id(method)
+      mod = Module.new do
+        define_method(method) do |id|
+          id = id.to_s
+          if id =~ /\A[a-z0-9]+\z/i
+            super(id)
+          else
+            raise Refile::InvalidID
+          end
+        end
+      end
+      prepend mod
+    end
+
+    def verify_uploadable(method)
+      mod = Module.new do
+        define_method(method) do |uploadable|
+          [:size, :read, :eof?, :close].each do |m|
+            unless uploadable.respond_to?(m)
+              raise ArgumentError, "does not respond to `#{m}`."
+            end
+          end
+          if max_size and uploadable.size > max_size
+            raise Refile::Invalid, "#{uploadable.inspect} is too large"
+          end
+          super(uploadable)
+        end
+      end
+      prepend mod
+    end
+  end
+end

data/lib/refile/rails/attachment_helper.rb

@@ -23,7 +23,7 @@ module Refile
     # @param [String, nil] host            Override the host
     # @return [String, nil]                The generated URL
     def attachment_url(record, name, *args, **opts)
-      Refile.attachment_url(record, name, *args, prefix: main_app.refile_app_path, **opts)
+      Refile.attachment_url(record, name, *args, **opts)
     end
 
     # Generates an image tag for the given attachment, adding appropriate

data/lib/refile/version.rb

@@ -1,3 +1,3 @@
 module Refile
-  VERSION = "0.5.2"
+  VERSION = "0.5.3"
 end

data/spec/refile/backend_examples.rb

@@ -67,6 +67,10 @@ RSpec.shared_examples_for :backend do
 
       expect(backend.get(file.id).exists?).to be_falsy
     end
+
+    it "raises error when called with invalid ID" do
+      expect { backend.delete("/evil") }.to raise_error(Refile::InvalidID)
+    end
   end
 
   describe "#read" do
@@ -83,6 +87,10 @@ RSpec.shared_examples_for :backend do
       file = backend.upload(uploadable)
       expect(file.read).to eq("hello")
     end
+
+    it "raises error when called with invalid ID" do
+      expect { backend.read("/evil") }.to raise_error(Refile::InvalidID)
+    end
   end
 
   describe "#size" do
@@ -99,6 +107,10 @@ RSpec.shared_examples_for :backend do
       file = backend.upload(uploadable)
       expect(file.size).to eq(5)
     end
+
+    it "raises error when called with invalid ID" do
+      expect { backend.size("/evil") }.to raise_error(Refile::InvalidID)
+    end
   end
 
   describe "#exists?" do
@@ -115,6 +127,10 @@ RSpec.shared_examples_for :backend do
       expect(backend.upload(uploadable).exists?).to eq(true)
       expect(backend.get("nosuchfile").exists?).to eq(false)
     end
+
+    it "raises error when called with invalid ID" do
+      expect { backend.exists?("/evil") }.to raise_error(Refile::InvalidID)
+    end
   end
 
   describe "#clear!" do

data/spec/refile/backend_macros_spec.rb

@@ -0,0 +1,62 @@
+RSpec.describe Refile::BackendMacros do
+  let(:klass) do
+    Class.new do
+      extend Refile::BackendMacros
+
+      attr_accessor :max_size
+
+      verify_uploadable def upload(uploadable)
+        uploadable
+      end
+
+      verify_id def get(id)
+        id
+      end
+    end
+  end
+  let(:instance) { klass.new }
+
+  describe "#verify_uploadable" do
+    let(:io) { StringIO.new("hello") }
+
+    it "works if it conforms to required API" do
+      expect(instance.upload(double(size: 444, read: io, eof?: true, close: nil))).to be_truthy
+    end
+
+    it "raises ArgumentError if argument does not respond to `size`" do
+      expect { instance.upload(double(read: io, eof?: true, close: nil)) }.to raise_error(ArgumentError)
+    end
+
+    it "raises ArgumentError if argument does not respond to `read`" do
+      expect { instance.upload(double(size: 444, eof?: true, close: nil)) }.to raise_error(ArgumentError)
+    end
+
+    it "raises ArgumentError if argument does not respond to `eof?`" do
+      expect { instance.upload(double(size: 444, read: true, close: nil)) }.to raise_error(ArgumentError)
+    end
+
+    it "raises ArgumentError if argument does not respond to `close`" do
+      expect { instance.upload(double(size: 444, read: true, eof?: true)) }.to raise_error(ArgumentError)
+    end
+
+    it "returns true if size is respeced" do
+      instance.max_size = 8
+      expect(instance.upload(Refile::FileDouble.new("hello"))).to be_truthy
+    end
+
+    it "raises Refile::Invalid if size is exceeded" do
+      instance.max_size = 8
+      expect { instance.upload(Refile::FileDouble.new("hello world")) }.to raise_error(Refile::Invalid)
+    end
+  end
+
+  describe "#verify_id" do
+    it "works if it has a valid ID" do
+      expect(instance.get("1234aBCde123aee")).to be_truthy
+    end
+
+    it "raises ArgumentError if argument does not respond to `size`" do
+      expect { instance.get("ev/il") }.to raise_error(Refile::InvalidID)
+    end
+  end
+end

data/spec/refile_spec.rb

@@ -1,38 +1,6 @@
 require "refile"
 
 RSpec.describe Refile do
-  let(:io) { StringIO.new("hello") }
-
-  describe ".verify_uploadable" do
-    it "works if it conforms to required API" do
-      expect(Refile.verify_uploadable(double(size: 444, read: io, eof?: true, close: nil), nil)).to be_truthy
-    end
-
-    it "raises ArgumentError if argument does not respond to `size`" do
-      expect { Refile.verify_uploadable(double(read: io, eof?: true, close: nil), nil) }.to raise_error(ArgumentError)
-    end
-
-    it "raises ArgumentError if argument does not respond to `read`" do
-      expect { Refile.verify_uploadable(double(size: 444, eof?: true, close: nil), nil) }.to raise_error(ArgumentError)
-    end
-
-    it "raises ArgumentError if argument does not respond to `eof?`" do
-      expect { Refile.verify_uploadable(double(size: 444, read: true, close: nil), nil) }.to raise_error(ArgumentError)
-    end
-
-    it "raises ArgumentError if argument does not respond to `close`" do
-      expect { Refile.verify_uploadable(double(size: 444, read: true, eof?: true), nil) }.to raise_error(ArgumentError)
-    end
-
-    it "returns true if size is respeced" do
-      expect(Refile.verify_uploadable(Refile::FileDouble.new("hello"), 8)).to be_truthy
-    end
-
-    it "raises Refile::Invalid if size is exceeded" do
-      expect { Refile.verify_uploadable(Refile::FileDouble.new("hello world"), 8) }.to raise_error(Refile::Invalid)
-    end
-  end
-
   describe ".extract_filename" do
     it "extracts filename from original_filename" do
       name = Refile.extract_filename(double(original_filename: "/foo/bar/baz.png"))
@@ -84,6 +52,7 @@ RSpec.describe Refile do
 
     before do
       allow(Refile).to receive(:host).and_return(nil)
+      allow(Refile).to receive(:mount_point).and_return(nil)
     end
 
     context "with file" do
@@ -109,6 +78,11 @@ RSpec.describe Refile do
         expect(Refile.attachment_url(instance, :document, prefix: "moo")).to eq("/moo/cache/#{id}/document")
       end
 
+      it "takes prefix from Refile.mount_point" do
+        allow(Refile).to receive(:mount_point).and_return("attachments")
+        expect(Refile.attachment_url(instance, :document)).to eq("/attachments/cache/#{id}/document")
+      end
+
       it "adds an escaped filename" do
         expect(Refile.attachment_url(instance, :document, filename: "test.png")).to eq("/cache/#{id}/test.png")
         expect(Refile.attachment_url(instance, :document, filename: "tes/t.png")).to eq("/cache/#{id}/tes%2Ft.png")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: refile
 version: !ruby/object:Gem::Version
-  version: 0.5.2
+  version: 0.5.3
 platform: ruby
 authors:
 - Jonas Nicklas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-13 00:00:00.000000000 Z
+date: 2015-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -291,6 +291,7 @@ files:
 - lib/refile/attachment/active_record.rb
 - lib/refile/backend/file_system.rb
 - lib/refile/backend/s3.rb
+- lib/refile/backend_macros.rb
 - lib/refile/custom_logger.rb
 - lib/refile/file.rb
 - lib/refile/image_processing.rb
@@ -308,6 +309,7 @@ files:
 - spec/refile/backend/file_system_spec.rb
 - spec/refile/backend/s3_spec.rb
 - spec/refile/backend_examples.rb
+- spec/refile/backend_macros_spec.rb
 - spec/refile/custom_logger_spec.rb
 - spec/refile/features/direct_upload_spec.rb
 - spec/refile/features/normal_upload_spec.rb
@@ -370,6 +372,7 @@ test_files:
 - spec/refile/backend/file_system_spec.rb
 - spec/refile/backend/s3_spec.rb
 - spec/refile/backend_examples.rb
+- spec/refile/backend_macros_spec.rb
 - spec/refile/custom_logger_spec.rb
 - spec/refile/features/direct_upload_spec.rb
 - spec/refile/features/normal_upload_spec.rb