remote_image_fetch 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 98ff838124f739e14ba9688f2fc8ead8f789e576
+  data.tar.gz: 85638d680340fb1a9dc46ab26bbfd84084dabc78
+SHA512:
+  metadata.gz: aeb135e6059806159abc2a7fa71afc0d63fbcaa8227f42f249c6bfdea59db74b2e9af23513e9cbbfa353f3794ceb1f56ea2a2bd097ec20f098a37e7f90401cf6
+  data.tar.gz: b513de536e94d762dad68eaa85d6a6e0836b71cf5600340c67c5554f2e26df329726ea2ea478b7ddf9026274808aec5cd86cb1a37af53943c3fc327bd6effa43

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.1.10
+before_install: gem install bundler -v 1.14.6

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in remote_image_fetch.gemspec
+gemspec

data/README.md

@@ -0,0 +1,50 @@
+# RemoteImageFetch
+
+[![Build Status](https://travis-ci.org/livelink/remote_image_fetch.svg?branch=master)](https://travis-ci.org/livelink/remote_image_fetch)
+
+Use Curl::Multi with support for filterable Location: redirects.  
+
+The intended use is fetching user specified URIs with libcurl from an application server, while blocking access to local hosts.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'remote_image_fetch'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install remote_image_fetch
+
+## Usage
+
+```ruby
+downloader = RemoteImageFetch.new(ip_blacklist: /^(127\.0\.0|10|192\.168)\./)
+
+downloader.download(raw_url) do |result|
+  if result.ok?
+    # process download
+  else
+    # handle error?
+  end
+end
+
+downloader.run
+```
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/livelink/remote_image_fetch.

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "remote_image_fetch"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/remote_image_fetch.rb

@@ -0,0 +1,96 @@
+require 'curl'
+
+require 'remote_image_fetch/version'
+require 'remote_image_fetch/download_result'
+require 'remote_image_fetch/curl_error'
+require 'remote_image_fetch/curl_wrap'
+require 'remote_image_fetch/uri_restrictions'
+
+# RemoteImageFetch
+class RemoteImageFetch
+  attr_reader :success, :failures
+
+  def initialize(options = {})
+    @max_parallel  = options[:max_parallel]  || 16
+    @max_redirects = options[:max_redirects] || 4
+
+    @uri_restrictions = RemoteImageFetch::UriRestrictions.new(options)
+
+    @change_flagged = false
+    @core = Curl::Multi.new
+    @downloads = []
+
+    @success  = 0
+    @failures = 0
+  end
+
+  def download(url, *args, &callback)
+    curl = CurlWrap.new(url)
+    curl.setup self
+    curl.args = args
+    curl.callback = callback
+    downloads.push(curl)
+    curl
+  end
+
+  def run
+    auto_queue!
+    core.perform
+  end
+
+  def report_done(curl, *_args)
+    @change_flagged = true
+    @success += 1
+    curl.report(DownloadResult::OK.new(curl))
+    auto_queue!
+  end
+
+  def report_failed(curl, error = nil)
+    @change_flagged = true
+    @failures += 1
+    error ||= CurlError.new(curl)
+    curl.report(DownloadResult::Fail.new(curl, error))
+    auto_queue!
+  end
+
+  def check_and_redirect(curl)
+    raise "Too many redirects for #{curl.url}" if curl.redirects > max_redirects
+    check_url(curl.redirect_url)
+    curl.url = curl.redirect_url
+    core.add(curl)
+  rescue => e
+    report_failed(curl, e)
+  end
+
+  private
+
+  attr_reader :uri_restrictions, :downloads, :core,
+              :max_parallel, :max_redirects
+
+  def auto_queue!
+    loop do
+      break if core.requests.size > max_parallel
+      break if downloads.empty?
+
+      queue_next!
+    end
+    @change_flagged = false
+  end
+
+  def queue_next!
+    get(downloads.pop)
+  rescue
+    nil
+  end
+
+  def check_url(url)
+    uri_restrictions.check(url)
+  end
+
+  def get(curl)
+    check_url(curl.url)
+    core.add(curl)
+  rescue => e
+    report_failed(curl, e)
+  end
+end

data/lib/remote_image_fetch/curl_error.rb

@@ -0,0 +1,16 @@
+class RemoteImageFetch
+  # Wrap cURL response as if it's an error
+  class CurlError
+    def initialize(curl)
+      @curl = curl
+    end
+
+    def message
+      @curl.status
+    end
+
+    def to_s
+      message
+    end
+  end
+end

data/lib/remote_image_fetch/curl_wrap.rb

@@ -0,0 +1,46 @@
+class RemoteImageFetch
+  # Wrap Curl::Easy with additional helper methods
+  # Can't override initialize() as curb doesn't call it properly.
+  class CurlWrap < Curl::Easy
+    attr_reader :redirects, :result
+    attr_accessor :args, :callback, :redirect, :fetcher
+
+    def setup(fetcher)
+      self.follow_location = false
+      @fetcher = fetcher
+      @redirects = 0
+
+      on_complete(&method(:handle_complete))
+      on_redirect(&method(:handle_redirect))
+    end
+
+    def body_io
+      @body_io ||= StringIO.new(body_str)
+    end
+
+    def report(result)
+      @result = result
+      callback.call(result, *args) if callback
+    end
+
+    private
+
+    def handle_complete(*_args)
+      case response_code
+      when 301, 302, 303
+        # handled by handle_redirect
+      when 200
+        fetcher.report_done(self)
+      else
+        fetcher.report_failed(self)
+      end
+      true
+    end
+
+    def handle_redirect(*_args)
+      @redirects += 1
+      fetcher.check_and_redirect(self)
+      true
+    end
+  end
+end

data/lib/remote_image_fetch/download_result.rb

@@ -0,0 +1,38 @@
+class DownloadResult
+  # Remote download succeeded
+  class OK < DownloadResult
+    def initialize(curl)
+      @curl = curl
+    end
+
+    def io
+      curl.body_io
+    end
+  end
+
+  # Remote download failed
+  class Fail < DownloadResult
+    def initialize(curl, error)
+      @curl = curl
+      @error = error
+    end
+
+    def error_message
+      @error.to_s
+    end
+  end
+
+  attr_reader :curl
+
+  def ok?
+    is_a?(OK)
+  end
+
+  def error?
+    is_a?(Fail)
+  end
+
+  def http_status
+    curl.response_code
+  end
+end

data/lib/remote_image_fetch/uri_restrictions.rb

@@ -0,0 +1,53 @@
+require 'resolv'
+require 'uri'
+
+class RemoteImageFetch
+  # Wrap cURL response as if it's an error
+  class UriRestrictions
+    def initialize(options = {})
+      @schemes = options[:schemes] || ['http', 'https']
+      @ports   = options[:ports] || [80, 443, 8080]
+
+      @ip_blacklist = options[:ip_blacklist]
+      @host_blacklist = options[:host_blacklist]
+    end
+
+    def check(url)
+      uri = URI.parse(url)
+
+      check_scheme! uri
+      check_port! uri
+      check_host! uri
+
+      Resolv.each_address(uri.hostname) do |addr|
+        raise "IP blacklisted - #{addr} for #{url}" if ip_blacklist_matches?(addr)
+      end
+    end
+
+    private
+
+    attr_reader :schemes, :ports, :host_blacklist, :ip_blacklist
+
+    def check_scheme!(uri)
+      raise "Scheme rejected: #{uri}" unless schemes.include?(uri.scheme)
+    end
+
+    def check_port!(uri)
+      raise "Port rejected: #{uri}" unless ports.include?(uri.port)
+    end
+
+    def check_host!(uri)
+      raise "Host blacklisted: #{uri}" if host_blacklist_matches?(uri)
+    end
+
+    def ip_blacklist_matches?(ip)
+      return false unless ip_blacklist
+      ip_blacklist === ip
+    end
+
+    def host_blacklist_matches?(uri)
+      return false unless host_blacklist
+      host_blacklist === uri.host
+    end
+  end
+end

data/lib/remote_image_fetch/version.rb

@@ -0,0 +1,3 @@
+class RemoteImageFetch
+  VERSION = "0.1.0"
+end

data/remote_image_fetch.gemspec

@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'remote_image_fetch/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'remote_image_fetch'
+  spec.version       = RemoteImageFetch::VERSION
+  spec.authors       = ['Geoff Youngs']
+  spec.email         = ['git@intersect-uk.co.uk']
+
+  spec.summary       = 'Safe, easy, parallel downloads via libcurl'
+  spec.description   = 'Restrict the types of redirect that libcurl will follow when fetching untrusted URLs'
+  spec.homepage      = "https://github.com/livelink/remote_image_fetch"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['allowed_push_host'] = "https://rubygems.org/"
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
+  end
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+  spec.add_dependency 'curb', '> 0'
+  spec.add_development_dependency 'bundler', '~> 1.14'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+end

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: remote_image_fetch
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Geoff Youngs
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-05-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: curb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Restrict the types of redirect that libcurl will follow when fetching
+  untrusted URLs
+email:
+- git@intersect-uk.co.uk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/remote_image_fetch.rb
+- lib/remote_image_fetch/curl_error.rb
+- lib/remote_image_fetch/curl_wrap.rb
+- lib/remote_image_fetch/download_result.rb
+- lib/remote_image_fetch/uri_restrictions.rb
+- lib/remote_image_fetch/version.rb
+- remote_image_fetch.gemspec
+homepage: https://github.com/livelink/remote_image_fetch
+licenses: []
+metadata:
+  allowed_push_host: https://rubygems.org/
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.10
+signing_key: 
+specification_version: 4
+summary: Safe, easy, parallel downloads via libcurl
+test_files: []