sufia 7.4.0 → 7.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 021661f3b93bbd570debcb9a59ee80d99ec25fbe
-  data.tar.gz: 5d6f072cc58068f6536d91110c1f884706424ac6
+  metadata.gz: 6c8f5591add2605e15e1672bc6667a31ddfe5b8f
+  data.tar.gz: 63262f7ca069a856cc3aff1f8b5572e067d2f45b
 SHA512:
-  metadata.gz: 977dde46e20ed18f04b5c49742df41f1b305bacb9539b2f7b00c2489809ccdcfaada9754d5163dfffb63e33363c8c5f49edca80bca72c8fd095e0bb26528b550
-  data.tar.gz: 629cc054b61b16d450731260b3e764db87f63a348242dc7761987252946b0bccee118a25bc043523c136a397f88cf08e7b4c21aa385749f9fadd2e9442db561b
+  metadata.gz: 5bb4673648eca734f7a73ce87ad6bd5431020f7e941996cdfc1a8d753411fd8d46c39db23e65b39466f6b1a9738a0ef63aeb073cb555802ae2d596794da63195
+  data.tar.gz: e028b8e41dcedbd32274d2b3eb3f54f8c0bf3407a936da99ba4d429053624b79dc27506e629439cd4b00de0a11ff6660db2bc15e20f0a5baa4b6a0c09d3c3398

data/README.md

@@ -12,7 +12,7 @@ Docs: [![Documentation Status](https://inch-ci.org/github/samvera/sufia.svg?bran
 [![Contribution Guidelines](http://img.shields.io/badge/CONTRIBUTING-Guidelines-blue.svg)](./.github/CONTRIBUTING.md)
 [![Apache 2.0 License](http://img.shields.io/badge/APACHE2-license-blue.svg)](./LICENSE)
 
-Jump in: [![Slack Status](http://slack.projecthydra.org/badge.svg)](http://slack.projecthydra.org/)
+Jump in: [![Slack Status](http://slack.samvera.org/badge.svg)](http://slack.samvera.org/)
 [![Ready Tickets](https://badge.waffle.io/samvera/sufia.png?label=ready&title=Ready)](https://waffle.io/samvera/sufia)
 
 # Table of Contents
@@ -41,7 +41,7 @@ Jump in: [![Slack Status](http://slack.projecthydra.org/badge.svg)](http://slack
 
 # What is Sufia?
 
-Sufia uses the full power of [Hydra](http://projecthydra.org/) and extends it to provide a user interface around common repository features and social features (see below). Sufia offers self-deposit and proxy deposit workflows, and mediated deposit workflows are being developed in a community sprint running from September-December 2016. Sufia delivers its rich and growing set of features via a modern, responsive user interface. It is implemented as a Rails engine, so it is meant to be added to existing Rails apps.
+Sufia uses the full power of [Samvera](http://samvera.org/) and extends it to provide a user interface around common repository features and social features (see below). Sufia offers self-deposit and proxy deposit workflows, and mediated deposit workflows are being developed in a community sprint running from September-December 2016. Sufia delivers its rich and growing set of features via a modern, responsive user interface. It is implemented as a Rails engine, so it is meant to be added to existing Rails apps.
 
 ## Feature list
 
@@ -51,12 +51,12 @@ For non-technical documentation about Sufia, see its [documentation site](http:/
 
 # Help
 
-If you have questions or need help, please email [the Hydra community tech list](mailto:hydra-tech@googlegroups.com) or stop by the #dev channel in [the Hydra community Slack team](https://wiki.duraspace.org/pages/viewpage.action?pageId=43910187#Getintouch!-Slack).
+If you have questions or need help, please email [the Samvera community tech list](mailto:samvera-tech@googlegroups.com) or stop by the #dev channel in [the Samvera community Slack team](https://wiki.duraspace.org/pages/viewpage.action?pageId=43910187#Getintouch!-Slack).
 
 # Getting started
 
 This document contains instructions specific to setting up an app with __Sufia
-v7.4.0__. If you are looking for instructions on installing a different
+v7.4.1__. If you are looking for instructions on installing a different
 version, be sure to select the appropriate branch or tag from the drop-down
 menu above.
 
@@ -211,9 +211,9 @@ See the [release management process](https://github.com/samvera/sufia/wiki/Relea
 
 # Acknowledgments
 
-This software has been developed by and is brought to you by the Hydra community.  Learn more at the
-[Project Hydra website](http://projecthydra.org/).
+This software has been developed by and is brought to you by the Samvera community.  Learn more at the
+[Samvera website](http://samvera.org/).
 
-![Project Hydra Logo](http://sufia.io/assets/images/hydra_logo.png)
+![Samvera Logo](http://sufia.io/assets/images/samvera_logo.png)
 
 The Sufia logo uses the Hong Kong Hustle font, thanks to [Iconian's](http://www.iconian.com/) non-commercial use policy.

data/app/actors/sufia/create_with_remote_files_actor.rb

@@ -19,6 +19,10 @@ module Sufia
         return true unless remote_files
         remote_files.each do |file_info|
           next if file_info.blank? || file_info[:url].blank?
+          unless validate_remote_url(file_info[:url])
+            Rails.logger.error "User #{user.user_key} attempted to ingest file from url #{file_info[:url]}, which doesn't pass validation"
+            return false
+          end
           create_file_from_url(file_info[:url], file_info[:file_name])
         end
         true
@@ -44,5 +48,23 @@ module Sufia
         CurationConcerns::Operation.create!(user: user,
                                             operation_type: "Attach Remote File")
       end
+
+      def validate_remote_url(url)
+        uri = URI.parse(URI.encode(url))
+        if uri.scheme == 'file'
+          path = File.absolute_path(URI.decode(uri.path))
+          whitelisted_ingest_dirs.any? do |dir|
+            path.start_with?(dir) && path.length > dir.length
+          end
+        else
+          # TODO: It might be a good idea to validate other URLs as well.
+          #       The server can probably access URLs the user can't.
+          true
+        end
+      end
+
+      def whitelisted_ingest_dirs
+        Sufia.config.whitelisted_ingest_dirs
+      end
   end
 end

data/lib/generators/sufia/templates/config/sufia.rb

@@ -101,6 +101,22 @@ Sufia.config do |config|
   # If you use a multi-server architecture, this MUST be a shared volume.
   # config.derivatives_path = File.join(Rails.root, 'tmp', 'derivatives')
 
+  ## Whitelist all directories which can be used to ingest from the local file
+  # system.
+  #
+  # Any file, and only those, that is anywhere under one of the specified
+  # directories can be used by CreateWithRemoteFilesActor to add local files
+  # to works. Files uploaded by the user are handled separately and the
+  # temporary directory for those need not be included here.
+  #
+  # Default value includes BrowseEverything.config['file_system'][:home] if it
+  # is set, otherwise default is an empty list. You should only need to change
+  # this if you have custom ingestions using CreateWithRemoteFilesActor to
+  # ingest files from the file system that are not part of the BrowseEverything
+  # mount point.
+  #
+  # config.whitelisted_ingest_dirs = []
+
   # If browse-everything has been configured, load the configs.  Otherwise, set to nil.
   begin
     if defined? BrowseEverything

data/lib/sufia/configuration.rb

@@ -155,5 +155,16 @@ module Sufia
     def model_to_create
       @model_to_create ||= ->(_attributes) { Sufia.primary_work_type.model_name.name }
     end
+
+    attr_writer :whitelisted_ingest_dirs
+    # List of directories which can be used for local file system ingestion.
+    def whitelisted_ingest_dirs
+      @whitelisted_ingest_dirs ||= \
+        if defined? BrowseEverything
+          Array.wrap(BrowseEverything.config['file_system'].try(:[], :home)).compact
+        else
+          []
+        end
+    end
   end
 end

data/lib/sufia/version.rb

@@ -1,3 +1,3 @@
 module Sufia
-  VERSION = '7.4.0'.freeze
+  VERSION = '7.4.1'.freeze
 end

data/spec/actors/sufia/create_with_remote_files_actor_spec.rb

@@ -51,11 +51,27 @@ describe Sufia::CreateWithRemoteFilesActor do
          file_name: "here.txt" }]
     end
 
+    before do
+      allow(Sufia.config).to receive(:whitelisted_ingest_dirs).and_return(["/local/file/"])
+    end
+
     it "attaches files" do
       expect(IngestLocalFileJob).to receive(:perform_later).with(FileSet, "/local/file/here.txt", user)
       expect(actor.create(attributes)).to be true
     end
 
+    context "with files from non-whitelisted directories" do
+      let(:file) { "file:///local/otherdir/test.txt" }
+
+      # rubocop:disable RSpec/AnyInstance
+      it "doesn't attach files" do
+        expect_any_instance_of(described_class).to receive(:validate_remote_url).and_call_original
+        expect(IngestLocalFileJob).not_to receive(:perform_later)
+        expect(actor.create(attributes)).to be false
+      end
+      # rubocop:enable RSpec/AnyInstance
+    end
+
     context "with spaces" do
       let(:file) { "file:///local/file/ pigs .txt" }
       it "attaches files" do
@@ -64,4 +80,26 @@ describe Sufia::CreateWithRemoteFilesActor do
       end
     end
   end
+
+  describe "#validate_remote_url" do
+    before do
+      allow(Sufia.config).to receive(:whitelisted_ingest_dirs).and_return(['/test/', '/local/file/'])
+    end
+
+    it "accepts file: urls in whitelisted directories" do
+      expect(actor.actor.send(:validate_remote_url, "file:///local/file/test.txt")).to be true
+      expect(actor.actor.send(:validate_remote_url, "file:///local/file/subdirectory/test.txt")).to be true
+      expect(actor.actor.send(:validate_remote_url, "file:///test/test.txt")).to be true
+    end
+
+    it "rejects file: urls outside whitelisted directories" do
+      expect(actor.actor.send(:validate_remote_url, "file:///tmp/test.txt")).to be false
+      expect(actor.actor.send(:validate_remote_url, "file:///test/../tmp/test.txt")).to be false
+      expect(actor.actor.send(:validate_remote_url, "file:///test/")).to be false
+    end
+
+    it "accepts other types of urls" do
+      expect(actor.actor.send(:validate_remote_url, "https://example.com/test.txt")).to be true
+    end
+  end
 end

data/spec/lib/sufia/configuration_spec.rb

@@ -28,4 +28,5 @@ describe Sufia::Configuration do
   it { is_expected.to respond_to(:contact_email) }
   it { is_expected.to respond_to(:subject_prefix) }
   it { is_expected.to respond_to(:model_to_create) }
+  it { is_expected.to respond_to(:whitelisted_ingest_dirs) }
 end

data/template.rb

@@ -1,4 +1,4 @@
-gem 'sufia', '7.4.0'
+gem 'sufia', '7.4.1'
 
 run 'bundle install'
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sufia
 version: !ruby/object:Gem::Version
-  version: 7.4.0
+  version: 7.4.1
 platform: ruby
 authors:
 - Justin Coyne
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-09-07 00:00:00.000000000 Z
+date: 2017-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hydra-works
@@ -1769,7 +1769,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.10
 signing_key: 
 specification_version: 4
 summary: Sufia was originally extracted from ScholarSphere developed by Penn State