Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure uploaded images are image files #9299

Merged
merged 3 commits into from
Oct 31, 2024
Merged

Ensure uploaded images are image files #9299

merged 3 commits into from
Oct 31, 2024

Conversation

kbrock
Copy link
Member

@kbrock kbrock commented Oct 24, 2024

Consolidated catalog uploads and icon uploads.
Checking image magic numbers to ensure it is a png or jpg

Resolves issue where user could upload a zip bomb

This only addresses

Tested with jpg, gif, png, and zip files

@kbrock kbrock added the security fix Security fix generated by WhiteSource label Oct 24, 2024
@kbrock kbrock requested a review from a team as a code owner October 24, 2024 22:36
Fryguy
Fryguy reviewed Oct 25, 2024
View reviewed changes
app/controllers/mixins/image_validation_mixin.rb Outdated Show resolved Hide resolved
app/controllers/mixins/image_validation_mixin.rb
# @param file request parameter for a file
# @param
def valid_image_file?(file, type = nil)
ext = file.original_filename.split(".").last.downcase
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternatively, File.extname

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

File.extname keeps the ".".
When I changed the code over to that it ended up changing too much.

Deciding to keep it the way it was when I came in

app/controllers/mixins/image_validation_mixin.rb Outdated Show resolved Hide resolved
app/controllers/catalog_controller.rb Outdated Show resolved Hide resolved
@kbrock kbrock force-pushed the file_upload_type branch 2 times, most recently from d1858bb to 7c15458 Compare October 25, 2024 20:21
@kbrock
Copy link
Member Author

kbrock commented Oct 25, 2024

update:

  • fixed @param descriptions
  • dropped Concern`
  • use File.extname
  • moved ext to the else
  • flattened 1 layer of ifs in the controller

update:

  • revert File.extname() => split(".").last. (it doesn't have a "." in the resulting extension.

@Fryguy
Copy link
Member

Fryguy commented Oct 28, 2024
edited
Loading

@kbrock Are there specs for this? I think the original valid_file? code had specs, which could be moved as a direct test of this mixin.

Maybe this one from #8934 ?

@kbrock
Copy link
Member Author

kbrock commented Oct 29, 2024

update:

  • introduced fixtures directory with images (and mis-typed images)
  • testing that catalog does not allow non-image uploads (by file type and not by file name)

Fryguy
Fryguy reviewed Oct 29, 2024
View reviewed changes
spec/fixtures/favicon.ico Outdated Show resolved Hide resolved
Fryguy
Fryguy reviewed Oct 29, 2024
View reviewed changes
spec/controllers/catalog_controller_spec.rb Outdated
Comment on lines 362 to 368
file = fixture_file_upload('files/upload_image.txt', 'image/png')
file = fixture_file_upload('spec/fixtures/test.txt.png')
Copy link
Member

@Fryguy Fryguy Oct 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I recall correctly, this was intentionally a .txt file and not a .png file (regardless of the guts of the file) to demonstrate neither .png nor .jpg.

So I'm wondering if this should be

Suggested change
file = fixture_file_upload('files/upload_image.txt', 'image/png')
file = fixture_file_upload('spec/fixtures/test.txt.png')
file = fixture_file_upload('spec/fixtures/test.txt')

Copy link
Member Author

@kbrock kbrock Oct 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your comment does makes a lot of sense.

But the upload_spec.rb uses the name test.txt.png to show that the controller is validating the file contents and not the file extension/mime type.

Before #8934 test.txt.png incorrectly would work. Using that filename shows that we are validating the contents and not the filename itself.

This PR adds similar validation, so I think the new file with an image extension but contents that are not an image makes sense.

I did update this line to use the image mime-type.

@kbrock
common image fixture files and fixture_file_upload
f16072e 
introduce spec/fixtures with images of various image formats.

Images of the name test.txt.png is a text file, but we tacked on the png suffix to ensure detection is correct.
favicon.png.ico is a png, so we're using it to ensure proper detection on the server
@kbrock
Ensure catalog uploaded images are image files
ce85853 
Consolidated catalog uploads and icon uploads.
Checking image magic numbers to ensure it is a png or jpg

Resolves issue where user could upload a zip bomb
@kbrock
flatten ifs in catalog_controller image processing
6463af5
@Fryguy Fryguy merged commit f890e1a into ManageIQ:master Oct 31, 2024
15 checks passed
@Fryguy Fryguy self-assigned this Oct 31, 2024
@kbrock kbrock deleted the file_upload_type branch November 6, 2024 19:34
@Fryguy
Copy link
Member

Fryguy commented Nov 14, 2024

Skipping backport to radjabov, because it is already in the branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Fryguy Fryguy Fryguy approved these changes

Assignees

@Fryguy Fryguy

Labels
security fix Security fix generated by WhiteSource
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kbrock @Fryguy