Detect and prevent image bombs, max. processable dimension 4096^2 (#7229)

lolsob-rspec
Eugen Rochko 2018-04-23 09:16:38 +02:00 committed by GitHub
parent 115bac8af9
commit 39f36c0901
4 changed files with 34 additions and 17 deletions

View File

@ -6,6 +6,7 @@ module Mastodon
class ValidationError < Error; end class ValidationError < Error; end
class HostValidationError < ValidationError; end class HostValidationError < ValidationError; end
class LengthValidationError < ValidationError; end class LengthValidationError < ValidationError; end
class DimensionsValidationError < ValidationError; end
class RaceConditionError < Error; end class RaceConditionError < Error; end
class UnexpectedResponseError < Error class UnexpectedResponseError < Error

View File

@ -1,10 +1,15 @@
# frozen_string_literal: true # frozen_string_literal: true
require 'mime/types'
module Attachmentable module Attachmentable
extend ActiveSupport::Concern extend ActiveSupport::Concern
MAX_MATRIX_LIMIT = 16_777_216 # 4096x4096px or approx. 16MB
included do included do
before_post_process :set_file_extensions before_post_process :set_file_extensions
before_post_process :check_image_dimensions
end end
private private
@ -12,10 +17,31 @@ module Attachmentable
def set_file_extensions def set_file_extensions
self.class.attachment_definitions.each_key do |attachment_name| self.class.attachment_definitions.each_key do |attachment_name|
attachment = send(attachment_name) attachment = send(attachment_name)
next if attachment.blank? next if attachment.blank?
extension = Paperclip::Interpolations.content_type_extension(attachment, :original)
basename = Paperclip::Interpolations.basename(attachment, :original) attachment.instance_write :file_name, [Paperclip::Interpolations.basename(attachment, :original), appropriate_extension(attachment)].delete_if(&:blank?).join('.')
attachment.instance_write :file_name, [basename, extension].delete_if(&:blank?).join('.')
end end
end end
def check_image_dimensions
self.class.attachment_definitions.each_key do |attachment_name|
attachment = send(attachment_name)
next if attachment.blank? || !attachment.content_type.match?(/image.*/) || attachment.queued_for_write[:original].blank?
width, height = FastImage.size(attachment.queued_for_write[:original].path)
raise Mastodon::DimensionsValidationError, "#{width}x#{height} images are not supported" if width.present? && height.present? && (width * height >= MAX_MATRIX_LIMIT)
end
end
def appropriate_extension(attachment)
mime_type = MIME::Types[attachment.content_type]
extensions_for_mime_type = mime_type.empty? ? [] : mime_type.first.extensions
original_extension = Paperclip::Interpolations.extension(attachment, :original)
extensions_for_mime_type.include?(original_extension) ? original_extension : extensions_for_mime_type.first
end
end end

View File

@ -40,6 +40,8 @@ class CustomEmoji < ApplicationRecord
remotable_attachment :image, LIMIT remotable_attachment :image, LIMIT
include Attachmentable
def local? def local?
domain.nil? domain.nil?
end end

View File

@ -19,8 +19,6 @@
# description :text # description :text
# #
require 'mime/types'
class MediaAttachment < ApplicationRecord class MediaAttachment < ApplicationRecord
self.inheritance_column = nil self.inheritance_column = nil
@ -70,6 +68,8 @@ class MediaAttachment < ApplicationRecord
validates_attachment_size :file, less_than: LIMIT validates_attachment_size :file, less_than: LIMIT
remotable_attachment :file, LIMIT remotable_attachment :file, LIMIT
include Attachmentable
validates :account, presence: true validates :account, presence: true
validates :description, length: { maximum: 420 }, if: :local? validates :description, length: { maximum: 420 }, if: :local?
@ -176,9 +176,6 @@ class MediaAttachment < ApplicationRecord
def set_type_and_extension def set_type_and_extension
self.type = VIDEO_MIME_TYPES.include?(file_content_type) ? :video : :image self.type = VIDEO_MIME_TYPES.include?(file_content_type) ? :video : :image
extension = appropriate_extension
basename = Paperclip::Interpolations.basename(file, :original)
file.instance_write :file_name, [basename, extension].delete_if(&:blank?).join('.')
end end
def set_meta def set_meta
@ -223,13 +220,4 @@ class MediaAttachment < ApplicationRecord
bitrate: movie.bitrate, bitrate: movie.bitrate,
} }
end end
def appropriate_extension
mime_type = MIME::Types[file.content_type]
extensions_for_mime_type = mime_type.empty? ? [] : mime_type.first.extensions
original_extension = Paperclip::Interpolations.extension(file, :original)
extensions_for_mime_type.include?(original_extension) ? original_extension : extensions_for_mime_type.first
end
end end