Detect and prevent image bombs, max. processable dimension 4096^2 (#7229)
parent
115bac8af9
commit
39f36c0901
|
@ -6,6 +6,7 @@ module Mastodon
|
||||||
class ValidationError < Error; end
|
class ValidationError < Error; end
|
||||||
class HostValidationError < ValidationError; end
|
class HostValidationError < ValidationError; end
|
||||||
class LengthValidationError < ValidationError; end
|
class LengthValidationError < ValidationError; end
|
||||||
|
class DimensionsValidationError < ValidationError; end
|
||||||
class RaceConditionError < Error; end
|
class RaceConditionError < Error; end
|
||||||
|
|
||||||
class UnexpectedResponseError < Error
|
class UnexpectedResponseError < Error
|
||||||
|
|
|
@ -1,10 +1,15 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'mime/types'
|
||||||
|
|
||||||
module Attachmentable
|
module Attachmentable
|
||||||
extend ActiveSupport::Concern
|
extend ActiveSupport::Concern
|
||||||
|
|
||||||
|
MAX_MATRIX_LIMIT = 16_777_216 # 4096x4096px or approx. 16MB
|
||||||
|
|
||||||
included do
|
included do
|
||||||
before_post_process :set_file_extensions
|
before_post_process :set_file_extensions
|
||||||
|
before_post_process :check_image_dimensions
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
@ -12,10 +17,31 @@ module Attachmentable
|
||||||
def set_file_extensions
|
def set_file_extensions
|
||||||
self.class.attachment_definitions.each_key do |attachment_name|
|
self.class.attachment_definitions.each_key do |attachment_name|
|
||||||
attachment = send(attachment_name)
|
attachment = send(attachment_name)
|
||||||
|
|
||||||
next if attachment.blank?
|
next if attachment.blank?
|
||||||
extension = Paperclip::Interpolations.content_type_extension(attachment, :original)
|
|
||||||
basename = Paperclip::Interpolations.basename(attachment, :original)
|
attachment.instance_write :file_name, [Paperclip::Interpolations.basename(attachment, :original), appropriate_extension(attachment)].delete_if(&:blank?).join('.')
|
||||||
attachment.instance_write :file_name, [basename, extension].delete_if(&:blank?).join('.')
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def check_image_dimensions
|
||||||
|
self.class.attachment_definitions.each_key do |attachment_name|
|
||||||
|
attachment = send(attachment_name)
|
||||||
|
|
||||||
|
next if attachment.blank? || !attachment.content_type.match?(/image.*/) || attachment.queued_for_write[:original].blank?
|
||||||
|
|
||||||
|
width, height = FastImage.size(attachment.queued_for_write[:original].path)
|
||||||
|
|
||||||
|
raise Mastodon::DimensionsValidationError, "#{width}x#{height} images are not supported" if width.present? && height.present? && (width * height >= MAX_MATRIX_LIMIT)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def appropriate_extension(attachment)
|
||||||
|
mime_type = MIME::Types[attachment.content_type]
|
||||||
|
|
||||||
|
extensions_for_mime_type = mime_type.empty? ? [] : mime_type.first.extensions
|
||||||
|
original_extension = Paperclip::Interpolations.extension(attachment, :original)
|
||||||
|
|
||||||
|
extensions_for_mime_type.include?(original_extension) ? original_extension : extensions_for_mime_type.first
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -40,6 +40,8 @@ class CustomEmoji < ApplicationRecord
|
||||||
|
|
||||||
remotable_attachment :image, LIMIT
|
remotable_attachment :image, LIMIT
|
||||||
|
|
||||||
|
include Attachmentable
|
||||||
|
|
||||||
def local?
|
def local?
|
||||||
domain.nil?
|
domain.nil?
|
||||||
end
|
end
|
||||||
|
|
|
@ -19,8 +19,6 @@
|
||||||
# description :text
|
# description :text
|
||||||
#
|
#
|
||||||
|
|
||||||
require 'mime/types'
|
|
||||||
|
|
||||||
class MediaAttachment < ApplicationRecord
|
class MediaAttachment < ApplicationRecord
|
||||||
self.inheritance_column = nil
|
self.inheritance_column = nil
|
||||||
|
|
||||||
|
@ -70,6 +68,8 @@ class MediaAttachment < ApplicationRecord
|
||||||
validates_attachment_size :file, less_than: LIMIT
|
validates_attachment_size :file, less_than: LIMIT
|
||||||
remotable_attachment :file, LIMIT
|
remotable_attachment :file, LIMIT
|
||||||
|
|
||||||
|
include Attachmentable
|
||||||
|
|
||||||
validates :account, presence: true
|
validates :account, presence: true
|
||||||
validates :description, length: { maximum: 420 }, if: :local?
|
validates :description, length: { maximum: 420 }, if: :local?
|
||||||
|
|
||||||
|
@ -176,9 +176,6 @@ class MediaAttachment < ApplicationRecord
|
||||||
|
|
||||||
def set_type_and_extension
|
def set_type_and_extension
|
||||||
self.type = VIDEO_MIME_TYPES.include?(file_content_type) ? :video : :image
|
self.type = VIDEO_MIME_TYPES.include?(file_content_type) ? :video : :image
|
||||||
extension = appropriate_extension
|
|
||||||
basename = Paperclip::Interpolations.basename(file, :original)
|
|
||||||
file.instance_write :file_name, [basename, extension].delete_if(&:blank?).join('.')
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def set_meta
|
def set_meta
|
||||||
|
@ -223,13 +220,4 @@ class MediaAttachment < ApplicationRecord
|
||||||
bitrate: movie.bitrate,
|
bitrate: movie.bitrate,
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
def appropriate_extension
|
|
||||||
mime_type = MIME::Types[file.content_type]
|
|
||||||
|
|
||||||
extensions_for_mime_type = mime_type.empty? ? [] : mime_type.first.extensions
|
|
||||||
original_extension = Paperclip::Interpolations.extension(file, :original)
|
|
||||||
|
|
||||||
extensions_for_mime_type.include?(original_extension) ? original_extension : extensions_for_mime_type.first
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue