From df384ebf0d842a8c94c1603df4cfeae8d694b0ba Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Thu, 6 Oct 2022 00:11:27 +0200
Subject: [PATCH] Disallow protected upload paths for non-native files
Fixes CODEOCEAN-E0
---
 app/controllers/code_ocean/files_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controllers/code_ocean/files_controller.rb b/app/controllers/code_ocean/files_controller.rb
index babe7cf6..21555ee5 100644
--- a/app/controllers/code_ocean/files_controller.rb
+++ b/app/controllers/code_ocean/files_controller.rb
@@ -23,7 +23,7 @@ module CodeOcean
 @file = CodeOcean::File.find(params[:id])
 authorize!
 # The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
- raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.filepath != params[:filename]
+ raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.filepath != params[:filename] || @file.native_file.blank?
 real_location = Pathname(@file.native_file.current_path).realpath
 send_file(real_location, type: 'application/octet-stream', filename: @file.name_with_extension, disposition: 'attachment')
@@ -36,7 +36,7 @@ module CodeOcean
 @file = authorize AuthenticatedUrlHelper.retrieve!(CodeOcean::File, request)
 # The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
- raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename]
+ raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename] || @file.native_file.present?
 real_location = Pathname(@file.native_file.current_path).realpath
 send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension)
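Review bot: The new condition in the second hunk, `raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename] || @file.native_file.present?`, inverts the intended check: with `||` the error is raised only when the filename mismatches and there is no native file, so any file that has a native upload now bypasses the `filepath == params[:filename]` comparison the old line enforced, while a file without a native upload still reaches `Pathname(@file.native_file.current_path)` whenever the filename matches. The first hunk gets this right by adding `|| @file.native_file.blank?` to an `if`; the De Morgan equivalent on an `unless` is `&&`, i.e. `raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename] && @file.native_file.present?`. As written the line contradicts the commit title, which says non-native files should be disallowed, not exempted from the path check. The enclosing action starts and ends outside the hunk.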