htwkmooc/codeocean
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add reminder about path validation for protected download and render

Browse Source
This commit is contained in:
Sebastian Serth
2022-09-25 01:12:48 +02:00
parent 4e2dbae2da
commit f73917313d
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/code_ocean/files_controller.rb
View File

@ -19,6 +19,7 @@ module CodeOcean
def show_protected_upload def show_protected_upload
@file = CodeOcean::File.find(params[:id]) @file = CodeOcean::File.find(params[:id])
authorize! authorize!
# The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.name_with_extension != params[:filename] raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.name_with_extension != params[:filename]
real_location = Pathname(@file.native_file.current_path).realpath real_location = Pathname(@file.native_file.current_path).realpath
@ -31,6 +32,7 @@ module CodeOcean
@file = authorize AuthenticatedUrlHelper.retrieve!(CodeOcean::File, request) @file = authorize AuthenticatedUrlHelper.retrieve!(CodeOcean::File, request)
# The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
raise Pundit::NotAuthorizedError unless @file.name_with_extension == params[:filename] raise Pundit::NotAuthorizedError unless @file.name_with_extension == params[:filename]
real_location = Pathname(@file.native_file.current_path).realpath real_location = Pathname(@file.native_file.current_path).realpath