Fix uploads to AWS S3 folder

owen2345 · Sep 15, 2024 · 5a15640 · 5a15640
1 parent 47036f5
commit 5a15640
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 7 deletions.
diff --git a/app/helpers/camaleon_cms/uploader_helper.rb b/app/helpers/camaleon_cms/uploader_helper.rb
@@ -76,7 +76,7 @@ def upload_file(uploaded_io, settings = {})
       res = { error: nil }
 
       # guard against path traversal
-      return { error: 'Invalid file path' } unless cama_uploader.class.valid_folder_path?(settings[:folder])
+      return { error: 'Invalid file path' } unless cama_uploader.valid_folder_path?(settings[:folder])
 
       # formats validations
       return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(

diff --git a/app/uploaders/camaleon_cms_local_uploader.rb b/app/uploaders/camaleon_cms_local_uploader.rb
@@ -130,4 +130,11 @@ def delete_file(key)
   def parse_key(file_path)
     file_path.sub(@root_folder, '').cama_fix_media_key
   end
+
+  def valid_folder_path?(path)
+    return false unless super
+    return false if File.absolute_path?(path)
+
+    true
+  end
 end
diff --git a/app/uploaders/camaleon_cms_uploader.rb b/app/uploaders/camaleon_cms_uploader.rb
@@ -125,10 +125,10 @@ def self.validate_file_format(key, valid_formats = '*')
     valid_formats.include?(File.extname(key).sub('.', '').split('?').first.try(:downcase))
   end
 
-  def self.valid_folder_path?(path)
+  def valid_folder_path?(path)
     return true if path == '/'
 
-    return false if path.include?('..') || File.absolute_path?(path) || path.include?('://')
+    return false if path.include?('..') || path.include?('://')
 
     true
   end

diff --git a/spec/helpers/uploader_helper_spec.rb b/spec/helpers/uploader_helper_spec.rb
@@ -56,16 +56,31 @@
   end
 
   describe 'file upload with invalid path' do
-    it 'upload a local file with invalid path of a path traversal try' do
+    it "doesn't upload a local file with invalid path of a path traversal try" do
       expect(upload_file(File.open(@path), { folder: '../../config/initializers' }).keys.include?(:error)).to be(true)
     end
 
-    it 'upload a local file with invalid URI-like path' do
+    it "doesn't upload a local file with invalid URI-like path" do
       expect(upload_file(File.open(@path), { folder: 'file:///config/initializers' }).keys.include?(:error)).to be(true)
     end
 
-    it 'upload a local file with an absolute path' do
-      expect(upload_file(File.open(@path), { folder: '/tmp/config/initializers' }).keys.include?(:error)).to be(true)
+    context 'with local server' do
+      before { current_site.set_option('filesystem_type', 'local') }
+
+      it "doesn't upload a local file with an absolute path" do
+        expect(upload_file(File.open(@path), { folder: '/tmp/config/initializers' }).keys.include?(:error)).to be(true)
+      end
+    end
+
+    context 'with AWS server' do
+      before do
+        current_site.set_option('filesystem_type', 's3')
+        allow_any_instance_of(CamaleonCmsAwsUploader).to receive(:add_file).and_return({})
+      end
+
+      it 'uploads a local file with an absolute path' do
+        expect(upload_file(File.open(@path), { folder: '/tmp/config/initializers' }).keys.include?(:error)).to be(false)
+      end
     end
   end