Merge remote-tracking branch 'central/master'

CodeGrade · Jul 12, 2024 · 860aefa · 860aefa
2 parents 0a5e97b + 40bb914
commit 860aefa
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 11 deletions.
diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
@@ -1,22 +1,45 @@
 class FilesController < ApplicationController
+
+  @@resources_true_dir = "lib/assets"
+
   def upload
-    if File.file?(Upload.base_upload_dir.join(params[:path]))
-      case File.extname(params[:path]).downcase
-      when ".jpg", ".jpeg", ".png", ".gif", ".tap", ".log"
-        disp = "inline"
-      when ".pdf"
-        disp = nil
-      else
-        disp = "attachment"
-      end
+    send_file_from_path(Upload.base_upload_dir.join(params[:path]))
+  end
+
+  def resource
+    send_file_from_path(Rails.root.join(@@resources_true_dir, params[:path]))
+  end
+
+
+  private
+
+  def send_file_from_path(file_path)
+    if valid_path_param(params[:path]) && File.file?(file_path)
+      disp = get_file_disposition(File.extname(params[:path]).downcase)
       mime = ApplicationHelper.mime_type(params[:path])
-      
-      send_file Upload.base_upload_dir.join(params[:path]).to_s,
+
+      send_file file_path.to_s,
                 filename: File.basename(params[:path]),
                 disposition: disp,
                 type: mime
     else
       render 'errors/not_found', layout: 'errors', formats: [:html], status: 404
     end
   end
+
+  def valid_path_param(path)
+    !path.include? "../"
+  end
+
+  def get_file_disposition(file_ext)
+    case file_ext
+    when ".jpg", ".jpeg", ".png", ".gif", ".tap", ".log"
+      return "inline"
+    when ".pdf"
+      return nil
+    else
+      return "attachment"
+    end
+  end
+
 end
diff --git a/config/routes.rb b/config/routes.rb
@@ -45,6 +45,7 @@
   end
 
   get 'files/*path', to: 'files#upload', constraints: {path: /.*/}
+  get 'resources/*path', to: 'files#resource', constraints: {path: /.*/}
 
   resources :terms
 

diff --git a/test/controllers/files_controller_test.rb b/test/controllers/files_controller_test.rb
@@ -0,0 +1,53 @@
+require 'test_helper'
+require 'tempfile'
+require 'fileutils'
+
+class FilesControllerTest < ActionController::TestCase
+
+  @@method_to_dir = {
+    "upload": Upload.base_upload_dir,
+    "resource": Rails.root.join("lib/assets")
+  }
+
+  setup do
+    Upload.base_upload_dir.mkpath
+  end
+
+  teardown do
+    FileUtils.rmdir(Upload.base_upload_dir)
+  end
+
+  test "should get valid file path" do
+    @@method_to_dir.each do |method, dir|
+      Tempfile.create("foo", dir) do |f|
+        file_name = Pathname.new(f.path).basename
+        get method, params: {
+          path: file_name
+        }
+        assert_response :success
+      end
+    end
+  end
+
+  test "should error on non existent file path" do
+    @@method_to_dir.each do |method, _|
+      get method, params: {
+        path: "nonexistent_file.txt"
+      }
+      assert_response :missing
+    end
+  end
+
+  test "should error on path containing ../" do
+    @@method_to_dir.each do |method, dir|
+      Tempfile.create("foo", dir.join("..")) do |f|
+        file_name = Pathname.new(f.path).basename
+        get method, params: {
+          path: "../#{file_name}"
+        }
+        assert_response :missing
+      end
+    end
+  end
+
+end
-Original file line number
+Diff line change
@@ Expand Up / @@ -45,6 +45,7 @@ @@
       end
       get 'files/*path', to: 'files#upload', constraints: {path: /.*/}
+      get 'resources/*path', to: 'files#resource', constraints: {path: /.*/}
       resources :terms
@@ Expand Down @@