
Fix media attachment enumeration

Signed-off-by: Eugen Rochko <[email protected]>
tags/v3.1.5
Thibaut Girka 7 months ago
committed by Eugen Rochko
parent
commit
2d2e3651ee
3 changed files with 47 additions and 3 deletions
  1. +4
    -1
      app/controllers/media_proxy_controller.rb
  2. +1
    -2
      spec/controllers/media_controller_spec.rb
  3. +42
    -0
      spec/controllers/media_proxy_controller_spec.rb

+ 4
- 1
app/controllers/media_proxy_controller.rb View File

@@ -2,6 +2,7 @@

class MediaProxyController < ApplicationController
include RoutingHelper
include Authorization

skip_before_action :store_current_location
skip_before_action :require_functional!
@@ -10,12 +11,14 @@ class MediaProxyController < ApplicationController

rescue_from ActiveRecord::RecordInvalid, with: :not_found
rescue_from Mastodon::UnexpectedResponseError, with: :not_found
rescue_from Mastodon::NotPermittedError, with: :not_found
rescue_from HTTP::TimeoutError, HTTP::ConnectionError, OpenSSL::SSL::SSLError, with: :internal_server_error

def show
RedisLock.acquire(lock_options) do |lock|
if lock.acquired?
@media_attachment = MediaAttachment.remote.find(params[:id])
@media_attachment = MediaAttachment.remote.attached.find(params[:id])
authorize @media_attachment.status, :show?
redownload! if @media_attachment.needs_redownload? && !reject_media?
else
raise Mastodon::RaceConditionError
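Review bot: The new lookup and `authorize` lines in `show` have no comment explaining why a refused or unattached attachment is answered with 404 rather than 403, which is the purpose of the added `rescue_from Mastodon::NotPermittedError, with: :not_found`. I would add above the `find` call `# Unattached and non-viewable media both answer 404 so ids cannot be probed for existence.` The `attached` scope is defined outside this page; if it can match a row whose `status` is nil, `authorize` would receive nil and may raise something other than `Mastodon::NotPermittedError`, so confirm that path also ends in `not_found`. `show` continues past the end of the hunk.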


+ 1
- 2
spec/controllers/media_controller_spec.rb View File

@@ -28,9 +28,8 @@ describe MediaController do
end

it 'raises when not permitted to view' do
status = Fabricate(:status)
status = Fabricate(:status, visibility: :direct)
media_attachment = Fabricate(:media_attachment, status: status)
allow_any_instance_of(MediaController).to receive(:authorize).and_raise(ActiveRecord::RecordNotFound)
get :show, params: { id: media_attachment.to_param }

expect(response).to have_http_status(404)
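Review bot: With the `authorize` stub removed, this example covers only an anonymous request, so a signed-in account that is neither author nor recipient of the direct status is never checked against the real policy. A sibling example that signs in an unrelated user before the `get` (for instance `sign_in(Fabricate(:user))`, assuming the suite's usual Devise helper and a `:user` fabricator) and still expects 404 would pin that case. The same gap exists in the 'raises when not permitted to view' example of the new spec/controllers/media_proxy_controller_spec.rb. The `it` block closes outside the hunk.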


+ 42
- 0
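--- a/spec/controllers/media_proxy_controller_spec.rb
+++ b/spec/controllers/media_proxy_controller_spec.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe MediaProxyController do
+render_views
+
+before do
+stub_request(:get, 'http://example.com/attachment.png').to_return(request_fixture('avatar.txt'))
+end
+
+describe '#show' do
+it 'redirects when attached to a status' do
+status = Fabricate(:status)
+media_attachment = Fabricate(:media_attachment, status: status, remote_url: 'http://example.com/attachment.png')
+get :show, params: { id: media_attachment.id }
+
+expect(response).to have_http_status(302)
+end
+
+it 'responds with missing when there is not an attached status' do
+media_attachment = Fabricate(:media_attachment, status: nil, remote_url: 'http://example.com/attachment.png')
+get :show, params: { id: media_attachment.id }
+
+expect(response).to have_http_status(404)
+end
+
+it 'raises when id cant be found' do
+get :show, params: { id: 'missing' }
+
+expect(response).to have_http_status(404)
+end
+
+it 'raises when not permitted to view' do
+status = Fabricate(:status, visibility: :direct)
+media_attachment = Fabricate(:media_attachment, status: status, remote_url: 'http://example.com/attachment.png')
+get :show, params: { id: media_attachment.id }
+
+expect(response).to have_http_status(404)
+end
+end
+end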
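Review bot: The 'responds with missing when there is not an attached status' and 'raises when not permitted to view' examples assert only the status code, so they would still pass if the controller fetched the remote file before refusing the request. Because the `before` block already stubs the URL, both examples can also assert that nothing was fetched: `expect(a_request(:get, 'http://example.com/attachment.png')).not_to have_been_made`. That pins the order of authorization and redownload, not just the response seen by the client. The two descriptions that say "raises" would read more accurately as "returns 404 when …", since the examples check a response rather than an exception.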
