media assets: fix md5 leak in media assets.
Fix unprivileged users being able to see images and MD5 hashes of media assets belonging to censored posts.
@@ -5,7 +5,7 @@ class MediaAssetsController < ApplicationController
|
||||
|
||||
def index
|
||||
@media_assets = authorize MediaAsset.visible(CurrentUser.user).paginated_search(params, count_pages: false)
|
||||
@media_assets = @media_assets.joins(:media_metadata)
|
||||
@media_assets = @media_assets.joins(:media_metadata).includes(:post)
|
||||
respond_with(@media_assets)
|
||||
end
|
||||
|
||||
|
||||
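Review bot: Excluding `:md5` from the serialized attributes does not cover the search side of this action: `paginated_search(params, count_pages: false)` still filters the same relation, so if `md5` is among the searchable attributes an unprivileged user could still learn whether a given hash belongs to an asset of a hidden post (the filter returning a match acts as a confirmation). The search attributes are not visible here, so this is a point to confirm; if md5 filtering is exposed, it should either be restricted to users for whom `can_see_image?` holds or be applied only within the visible subset. The added `.includes(:post)` is what lets the per-row `policy(media_asset).can_see_image?` call in the index view avoid an N+1 load; a short comment such as `# preload posts for the per-row can_see_image? check in the view` would record that dependency.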
@@ -4,4 +4,16 @@ class MediaAssetPolicy < ApplicationPolicy
|
||||
def index?
|
||||
true
|
||||
end
|
||||
|
||||
def can_see_image?
|
||||
record.post.blank? || record.post.visible?(user)
|
||||
end
|
||||
|
||||
def api_attributes
|
||||
if can_see_image?
|
||||
super
|
||||
else
|
||||
super.excluding(:md5)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
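Review bot: `api_attributes` removes only `:md5`, but `index?` returns `true`, so assets of hidden posts are still listed and every remaining attribute returned by `super` is exposed for them; if that list contains any value derived from the file hash (a file key, variant or original URL built from the md5), the exclusion alone would not close the leak. The attribute list is not visible here, so this needs checking against the model's default API attributes. `can_see_image?` would benefit from a why-comment, e.g. `# Assets attached to a post the user cannot see (e.g. banned/censored posts) must not reveal the image or its md5; assets without a post are always viewable.`. Also consider whether `record.post.visible?(user)` is the right predicate when `user` is nil (anonymous requests); the policy base class is outside this hunk.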
@@ -18,7 +18,9 @@
|
||||
|
||||
<%= table_for @media_assets, class: "striped autofit" do |t| %>
|
||||
<% t.column "File", td: { class: "text-center" } do |media_asset| %>
|
||||
<%= render MediaAssetPreviewComponent.new(media_asset: media_asset, save_data: CurrentUser.save_data, shrink_to_fit: false) %>
|
||||
<% if policy(media_asset).can_see_image? %>
|
||||
<%= render MediaAssetPreviewComponent.new(media_asset: media_asset, save_data: CurrentUser.save_data, shrink_to_fit: false) %>
|
||||
<% end %>
|
||||
<% end %>
|
||||
|
||||
<% t.column :image_width %>
|
||||
|
||||
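Review bot: When `can_see_image?` is false the "File" cell is left empty, which gives no indication that a preview was deliberately withheld rather than missing; a small `<% else %>` branch rendering a placeholder (for example a "hidden" label in the cell) would make the listing clearer. This per-row policy check relies on the controller preloading `:post` (done in the controller hunk of this commit); if the view is reused elsewhere without that preload, it will issue one query per row.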
@@ -2,7 +2,9 @@
|
||||
<div id="a-show" class="fixed-width-container">
|
||||
<h1 class="mb-4">Media Asset</h1>
|
||||
|
||||
<%= render MediaAssetComponent.new(media_asset: @media_asset) %>
|
||||
<% if policy(@media_asset).can_see_image? %>
|
||||
<%= render MediaAssetComponent.new(media_asset: @media_asset) %>
|
||||
<% end %>
|
||||
|
||||
<table class="striped aligned-vertical">
|
||||
<% if @post.present? %>
|
||||
@@ -12,10 +14,12 @@
|
||||
</tr>
|
||||
<% end %>
|
||||
|
||||
<tr>
|
||||
<th>MD5</th>
|
||||
<td><%= @media_asset.md5 %></td>
|
||||
</tr>
|
||||
<% if policy(@media_asset).can_see_image? %>
|
||||
<tr>
|
||||
<th>MD5</th>
|
||||
<td><%= @media_asset.md5 %></td>
|
||||
</tr>
|
||||
<% end %>
|
||||
|
||||
<% @media_asset.metadata.sort.each do |key, value| %>
|
||||
<tr>
|
||||
|
||||
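Review bot: The MD5 row is now guarded, but the `@media_asset.metadata.sort.each` table immediately below it is still rendered for assets whose post is not visible. The metadata keys are not shown on this page, so this is a point to confirm: if any metadata entry reproduces the file hash or otherwise identifies the file contents, the same `policy(@media_asset).can_see_image?` guard should wrap that loop as well. The surrounding view continues outside this hunk.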
@@ -25,6 +25,15 @@ class MediaAssetsControllerTest < ActionDispatch::IntegrationTest
|
||||
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
should "not show the md5 for assets belonging to posts not visible to the current user" do
|
||||
@media_asset = create(:media_asset)
|
||||
@post = create(:post, md5: @media_asset.md5, is_banned: true)
|
||||
get media_asset_path(@media_asset), as: :json
|
||||
|
||||
assert_response :success
|
||||
assert_equal(nil, response.parsed_body[:md5])
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
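Review bot: `assert_equal(nil, response.parsed_body[:md5])` should be `assert_nil(response.parsed_body[:md5])`; recent Minitest versions deprecate asserting equality against nil. The test also only covers the JSON show endpoint for a banned post, so the commit's other changes are untested: add the positive case (a visible post still returns `md5`), an index request `get media_assets_path, as: :json` asserting the hidden asset's `md5` is absent from the listing, and an HTML `show` request asserting the MD5 row and image are not rendered. The test appears to rely on the asset being associated to the post via the shared md5, which is inferred from the factory call rather than visible here.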