From 0132c5f0a5e9024ba10190a5dc14ceb233d1099c Mon Sep 17 00:00:00 2001 From: evazion Date: Sun, 30 Jan 2022 23:23:55 -0600 Subject: [PATCH] media assets: fix md5 leak in media assets. Fix unprivileged users being able to see images and MD5 hashes of media assets belonging to censored posts. --- app/controllers/media_assets_controller.rb | 2 +- app/policies/media_asset_policy.rb | 12 ++++++++++++ app/views/media_assets/index.html.erb | 4 +++- app/views/media_assets/show.html.erb | 14 +++++++++----- test/functional/media_assets_controller_test.rb | 9 +++++++++ 5 files changed, 34 insertions(+), 7 deletions(-) diff --git a/app/controllers/media_assets_controller.rb b/app/controllers/media_assets_controller.rb index cdda551c7..4b93e26c8 100644 --- a/app/controllers/media_assets_controller.rb +++ b/app/controllers/media_assets_controller.rb @@ -5,7 +5,7 @@ class MediaAssetsController < ApplicationController def index @media_assets = authorize MediaAsset.visible(CurrentUser.user).paginated_search(params, count_pages: false) - @media_assets = @media_assets.joins(:media_metadata) + @media_assets = @media_assets.joins(:media_metadata).includes(:post) respond_with(@media_assets) end diff --git a/app/policies/media_asset_policy.rb b/app/policies/media_asset_policy.rb index 636cd1431..d48cf5b73 100644 --- a/app/policies/media_asset_policy.rb +++ b/app/policies/media_asset_policy.rb @@ -4,4 +4,16 @@ class MediaAssetPolicy < ApplicationPolicy def index? true end + + def can_see_image? + record.post.blank? || record.post.visible?(user) + end + + def api_attributes + if can_see_image? + super + else + super.excluding(:md5) + end + end end diff --git a/app/views/media_assets/index.html.erb b/app/views/media_assets/index.html.erb index 3a0dbc2e4..4fe1239e2 100644 --- a/app/views/media_assets/index.html.erb +++ b/app/views/media_assets/index.html.erb @@ -18,7 +18,9 @@ <%= table_for @media_assets, class: "striped autofit" do |t| %> <% t.column "File", td: { class: "text-center" } do |media_asset| %> - <%= render MediaAssetPreviewComponent.new(media_asset: media_asset, save_data: CurrentUser.save_data, shrink_to_fit: false) %> + <% if policy(media_asset).can_see_image? %> + <%= render MediaAssetPreviewComponent.new(media_asset: media_asset, save_data: CurrentUser.save_data, shrink_to_fit: false) %> + <% end %> <% end %> <% t.column :image_width %> diff --git a/app/views/media_assets/show.html.erb b/app/views/media_assets/show.html.erb index 0417d99fc..956937475 100644 --- a/app/views/media_assets/show.html.erb +++ b/app/views/media_assets/show.html.erb @@ -2,7 +2,9 @@

Media Asset

- <%= render MediaAssetComponent.new(media_asset: @media_asset) %> + <% if policy(@media_asset).can_see_image? %> + <%= render MediaAssetComponent.new(media_asset: @media_asset) %> + <% end %> <% if @post.present? %> @@ -12,10 +14,12 @@ <% end %> - - - - + <% if policy(@media_asset).can_see_image? %> + + + + + <% end %> <% @media_asset.metadata.sort.each do |key, value| %> diff --git a/test/functional/media_assets_controller_test.rb b/test/functional/media_assets_controller_test.rb index 33014c1b2..f4e0bf41c 100644 --- a/test/functional/media_assets_controller_test.rb +++ b/test/functional/media_assets_controller_test.rb @@ -25,6 +25,15 @@ class MediaAssetsControllerTest < ActionDispatch::IntegrationTest assert_response :success end + + should "not show the md5 for assets belonging to posts not visible to the current user" do + @media_asset = create(:media_asset) + @post = create(:post, md5: @media_asset.md5, is_banned: true) + get media_asset_path(@media_asset), as: :json + + assert_response :success + assert_equal(nil, response.parsed_body[:md5]) + end end end end
MD5<%= @media_asset.md5 %>
MD5<%= @media_asset.md5 %>