jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

media assets: fix md5 leak in media assets.

Browse Source 
Fix unprivileged users being able to see images and MD5 hashes of media
assets belonging to censored posts.
This commit is contained in:
evazion
2022-01-30 23:23:55 -06:00
parent 2fe058eccf
commit 0132c5f0a5
5 changed files with 34 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/media_assets_controller.rb
View File

@@ -5,7 +5,7 @@ class MediaAssetsController < ApplicationController
def index def index
@media_assets = authorize MediaAsset.visible(CurrentUser.user).paginated_search(params, count_pages: false) @media_assets = authorize MediaAsset.visible(CurrentUser.user).paginated_search(params, count_pages: false)
@media_assets = @media_assets.joins(:media_metadata) @media_assets = @media_assets.joins(:media_metadata).includes(:post)
respond_with(@media_assets) respond_with(@media_assets)
end end

12
app/policies/media_asset_policy.rb
View File

@@ -4,4 +4,16 @@ class MediaAssetPolicy < ApplicationPolicy
def index? def index?
true true
end end
def can_see_image?
record.post.blank? || record.post.visible?(user)
end
def api_attributes
if can_see_image?
super
else
super.excluding(:md5)
end
end
end end

4
app/views/media_assets/index.html.erb
View File

@@ -18,7 +18,9 @@
<%= table_for @media_assets, class: "striped autofit" do |t| %> <%= table_for @media_assets, class: "striped autofit" do |t| %>
<% t.column "File", td: { class: "text-center" } do |media_asset| %> <% t.column "File", td: { class: "text-center" } do |media_asset| %>
<%= render MediaAssetPreviewComponent.new(media_asset: media_asset, save_data: CurrentUser.save_data, shrink_to_fit: false) %> <% if policy(media_asset).can_see_image? %>
<%= render MediaAssetPreviewComponent.new(media_asset: media_asset, save_data: CurrentUser.save_data, shrink_to_fit: false) %>
<% end %>
<% end %> <% end %>
<% t.column :image_width %> <% t.column :image_width %>

14
app/views/media_assets/show.html.erb
View File

@@ -2,7 +2,9 @@
<div id="a-show" class="fixed-width-container"> <div id="a-show" class="fixed-width-container">
<h1 class="mb-4">Media Asset</h1> <h1 class="mb-4">Media Asset</h1>
<%= render MediaAssetComponent.new(media_asset: @media_asset) %> <% if policy(@media_asset).can_see_image? %>
<%= render MediaAssetComponent.new(media_asset: @media_asset) %>
<% end %>
<table class="striped aligned-vertical"> <table class="striped aligned-vertical">
<% if @post.present? %> <% if @post.present? %>
@@ -12,10 +14,12 @@
</tr> </tr>
<% end %> <% end %>
<tr> <% if policy(@media_asset).can_see_image? %>
<th>MD5</th> <tr>
<td><%= @media_asset.md5 %></td> <th>MD5</th>
</tr> <td><%= @media_asset.md5 %></td>
</tr>
<% end %>
<% @media_asset.metadata.sort.each do |key, value| %> <% @media_asset.metadata.sort.each do |key, value| %>
<tr> <tr>

9
test/functional/media_assets_controller_test.rb
View File

@@ -25,6 +25,15 @@ class MediaAssetsControllerTest < ActionDispatch::IntegrationTest
assert_response :success assert_response :success
end end
should "not show the md5 for assets belonging to posts not visible to the current user" do
@media_asset = create(:media_asset)
@post = create(:post, md5: @media_asset.md5, is_banned: true)
get media_asset_path(@media_asset), as: :json
assert_response :success
assert_equal(nil, response.parsed_body[:md5])
end
end end
end end
end end