jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix #3985: Uploads: 405 Method Not Allowed.

Browse Source
This commit is contained in:
evazion
2018-11-11 20:18:21 -06:00
parent 6a7cd6ce8e
commit 7524d52276
4 changed files with 36 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
app/logical/cloudflare_service.rb
View File

@@ -22,6 +22,15 @@ class CloudflareService
}) })
end end
def ips(expiry: 24.hours)
text, code = HttpartyCache.get("https://api.cloudflare.com/client/v4/ips", expiry: expiry)
return [] if code != 200
json = JSON.parse(text, symbolize_names: true)
ips = json[:result][:ipv4_cidrs] + json[:result][:ipv6_cidrs]
ips.map { |ip| IPAddr.new(ip) }
end
def delete(md5, ext) def delete(md5, ext)
url = "https://api.cloudflare.com/client/v4/zones/#{zone}/purge_cache" url = "https://api.cloudflare.com/client/v4/zones/#{zone}/purge_cache"
files = ["#{md5}.#{ext}", "preview/#{md5}.jpg", "sample/sample-#{md5}.jpg"].map do |name| files = ["#{md5}.#{ext}", "preview/#{md5}.jpg", "sample/sample-#{md5}.jpg"].map do |name|

38
app/logical/downloads/file.rb
View File

@@ -10,28 +10,6 @@ module Downloads
validate :validate_url validate :validate_url
# Prevent Cloudflare from potentially mangling the image. See issue #3528.
def uncached_url
url = file_url.dup
if is_cloudflare?
url.query_values = (url.query_values || {}).merge(danbooru_no_cache: SecureRandom.uuid)
end
url
end
def is_cloudflare?
return false if ENV["SKIP_CLOUDFLARE_CHECK"]
Cache.get("is_cloudflare:#{file_url.origin}", 4.hours) do
res = HTTParty.head(file_url, httparty_options)
raise Error.new("HTTP error code: #{res.code} #{res.message}") unless res.success?
res.key?("CF-Ray")
end
end
def initialize(url, referer=nil) def initialize(url, referer=nil)
@url = Addressable::URI.parse(url) rescue nil @url = Addressable::URI.parse(url) rescue nil
@referer = referer @referer = referer
@@ -79,6 +57,15 @@ module Downloads
end end
end # def end # def
# Prevent Cloudflare from potentially mangling the image. See issue #3528.
def uncached_url
return file_url unless is_cloudflare?(file_url)
url = file_url.dup
url.query_values = url.query_values.to_h.merge(danbooru_no_cache: SecureRandom.uuid)
url
end
def file_url def file_url
@file_url ||= Addressable::URI.parse(strategy.image_url) @file_url ||= Addressable::URI.parse(strategy.image_url)
end end
@@ -95,6 +82,13 @@ module Downloads
connection_adapter: ValidatingConnectionAdapter, connection_adapter: ValidatingConnectionAdapter,
}.deep_merge(Danbooru.config.httparty_options) }.deep_merge(Danbooru.config.httparty_options)
end end
def is_cloudflare?(url)
return false if ENV["SKIP_CLOUDFLARE_CHECK"]
ip_addr = IPAddr.new(Resolv.getaddress(url.hostname))
CloudflareService.new.ips.any? { |subnet| subnet.include?(ip_addr) }
end
end end
# Hook into HTTParty to validate the IP before following redirects. # Hook into HTTParty to validate the IP before following redirects.

6
test/unit/cloudflare_service_test.rb
View File

@@ -24,4 +24,10 @@ class CloudflareServiceTest < ActiveSupport::TestCase
end end
end end
end end
context "#ips" do
should "work" do
refute_empty(subject.ips)
end
end
end end

13
test/unit/downloads/file_test.rb
View File

@@ -9,13 +9,15 @@ module Downloads
end end
context "for a banned IP" do context "for a banned IP" do
setup do
Resolv.expects(:getaddress).returns("127.0.0.1").at_least_once
end
should "not try to download the file" do should "not try to download the file" do
Resolv.expects(:getaddress).returns("127.0.0.1")
assert_raise(Downloads::File::Error) { Downloads::File.new("http://evil.com").download! } assert_raise(Downloads::File::Error) { Downloads::File.new("http://evil.com").download! }
end end
should "not try to fetch the size" do should "not try to fetch the size" do
Resolv.expects(:getaddress).returns("127.0.0.1")
assert_raise(Downloads::File::Error) { Downloads::File.new("http://evil.com").size } assert_raise(Downloads::File::Error) { Downloads::File.new("http://evil.com").size }
end end
@@ -29,15 +31,9 @@ module Downloads
should "not follow redirects that resolve to a banned IP" do should "not follow redirects that resolve to a banned IP" do
url = "http://httpbin.org/redirect-to?url=http://127.0.0.1.nip.io" url = "http://httpbin.org/redirect-to?url=http://127.0.0.1.nip.io"
stub_request(:get, url).to_return(status: 301, headers: { "Location": "http://127.0.0.1.xip.io" }) stub_request(:get, url).to_return(status: 301, headers: { "Location": "http://127.0.0.1.xip.io" })
Resolv.expects(:getaddress).returns("127.0.0.1")
assert_raise(Downloads::File::Error) { Downloads::File.new(url).download! } assert_raise(Downloads::File::Error) { Downloads::File.new(url).download! }
end end
should "not send a HEAD request when checking for cloudflare" do
Resolv.expects(:getaddress).with("www.google.com").returns("127.0.0.1")
assert_raise(Downloads::File::Error) { @download.is_cloudflare? }
end
end end
context "that fails" do context "that fails" do
@@ -52,6 +48,7 @@ module Downloads
resp = stub("resp", success?: true) resp = stub("resp", success?: true)
HTTParty.expects(:get).twice.multiple_yields("a", bomb, "b", "c").then.multiple_yields("a", "b", "c").returns(resp) HTTParty.expects(:get).twice.multiple_yields("a", bomb, "b", "c").then.multiple_yields("a", "b", "c").returns(resp)
@download.stubs(:is_cloudflare?).returns(false)
tempfile, _ = @download.download! tempfile, _ = @download.download!
assert_equal("abc", tempfile.read) assert_equal("abc", tempfile.read)