Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upload files from a URL #3386

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Upload files from a URL #3386

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
21e2e40
add uppy URL upload config
Floppy Jan 13, 2025
73cbbc6
routes and working url_meta for URL uploading
Floppy Jan 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion app/assets/stylesheets/entrypoints/application.scss
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,11 +19,13 @@ $ra-font-path: "https://cdn.jsdelivr.net/npm/rpg-awesome@0.2.0/fonts";

@import '@uppy/core/dist/style.min';
@import '@uppy/dashboard/dist/style.min';
@import '@uppy/url/dist/style.min';

.selectize-control {
padding: 1px;
}

p.alert:empty, p.notice:empty {
p.alert:empty,
p.notice:empty {
display: none;
}
21 changes: 21 additions & 0 deletions app/controllers/uppy_companion_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
class UppyCompanionController < ApplicationController
skip_forgery_protection

Check failure

Code scanning / CodeQL

CSRF protection weakened or disabled High

Potential CSRF vulnerability due to forgery protection being disabled or weakened.

Copilot Autofix AI 21 days ago

To fix the problem, we need to re-enable CSRF protection for the UppyCompanionController by removing the skip_forgery_protection call. This will ensure that all actions within the controller require a valid CSRF token, mitigating the risk of CSRF attacks.

  1. Remove the skip_forgery_protection call on line 2.
  2. Ensure that the protect_from_forgery method is used with the with: :exception option to raise an exception on an invalid CSRF token.
Suggested changeset 1
app/controllers/uppy_companion_controller.rb

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/controllers/uppy_companion_controller.rb b/app/controllers/uppy_companion_controller.rb
--- a/app/controllers/uppy_companion_controller.rb
+++ b/app/controllers/uppy_companion_controller.rb
@@ -1,3 +1,3 @@
 class UppyCompanionController < ApplicationController
-  skip_forgery_protection
+  protect_from_forgery with: :exception
 
EOF
@@ -1,3 +1,3 @@
class UppyCompanionController < ApplicationController
skip_forgery_protection
protect_from_forgery with: :exception

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options

def url_meta
authorize :model, :new?
# Do HEAD request for url
response = Faraday.head params[:url]

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The URL of this request depends on a
user-provided value
Loading
.

Copilot Autofix AI 21 days ago

To fix the problem, we need to ensure that the user-provided URL is validated against a list of authorized URLs or restricted to a particular host or URL prefix. This can be achieved by maintaining a list of allowed hosts and checking if the user-provided URL belongs to one of these hosts before making the request.

  1. Create a list of allowed hosts.
  2. Parse the user-provided URL and check if its host is in the list of allowed hosts.
  3. If the host is not allowed, return an error response.
  4. If the host is allowed, proceed with the request.
Suggested changeset 1
app/controllers/uppy_companion_controller.rb

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/controllers/uppy_companion_controller.rb b/app/controllers/uppy_companion_controller.rb
--- a/app/controllers/uppy_companion_controller.rb
+++ b/app/controllers/uppy_companion_controller.rb
@@ -1 +1,3 @@
+require 'uri'
+
 class UppyCompanionController < ApplicationController
@@ -5,10 +7,16 @@
     authorize :model, :new?
-    # Do HEAD request for url
-    response = Faraday.head params[:url]
-    render json: {
-      name: response.headers["filename"],
-      type: response.headers["content-type"],
-      size: response.headers["content-length"],
-      status_code: response.status
-    }
+    url = params[:url]
+    uri = URI.parse(url)
+    if ALLOWED_HOSTS.include?(uri.host)
+      # Do HEAD request for url
+      response = Faraday.head url
+      render json: {
+        name: response.headers["filename"],
+        type: response.headers["content-type"],
+        size: response.headers["content-length"],
+        status_code: response.status
+      }
+    else
+      render status: :bad_request, json: { error: "Invalid URL" }
+    end
   end
@@ -17,4 +25,10 @@
     authorize :model, :new?
-    Faraday.get params[:url]
-    render status: :internal_server_error, json: {}
+    url = params[:url]
+    uri = URI.parse(url)
+    if ALLOWED_HOSTS.include?(uri.host)
+      Faraday.get url
+      render status: :ok, json: {}
+    else
+      render status: :bad_request, json: { error: "Invalid URL" }
+    end
   end
EOF
@@ -1 +1,3 @@
require 'uri'

class UppyCompanionController < ApplicationController
@@ -5,10 +7,16 @@
authorize :model, :new?
# Do HEAD request for url
response = Faraday.head params[:url]
render json: {
name: response.headers["filename"],
type: response.headers["content-type"],
size: response.headers["content-length"],
status_code: response.status
}
url = params[:url]
uri = URI.parse(url)
if ALLOWED_HOSTS.include?(uri.host)
# Do HEAD request for url
response = Faraday.head url
render json: {
name: response.headers["filename"],
type: response.headers["content-type"],
size: response.headers["content-length"],
status_code: response.status
}
else
render status: :bad_request, json: { error: "Invalid URL" }
end
end
@@ -17,4 +25,10 @@
authorize :model, :new?
Faraday.get params[:url]
render status: :internal_server_error, json: {}
url = params[:url]
uri = URI.parse(url)
if ALLOWED_HOSTS.include?(uri.host)
Faraday.get url
render status: :ok, json: {}
else
render status: :bad_request, json: { error: "Invalid URL" }
end
end
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
render json: {
name: response.headers["filename"],
type: response.headers["content-type"],
size: response.headers["content-length"],
status_code: response.status
}
end

def url_get
authorize :model, :new?
Faraday.get params[:url]

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The URL of this request depends on a
user-provided value
Loading
.

Copilot Autofix AI 21 days ago

To fix the problem, we need to ensure that the user-provided URL is validated against a list of authorized URLs or restricted to a particular host or URL prefix. This can be achieved by maintaining a list of allowed domains and checking if the user-provided URL belongs to one of these domains before making the request.

We will:

  1. Define a list of allowed domains.
  2. Parse the user-provided URL and check if its host is in the list of allowed domains.
  3. Only proceed with the request if the URL is valid.
Suggested changeset 1
app/controllers/uppy_companion_controller.rb

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/controllers/uppy_companion_controller.rb b/app/controllers/uppy_companion_controller.rb
--- a/app/controllers/uppy_companion_controller.rb
+++ b/app/controllers/uppy_companion_controller.rb
@@ -1 +1,3 @@
+require 'uri'
+
 class UppyCompanionController < ApplicationController
@@ -5,10 +7,16 @@
     authorize :model, :new?
-    # Do HEAD request for url
-    response = Faraday.head params[:url]
-    render json: {
-      name: response.headers["filename"],
-      type: response.headers["content-type"],
-      size: response.headers["content-length"],
-      status_code: response.status
-    }
+    url = params[:url]
+    uri = URI.parse(url)
+    if ALLOWED_DOMAINS.include?(uri.host)
+      # Do HEAD request for url
+      response = Faraday.head url
+      render json: {
+        name: response.headers["filename"],
+        type: response.headers["content-type"],
+        size: response.headers["content-length"],
+        status_code: response.status
+      }
+    else
+      render status: :bad_request, json: { error: "Invalid URL" }
+    end
   end
@@ -17,4 +25,10 @@
     authorize :model, :new?
-    Faraday.get params[:url]
-    render status: :internal_server_error, json: {}
+    url = params[:url]
+    uri = URI.parse(url)
+    if ALLOWED_DOMAINS.include?(uri.host)
+      Faraday.get url
+      render status: :ok, json: {}
+    else
+      render status: :bad_request, json: { error: "Invalid URL" }
+    end
   end
EOF
@@ -1 +1,3 @@
require 'uri'

class UppyCompanionController < ApplicationController
@@ -5,10 +7,16 @@
authorize :model, :new?
# Do HEAD request for url
response = Faraday.head params[:url]
render json: {
name: response.headers["filename"],
type: response.headers["content-type"],
size: response.headers["content-length"],
status_code: response.status
}
url = params[:url]
uri = URI.parse(url)
if ALLOWED_DOMAINS.include?(uri.host)
# Do HEAD request for url
response = Faraday.head url
render json: {
name: response.headers["filename"],
type: response.headers["content-type"],
size: response.headers["content-length"],
status_code: response.status
}
else
render status: :bad_request, json: { error: "Invalid URL" }
end
end
@@ -17,4 +25,10 @@
authorize :model, :new?
Faraday.get params[:url]
render status: :internal_server_error, json: {}
url = params[:url]
uri = URI.parse(url)
if ALLOWED_DOMAINS.include?(uri.host)
Faraday.get url
render status: :ok, json: {}
else
render status: :bad_request, json: { error: "Invalid URL" }
end
end
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
render status: :internal_server_error, json: {}
end
end
2 changes: 2 additions & 0 deletions app/javascript/src/uploads.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import Uppy from '@uppy/core'
import Dashboard from '@uppy/dashboard'
import Tus from '@uppy/tus'
import Url from '@uppy/url'

import en from '@uppy/locales/lib/en_US'
import fr from '@uppy/locales/lib/fr_FR'
Expand Down Expand Up @@ -29,6 +30,7 @@ document.addEventListener('ManyfoldReady', () => {
showRemoveButtonAfterComplete: true,
hideProgressAfterFinish: true
})
.use(Url, { companionUrl: '/' })
.use(Tus, {
endpoint: settings.uploadEndpoint ?? '/upload',
chunkSize: 5 * 1024 * 1024
Expand Down
2 changes: 2 additions & 0 deletions config/routes.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,5 +124,7 @@

authenticate :user, lambda { |u| u.is_contributor? } do
mount Tus::Server => "/upload", :as => :upload
post "/url/meta" => "uppy_companion#url_meta"
post "/url/get" => "uppy_companion#url_get"
end
end
1 change: 1 addition & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
"@uppy/form": "^4.1.1",
"@uppy/locales": "^4.5.0",
"@uppy/tus": "^4.2.1",
"@uppy/url": "^4.2.1",
"autoprefixer": "^10.4.20",
"bootstrap": "^5.3.3",
"bootstrap-icons": "^1.11.3",
Expand Down
18 changes: 18 additions & 0 deletions spec/requests/uppy_companion_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
require 'rails_helper'

RSpec.describe "UppyCompanions", type: :request do
describe "GET /url_meta" do
it "returns http success" do
get "/uppy_companion/url_meta"
expect(response).to have_http_status(:success)
end
end

describe "GET /url_get" do
it "returns http success" do
get "/uppy_companion/url_get"
expect(response).to have_http_status(:success)
end
end

end
15 changes: 15 additions & 0 deletions yarn.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading