Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use application tmp dir for product import #12649

Merged
merged 4 commits into from
Jul 11, 2024
Merged

Use application tmp dir for product import #12649

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
cc1fa7f
Always avoid error on redirect_to
dacook Jul 9, 2024
823614c
Always delete uploaded file on error
dacook Jul 9, 2024
ca61228
Use Rails tmp dir for product imports again
dacook Jul 9, 2024
2ab6bcb
Use system method to generate temporary file path
dacook Jul 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 15 additions & 4 deletions app/controllers/admin/product_import_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@

module Admin
class ProductImportController < Spree::Admin::BaseController
TMPDIR_PREFIX = "product_import-"

before_action :validate_upload_presence, except: %i[index guide validate_data]

def index
Expand Down Expand Up @@ -101,8 +103,7 @@ def check_spreadsheet_has_data(importer)

def save_uploaded_file(upload)
extension = File.extname(upload.original_filename)
directory = Dir.mktmpdir 'product_import'
File.open(File.join(directory, "import#{extension}"), 'wb') do |f|
File.open(File.join(mktmpdir, "import#{extension}"), 'wb') do |f|
data = UploadSanitizer.new(upload.read).call
f.write(data)
f.path
Expand All @@ -126,6 +127,16 @@ def model_class
ProductImport::ProductImporter
end

def mktmpdir
tmpdir = tmpdir_base + SecureRandom.hex(6)
Dir.mkdir(tmpdir)
tmpdir
end

def tmpdir_base
Rails.root.join('tmp', TMPDIR_PREFIX).to_s
end
Comment on lines +134 to +136
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be a constant which can then be re-used in specs.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The knowledge of the path construction is in multiple places now as well. Instead of having a directory name prefix, we could just create a directory tmp/product_import/ and then have random filenames within. Would that make more sense?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah that would probably make more sense, but we would need to re-implement without Dir::Tmpname.create (which handles name collisions for us).
Hmm, I guess that's what make_tmpname mentioned in #3435 is for, but that method was abandoned on that PR. I forget why, but as you say I don't think we should put more energy in ;)


def file_path
@file_path ||= validate_file_path(sanitize_file_path(params[:filepath]))
end
Expand All @@ -134,8 +145,9 @@ def sanitize_file_path(file_path)
FilePathSanitizer.new.sanitize(file_path, on_error: method(:raise_invalid_file_path))
end

# Ensure file is under the safe tmp directory
def validate_file_path(file_path)
return file_path if file_path.to_s.match?(TEMP_FILE_PATH_REGEX)
return file_path if file_path.to_s.match?(%r{^#{tmpdir_base}[A-Za-z0-9-]*/import\.csv$})

raise_invalid_file_path
end
Expand All @@ -145,6 +157,5 @@ def raise_invalid_file_path
notice: I18n.t(:product_import_no_data_in_spreadsheet_notice)
raise 'Invalid File Path'
end
TEMP_FILE_PATH_REGEX = %r{^/tmp/product_import[A-Za-z0-9-]*/import\.csv$}
end
end
22 changes: 12 additions & 10 deletions spec/controllers/admin/product_import_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,46 +4,48 @@

RSpec.describe Admin::ProductImportController, type: :controller do
describe 'validate_file_path' do
let(:tmp_directory_base) { Rails.root.join("tmp/product_import-") }

before do
# Avoid error on redirect_to
allow(controller).to receive(:raise_invalid_file_path).and_return(false)
end

context 'file extension' do
it 'should authorize csv extension' do
path = '/tmp/product_import123/import.csv'
path = "#{tmp_directory_base}123/import.csv"
expect(controller.__send__(:validate_file_path, path)).to be_truthy
end

it 'should reject other extensions' do
path = '/tmp/product_import123/import.pdf'
path = "#{tmp_directory_base}123/import.pdf"
expect(controller.__send__(:validate_file_path, path)).to be_falsey
path1 = '/tmp/product_import123/import.xslx'
path1 = "#{tmp_directory_base}123/import.xslx"
expect(controller.__send__(:validate_file_path, path1)).to be_falsey
end
end

context 'folder path' do
it 'should authorize valid paths' do
path = '/tmp/product_import123/import.csv'
path = "#{tmp_directory_base}123/import.csv"
expect(controller.__send__(:validate_file_path, path)).to be_truthy
path1 = '/tmp/product_importabc/import.csv'
path1 = "#{tmp_directory_base}abc/import.csv"
expect(controller.__send__(:validate_file_path, path1)).to be_truthy
path2 = '/tmp/product_importABC-abc-123/import.csv'
path2 = "#{tmp_directory_base}ABC-abc-123/import.csv"
expect(controller.__send__(:validate_file_path, path2)).to be_truthy
end

it 'should reject invalid paths' do
path = '/tmp/product_import123/../etc/import.csv'
path = "#{tmp_directory_base}123/../etc/import.csv"
expect(controller.__send__(:validate_file_path, path)).to be_falsey

path1 = '/tmp/product_import../etc/import.csv'
path1 = "#{tmp_directory_base}../etc/import.csv"
expect(controller.__send__(:validate_file_path, path1)).to be_falsey

path2 = '/tmp/product_import132%2F..%2Fetc%2F/import.csv'
path2 = "#{tmp_directory_base}132%2F..%2Fetc%2F/import.csv"
expect(controller.__send__(:validate_file_path, path2)).to be_falsey

path3 = '/etc/tmp/product_import123/import.csv'
path3 = "/etc#{tmp_directory_base}123/import.csv"
expect(controller.__send__(:validate_file_path, path3)).to be_falsey
end
end
Expand Down