2019-05-13-01 (#3860)

2019-05-13-01
This commit is contained in:
Pierre de La Morinerie 2019-05-13 12:45:30 +02:00 committed by GitHub
commit 64da597dae
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 20 additions and 44 deletions

View file

@ -35,12 +35,16 @@ class ActiveStorage::VirusScanner
end
def metadata
download_blob_to_tempfile do |file|
if ClamavService.safe_file?(file.path)
{ virus_scan_result: SAFE, scanned_at: Time.zone.now }
else
{ virus_scan_result: INFECTED, scanned_at: Time.zone.now }
begin
download_blob_to_tempfile do |file|
if ClamavService.safe_file?(file.path)
{ virus_scan_result: SAFE, scanned_at: Time.zone.now }
else
{ virus_scan_result: INFECTED, scanned_at: Time.zone.now }
end
end
rescue StandardError => e
Raven.capture_exception(e)
end
end
end

View file

@ -22,17 +22,6 @@ class Helpscout::API
})
end
def add_custom_fields(conversation_id, dossier_id, browser)
body = {
'Dossier ID': dossier_id,
'Browser': browser
}.compact.map do |key, value|
{ id: custom_fields[key], value: value }
end
call_api(:put, "#{CONVERSATIONS}/#{conversation_id}/#{FIELDS}", { fields: body })
end
def create_conversation(email, subject, text, file)
body = {
subject: subject,

View file

@ -41,8 +41,6 @@ class Helpscout::FormAdapter
if conversation_id.present?
add_tags(conversation_id)
add_custom_fields(conversation_id)
true
else
false
@ -55,10 +53,6 @@ class Helpscout::FormAdapter
@api.add_tags(conversation_id, params[:tags])
end
def add_custom_fields(conversation_id)
@api.add_custom_fields(conversation_id, params[:dossier_id], params[:browser])
end
def create_conversation
response = @api.create_conversation(
params[:email],

View file

@ -20,7 +20,7 @@ class AttestationTemplateLogoUploader < BaseUploader
# Add a white list of extensions which are allowed to be uploaded.
# For images you might use something like this:
def extension_white_list
def extension_whitelist
['jpg', 'jpeg', 'png']
end

View file

@ -20,7 +20,7 @@ class AttestationTemplateSignatureUploader < BaseUploader
# Add a white list of extensions which are allowed to be uploaded.
# For images you might use something like this:
def extension_white_list
def extension_whitelist
['jpg', 'jpeg', 'png']
end

View file

@ -13,11 +13,11 @@ class CommentaireFileUploader < BaseUploader
"uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
end
def extension_white_list
def extension_whitelist
['pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp', 'jpg', 'jpeg', 'png', 'zip', 'txt']
end
def accept_extension_list
extension_white_list.map { |e| ".#{e}" }.join(",")
extension_whitelist.map { |e| ".#{e}" }.join(",")
end
end

View file

@ -18,7 +18,7 @@ class PieceJustificativeUploader < BaseUploader
# Add a white list of extensions which are allowed to be uploaded.
# For images you might use something like this:
def extension_white_list
def extension_whitelist
['pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp', 'jpg', 'jpeg', 'png']
end

View file

@ -20,7 +20,7 @@ class ProcedureLogoUploader < BaseUploader
# Add a white list of extensions which are allowed to be uploaded.
# For images you might use something like this:
def extension_white_list
def extension_whitelist
['jpg', 'jpeg', 'png']
end

View file

@ -1,18 +1,11 @@
Rails.application.config.content_security_policy do |policy|
# En cas de non respect d'une des règles, faire un POST sur cette URL
policy.report_uri "https://e30e0ed9c14194254481124271b34a72.report-uri.com/r/d/csp/reportOnly"
policy.report_uri "https://demarches-simplifiees.report-uri.com/r/d/csp/reportOnly"
# Whitelist image
policy.img_src :self, "https://*.openstreetmap.org"
# Whitelist JS: nous, sendinblue et matomo, et… miniprofiler :(
if Rails.env.development?
# https://github.com/MiniProfiler/rack-mini-profiler/issues/327
policy.script_src :self, "https://sibautomation.com", "//stats.data.gouv.fr", :unsafe_eval, :unsafe_inline
else
policy.script_src :self, "https://sibautomation.com", "//stats.data.gouv.fr"
end
# Génération d'un nonce pour les balises script inline qu'on maitrise (Gon)
Rails.application.config.content_security_policy_nonce_generator = -> _request { SecureRandom.base64(16) }
policy.img_src :self, "*.openstreetmap.org", "static.demarches-simplifiees.fr", "*.cloud.ovh.net", "stats.data.gouv.fr"
# Whitelist JS: nous, sendinblue et matomo
# miniprofiler et nous avons quelques boutons inline :(
policy.script_src :self, "*.sibautomation.com", "stats.data.gouv.fr", "*.sendinblue.com", :unsafe_eval, :unsafe_inline
# Pour les CSS, on a beaucoup de style inline et quelques balises <style>
# c'est trop compliqué pour être rectifié immédiatement (et sans valeur ajoutée:
# c'est hardcodé dans les vues, donc pas injectable).

View file

@ -62,8 +62,6 @@ describe Helpscout::FormAdapter do
.with(email, subject, text, nil)
expect(api).to have_received(:add_tags)
.with(conversation_id, tags)
expect(api).to have_received(:add_custom_fields)
.with(conversation_id, nil, nil)
end
end
@ -102,8 +100,6 @@ describe Helpscout::FormAdapter do
.with(email, subject, text, nil)
expect(api).to have_received(:add_phone_number)
.with(email, phone)
expect(api).to have_received(:add_custom_fields)
.with(conversation_id, nil, nil)
end
end
end