From f0ed61cce8e7faae90a3b3923eedc17a27118023 Mon Sep 17 00:00:00 2001
From: pedong
Date: Tue, 7 May 2019 13:20:20 +0200
Subject: [PATCH 1/4] Carrierwave: change the method name to extension_whitelist for filter uploader file extension
---
 app/uploaders/attestation_template_logo_uploader.rb | 2 +-
 app/uploaders/attestation_template_signature_uploader.rb | 2 +-
 app/uploaders/commentaire_file_uploader.rb | 4 ++--
 app/uploaders/piece_justificative_uploader.rb | 2 +-
 app/uploaders/procedure_logo_uploader.rb | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/uploaders/attestation_template_logo_uploader.rb b/app/uploaders/attestation_template_logo_uploader.rb
index 53bc01a56..49be9500b 100644
--- a/app/uploaders/attestation_template_logo_uploader.rb
+++ b/app/uploaders/attestation_template_logo_uploader.rb
@@ -20,7 +20,7 @@ class AttestationTemplateLogoUploader < BaseUploader
 # Add a white list of extensions which are allowed to be uploaded.
 # For images you might use something like this:
- def extension_white_list
+ def extension_whitelist
 ['jpg', 'jpeg', 'png']
 end
diff --git a/app/uploaders/attestation_template_signature_uploader.rb b/app/uploaders/attestation_template_signature_uploader.rb
index e42f81996..12110868d 100644
--- a/app/uploaders/attestation_template_signature_uploader.rb
+++ b/app/uploaders/attestation_template_signature_uploader.rb
@@ -20,7 +20,7 @@ class AttestationTemplateSignatureUploader < BaseUploader
 # Add a white list of extensions which are allowed to be uploaded.
 # For images you might use something like this:
- def extension_white_list
+ def extension_whitelist
 ['jpg', 'jpeg', 'png']
 end
diff --git a/app/uploaders/commentaire_file_uploader.rb b/app/uploaders/commentaire_file_uploader.rb
index 1249c94c5..250cd23d5 100644
--- a/app/uploaders/commentaire_file_uploader.rb
+++ b/app/uploaders/commentaire_file_uploader.rb
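Review bot: The renamed `extension_whitelist` hook in AttestationTemplateLogoUploader only restricts uploads if it is the exact name the installed CarrierWave version dispatches to; a hook with a non-matching name is ordinary dead code and the uploader then accepts every extension without raising anything, and the same applies to the identical renames in attestation_template_signature_uploader.rb, commentaire_file_uploader.rb, piece_justificative_uploader.rb and procedure_logo_uploader.rb. The Gemfile.lock is not part of this patch, so the gem version cannot be confirmed from here; a spec that mounts one of these uploaders, uploads a file with a disallowed extension and asserts a `CarrierWave::IntegrityError` would pin the behaviour and catch a future rename silently disabling the filter. Note also that this check inspects only the filename extension, not the file contents; if the CarrierWave version in use provides `content_type_whitelist`, declaring it alongside would add a second, independent check. The generator comment `# For images you might use something like this:` is stale for these uploaders and could be replaced by `# Only these extensions are accepted; any other upload is rejected with CarrierWave::IntegrityError.`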
@@ -13,11 +13,11 @@ class CommentaireFileUploader < BaseUploader
 "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
 end
- def extension_white_list
+ def extension_whitelist
 ['pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp', 'jpg', 'jpeg', 'png', 'zip', 'txt']
 end
 def accept_extension_list
- extension_white_list.map { |e| ".#{e}" }.join(",")
+ extension_whitelist.map { |e| ".#{e}" }.join(",")
 end
 end
diff --git a/app/uploaders/piece_justificative_uploader.rb b/app/uploaders/piece_justificative_uploader.rb
index 62cdb6c40..5b81cc3e4 100644
--- a/app/uploaders/piece_justificative_uploader.rb
+++ b/app/uploaders/piece_justificative_uploader.rb
@@ -18,7 +18,7 @@ class PieceJustificativeUploader < BaseUploader
 # Add a white list of extensions which are allowed to be uploaded.
 # For images you might use something like this:
- def extension_white_list
+ def extension_whitelist
 ['pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'odt', 'ods', 'odp', 'jpg', 'jpeg', 'png']
 end
diff --git a/app/uploaders/procedure_logo_uploader.rb b/app/uploaders/procedure_logo_uploader.rb
index 6538230b6..68a110993 100644
--- a/app/uploaders/procedure_logo_uploader.rb
+++ b/app/uploaders/procedure_logo_uploader.rb
@@ -20,7 +20,7 @@ class ProcedureLogoUploader < BaseUploader
 # Add a white list of extensions which are allowed to be uploaded.
 # For images you might use something like this:
- def extension_white_list
+ def extension_whitelist
 ['jpg', 'jpeg', 'png']
 end
From 675cc5150c05d0f19e8ab9a1b61f0c07e4d98453 Mon Sep 17 00:00:00 2001
From: clemkeirua
Date: Thu, 9 May 2019 14:55:21 +0200
Subject: [PATCH 2/4] update on the security policy headers
---
 config/initializers/content_security_policy.rb | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index b58d8af0e..0547856ad 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,18 +1,11 @@
 Rails.application.config.content_security_policy do |policy|
 # En cas de non respect d'une des règles, faire un POST sur cette URL
- policy.report_uri "https://e30e0ed9c14194254481124271b34a72.report-uri.com/r/d/csp/reportOnly"
+ policy.report_uri "https://demarches-simplifiees.report-uri.com/r/d/csp/reportOnly"
 # Whitelist image
- policy.img_src :self, "https://*.openstreetmap.org"
- # Whitelist JS: nous, sendinblue et matomo, et… miniprofiler :(
- if Rails.env.development?
- # https://github.com/MiniProfiler/rack-mini-profiler/issues/327
- policy.script_src :self, "https://sibautomation.com", "//stats.data.gouv.fr", :unsafe_eval, :unsafe_inline
- else
- policy.script_src :self, "https://sibautomation.com", "//stats.data.gouv.fr"
- end
- # Génération d'un nonce pour les balises script inline qu'on maitrise (Gon)
- Rails.application.config.content_security_policy_nonce_generator = -> _request { SecureRandom.base64(16) }
-
+ policy.img_src :self, "*.openstreetmap.org", "static.demarches-simplifiees.fr", "*.cloud.ovh.net", "stats.data.gouv.fr"
+ # Whitelist JS: nous, sendinblue et matomo # miniprofiler et nous avons quelques boutons inline :(
+ policy.script_src :self, "*.sibautomation.com", "stats.data.gouv.fr", "*.sendinblue.com", :unsafe_eval, :unsafe_inline
 # Pour les CSS, on a beaucoup de style inline et quelques balises