Merge pull request #3429 from betagouv/fix-3375
Fix 3375, do not expose an unsafe PJ
commit
6883acfcc9
3 changed files with 29 additions and 2 deletions
|
@ -49,7 +49,7 @@ class Champs::PieceJustificativeChamp < Champ
|
|||
end
|
||||
|
||||
def for_api
|
||||
if piece_justificative_file.attached?
|
||||
if piece_justificative_file.attached? && virus_scan&.safe?
|
||||
Rails.application.routes.url_helpers.url_for(piece_justificative_file)
|
||||
end
|
||||
end
|
||||
|
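Review bot: The rewritten condition `if piece_justificative_file.attached? && virus_scan&.safe?` fails closed — a missing scan record, a pending scan and an infected scan all make `for_api` return nil — but nothing in the method says this is deliberate, so a later reader may "simplify" the safe-navigation back to `virus_scan.safe?` or drop the scan check as redundant with `attached?`. A one-line comment above the condition would pin the contract: `# Fail closed: publish the blob URL only once the antivirus scan has marked the file safe; no scan record or a non-safe status yields nil.` The `url_for` branch itself is unchanged, and the enclosing class continues outside the hunk.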
|
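--- a/spec/models/champs/piece_justificative_champ_spec.rb
+++ b/spec/models/champs/piece_justificative_champ_spec.rb
@@ -0,0 +1,24 @@
+describe Champs::PieceJustificativeChamp do
+  describe '#for_api' do
+    let(:champ_pj) { create(:champ_piece_justificative) }
+
+    before { champ_pj.virus_scan.update(status: status) }
+
+    subject { champ_pj.for_api }
+
+    context 'when file is safe' do
+      let(:status) { 'safe' }
+      it { is_expected.to include("/rails/active_storage/blobs/") }
+    end
+
+    context 'when file is not scanned' do
+      let(:status) { 'pending' }
+      it { is_expected.to be_nil }
+    end
+
+    context 'when file is infected' do
+      let(:status) { 'infected' }
+      it { is_expected.to be_nil }
+    end
+  end
+end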
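Review bot: The three contexts cover the `safe`, `pending` and `infected` statuses but not the case the production code is explicitly written for with `virus_scan&.safe?`: a champ whose `virus_scan` association is nil. That case cannot be expressed as another `status` value, because the shared `before { champ_pj.virus_scan.update(status: status) }` would raise on nil; it needs its own context that removes the scan record before calling `for_api` and asserts `be_nil`, e.g. `before { champ_pj.virus_scan.destroy; champ_pj.reload }`. Whether `create(:champ_piece_justificative)` always builds a scan record is not visible here, so confirm against the factory before adding it.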
@ -8,7 +8,10 @@ describe ChampSerializer do
|
|||
|
||||
let(:champ) { create(:champ_piece_justificative) }
|
||||
|
||||
before { champ.piece_justificative_file.attach({ filename: __FILE__, io: File.open(__FILE__) }) }
|
||||
before do
|
||||
champ.piece_justificative_file.attach({ filename: __FILE__, io: File.open(__FILE__) })
|
||||
champ.reload.virus_scan.safe!
|
||||
end
|
||||
after { champ.piece_justificative_file.purge }
|
||||
|
||||
it { is_expected.to include(value: url_for(champ.piece_justificative_file)) }
|
||||
|
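Review bot: With `champ.reload.virus_scan.safe!` added to the `before do` block, this serializer spec now exercises only the path where the URL is exposed, while the fail-closed path (`value: nil` for a pending or infected scan) is asserted only in the model spec. Since `ChampSerializer` is the API boundary this fix protects, a sibling context that omits the `safe!` call and expects `include(value: nil)` would pin the behaviour where it matters. The `describe ChampSerializer` block starts outside the hunk, so the existing `let`/`subject` setup it relies on is not visible here.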
|