Merge pull request #3429 from betagouv/fix-3375

Fix 3375, do not expose an unsafe PJ
Pierre de La Morinerie 2019-02-19 18:16:28 +01:00 committed by GitHub
commit 6883acfcc9
3 changed files with 29 additions and 2 deletions


@ -49,7 +49,7 @@ class Champs::PieceJustificativeChamp < Champ
end end
def for_api def for_api
if piece_justificative_file.attached? if piece_justificative_file.attached? && virus_scan&.safe?
Rails.application.routes.url_helpers.url_for(piece_justificative_file) Rails.application.routes.url_helpers.url_for(piece_justificative_file)
end end
end end
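Review bot: The new condition on the `if` line makes `for_api` return nil for three distinct situations — nothing attached, no scan record at all (`virus_scan&.safe?` is nil-safe), and a scan that is pending or infected — and an API consumer cannot tell them apart, so the fail-closed choice deserves a comment above the method, e.g. `# Expose the download URL only once the attachment has a virus scan marked safe; nil otherwise (fail closed, including when no scan record exists yet).` Because `virus_scan` is dereferenced with `&.`, a scan record is presumably optional here; confirm whether an attached file can exist without one, since that path is not exercised by the new spec. The enclosing class `Champs::PieceJustificativeChamp` continues outside the hunk.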


@ -0,0 +1,24 @@
describe Champs::PieceJustificativeChamp do
describe '#for_api' do
let(:champ_pj) { create(:champ_piece_justificative) }
before { champ_pj.virus_scan.update(status: status) }
subject { champ_pj.for_api }
context 'when file is safe' do
let(:status) { 'safe' }
it { is_expected.to include("/rails/active_storage/blobs/") }
end
context 'when file is not scanned' do
let(:status) { 'pending' }
it { is_expected.to be_nil }
end
context 'when file is infected' do
let(:status) { 'infected' }
it { is_expected.to be_nil }
end
end
end
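Review bot: The spec covers the three scan statuses but not the two other branches of `for_api`: an attached file with no `virus_scan` record (the `&.` path) and a champ with nothing attached, both of which should yield nil. A context for each would pin the fail-closed behaviour, e.g. `context 'when there is no virus scan' do ... it { is_expected.to be_nil } end`. The shared `before { champ_pj.virus_scan.update(status: status) }` also assumes every context defines `status`; that holds today, but a top-level `let(:status)` default would make the file safer to extend. Blank lines between the `context` blocks would match the usual RSpec layout.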


@ -8,7 +8,10 @@ describe ChampSerializer do
let(:champ) { create(:champ_piece_justificative) } let(:champ) { create(:champ_piece_justificative) }
before { champ.piece_justificative_file.attach({ filename: __FILE__, io: File.open(__FILE__) }) } before do
champ.piece_justificative_file.attach({ filename: __FILE__, io: File.open(__FILE__) })
champ.reload.virus_scan.safe!
end
after { champ.piece_justificative_file.purge } after { champ.piece_justificative_file.purge }
it { is_expected.to include(value: url_for(champ.piece_justificative_file)) } it { is_expected.to include(value: url_for(champ.piece_justificative_file)) }
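Review bot: `File.open(__FILE__)` inside the new `before` block is never closed, so each example leaks a file handle; the block form, `File.open(__FILE__) { |io| champ.piece_justificative_file.attach(filename: __FILE__, io: io) }`, closes it deterministically (this assumes `attach` consumes the IO immediately, which the subsequent `champ.reload.virus_scan` suggests — confirm). `champ.reload.virus_scan.safe!` relies on the scan record being created as a side effect of attaching, which is not obvious from the spec; a comment such as `# attaching creates the virus_scan record; mark it safe so the serializer exposes the URL` would save the next reader a lookup. The serializer spec still only exercises the safe path, with the negative cases left to the champ spec. The enclosing `describe ChampSerializer` block starts and ends outside the hunk.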