debian-mirror-gitlab/lib/uploaded_file.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

115 lines
3 KiB
Ruby
Raw Permalink Normal View History

2018-12-13 13:39:08 +05:30
# frozen_string_literal: true
2015-11-26 14:37:03 +05:30
require "tempfile"
2018-05-09 12:01:36 +05:30
require "tmpdir"
2015-11-26 14:37:03 +05:30
require "fileutils"
class UploadedFile
2018-05-09 12:01:36 +05:30
InvalidPathError = Class.new(StandardError)
2019-12-21 20:55:43 +05:30
UnknownSizeError = Class.new(StandardError)
2018-05-09 12:01:36 +05:30
2015-11-26 14:37:03 +05:30
# The filename, *not* including the path, of the "uploaded" file
attr_reader :original_filename
# The tempfile
attr_reader :tempfile
# The content type of the "uploaded" file
attr_accessor :content_type
2018-05-09 12:01:36 +05:30
attr_reader :remote_id
attr_reader :sha256
2019-12-21 20:55:43 +05:30
attr_reader :size
2021-12-11 22:18:48 +05:30
attr_reader :upload_duration
2019-12-21 20:55:43 +05:30
2021-12-11 22:18:48 +05:30
def initialize(path, filename: nil, content_type: "application/octet-stream", sha256: nil, remote_id: nil, size: nil, upload_duration: nil)
2019-12-21 20:55:43 +05:30
if path.present?
raise InvalidPathError, "#{path} file does not exist" unless ::File.exist?(path)
@tempfile = File.new(path, 'rb')
@size = @tempfile.size
else
begin
@size = Integer(size)
rescue ArgumentError, TypeError
raise UnknownSizeError, 'Unable to determine file size'
end
end
2015-11-26 14:37:03 +05:30
2021-12-11 22:18:48 +05:30
begin
@upload_duration = Float(upload_duration)
rescue ArgumentError, TypeError
@upload_duration = 0
end
2015-11-26 14:37:03 +05:30
@content_type = content_type
2019-12-21 20:55:43 +05:30
@original_filename = sanitize_filename(filename || path || '')
2018-05-09 12:01:36 +05:30
@content_type = content_type
@sha256 = sha256
@remote_id = remote_id
2015-11-26 14:37:03 +05:30
end
2021-03-08 18:12:59 +05:30
def self.from_params(params, upload_paths)
2020-11-24 15:15:51 +05:30
path = params['path']
remote_id = params['remote_id']
return if path.blank? && remote_id.blank?
# don't use file_path if remote_id is set
if remote_id.present?
file_path = nil
elsif path.present?
file_path = File.realpath(path)
unless self.allowed_path?(file_path, Array(upload_paths).compact)
raise InvalidPathError, "insecure path used '#{file_path}'"
end
end
UploadedFile.new(
file_path,
filename: params['name'],
content_type: params['type'] || 'application/octet-stream',
sha256: params['sha256'],
remote_id: remote_id,
2021-12-11 22:18:48 +05:30
size: params['size'],
upload_duration: params['upload_duration']
).tap do |uploaded_file|
::Gitlab::Instrumentation::Uploads.track(uploaded_file)
end
2020-11-24 15:15:51 +05:30
end
2018-05-09 12:01:36 +05:30
def self.allowed_path?(file_path, paths)
paths.any? do |path|
File.exist?(path) && file_path.start_with?(File.realpath(path))
end
end
2018-11-08 19:23:39 +05:30
# copy-pasted from CarrierWave::SanitizedFile
def sanitize_filename(name)
name = name.tr("\\", "/") # work-around for IE
name = ::File.basename(name)
name = name.gsub(CarrierWave::SanitizedFile.sanitize_regexp, "_")
name = "_#{name}" if name =~ /\A\.+\z/
name = "unnamed" if name.empty?
name.mb_chars.to_s
end
2015-11-26 14:37:03 +05:30
def path
2019-12-21 20:55:43 +05:30
@tempfile&.path
end
def close
@tempfile&.close
2015-11-26 14:37:03 +05:30
end
alias_method :local_path, :path
def method_missing(method_name, *args, &block) #:nodoc:
2018-03-17 18:26:18 +05:30
@tempfile.__send__(method_name, *args, &block) # rubocop:disable GitlabSecurity/PublicSend
2015-11-26 14:37:03 +05:30
end
def respond_to?(method_name, include_private = false) #:nodoc:
@tempfile.respond_to?(method_name, include_private) || super
end
end