add skip_ssrf_protection config
Yohta Kimura committed Sep 5, 2023
1 parent 8815592 commit fb74a1d
Showing 3 changed files with 22 additions and 7 deletions.
2 changes: 1 addition & 1 deletion lib/carrierwave/downloader/base.rb
@@ -94,7 +94,7 @@ def process_uri(source)
# my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
#
def skip_ssrf_protection?(uri)
false
@uploader.skip_ssrf_protection
end
end
end
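Review bot: `skip_ssrf_protection?` now appears to return the raw config value, so any truthy setting switches the SSRF check off and the `uri` argument is no longer consulted. In Ruby a string such as `"false"` or `"0"` (for example, a value copied from an environment variable) is truthy, so a misconfiguration fails open. A strict comparison, `@uploader.skip_ssrf_protection == true`, keeps the protection on unless the option is explicitly the boolean true. The doc comment above the method starts outside the hunk; it would be worth stating there that the option applies to every download URL, including user-supplied ones, and that overriding this method in a custom downloader (as that comment seems to describe) is the way to exempt only specific hosts.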
2 changes: 2 additions & 0 deletions lib/carrierwave/uploader/configuration.rb
@@ -47,6 +47,7 @@ module Configuration
add_config :cache_only
add_config :download_retry_count
add_config :download_retry_wait_time
add_config :skip_ssrf_protection

# set default values
reset_config
@@ -216,6 +217,7 @@ def reset_config
config.ensure_multipart_form = true
config.download_retry_count = 0
config.download_retry_wait_time = 5
config.skip_ssrf_protection = false
end
end
end
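Review bot: The new `skip_ssrf_protection` option is registered and given its default without any comment saying what it turns off. A line above `config.skip_ssrf_protection = false` in `reset_config`, such as `# Leave false unless every download URL is trusted: true lets remote URL downloads reach local addresses such as localhost.`, would make the risk visible where settings tend to be copied from. Both `Configuration` and `reset_config` start outside the hunks shown.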
25 changes: 19 additions & 6 deletions spec/downloader/base_spec.rb
@@ -267,14 +267,27 @@
end

describe "#skip_ssrf_protection?" do
let(:uri) { 'http://localhost/test.jpg' }
before do
WebMock.stub_request(:get, uri).to_return(body: file)
allow(subject).to receive(:skip_ssrf_protection?).and_return(true)
context "when ssrf_protection is skipped" do
let(:uri) { 'http://localhost/test.jpg' }
before do
WebMock.stub_request(:get, uri).to_return(body: file)
allow(subject).to receive(:skip_ssrf_protection?).and_return(true)
end

it "allows local request to be made" do
expect(subject.download(uri).read).to eq 'this is stuff'
end
end

it "allows local request to be made" do
expect(subject.download(uri).read).to eq 'this is stuff'
context 'skip_ssrf_protection configuration' do
it 'defaults to false' do
expect(subject.skip_ssrf_protection?(uri)).to be_falsey
end

it 'can be configured by skip_ssrf_protection config' do
uploader.skip_ssrf_protection = true
expect(subject.skip_ssrf_protection?(uri)).to be_truthy
end
end
end
end
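Review bot: Nothing in these examples verifies that the config value actually changes download behaviour: the two new ones in `'skip_ssrf_protection configuration'` assert only the predicate's return value, while the download example in `"when ssrf_protection is skipped"` still stubs `skip_ssrf_protection?` itself. An additional example that sets `uploader.skip_ssrf_protection = true` instead of the `allow(subject).to receive(:skip_ssrf_protection?)` stub, plus one asserting that the same localhost download is refused with the default, would cover the path users will rely on. The configuration context also uses `uri` while the visible `let(:uri)` sits inside the other context, so it presumably depends on a `let` defined outside this hunk; the enclosing describe block starts outside the hunk as well.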
