Merge pull request #1300 from qichunren/fix_svg_upload_xss

Not allowed upload svg image currently, fixed XSS issue #1299
ruby-china · Oct 9, 2021 · 7fe2a0a · 7fe2a0a
2 parents e5f678b + 244e1b7
commit 7fe2a0a
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 6 deletions.
diff --git a/app/uploaders/base_uploader.rb b/app/uploaders/base_uploader.rb
@@ -23,7 +23,7 @@ def store_dir
   end
 
   def extension_allowlist
-    %w[jpg jpeg gif png svg]
+    %w[jpg jpeg gif png]
   end
 
   def allow_thumb?(url)

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -9,7 +9,7 @@ en:
     not_found: "Sorry, this have an unknown error with SSO login."
   errors:
     messages:
-      extension_whitelist_error: "Invalid file format, only image allowed [jpg, jpeg, gif, png, svg]"
+      extension_whitelist_error: "Invalid file format, only image allowed [jpg, jpeg, gif, png]"
   activerecord:
     enums:
       user:

diff --git a/config/locales/zh-CN.yml b/config/locales/zh-CN.yml
@@ -15,7 +15,7 @@
       verification_failed: "reCaptcha 验证不通过，请重试"
   errors:
     messages:
-      extension_whitelist_error: "仅允许图片文件上传 [jpg, jpeg, gif, png, svg]"
+      extension_whitelist_error: "仅允许图片文件上传 [jpg, jpeg, gif, png]"
   activerecord:
     enums:
       user:

diff --git a/test/uploaders/avatar_uploader_test.rb b/test/uploaders/avatar_uploader_test.rb
@@ -9,7 +9,7 @@ class AvatarUploaderTest < ActiveSupport::TestCase
 
     user = build(:user, avatar: not_an_image)
     assert_equal false, user.valid?
-    assert_equal ["Avatar Invalid file format, only image allowed [jpg, jpeg, gif, png, svg]"], user.errors.full_messages_for(:avatar)
+    assert_equal ["Avatar Invalid file format, only image allowed [jpg, jpeg, gif, png]"], user.errors.full_messages_for(:avatar)
 
     user = build(:user, avatar: image)
     assert_equal true, user.valid?

diff --git a/test/uploaders/photo_uploader_test.rb b/test/uploaders/photo_uploader_test.rb
@@ -23,10 +23,10 @@ class PhotoUploaderTest < ActiveSupport::TestCase
 
     photo = build(:photo, image: not_an_image)
     assert_equal false, photo.valid?
-    assert_equal ["Image Invalid file format, only image allowed [jpg, jpeg, gif, png, svg]"], photo.errors.full_messages_for(:image)
+    assert_equal ["Image Invalid file format, only image allowed [jpg, jpeg, gif, png]"], photo.errors.full_messages_for(:image)
 
     photo = build(:photo, image: svg_image)
-    assert_equal true, photo.valid?
+    assert_equal false, photo.valid?
 
     photo = build(:photo, image: image)
     assert_equal true, photo.valid?