spec/sanitized_file_spec.rb @@ -169,6 +169,8 @@ If you want to only allow the upload of XHTML and XML files, so you can manipula upload_column :xml, :extensions => %w(xml html htm), :manipulator => MyXSLTProcessor + validate_integrity_of :xml + You can also use some of Rails' validations with UploadColumn. validates_presence_of and validates_size_of have been verified to work. README @@ -12,6 +12,22 @@ module UploadColumn EXTENSIONS = %w(asf avi css doc dvi gif gz html jpg js m3u mov mp3 mpeg odf pac pdf png ppt ps sig spl swf tar tar.gz torrent txt wav wax wm wma xbm xml xpm xsl xwd zip) IMAGE_EXTENSIONS = %w(jpg jpeg gif png) + DEFAULTS = { + :tmp_dir => 'tmp', + :store_dir => proc{ |r, f| f.attribute.to_s }, + :root_dir => File.join(RAILS_ROOT, 'public'), + :get_content_type_from_file_exec => true, + :fix_file_extensions => false, + :web_root => nil, + :process => nil, + :permissions => 0644, + :extensions => UploadColumn::EXTENSIONS, + :web_root => '', + :manipulator => nil, + :versions => nil, + :validate_integrity => false + } + Column = Struct.new(:name, :options) private @@ -36,8 +52,8 @@ module UploadColumn # [+store_dir+] Determines where the file will be stored permanently, you can pass a String or a Proc that takes the current instance and the attribute name as parameters, see the +README+ for detaills. # [+tmp_dir+] Determines where the file will be stored temporarily before it is stored to its final location, you can pass a String or a Proc that takes the current instance and the attribute name as parameters, see the +README+ for detaills. # [+old_files+] Determines what happens when a file becomes outdated. It can be set to one of <tt>:keep</tt>, <tt>:delete</tt> and <tt>:replace</tt>. If set to <tt>:keep</tt> UploadColumn will always keep old files, and if set to :delete it will always delete them. If it's set to :replace, the file will be replaced when a new one is uploaded, but will be kept when the associated object is deleted. Default to :delete. - # [+permissions+] Specify the Unix permissions to be used with UploadColumn. Defaults to 0644. - # [+root_path+] The root path where image will be stored, it will be prepended to store_dir and tmp_dir + # [+permissions+] Specify the Unix permissions to be used with UploadColumn. Defaults to 0644. Remember that permissions are usually counted in octal and that in Ruby octal numbers start with a zero, so 0644 != 644. + # [+root_dir+] The root path where image will be stored, it will be prepended to store_dir and tmp_dir # # it also accepts the following, less common options: # [+web_root+] Prepended to all addresses returned by UploadColumn::UploadedFile.url @@ -50,11 +66,13 @@ module UploadColumn # Add the accessor methods define_method name do + options = self.class.reflect_on_upload_columns[name].options #TODO: Spec this! @files ||= {} @files[name] ||= if self[name] then UploadedFile.retrieve(self[name], self, name, options) else nil end end define_method "#{name}=" do |file| + options = self.class.reflect_on_upload_columns[name].options @files ||= {} if file.nil? @files[name], self[name] = nil @@ -72,6 +90,7 @@ module UploadColumn end define_method "#{name}_temp=" do |path| + options = self.class.reflect_on_upload_columns[name].options @files ||= {} return if path.nil? or path.empty? unless @files[name] and @files[name].new_file? @@ -81,6 +100,32 @@ module UploadColumn end end + def image_column(name, options={}) + options = options.merge( + :manipulator => UploadColumn::Manipulators::RMagick, + :root_dir => File.join(RAILS_ROOT, 'public', 'images'), + :web_root => '/images', + :extensions => UploadColumn::IMAGE_EXTENSIONS + ) + upload_column(name, options) + end + + # Validates whether the images extension is in the array passed to :extensions. + # By default this is the UploadColumn::EXTENSIONS array + # + # Use this to prevent upload of files which could potentially damage your system, + # such as executables or script files (.rb, .php, etc...). + def validates_integrity_of(*attr_names) + configuration = { :message => "is not of a valid file type." } + configuration.update(attr_names.pop) if attr_names.last.is_a?(Hash) + + #attr_names.each { |name| self.reflect_on_upload_columns[name].options[:validate_integrity] = true } + + validates_each(attr_names, configuration) do |record, attr, column| + + end + end + # returns a hash of all UploadColumns defined on the model and their options. def reflect_on_upload_columns @upload_columns lib/upload_column/upload_column.rb @@ -31,16 +31,6 @@ module UploadColumn # See the +README+ for more detaills. class UploadedFile < SanitizedFile - DEFAULTS = { - :tmp_dir => 'tmp', - :store_dir => proc{ |r, f| f.attribute.to_s }, - :root_dir => File.join(RAILS_ROOT, 'public'), - :file_exec => 'file', - :fix_file_extensions => false, - :web_root => nil, - :process => nil - } - attr_reader :instance, :attribute, :options, :versions attr_accessor :suffix @@ -67,7 +57,7 @@ module UploadColumn end def initialize(mode, file, instance, attribute, options={}) - @options = DEFAULTS.merge(options) + @options = options.reverse_merge(UploadColumn::DEFAULTS) @instance = instance @attribute = attribute lib/upload_column/uploaded_file.rb @@ -429,4 +429,21 @@ describe UploadColumn do # end #end + describe "uploading a file with an extension that is not in the whitelist" do + + migrate + + before(:each) do + Event.upload_column(:image, :fix_file_extensions => false) + Event.validates_integrity_of :image + + @event = Event.new + end + + it "should add an error to the record" do + @event.image = stub_tempfile('kerb.jpg', nil, 'monkey.exe') + @event.errors.on(:image).should == ".exe is not in the list of allowed extensions." + end + end + end \ No newline at end of file spec/integration_spec.rb @@ -1,11 +1,10 @@ require File.join(File.dirname(__FILE__), 'spec_helper') -require File.join(File.dirname(__FILE__), '../lib/upload_column/sanitized_file') -require File.join(File.dirname(__FILE__), '../lib/upload_column/uploaded_file') -require File.join(File.dirname(__FILE__), '../lib/upload_column/upload_column') gem 'activerecord' require 'active_record' +require File.join(File.dirname(__FILE__), '../lib/upload_column') + ActiveRecord::Base.send(:include, UploadColumn) def disconnected_model(model_class) @@ -324,5 +323,20 @@ describe "an upload column with no file" do end end - - +describe "UploadColumn.image_column" do + before(:each) do + @class = Class.new(ActiveRecord::Base) + @class.send(:include, UploadColumn) + end + + it "should call an upload column with some specialized options" do + @class.should_receive(:upload_column).with(:sicada, + :manipulator => UploadColumn::Manipulators::RMagick, + :root_dir => File.join(RAILS_ROOT, 'public', 'images'), + :web_root => '/images', + :monkey => 'blah', + :extensions => UploadColumn::IMAGE_EXTENSIONS + ) + @class.image_column(:sicada, :monkey => 'blah') + end +end \ No newline at end of file spec/upload_column_spec.rb @@ -1,4 +1,5 @@ require File.join(File.dirname(__FILE__), 'spec_helper') +require File.join(File.dirname(__FILE__), '../lib/upload_column/upload_column') require File.join(File.dirname(__FILE__), '../lib/upload_column/sanitized_file') require File.join(File.dirname(__FILE__), '../lib/upload_column/uploaded_file') begin @@ -6,475 +7,7 @@ begin rescue LoadError end -describe "SanitizedFile", :shared => true do - - describe "a new SanitizedFile" do - it "should be empty on empty String, nil, empty StringIO" do - UploadColumn::SanitizedFile.new("").should be_empty - UploadColumn::SanitizedFile.new(StringIO.new("")).should be_empty - UploadColumn::SanitizedFile.new(nil).should be_empty - file = mock('emptyfile') - file.should_receive(:size).at_least(:once).and_return(0) - UploadColumn::SanitizedFile.new(file).should be_empty - end - - it "should not be empty on valid upload" do - UploadColumn::SanitizedFile.new(stub_stringio('kerb.jpg', 'image/jpeg')).should_not be_empty - UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', 'image/jpeg')).should_not be_empty - end - - it "should sanitize invalid filenames" do - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', nil, "test.jpg")) - t.filename.should == "test.jpg" - - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', nil, "test-s,%&m#st?.jpg")) - t.filename.should == "test-s___m_st_.jpg" - - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', nil, "../../very_tricky/foo.bar")) - t.filename.should_not =~ /[\\\/]/ - - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', nil, '`*foo')) - t.filename.should == "__foo" - - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', nil, 'c:\temp\foo.txt')) - t.filename.should == "foo.txt" - - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', nil, ".")) - t.filename.should == "_." - end - - it "should downcase uppercase filenames" do - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', nil, "DSC4056.JPG")) - t.filename.should == "dsc4056.jpg" - end - - end - - # Note that SanitizedFile#path and #exists? need to be checked seperately as the return values will vary - describe "all sanitized files", :shared => true do - - it "should not be empty" do - @file.should_not be_empty - end - - it "should return the original filename" do - @file.original_filename.should == "kerb.jpg" - end - - it "should return the filename" do - @file.filename.should == "kerb.jpg" - end - - it "should return the basename" do - @file.basename.should == "kerb" - end - - it "should return the extension" do - @file.extension.should == "jpg" - end - - it "should be moved to the correct location" do - @file.move_to(public_path('gurr.jpg')) - File.exists?( public_path('gurr.jpg') ).should === true - file_path('kerb.jpg').should be_identical_with(public_path('gurr.jpg')) - end - - it "should have changed its path when moved" do - @file.move_to(public_path('gurr.jpg')) - @file.path.should match_path(public_path('gurr.jpg')) - end - - it "should have changed its filename when moved" do - @file.filename # Make sure the filename has been cached - @file.move_to(public_path('gurr.jpg')) - @file.filename.should == 'gurr.jpg' - end - - it "should have split the filename when moved" do - @file.move_to(public_path('gurr.monk')) - @file.basename.should == 'gurr' - @file.extension.should == 'monk' - end - - it "should be copied to the correct location" do - @file.copy_to(public_path('gurr.jpg')) - File.exists?( public_path('gurr.jpg') ).should === true - file_path('kerb.jpg').should be_identical_with(public_path('gurr.jpg')) - end - - it "should not have changed its path when copied" do - lambda do - @file.copy_to(public_path('gurr.jpg')) - end.should_not change(@file, :path) - end - - it "should not have changed its filename when copied" do - lambda do - @file.copy_to(public_path('gurr.jpg')) - end.should_not change(@file, :filename) - end - - it "should return an object of the same class when copied" do - @file = @file.copy_to(public_path('gurr.jpg')) - @file.should be_an_instance_of(@file.class) - end - - it "should adjust the path of the object that is returned when copied" do - @file = @file.copy_to(public_path('gurr.jpg')) - @file.path.should match_path(public_path('gurr.jpg')) - end - - it "should adjust the filename of the object that is returned when copied" do - @file.filename # Make sure the filename has been cached - @file = @file.copy_to(public_path('gurr.monk')) - @file.filename.should == 'gurr.monk' - end - - it "should split the filename of the object that is returned when copied" do - @file = @file.copy_to(public_path('gurr.monk')) - @file.basename.should == 'gurr' - @file.extension.should == 'monk' - end - - after do - FileUtils.rm_rf(PUBLIC) - end - end - - describe "a sanitized Tempfile" do - before do - @file = UploadColumn::SanitizedFile.new(stub_tempfile('kerb.jpg', 'image/jpeg')) - end - - it_should_behave_like "all sanitized files" - - it "should exist" do - @file.should be_in_existence - end - - it "should return the correct path" do - @file.path.should_not == nil - @file.path.should =~ %r{^/tmp/kerb.jpg} - end - end - - describe "a sanitized StringIO" do - before do - @file = UploadColumn::SanitizedFile.new(stub_stringio('kerb.jpg', 'image/jpeg')) - end - - it_should_behave_like "all sanitized files" - - it "should not exist" do - @file.should_not be_in_existence - end - - it "should return no path" do - @file.path.should == nil - end - - end - - describe "a sanitized File object" do - before do - @file = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', 'image/jpeg')) - @file.should_not be_empty - end - - it_should_behave_like "all sanitized files" - - it "should exits" do - @file.should be_in_existence - end - - it "should return correct path" do - @file.path.should match_path(file_path('kerb.jpg')) - end - end - - describe "a SanitizedFile opened from a path" do - before do - @file = UploadColumn::SanitizedFile.new(file_path('kerb.jpg')) - @file.should_not be_empty - end - - it_should_behave_like "all sanitized files" - - it "should exits" do - @file.should be_in_existence - end - - it "should return correct path" do - @file.path.should == file_path('kerb.jpg') - end - end - - describe "an empty SanitizedFile" do - before do - @empty = UploadColumn::SanitizedFile.new(nil) - end - - it "should be empty" do - @empty.should be_empty - end - - it "should not exist" do - @empty.should_not be_in_existence - end - - it "should have no size" do - @empty.size.should == nil - end - - it "should have no path" do - @empty.path.should == nil - end - - it "should have no original filename" do - @empty.original_filename.should == nil - end - - it "should have no filename" do - @empty.filename.should == nil - end - - it "should have no basename" do - @empty.basename.should == nil - end - - it "should have no extension" do - @empty.extension.should == nil - end - end - - describe "a SanitizedFile" do - - before do - @file = UploadColumn::SanitizedFile.new(stub_tempfile('kerb.jpg', 'image/jpeg')) - end - - it "should properly split into basename and extension" do - @file.basename.should == "kerb" - @file.extension.should == "jpg" - end - - it "should do a system call" do - @file.send(:system_call, 'echo "monkey"').chomp.should == "monkey" - end - - end - - describe "a SanizedFile with a complex filename" do - it "properly split into basename and extension" do - t = UploadColumn::SanitizedFile.new(stub_tempfile('kerb.jpg', nil, 'complex.filename.tar.gz')) - t.basename.should == "complex.filename" - t.extension.should == "tar.gz" - end - end - - # FIXME: figure out why this doesn't run - #describe "determinating the mime-type with a *nix exec" do - # - # before do - # @file = stub_file('kerb.jpg', nil, 'harg.css') - # @sanitized = UploadColumn::SanitizedFile.new(@file) - # end - # - # it "should chomp and return if it has no encoding" do - # @sanitized.should_receive(:system_call).with(%(file -bi "#{@file.path}")).and_return("image/jpeg\n") - # - # @sanitized.send(:get_content_type_from_exec) #.should == "image/jpeg" - # end - # - # it "should chomp and return and chop off the encoding if it has one" do - # @sanitized.should_receive(:system_call).with(%(file -bi "#{@file.path}")).and_return("text/plain; charset=utf-8;\n") - # - # @sanitized.send(:get_content_type_from_exec) #.should == "text/plain" - # end - # - # it "should not crap out when something weird happens" do - # @sanitized.should_receive(:system_call).with(%(file -bi "#{@file.path}")).and_return("^blah//(?)wtf???") - # - # @sanitized.send(:get_content_type_from_exec).should == nil - # end - # - #end - - describe "The mime-type of a Sanitized File" do - - before do - @file = stub_file('kerb.jpg', nil, 'harg.css') - @sanitized = UploadColumn::SanitizedFile.new(@file) - end - - # TODO: refactor this test so it mocks out system_call - it "should be determined via *nix exec" do - @file.should_not_receive(:content_type) - @sanitized.should_not_receive(:extension) - @sanitized.should_receive(:get_content_type_from_exec).and_return('image/jpeg') - @sanitized.content_type.should == "image/jpeg" - end - - it "shouldn't choke up when the *nix exec errors out" do - lambda { - @sanitized.should_receive(:system_call).and_raise('monkey') - @sanitized.content_type - }.should_not raise_error(Exception) - end - - it "should otherwise be loaded from MIME::Types" do - if defined?(MIME::Types) - @sanitized.should_receive(:get_content_type_from_exec).and_return(nil) # Make sure the *nix exec isn't interfering - @sanitized.content_type.should == "text/css" - else - puts "WARNING: Could not run all tests because MIME::Types is not defined, try installing the mime-types gem!" - end - end - - it "should be taken from the browser if all else fails" do - @file.should_receive(:content_type).at_least(:once).and_return('application/xhtml+xml') # Set up browser behavior - @sanitized.should_receive(:get_content_type_from_mime_types).and_return(nil) # Make sure MIME::Types isn't interfering - @sanitized.should_receive(:get_content_type_from_exec).and_return(nil) # Make sure the *nix exec isn't interfering - @sanitized.content_type.should == "application/xhtml+xml" - end - end - - describe "a SanitizedFile with a wrong extension" do - - # This test currently always fails if MIME::Types is unavailable, - # TODO: come up with a clever way to stub out the content_type-y behaviour. - it "should fix extention if fix_file_extensions is true" do - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', 'image/jpeg', 'kerb.css'), :fix_file_extensions => true) - - t.content_type.should == "image/jpeg" - t.extension.should == "jpeg" - t.filename.should == "kerb.jpeg" - end - - it "should not fix extention if fix_file_extensions is false" do - t = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', 'image/jpeg', 'kerb.css'), :fix_file_extensions => false) - - t.content_type.should == "image/jpeg" - t.extension.should == "css" - t.filename.should == "kerb.css" - end - end - - describe "a sanitized Tempfile" do - before do - @file = UploadColumn::SanitizedFile.new(stub_tempfile('kerb.jpg', 'image/jpeg')) - end - - it_should_behave_like "all sanitized files" - - it "should exist" do - @file.should be_in_existence - end - - it "should return the correct path" do - @file.path.should_not == nil - @file.path.should =~ %r{^/tmp/kerb.jpg} - end - end - - describe "copying a sanitized Tempfile with permissions set" do - before do - @file = UploadColumn::SanitizedFile.new(stub_tempfile('kerb.jpg', 'image/jpeg'), :permissions => 0755) - @file = @file.copy_to(public_path('gurr.jpg')) - end - - it "should set the right permissions" do - @file.should have_permissions(0755) - end - end - - describe "copying a sanitized StringIO with permissions set" do - before do - @file = UploadColumn::SanitizedFile.new(stub_stringio('kerb.jpg', 'image/jpeg'), :permissions => 0755) - @file = @file.copy_to(public_path('gurr.jpg')) - end - - it "should set the right permissions" do - @file.should have_permissions(0755) - end - end - - describe "copying a sanitized File object with permissions set" do - before do - @file = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', 'image/jpeg'), :permissions => 0755) - @file = @file.copy_to(public_path('gurr.jpg')) - end - - it "should set the right permissions" do - @file.should have_permissions(0755) - end - end - - describe "copying a sanitized StringIO with permissions set" do - before do - @file = UploadColumn::SanitizedFile.new(file_path('kerb.jpg'), :permissions => 0755) - @file = @file.copy_to(public_path('gurr.jpg')) - end - - it "should set the right permissions" do - @file.should have_permissions(0755) - end - end - - - describe "moving a sanitized Tempfile with permissions set" do - before do - @file = UploadColumn::SanitizedFile.new(stub_tempfile('kerb.jpg', 'image/jpeg'), :permissions => 0755) - @file.move_to(public_path('gurr.jpg')) - end - - it "should set the right permissions" do - @file.should have_permissions(0755) - end - end - - describe "moving a sanitized StringIO with permissions set" do - before do - @file = UploadColumn::SanitizedFile.new(stub_stringio('kerb.jpg', 'image/jpeg'), :permissions => 0755) - @file.move_to(public_path('gurr.jpg')) - end - - it "should set the right permissions" do - @file.should have_permissions(0755) - end - end - - describe "moving a sanitized File object with permissions set" do - before do - @file = UploadColumn::SanitizedFile.new(stub_file('kerb.jpg', 'image/jpeg'), :permissions => 0755) - @file.move_to(public_path('gurr.jpg')) - end - - it "should set the right permissions" do - @file.should have_permissions(0755) - end - end - - describe "moving a sanitized StringIO with permissions set" do - before do - @file = UploadColumn::SanitizedFile.new(file_path('kerb.jpg'), :permissions => 0755) - @file.move_to(public_path('gurr.jpg')) - end - - it "should set the right permissions" do - @file.should have_permissions(0755) - end - end - -end - - - - -############### UploadedFile ############### - describe "UploadedFile" do - it_should_behave_like "SanitizedFile" describe "all uploaded files", :shared => true do it "should not be empty" do spec/uploaded_file_spec.rb 3a921adda059f9ae69a9652c0c3eb701928f3b78 Jonas Nicklas jonas.nicklas@gmail.com http://github.com/jnicklas/uploadcolumn/commit/0a20e7c7c9f6ff8f2a736c92e1a3d0047fe02adb 0a20e7c7c9f6ff8f2a736c92e1a3d0047fe02adb 2007-08-25T03:53:02-07:00 2007-08-25T03:53:02-07:00 split up specs and preparations for integrity testing git-svn-id: http://uploadcolumn.rubyforge.org/svn/trunk@92 02338ee4-8dee-4235-8d26-5b68cf25713b 67f96d8c131a41adea0a7a72d57f342e7f98819c Jonas Nicklas jonas.nicklas@gmail.com