add skip_ssrf_protection config

carrierwaveuploader · Sep 5, 2023 · fb74a1d · fb74a1d
1 parent 8815592
commit fb74a1d
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/lib/carrierwave/downloader/base.rb b/lib/carrierwave/downloader/base.rb
@@ -94,7 +94,7 @@ def process_uri(source)
       #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
       #
       def skip_ssrf_protection?(uri)
-        false
+        @uploader.skip_ssrf_protection
       end
     end
   end

diff --git a/lib/carrierwave/uploader/configuration.rb b/lib/carrierwave/uploader/configuration.rb
@@ -47,6 +47,7 @@ module Configuration
         add_config :cache_only
         add_config :download_retry_count
         add_config :download_retry_wait_time
+        add_config :skip_ssrf_protection
 
         # set default values
         reset_config
@@ -216,6 +217,7 @@ def reset_config
             config.ensure_multipart_form = true
             config.download_retry_count = 0
             config.download_retry_wait_time = 5
+            config.skip_ssrf_protection = false
           end
         end
       end

diff --git a/spec/downloader/base_spec.rb b/spec/downloader/base_spec.rb
@@ -267,14 +267,27 @@
   end
 
   describe "#skip_ssrf_protection?" do
-    let(:uri) { 'http://localhost/test.jpg' }
-    before do
-      WebMock.stub_request(:get, uri).to_return(body: file)
-      allow(subject).to receive(:skip_ssrf_protection?).and_return(true)
+    context "when ssrf_protection is skipped" do
+      let(:uri) { 'http://localhost/test.jpg' }
+      before do
+        WebMock.stub_request(:get, uri).to_return(body: file)
+        allow(subject).to receive(:skip_ssrf_protection?).and_return(true)
+      end
+
+      it "allows local request to be made" do
+        expect(subject.download(uri).read).to eq 'this is stuff'
+      end
     end
 
-    it "allows local request to be made" do
-      expect(subject.download(uri).read).to eq 'this is stuff'
+    context 'skip_ssrf_protection configuration' do
+      it 'defaults to false' do
+        expect(subject.skip_ssrf_protection?(uri)).to be_falsey
+      end
+
+      it 'can be configured by skip_ssrf_protection config' do
+        uploader.skip_ssrf_protection = true
+        expect(subject.skip_ssrf_protection?(uri)).to be_truthy
+      end
     end
   end
 end