Skip to content

Commit

Permalink
Merge pull request #2696 from rajyan/skip-ssrf-protection-config
Browse files Browse the repository at this point in the history
add skip_ssrf_protection config
  • Loading branch information
mshibuya authored Dec 3, 2023
2 parents 717b207 + 0196b21 commit c1f500a
Show file tree
Hide file tree
Showing 4 changed files with 28 additions and 8 deletions.
7 changes: 6 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -659,14 +659,19 @@ end
## Testing with CarrierWave

It's a good idea to test your uploaders in isolation. In order to speed up your
tests, it's recommended to switch off processing in your tests, and to use the
tests, it's recommended to switch off processing in your tests, and to use the file storage.
Also, you can disable SSRF protection at your own risk using the `skip_ssrf_protection` configuration.

In Rails you could do that by adding an initializer with:

file storage. In Rails you could do that by adding an initializer with:

```ruby
if Rails.env.test? or Rails.env.cucumber?
CarrierWave.configure do |config|
config.storage = :file
config.enable_processing = false
config.skip_ssrf_protection = true
end
end
```
Expand Down
2 changes: 1 addition & 1 deletion lib/carrierwave/downloader/base.rb
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ def process_uri(source)
# my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
#
def skip_ssrf_protection?(uri)
false
@uploader.skip_ssrf_protection
end
end
end
Expand Down
2 changes: 2 additions & 0 deletions lib/carrierwave/uploader/configuration.rb
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ module Configuration
add_config :cache_only
add_config :download_retry_count
add_config :download_retry_wait_time
add_config :skip_ssrf_protection

# set default values
reset_config
Expand Down Expand Up @@ -216,6 +217,7 @@ def reset_config
config.ensure_multipart_form = true
config.download_retry_count = 0
config.download_retry_wait_time = 5
config.skip_ssrf_protection = false
end
end
end
Expand Down
25 changes: 19 additions & 6 deletions spec/downloader/base_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -267,14 +267,27 @@
end

describe "#skip_ssrf_protection?" do
let(:uri) { 'http://localhost/test.jpg' }
before do
WebMock.stub_request(:get, uri).to_return(body: file)
allow(subject).to receive(:skip_ssrf_protection?).and_return(true)
context "when ssrf_protection is skipped" do
let(:uri) { 'http://localhost/test.jpg' }
before do
WebMock.stub_request(:get, uri).to_return(body: file)
allow(subject).to receive(:skip_ssrf_protection?).and_return(true)
end

it "allows local request to be made" do
expect(subject.download(uri).read).to eq 'this is stuff'
end
end

it "allows local request to be made" do
expect(subject.download(uri).read).to eq 'this is stuff'
context 'skip_ssrf_protection configuration' do
it 'defaults to false' do
expect(subject.skip_ssrf_protection?(uri)).to be_falsey
end

it 'can be configured by skip_ssrf_protection config' do
uploader.skip_ssrf_protection = true
expect(subject.skip_ssrf_protection?(uri)).to be_truthy
end
end
end
end

0 comments on commit c1f500a

Please sign in to comment.