Add brakeman rake task and improve code security

16e899ca · Dmitriy Zaporozhets · cc877c53 · 16e899ca · 16e899ca · 16e899ca
Commit 16e899ca authored Mar 02, 2015 by Dmitriy Zaporozhets
5 changed files
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -26,7 +26,7 @@ class Projects::ImportsController < Projects::ApplicationController
  def show
    unless @project.import_in_progress?
      if @project.import_finished?
-        redirect_to(@project) and return
+        redirect_to(project_path(@project)) and return
      else
        redirect_to new_namespace_project_import_path(@project.namespace,
                                                      @project) && return

--- a/app/controllers/projects/team_members_controller.rb
+++ b/app/controllers/projects/team_members_controller.rb
@@ -15,15 +15,9 @@ class Projects::TeamMembersController < Projects::ApplicationController

  def create
    users = User.where(id: params[:user_ids].split(','))
-
    @project.team << [users, params[:access_level]]

-    if params[:redirect_to]
-      redirect_to params[:redirect_to]
-    else
-      redirect_to namespace_project_team_index_path(@project.namespace,
-                                                    @project)
-    end
+    redirect_to namespace_project_team_index_path(@project.namespace, @project)
  end

  def update

--- a/app/controllers/projects/wikis_controller.rb
+++ b/app/controllers/projects/wikis_controller.rb
@@ -97,7 +97,7 @@ class Projects::WikisController < Projects::ApplicationController
    @project_wiki.wiki
  rescue ProjectWiki::CouldNotCreateWikiError => ex
    flash[:notice] = "Could not create Wiki Repository at this time. Please try again later."
-    redirect_to @project
+    redirect_to project_path(@project)
    return false
  end


--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -3,22 +3,53 @@ class UploadsController < ApplicationController
  before_filter :authorize_access

  def show
-    model = params[:model].camelize.constantize.find(params[:id])
-    uploader = model.send(params[:mounted_as])
+    unless upload_model && upload_mount
+      return not_found!
+    end

-    return not_found! if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
+    model = upload_model.find(params[:id])
+    uploader = model.send(upload_mount)

-    return redirect_to uploader.url unless uploader.file_storage?
+    if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
+      return not_found!
+    end

-    return not_found! unless uploader.file.exists?
+    unless uploader.file_storage?
+      return redirect_to uploader.url
+    end
+
+    unless uploader.file.exists?
+      return not_found!
+    end

    disposition = uploader.image? ? 'inline' : 'attachment'
    send_file uploader.file.path, disposition: disposition
  end

+  private
+
  def authorize_access
    unless params[:mounted_as] == 'avatar'
      authenticate_user! && reject_blocked!
    end
  end
+
+  def upload_model
+    upload_models = {
+      user: User,
+      project: Project,
+      note: Note,
+      group: Group
+    }
+
+    upload_models[params[:model].to_sym]
+  end
+
+  def upload_mount
+    upload_mounts = %w(avatar attachment file)
+
+    if upload_mounts.include?(params[:mounted_as])
+      params[:mounted_as]
+    end
+  end
 end
--- a/lib/tasks/brakeman.rake
+++ b/lib/tasks/brakeman.rake
 desc 'Security check via brakeman'
 task :brakeman do
-  if system("brakeman -w3 -z")
+  if system("brakeman --skip-files lib/backup/repository.rb -w3 -z")
    exit 0
  else
    puts 'Security check failed'