SECURITY: Safely decompress files. (#8124)

* FEATURE: Adds an extra protection layer when decompressing files. * Rename exporter/importer to zip importer. Update old locale * Added a new composite class to decompress a file with multiple strategies * Set max file size inside a site setting * Ensure that file is deleted after compression * Sanitize path and files before compressing/decompressing
2025-05-21 18:12:32 +08:00 · 2019-10-03 10:19:35 -03:00
parent aaf15944f8
commit 10565e4623
20 changed files with 466 additions and 101 deletions
--- a/lib/compression/pipeline.rb
+++ b/lib/compression/pipeline.rb
@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Compression
+  class Pipeline < Strategy
+    def initialize(strategies)
+      @strategies = strategies
+    end
+
+    def extension
+      @strategies.reduce('') { |ext, strategy| ext += strategy.extension }
+    end
+
+    def compress(path, target_name)
+      current_target = target_name
+      @strategies.reduce('') do |compressed_path, strategy|
+        compressed_path = strategy.compress(path, current_target)
+        current_target = compressed_path.split('/').last
+
+        compressed_path
+      end
+    end
+
+    def decompress(dest_path, compressed_file_path, allow_non_root_folder: false)
+      to_decompress = compressed_file_path
+      @strategies.reverse.each do |strategy|
+        last_extension = strategy.extension
+        strategy.decompress(dest_path, to_decompress, allow_non_root_folder: allow_non_root_folder)
+        to_decompress = compressed_file_path.gsub(last_extension, '')
+      end
+    end
+  end
+end