SECURITY: ensure we never accept fake images

2025-05-22 22:43:33 +08:00 · 2015-12-21 16:08:14 +01:00
parent 727fd727ea
commit a9099f9e23
3 changed files with 29 additions and 3 deletions
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@ -19,6 +19,13 @@ describe UploadsController do
        })
      end

+      let(:fake_jpg) do
+        ActionDispatch::Http::UploadedFile.new({
+          filename: 'fake.jpg',
+          tempfile: file_from_fixtures("fake.jpg")
+        })
+      end
+
      let(:text_file) do
        ActionDispatch::Http::UploadedFile.new({
          filename: 'LICENSE.TXT',
@ -118,6 +125,20 @@ describe UploadsController do
        expect(response).to_not be_success
      end

+      it 'returns an error when it could not determine the dimensions of an image' do
+        Jobs.expects(:enqueue).with(:create_thumbnails, anything).never
+
+        message = MessageBus.track_publish do
+          xhr :post, :create, file: fake_jpg, type: "composer"
+        end.first
+
+        expect(response.status).to eq 200
+
+        expect(message.channel).to eq("/uploads/composer")
+        expect(message.data["errors"]).to be
+        expect(message.data["errors"][0]).to eq(I18n.t("upload.images.size_not_found"))
+      end
+
    end

  end