Handle invalid signed blob IDs gracefully

4 files changed, 28 insertions, 18 deletions

diff --git a/activestorage/app/controllers/active_storage/blobs_controller.rb b/activestorage/app/controllers/active_storage/blobs_controller.rb
index a17e3852f9..fa44131048 100644
--- a/activestorage/app/controllers/active_storage/blobs_controller.rb
+++ b/activestorage/app/controllers/active_storage/blobs_controller.rb
@@ -5,12 +5,10 @@
 # security-through-obscurity factor of the signed blob references, you'll need to implement your own
 # authenticated redirection controller.
 class ActiveStorage::BlobsController < ActionController::Base
+  include ActiveStorage::SetBlob
+
   def show
-    if blob = ActiveStorage::Blob.find_signed(params[:signed_id])
-      expires_in ActiveStorage::Blob.service.url_expires_in
-      redirect_to blob.service_url(disposition: params[:disposition])
-    else
-      head :not_found
-    end
+    expires_in ActiveStorage::Blob.service.url_expires_in
+    redirect_to @blob.service_url(disposition: params[:disposition])
   end
 end
diff --git a/activestorage/app/controllers/active_storage/previews_controller.rb b/activestorage/app/controllers/active_storage/previews_controller.rb
index 9e8cf27b6e..aa7ef58ca4 100644
--- a/activestorage/app/controllers/active_storage/previews_controller.rb
+++ b/activestorage/app/controllers/active_storage/previews_controller.rb
@@ -1,12 +1,10 @@
 # frozen_string_literal: true
 
 class ActiveStorage::PreviewsController < ActionController::Base
+  include ActiveStorage::SetBlob
+
   def show
-    if blob = ActiveStorage::Blob.find_signed(params[:signed_blob_id])
-      expires_in ActiveStorage::Blob.service.url_expires_in
-      redirect_to ActiveStorage::Preview.new(blob, params[:variation_key]).processed.service_url(disposition: params[:disposition])
-    else
-      head :not_found
-    end
+    expires_in ActiveStorage::Blob.service.url_expires_in
+    redirect_to ActiveStorage::Preview.new(@blob, params[:variation_key]).processed.service_url(disposition: params[:disposition])
   end
 end
diff --git a/activestorage/app/controllers/active_storage/variants_controller.rb b/activestorage/app/controllers/active_storage/variants_controller.rb
index dc5e78ecc0..e8f8dd592d 100644
--- a/activestorage/app/controllers/active_storage/variants_controller.rb
+++ b/activestorage/app/controllers/active_storage/variants_controller.rb
@@ -5,12 +5,10 @@
 # security-through-obscurity factor of the signed blob and variation reference, you'll need to implement your own
 # authenticated redirection controller.
 class ActiveStorage::VariantsController < ActionController::Base
+  include ActiveStorage::SetBlob
+
   def show
-    if blob = ActiveStorage::Blob.find_signed(params[:signed_blob_id])
-      expires_in ActiveStorage::Blob.service.url_expires_in
-      redirect_to ActiveStorage::Variant.new(blob, params[:variation_key]).processed.service_url(disposition: params[:disposition])
-    else
-      head :not_found
-    end
+    expires_in ActiveStorage::Blob.service.url_expires_in
+    redirect_to ActiveStorage::Variant.new(@blob, params[:variation_key]).processed.service_url(disposition: params[:disposition])
   end
 end
diff --git a/activestorage/app/controllers/concerns/active_storage/set_blob.rb b/activestorage/app/controllers/concerns/active_storage/set_blob.rb
new file mode 100644
index 0000000000..b0f3d97a66
--- /dev/null
+++ b/activestorage/app/controllers/concerns/active_storage/set_blob.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ActiveStorage::SetBlob
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :set_blob
+  end
+
+  private
+    def set_blob
+      @blob = ActiveStorage::Blob.find_signed(params[:signed_blob_id] || params[:signed_id])
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      head :not_found
+    end
+end