aboutsummaryrefslogtreecommitdiffstats
path: root/activestorage
Commit message (Collapse)AuthorAgeFilesLines
...
* | text is treated as `attachment`yuuji.yaginuma2018-11-281-2/+2
| |
* | Fix broken `ActiveStorage::BlobTest`yuuji.yaginuma2018-11-281-1/+1
| | | | | | | | `ActiveStorage::Filename#parameters` was removed by #33829.
* | Remove duplicated testyuuji.yaginuma2018-11-281-14/+0
| | | | | | | | | | | | | | | | | | | | | | | | Since 06ab7b27ea1c1ab357085439abacdb464f6742bf, `GCSServiceTest#test_signed_URL_response_headers` is broken. https://travis-ci.org/rails/rails/jobs/460454477#L7084-L7087 This seems to be due to lack of `content_type` at upload. This is solved by specifying `conten_type`. However, since the same content is also tested with `test_upload_with_content_type`, it will be duplicated content, so I think that can remove `test_signed_URL_response_headers`.
* | Fix minor Active Storage docs typo [ci skip]Adrian Hawrylak2018-11-281-1/+1
| |
* | Prevent content type and disposition bypass in storage service URLsRosa Gutierrez2018-11-2714-38/+172
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Force content-type to binary on service urls for relevant content types We have a list of content types that must be forcibly served as binary, but in practice this only means to serve them as attachment always. We should also set the Content-Type to the configured binary type. As a bonus: add text/cache-manifest to the list of content types to be served as binary by default. * Store content-disposition and content-type in GCS Forcing these in the service_url when serving the file works fine for S3 and Azure, since these services include params in the signature. However, GCS specifically excludes response-content-disposition and response-content-type from the signature, which means an attacker can modify these and have files that should be served as text/plain attachments served as inline HTML for example. This makes our attempt to force specific files to be served as binary and as attachment can be easily bypassed. The only way this can be forced in GCS is by storing content-disposition and content-type in the object metadata. * Update GCS object metadata after identifying blob In some cases we create the blob and upload the data before identifying the content-type, which means we can't store that in GCS right when uploading. In these, after creating the attachment, we enqueue a job to identify the blob, and set the content-type. In other cases, files are uploaded to the storage service via direct upload link. We create the blob before the direct upload, which happens independently from the blob creation itself. We then mark the blob as identified, but we have already the content-type we need without having put it in the service. In these two cases, then, we need to update the metadata in the GCS service. * Include content-type and disposition in the verified key for disk service This prevents an attacker from modifying these params in the service signed URL, which is particularly important when we want to force them to have specific values for security reasons. * Allow only a list of specific content types to be served inline This is different from the content types that must be served as binary in the sense that any content type not in this list will be always served as attachment but with its original content type. Only types in this list are allowed to be served either inline or as attachment. Apart from forcing this in the service URL, for GCS we need to store the disposition in the metadata. Fix CVE-2018-16477.
* | ASt direct uploads: account for <button type="submit"> elementsTasos Maschalidis2018-11-242-4/+4
| |
* | Add progressive JPG to default variable content typesMaurice Kühlborn2018-11-212-0/+5
| |
* | Amend CVE note and security guide section wordingsGannon McGibbon2018-11-061-3/+3
| | | | | | | | | | | | | | Reword first sentence of dep management and CVE section of security guide. Also, reword and move gemspec notes above deps. [ci skip]
* | Add CVE note to security guide and gemspecsGannon McGibbon2018-11-061-0/+3
| | | | | | | | [ci skip]
* | update activestorage attachment model documentation reflect recent behavior ↵Kyle Keesling2018-10-241-3/+2
|/ | | | changes
* Point to requiring the ASt engine in the installation instructions [ci skip]Donnie Propst2018-10-081-0/+2
|
* Use content_mime_typeGraham Conzett2018-10-081-2/+1
|
* Fix issue ActiveStorage direct upload diskGraham Conzett2018-10-072-1/+12
| | | | | | Fix an issue in ActiveStorage where a direct upload to disk storage would fail due to a content type mismatch if the file was uploaded using a mime-type synonym.
* Make Webpacker the default JavaScript compiler for Rails 6 (#33079)David Heinemeier Hansson2018-09-303-4/+73
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Use Webpacker by default on new apps * Stop including coffee-rails by default * Drop using a js_compressor by default * Drop extra test for coffeescript inclusion by default * Stick with skip_javascript to signify skipping webpack * Don't install a JS runtime by default any more * app/javascript will be the new default directory for JS * Make it clear that this is just for configuring the default Webpack framework setup now * Start using the Webpack tag in the default layout * Irrelevant test * jQuery is long gone * Stop having asset pipeline compile default application.js * Add rails-ujs by default to the Webpack setup * Add Active Storage JavaScript to application.js pack by default * Consistent quoting * Add Turbolinks to default pack * Add Action Cable to default pack Need some work on how to set the global consumer that channels will work with. @javan? * Require all channels by default and use a separate consumer stub * Channel generator now targets Webpack style * Update task docs to match new generator style * Use uniform import style * Drop the JS assets generator It was barely helpful as it was. It’s no longer helpful in a Webpacked world. Sayonara! * Add app/javascript to the stats directories * Simpler import style Which match the other imports. * Address test failures from dropping JS compilation (and compression) * webpacker-default: Modify `AssetsGeneratorTest` Before: ``` $ bin/test test/generators/assets_generator_test.rb Run options: --seed 46201 F Failure: AssetsGeneratorTest#test_assets [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/assets_generator_test.rb:12]: Expected file "app/assets/javascripts/posts.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/assets_generator_test.rb:10 . Finished in 0.031343s, 63.8101 runs/s, 95.7152 assertions/s. 2 runs, 3 assertions, 1 failures, 0 errors, 0 skips ``` After: ``` $ bin/test test/generators/assets_generator_test.rb Run options: --seed 43571 .. Finished in 0.030370s, 65.8545 runs/s, 65.8545 assertions/s. 2 runs, 2 assertions, 0 failures, 0 errors, 0 skips ``` * webpacker-default: Modify `ChannelGeneratorTest` Before: ``` $ bin/test test/generators/channel_generator_test.rb Run options: --seed 8986 .F Failure: ChannelGeneratorTest#test_channel_with_multiple_actions_is_created [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:43]: Expected file "app/assets/javascripts/channels/chat.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:34 .F Failure: ChannelGeneratorTest#test_channel_is_created [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:29]: Expected file "app/assets/javascripts/channels/chat.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:22 E Error: ChannelGeneratorTest#test_cable_js_is_created_if_not_present_already: Errno::ENOENT: No such file or directory @ apply2files - /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/fixtures/tmp/app/assets/javascripts/cable.js bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:60 F Failure: ChannelGeneratorTest#test_channel_suffix_is_not_duplicated [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:87]: Expected file "app/assets/javascripts/channels/chat.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:80 F Failure: ChannelGeneratorTest#test_channel_on_revoke [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:77]: Expected file "app/assets/javascripts/cable.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:68 Finished in 0.064384s, 108.7227 runs/s, 481.4861 assertions/s. 7 runs, 31 assertions, 4 failures, 1 errors, 0 skips ``` After: ``` $ bin/test test/generators/channel_generator_test.rb Run options: --seed 44857 ....... Finished in 0.060243s, 116.1961 runs/s, 697.1764 assertions/s. 7 runs, 42 assertions, 0 failures, 0 errors, 0 skips ``` * Fix shared generator tests. * webpacker-default: Modify `ControllerGeneratorTest` The JS assets generator was dropped. ref. https://github.com/rails/rails/commit/46215b179483d3e4d264555f5a4952f43eb8142a * Revert "Simpler import style". It's currently failing with an error of "TypeError: undefined is not an object (evaluating '__WEBPACK_IMPORTED_MODULE_2_activestorage___default.a.start')". Waiting for @javan to have a look. This reverts commit 5d3ebb71059f635d3756cbda4ab9752027e09256. * require webpacker in test app * Add webpacker without making the build hang/timeout. (#33640) * use yarn workspaces to allow for installing unreleased packages and only generate js/bootsnap when required * no longer need to have webpacker in env templates as webpacker moved this config to yml file * Fix rubocop violation * Got the test passing for the running scaffold * update expected lines of code * update middleware tests to account for webpacker * disable js in plugins be default to get the tests passing (#34009) * clear codeclimate report issues * Anything newer than currently released is good * Use Webpacker development version during development of Rails * Edge should get development webpacker as well * Add changelog entry for Webpacker change
* Change the empty block style to have space inside of the blockRafael Mendonça França2018-09-251-1/+1
|
* Merge pull request #33829 from mtsmfm/encode-filenameKasper Timm Hansen2018-09-235-76/+5
|\ | | | | Encode Content-Disposition filenames on send_data and send_file
| * Encode Content-Disposition filenames on send_data and send_fileFumiaki MATSUSHIMA2018-09-135-76/+5
| |
* | Enable `Performance/UnfreezeString` copyuuji.yaginuma2018-09-232-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In Ruby 2.3 or later, `String#+@` is available and `+@` is faster than `dup`. ```ruby # frozen_string_literal: true require "bundler/inline" gemfile(true) do source "https://rubygems.org" gem "benchmark-ips" end Benchmark.ips do |x| x.report('+@') { +"" } x.report('dup') { "".dup } x.compare! end ``` ``` $ ruby -v benchmark.rb ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux] Warming up -------------------------------------- +@ 282.289k i/100ms dup 187.638k i/100ms Calculating ------------------------------------- +@ 6.775M (± 3.6%) i/s - 33.875M in 5.006253s dup 3.320M (± 2.2%) i/s - 16.700M in 5.032125s Comparison: +@: 6775299.3 i/s dup: 3320400.7 i/s - 2.04x slower ```
* | Raise `ActiveRecord::InvalidForeignKey` in `before_destroy` for a blob if ↵bogdanvlviv2018-09-161-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | attachments exist The issue #32584 was fixed in #33405 by adding foreign key constraint to the `active_storage_attachments` table for blobs. This commit implements fix on app-level in order to ensure that users can't delete a blob with attachments even if they don't have the foreign key constraint. See a related discussion in the Campfire: https://3.basecamp.com/3076981/buckets/24956/chats/12416418@1236718899 Note that, we should backport it to `5-2-stable` too. Related to #33405
* | Configure Active Storage route prefixChris Bisnett2018-09-144-12/+19
|/ | | | | | | | | | | Applications can configure the route prefix prepended to the Active Storage routes. By default this maintains the previous prefix `/rails/active_storage` but supports custom prefixes. Before this change the route for serving blobs is fixed to `/rails/active_storage/blobs/:signed_id/*filename`. After this change it's possible to configure the route to something like `/files/blobs/:signed_id/*filename`.
* use "minitest" consistentlyXavier Noria2018-09-111-2/+1
| | | | | | | | | The name of the minitest library is spelled that way: regular font, and lowercase. Lowercase is used even at the beginning of sentences, see http://docs.seattlerb.org/minitest/ I double-checked this with @zenspider too (thanks!).
* Fix zero-byte files uploadMarcelo Perini Veloso2018-09-063-1/+12
|
* Handle only specifically relevant Azure HTTPErrorsCameron Bothner2018-08-232-5/+14
| | | | | | | | | The Azure gem uses `Azure::Core::Http::HTTPError` for everything: checksum mismatch, missing object, network unavailable, and many more. (https://www.rubydoc.info/github/yaxia/azure-storage-ruby/Azure/Core/Http/HTTPError). Rescuing that class obscures all sorts of configuration errors. We should check the type of error in those rescue blocks, and reraise when needed.
* Revert "Merge pull request #33667 from ↵George Claghorn2018-08-232-20/+7
| | | | | | | cbothner/azure-service-swallowing-all-errors" This reverts commit b204d167c5cfebd59f771d406178e371811ac43a, reversing changes made to de6a200f82a3de399fa685d583503bc88dbc5e9f.
* Handle only specifically relevant Azure HTTPErrorsCameron Bothner2018-08-232-7/+20
| | | | | | | | | The Azure gem uses `Azure::Core::Http::HTTPError` for everything: checksum mismatch, missing object, network unavailable, and many more. (https://www.rubydoc.info/github/yaxia/azure-storage-ruby/Azure/Core/Http/HTTPError). Rescuing that class obscures all sorts of configuration errors. We should check the type of error in those rescue blocks, and reraise when needed.
* Merge pull request #33666 from ↵George Claghorn2018-08-229-18/+118
|\ | | | | | | | | cbothner/fail-gracefully-from-activestorage-file-not-found Fail more gracefully from ActiveStorage missing file exceptions
| * Respond with 404 in ActiveStorage::DiskController#show when file missingCameron Bothner2018-08-213-0/+16
| | | | | | | | | | | | `ActiveStorage::DiskController#show` generates a 404 Not Found response when the requested file is missing from the disk service. It previously raised `Errno::ENOENT`.
| * Translate service-specific missing object exceptions into a generic oneCameron Bothner2018-08-217-18/+102
| | | | | | | | | | | | | | | | | | `ActiveStorage::Blob#download` and `ActiveStorage::Blob#open` raise `ActiveStorage::FileNotFoundError` when the corresponding file is missing from the storage service. Services translate service-specific missing object exceptions (e.g. `Google::Cloud::NotFoundError` for the GCS service and `Errno::ENOENT` for the disk service) into `ActiveStorage::FileNotFoundError`.
* | activestorage: yarn buildbogdanvlviv2018-08-191-4/+4
| | | | | | | | Context https://github.com/rails/rails/pull/33413#issuecomment-414137587
* | Retry ActiveStorage::AnalyzeJobs on download integrity check failuresGeorge Claghorn2018-08-191-0/+2
| |
* | Remove superfluous testGeorge Claghorn2018-08-191-10/+0
| | | | | | | | This test no longer covers the behavior of ActiveStorage::PurgeJob. Attached blobs are ignored by ActiveStorage::Blob#purge as of 934fccd, which includes an equivalent model test.
* | Enable multiple submit buttons for Active Storage formsChris Seelus2018-08-182-2/+22
|/
* Extract ActiveStorage::SetCurrentGeorge Claghorn2018-08-163-5/+23
| | | | Provide a handy concern for custom Active Storage controllers that can't inherit from ActiveStorage::BaseController.
* Document all Active Storage error classes [ci skip]George Claghorn2018-08-101-0/+8
|
* Add a generic base class for Active Storage exceptionsGeorge Claghorn2018-08-102-4/+14
| | | | | | Closes #33292. [Andrei Makarov & George Claghorn]
* Extract transformersGeorge Claghorn2018-08-106-70/+146
|
* DRY up web image checks in ActiveStorage::VariantGeorge Claghorn2018-08-091-18/+24
|
* Camelize instead of classifyingGeorge Claghorn2018-08-061-1/+1
| | | | | | | Avoid mangling service names that end in S: "GCS".classify # => "GC" "GCS".camelize # => "GCS"
* Improve ActiveStorage service adapter error handlingJoel Taylor2018-08-062-1/+9
|
* Fix uploading Tempfiles to Azure StorageGeorge Claghorn2018-08-032-1/+18
| | | | Closes #32530.
* Remove another unused requireGeorge Claghorn2018-08-021-2/+0
|
* Remove unused requireGeorge Claghorn2018-08-011-2/+0
|
* Retry ActiveStorage::PurgeJobs on DB deadlockGeorge Claghorn2018-07-311-0/+1
|
* Guard against missing blobs caused by concurrent purgesGeorge Claghorn2018-07-301-3/+3
|
* Ignore concurrently-deleted files when deleting by prefix from GCSGeorge Claghorn2018-07-301-1/+7
|
* Update ActiveStorage::Previewer docsGeorge Claghorn2018-07-291-2/+2
| | | | PDFPreviewer became MuPDFPreviewer in 0b717c2. Previewers are simple enough that we can just provide a single example.
* Clarify conditionGeorge Claghorn2018-07-271-1/+1
| | | | && binds tighter than || in JavaScript, but we ought not expect readers to remember language trivia.
* Fix directly uploading zero-byte filesGeorge Claghorn2018-07-272-2/+2
| | | | Closes #33450.
* Log streaming downloadsGeorge Claghorn2018-07-261-0/+2
|
* Ignore ActiveRecord::InvalidForeignKey in ActiveStorage::Blob#purgeJasper Martin2018-07-265-3/+95
| | | Do nothing instead of raising an error when it’s called on an attached blob.