From d40284b1a44773b03d78ca67a888b94fd330d1b1 Mon Sep 17 00:00:00 2001
From: Rosa Gutierrez <rosa.ge@gmail.com>
Date: Thu, 4 Jan 2018 19:35:54 +0100
Subject: Force content disposition to attachment for specific content types

In this way we avoid HTML, XML, SVG and other files that can be rendered
by the browser to be served inline by default. Depending on the origin
from where these files are served, this might lead to XSS
vulnerabilities, and in the best case, to more realistic phishing
attacks and open redirects.

We force it rather than falling back to it when other disposition is not
provided. Otherwise it would be possible for someone to force inline
just by passing `disposition=inline` in the URL.

The list of content types to be served as attachments is configurable.
---
 activestorage/test/models/blob_test.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'activestorage/test/models')

diff --git a/activestorage/test/models/blob_test.rb b/activestorage/test/models/blob_test.rb
index f94e65ed77..fa8b935da0 100644
--- a/activestorage/test/models/blob_test.rb
+++ b/activestorage/test/models/blob_test.rb
@@ -41,6 +41,15 @@ class ActiveStorage::BlobTest < ActiveSupport::TestCase
     end
   end
 
+  test "urls force attachment as content disposition for content types served as binary" do
+    blob = create_blob(content_type: "text/html")
+
+    freeze_time do
+      assert_equal expected_url_for(blob, disposition: :attachment), blob.service_url
+      assert_equal expected_url_for(blob, disposition: :attachment), blob.service_url(disposition: :inline)
+    end
+  end
+
   test "purge deletes file from external service" do
     blob = create_blob
 
-- 
cgit v1.2.3