Strip EXIF data from resource uploads

publify · Aug 15, 2022 · af69097 · af69097
1 parent 5e3022d
commit af69097
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 1 deletion.
diff --git a/publify_core/Manifest.txt b/publify_core/Manifest.txt
@@ -421,6 +421,7 @@ lib/publify_core/testing_support/fixtures/exploit.svg
 lib/publify_core/testing_support/fixtures/fakepng.png
 lib/publify_core/testing_support/fixtures/just_some.html
 lib/publify_core/testing_support/fixtures/otherfile.txt
+lib/publify_core/testing_support/fixtures/testfile.jpg
 lib/publify_core/testing_support/fixtures/testfile.png
 lib/publify_core/testing_support/fixtures/testfile.txt
 lib/publify_core/testing_support/upload_fixtures.rb

diff --git a/publify_core/app/uploaders/resource_uploader.rb b/publify_core/app/uploaders/resource_uploader.rb
@@ -4,7 +4,10 @@
 
 class ResourceUploader < CarrierWave::Uploader::Base
   include CarrierWave::MiniMagick
-  before :cache, :check_content_type!
+  before :process, :check_content_type!
+
+  process :fix_exif_rotation, if: :image?
+  process :strip, if: :image?
 
   def content_type_allowlist
     [%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
@@ -32,6 +35,22 @@ def dynamic_resize_to_fit(size)
     resize_to_fit(resize_setting, resize_setting)
   end
 
+  def strip
+    manipulate! do |img|
+      img.strip
+      img = yield(img) if block_given?
+      img
+    end
+  end
+
+  def fix_exif_rotation
+    manipulate! do |img|
+      img.auto_orient
+      img = yield(img) if block_given?
+      img
+    end
+  end
+
   def image?(new_file)
     content_type = new_file.content_type
     content_type&.include?("image")

diff --git a/publify_core/lib/publify_core/testing_support/fixtures/testfile.jpg b/publify_core/lib/publify_core/testing_support/fixtures/testfile.jpg
diff --git a/publify_core/spec/controllers/admin/resources_controller_spec.rb b/publify_core/spec/controllers/admin/resources_controller_spec.rb
@@ -88,6 +88,35 @@
       end
     end
 
+    context "when uploading an image file with exif data" do
+      let(:upload) { file_upload("testfile.jpg", "image/jpeg") }
+
+      it "creates a new Resource" do
+        expect { post :upload, params: { upload: upload } }.
+          to change(Resource, :count).by(1)
+      end
+
+      it "strips EXIF data" do
+        post :upload, params: { upload: upload }
+        resource = Resource.last
+        img = MiniMagick::Image.open resource.upload.file.file
+        expect(img.exif).to be_empty
+      end
+
+      it "sets the content type correctly" do
+        post :upload, params: { upload: upload }
+        expect(Resource.last.mime).to eq "image/jpeg"
+      end
+
+      it "sets the flash to success" do
+        post :upload, params: { upload: upload }
+        aggregate_failures do
+          expect(flash[:success]).not_to be_nil
+          expect(flash[:warning]).to be_nil
+        end
+      end
+    end
+
     context "when attempting to upload a dangerous svg" do
       let(:upload) { file_upload("exploit.svg", "image/svg") }