From af69097d349f4c00f244c51cd3c3e937fd3387cd Mon Sep 17 00:00:00 2001
From: Matijs van Zuijlen
Date: Sun, 14 Aug 2022 15:00:42 +0200
Subject: [PATCH] Strip EXIF data from resource uploads
---
 publify_core/Manifest.txt | 1 +
 .../app/uploaders/resource_uploader.rb | 21 ++++++++++++-
 .../testing_support/fixtures/testfile.jpg | Bin 0 -> 7537 bytes
 .../admin/resources_controller_spec.rb | 29 ++++++++++++++++++
 4 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 publify_core/lib/publify_core/testing_support/fixtures/testfile.jpg
diff --git a/publify_core/Manifest.txt b/publify_core/Manifest.txt
index 835f7832b9..2c077ed4ea 100644
--- a/publify_core/Manifest.txt
+++ b/publify_core/Manifest.txt
@@ -421,6 +421,7 @@ lib/publify_core/testing_support/fixtures/exploit.svg
 lib/publify_core/testing_support/fixtures/fakepng.png
 lib/publify_core/testing_support/fixtures/just_some.html
 lib/publify_core/testing_support/fixtures/otherfile.txt
+lib/publify_core/testing_support/fixtures/testfile.jpg
 lib/publify_core/testing_support/fixtures/testfile.png
 lib/publify_core/testing_support/fixtures/testfile.txt
 lib/publify_core/testing_support/upload_fixtures.rb
diff --git a/publify_core/app/uploaders/resource_uploader.rb b/publify_core/app/uploaders/resource_uploader.rb
index 36d5d5a5e4..99ddfc05c5 100644
--- a/publify_core/app/uploaders/resource_uploader.rb
+++ b/publify_core/app/uploaders/resource_uploader.rb
@@ -4,7 +4,10 @@ class ResourceUploader < CarrierWave::Uploader::Base
 include CarrierWave::MiniMagick
 
- before :cache, :check_content_type!
+ before :process, :check_content_type!
+
+ process :fix_exif_rotation, if: :image?
+ process :strip, if: :image?
 
 def content_type_allowlist
 [%r{image/}, %r{audio/}, %r{video/}, "text/plain"]
@@ -32,6 +35,22 @@ def dynamic_resize_to_fit(size)
 resize_to_fit(resize_setting, resize_setting)
 end
 
+ def strip
+ manipulate! do |img|
+ img.strip
+ img = yield(img) if block_given?
+ img
+ end
+ end
+
+ def fix_exif_rotation
+ manipulate! do |img|
+ img.auto_orient
+ img = yield(img) if block_given?
+ img
+ end
+ end
+
 def image?(new_file)
 content_type = new_file.content_type
 content_type&.include?("image")
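Review bot: Neither `strip` nor `fix_exif_rotation` carries a comment, and the dependency between them is only implicit: `auto_orient` applies the EXIF Orientation tag to the pixels, and `strip` then discards that tag, so the `process :fix_exif_rotation` registration must stay ahead of `process :strip` (the earlier hunk has them in that order, which I take to be CarrierWave's execution order). Suggested comments: above `strip`, `# Drop all embedded metadata (EXIF, XMP, ICC profiles, comments) via ImageMagick's -strip; must run after fix_exif_rotation.`; above `fix_exif_rotation`, `# Rotate pixels per the EXIF Orientation tag so that stripping the tag afterwards leaves the image upright.`. It is also worth recording that `-strip` removes the ICC colour profile along with the EXIF block, so colour-managed uploads (CMYK, wide-gamut) may render with shifted colours; if that matters, remove only the EXIF profile instead of everything. The method whose tail opens this hunk, dynamic_resize_to_fit, starts outside it.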
diff --git a/publify_core/lib/publify_core/testing_support/fixtures/testfile.jpg b/publify_core/lib/publify_core/testing_support/fixtures/testfile.jpg new file mode 100644 index 0000000000000000000000000000000000000000..4fcda8103da6eb148538093df93261aa46f841ed GIT binary patch literal 7537 zcmeHMX>=Ra6@J<**_IQ@9tXz+BFj!tLS#v!v9%nW;6=ttW3X%|#H2m#NHek&v>}aS zC#SR}ErF=v6dNay@T0LvX@GEO0%;q1IBaQZLV(Z)no!zPmO@IQ3riPzTJ?J)$u=~l z+v%@n?3uZ9=icvr_rCW=Z|3Ds=YLKNtGoT(M4?cUMffB6S9CA?#-d?D{Ql)cM+o+6 zg^DO3(Y;=wk+reH9I+$f+)(%%k`D|x~i%=wqa2N`)_ag$B0o!IjIz8qBJU0Mn(Q8 zSqz>Ug}fC~!L?GQ)|6>=zBy zFg~Sg>^S&%ZU6JXZE^%OALzj|PB?YgVi z4_y-y#PDz=x-lb-Y#JTgyyeSZxpCV~H*e2Q+%~y$*X?)g-jlm)-#705=Kg!`J@nv1 zhrj)u?;d&hi6@VK|JVszyYIdK!SDa@ z$3J~Y^P+i{wnAnf%gczolxnp~t)+P>l%q6pqgvD8D64J{X!+}E%!l2Gh@1ENJ3hS@JuYnw;6cme|(+D6^TwX7hT9=v4|dp2|p8kw5IQ)kPdTBh%cWy0ozPw zW!7?k@9M#TFB0kWF>5EUKjUKt4edBo_rrkI-)qS|$g-AP_OYW+QS?SH(0818i-y02 z30%$q?9g!z07G~Bn00R)8({()E?oG2z!%#%2#3y&dQ0w(=MDp5dU{*da!=EJ6g(X8 z)ovdjhevleJcbrhoD*Aj(uBIRmc12|0pE~swI%n^iYXY~eJl>x`rR_@)w%5QryFzG zWjj7RMpM=8&t=DJ5nwCL^g+{e2cYMo_cuwPM?;zs za(5S0fv!P%U;s*`zG+J?D{e(K{U{x5 zOCF{p|0D^j*iw@2`NIB^ou8ygY*fWB(ECHF0svrskaH#mWqj1C6NzuE%jsgtK+n;8fK z?3rh_;IYMtHx4% z=vq-S1;ycLqRsr9?>%ZZMTIu=)h)gD-c+X;iS}$sivwG(91Lx_Hsle^t5%vW8}p9E zQ*lw^O=Iy`BI6xvGt1y!$W(1Jn`9H|+BWlgOl&%nY0<|WGceLZ*xTRL zT|~fDo4H7Jbab?N)Y+U&58E6bkH=1axdCKD!# z$On@nQkxm^3&i57-rgDDbJidpr)*{GjO5z{=TE9wW^i*#wDpUb5{w<{SMp)CDfZDvZvDS+ok7-WcQ`$QCn$s+4z7gbPh=!M5fUj5kej0baj~q^EeZ}R$F;In&g0>&9uFs4 zJ)%7v#2uauI!gXmrK9MFd~7ZsiX#9AQ^K&*6>?Zx?SjY3Io#mk4zt#<+vD(HCe7#S;S2cvOu zK;miT9IdT(&g1krU3UDjU@60_6Vn-VI0_|C*v+Q7&EV~fwhL+Bn8XX|Hgh{4iO9)$ zJJTXBCDVh+WUS3RGv6=V>&2iEc!}@gB{cNx^nb84{lC1N1U5RLDYw#{=((D> zRbYd>=&-sSF1wWrqG|Y6K5TV_S{*KTP;j)kW{@+O@8w+S>#q& zR*Ewk5ow9>DrB|0tqzXX!rtO-X)V^m_CLtO;|PX1-ibU|XVA)p93HD13adRB4D&&^ z;C8rMO8ow-JX*ai?0=X?DgL?I!R_%lLm?My6~rLgA&kZd2AzUcbh+48dysDxS}{}$ z&Hmr;M^m)8=J2=CXK$fv**@OuFd(I<6cdZh)gF^(8xBt^Zwws`4+~HZ^CL0IymC;? 
zNG5sgUMAzlqHvINRQKzz6bqWIkym7x1A>s=cpoP3eR4-=BZ~BK>ww$d9ZP z>+kP>qNYl~TQNRVn_zW$D3z8Ve-3i%sFb4e9grDJ@Uc{&H~@J?8U!Jqrutw(ew)g} zvW%q)$mzlUPUJ=xH%!BGHKirEQxVf99(RMLNJYW!<-bR9%fq1Be@^c8x2WkqFW)x2s$)jZ?8 z%1XlmgRzFGt*zD1zo2dbQ&-K@GV|n|Mr%D0;@N~KnyAc7A{Jw zHw!T06f*VFL8~ak>c;}Q@=;P1&d?WE4-6^;n*5}gY25VqH@*n#3k)AO*DwkKa~(hw z8l`yO!H!@3aPom07rafejUUHWk!sl(3ofe^qc6|j{-mMoHx!pzeuRda)Tm@rB{lu^ zEsb}1w9k6pe-y@y;UktHZ7MP-TcuolPL>K{Y$&l@)$rO?2hC+|cS0erk;t9N@W2BU z+IVhg%GWUOy-%>9Gz|v2PF4qcSbCYW(dg|n;SEpZmIyr+_rE^4^P1D{qgOtcKl3+n C+Z93p literal 0 HcmV?d00001
diff --git a/publify_core/spec/controllers/admin/resources_controller_spec.rb b/publify_core/spec/controllers/admin/resources_controller_spec.rb
index 2b7fc066e5..9cacf7136a 100644
--- a/publify_core/spec/controllers/admin/resources_controller_spec.rb
+++ b/publify_core/spec/controllers/admin/resources_controller_spec.rb
@@ -88,6 +88,35 @@
 end
 end
 
+ context "when uploading an image file with exif data" do
+ let(:upload) { file_upload("testfile.jpg", "image/jpeg") }
+
+ it "creates a new Resource" do
+ expect { post :upload, params: { upload: upload } }.
+ to change(Resource, :count).by(1)
+ end
+
+ it "strips EXIF data" do
+ post :upload, params: { upload: upload }
+ resource = Resource.last
+ img = MiniMagick::Image.open resource.upload.file.file
+ expect(img.exif).to be_empty
+ end
+
+ it "sets the content type correctly" do
+ post :upload, params: { upload: upload }
+ expect(Resource.last.mime).to eq "image/jpeg"
+ end
+
+ it "sets the flash to success" do
+ post :upload, params: { upload: upload }
+ aggregate_failures do
+ expect(flash[:success]).not_to be_nil
+ expect(flash[:warning]).to be_nil
+ end
+ end
+ end
+
 context "when attempting to upload a dangerous svg" do
 let(:upload) { file_upload("exploit.svg", "image/svg") }