Skip to content

Commit 21221cc

Browse files
committed
Security: Fix bypass in content_type_denylist via unescaped RegExp chars
Refs. GHSA-7g26-2qgj-chfg
1 parent 7023b89 commit 21221cc

2 files changed

Lines changed: 26 additions & 1 deletion

File tree

lib/carrierwave/uploader/content_type_denylist.rb

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,10 @@ def check_content_type_denylist!(new_file)
5454
end
5555

5656
def denylisted_content_type?(denylist, content_type)
57-
Array(denylist).any? { |item| content_type =~ /#{item}/ }
57+
Array(denylist).any? do |item|
58+
item = Regexp.quote(item) if item.class != Regexp
59+
content_type =~ /#{item}/
60+
end
5861
end
5962

6063
end # ContentTypeDenylist

spec/uploader/content_type_denylist_spec.rb

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,28 @@
5454

5555
expect { uploader.cache!(ruby_file) }.to raise_error(CarrierWave::IntegrityError)
5656
end
57+
58+
it "properly escapes metacharacters" do
59+
allow(uploader).to receive(:content_type_denylist).and_return(['image/svg+xml'])
60+
61+
sanitized_file = CarrierWave::SanitizedFile.new(ruby_file)
62+
allow(sanitized_file).to receive(:content_type).and_return('image/svg+xml')
63+
64+
expect { uploader.send(:check_content_type_denylist!, sanitized_file) }.to raise_error(CarrierWave::IntegrityError)
65+
end
66+
67+
it "matches anywhere in the string to be more restrictive" do
68+
allow(uploader).to receive(:content_type_denylist).and_return(['html'])
69+
70+
sanitized_file = CarrierWave::SanitizedFile.new(ruby_file)
71+
allow(sanitized_file).to receive(:content_type).and_return('text/html')
72+
73+
expect { uploader.send(:check_content_type_denylist!, sanitized_file) }.to raise_error(CarrierWave::IntegrityError)
74+
75+
allow(sanitized_file).to receive(:content_type).and_return('application/html')
76+
77+
expect { uploader.send(:check_content_type_denylist!, sanitized_file) }.to raise_error(CarrierWave::IntegrityError)
78+
end
5779
end
5880

5981
context "when the denylist is a single value" do

0 commit comments

Comments
 (0)