authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-12 21:09:28 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-12 21:09:28 +0300
commitce8a0b90849ac5d1895e741c023432930f24d724 (patch)
treedbdc97de542cdbe18a2fc8b1a6b64ac0673ed3d3 /app/uploaders
parentdc889678d1de8c09310b2f8f9742bb6c78a6f1a4 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/uploaders')
-rw-r--r--app/uploaders/avatar_uploader.rb7
-rw-r--r--app/uploaders/content_type_whitelist.rb53
-rw-r--r--app/uploaders/favicon_uploader.rb9
-rw-r--r--app/uploaders/gitlab_uploader.rb2
4 files changed, 65 insertions, 6 deletions
diff --git a/app/uploaders/avatar_uploader.rb b/app/uploaders/avatar_uploader.rb
index e4046e4b7e6..73dafaefb41 100644
--- a/app/uploaders/avatar_uploader.rb
+++ b/app/uploaders/avatar_uploader.rb
@@ -5,9 +5,8 @@ class AvatarUploader < GitlabUploader
include RecordsUploads::Concern
include ObjectStorage::Concern
prepend ObjectStorage::Extension::RecordsUploads
- include UploadTypeCheck::Concern
- check_upload_type extensions: AvatarUploader::SAFE_IMAGE_EXT
+ MIME_WHITELIST = %w[image/png image/jpeg image/gif image/bmp image/tiff image/vnd.microsoft.icon].freeze
def exists?
model.avatar.file && model.avatar.file.present?
@@ -29,6 +28,10 @@ class AvatarUploader < GitlabUploader
super || 'avatar'
end
+ def content_type_whitelist
+ MIME_WHITELIST
+ end
+
private
def dynamic_segment
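Review bot: `content_type_whitelist` is added without documentation and nothing in this class shows who calls it; the consumer is `ContentTypeWhitelist::Concern`, which this commit includes in `GitlabUploader` rather than here, so a reader of avatar_uploader.rb cannot tell that removing that base-class include would silently disable the check. The removed `check_upload_type extensions:` declaration was a visible opt-in in this file, whereas the new enforcement is only as visible as a comment makes it. Suggest above the method: `# Consumed by ContentTypeWhitelist::Concern (included via GitlabUploader): an upload whose magic-detected type is not listed raises CarrierWave::IntegrityError.`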
diff --git a/app/uploaders/content_type_whitelist.rb b/app/uploaders/content_type_whitelist.rb
new file mode 100644
index 00000000000..b3975d7e2e0
--- /dev/null
+++ b/app/uploaders/content_type_whitelist.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+# Currently we run CarrierWave 1.3.1 which means we can not whitelist files
+# by their content type through magic header parsing.
+#
+# This is a patch to hold us over until we get to CarrierWave 2 :) It's a mashup of
+# CarrierWave's lib/carrierwave/uploader/content_type_whitelist.rb and
+# lib/carrierwave/sanitized_file.rb
+#
+# Include this concern and add a content_type_whitelist method to get the same
+# behavior as you would with CarrierWave 2.
+#
+# This is not an exact replacement as we don't override
+# SanitizedFile#content_type but we do set the content_type attribute when we
+# check the whitelist.
+#
+# Remove this after moving to CarrierWave 2, though on practical terms it shouldn't
+# break anything if left for a while.
+module ContentTypeWhitelist
+ module Concern
+ extend ActiveSupport::Concern
+
+ private
+
+ # CarrierWave calls this method as part of it's before :cache callbacks.
+ # Here we override and extend CarrierWave's method that does not parse the
+ # magic headers.
+ def check_content_type_whitelist!(new_file)
+ new_file.content_type = mime_magic_content_type(new_file.path)
+
+ if content_type_whitelist && !whitelisted_content_type?(new_file.content_type)
+ message = I18n.translate(:"errors.messages.content_type_whitelist_error", allowed_types: Array(content_type_whitelist).join(", "))
+ raise CarrierWave::IntegrityError, message
+ end
+
+ super(new_file)
+ end
+
+ def whitelisted_content_type?(content_type)
+ Array(content_type_whitelist).any? { |item| content_type =~ /#{item}/ }
+ end
+
+ def mime_magic_content_type(path)
+ if path
+ File.open(path) do |file|
+ MimeMagic.by_magic(file).try(:type) || 'invalid/invalid'
+ end
+ end
+ rescue Errno::ENOENT
+ nil
+ end
+ end
+end
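Review bot: `whitelisted_content_type?` (line 88) interpolates each whitelist entry into a regex unescaped and unanchored, so the `.` in `image/vnd.microsoft.icon` matches any character and an entry matches as a substring of a longer type; both whitelists this commit adds are plain strings, so the tighter form is `Array(content_type_whitelist).any? { |item| content_type == item }` (or an anchored, `Regexp.escape`d pattern if regex entries are intended, as in the CarrierWave code this is copied from). Separately, line 77 assigns the magic-detected type before the `content_type_whitelist` guard and `mime_magic_content_type` returns `'invalid/invalid'` for anything MimeMagic does not recognise; because gitlab_uploader.rb includes this concern in the base class, every uploader's `content_type` is overwritten whether or not it defines a whitelist, which may change how non-image uploads are served — verify against the callers of `content_type`. The `rescue Errno::ENOENT` returning nil means a missing file fails the whitelist and raises, which is the right fail-closed outcome; a comment on line 97 saying so, `# nil never matches the whitelist, so a vanished file is rejected rather than accepted`, would protect that property from a well-meant later change.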
diff --git a/app/uploaders/favicon_uploader.rb b/app/uploaders/favicon_uploader.rb
index f393fdf0d84..c9be55e001c 100644
--- a/app/uploaders/favicon_uploader.rb
+++ b/app/uploaders/favicon_uploader.rb
@@ -1,16 +1,17 @@
# frozen_string_literal: true
class FaviconUploader < AttachmentUploader
- include UploadTypeCheck::Concern
-
EXTENSION_WHITELIST = %w[png ico].freeze
-
- check_upload_type extensions: EXTENSION_WHITELIST
+ MIME_WHITELIST = %w[image/png image/vnd.microsoft.icon].freeze
def extension_whitelist
EXTENSION_WHITELIST
end
+ def content_type_whitelist
+ MIME_WHITELIST
+ end
+
private
def filename_for_different_format(filename, format)
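Review bot: `MIME_WHITELIST` (line 114) and `EXTENSION_WHITELIST` now express the same policy in two forms with nothing saying they must move together; a later extension added without its MimeMagic type would make that format fail the content-type check rather than be accepted. Suggest above line 114: `# Keep in sync with EXTENSION_WHITELIST: one MimeMagic-detected type per allowed extension.` Since the extension and content-type checks run independently, a file whose name passes but whose magic bytes do not is still rejected, which is the intended fail-closed behaviour and worth stating in the same comment.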
diff --git a/app/uploaders/gitlab_uploader.rb b/app/uploaders/gitlab_uploader.rb
index 7dc211b14e4..654bb15378c 100644
--- a/app/uploaders/gitlab_uploader.rb
+++ b/app/uploaders/gitlab_uploader.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: true
class GitlabUploader < CarrierWave::Uploader::Base
+ include ContentTypeWhitelist::Concern
+
class_attribute :options
class << self
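Review bot: the include on line 131 changes behaviour for every uploader subclass, not only the two that define `content_type_whitelist` in this commit, because the concern's `check_content_type_whitelist!` rewrites `content_type` on each cached file before it consults the whitelist; nothing on this line records that intent. Suggest `# Magic-header content type detection for all uploaders; a subclass opts into enforcement by defining content_type_whitelist.` above the include. The class body continues outside the hunk.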