5b41db2c6a
Some checks failed
The sanitize_svg_icon before_validation callback called icon.download, but Active Storage uploads pending blobs in before_save — so at before_validation time the file only existed in the request tempfile, not at the configured storage path. Read from the pending attachable (UploadedFile / IO hash) instead. Guards against the recursive callback that icon.attach would otherwise trigger by tracking the cleaned attachable by object identity. Bumps to 0.13.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
33 lines
951 B
Ruby
33 lines
951 B
Ruby
require "test_helper"
|
|
|
|
class ApplicationTest < ActiveSupport::TestCase
|
|
test "sanitizes an SVG icon uploaded via UploadedFile (regression for FileNotFoundError)" do
|
|
app = applications(:kavita_app)
|
|
|
|
svg = %(<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script><path d="M0 0"/></svg>)
|
|
tempfile = Tempfile.new(["icon", ".svg"]).tap do |t|
|
|
t.write(svg)
|
|
t.rewind
|
|
end
|
|
uploaded = ActionDispatch::Http::UploadedFile.new(
|
|
tempfile: tempfile,
|
|
filename: "icon.svg",
|
|
type: "image/svg+xml"
|
|
)
|
|
|
|
# Previously raised ActiveStorage::FileNotFoundError because the
|
|
# before_validation callback called icon.download before the blob was
|
|
# uploaded to disk.
|
|
assert_nothing_raised do
|
|
app.update!(icon: uploaded)
|
|
end
|
|
|
|
cleaned = app.icon.download
|
|
refute_match(/<script/i, cleaned)
|
|
assert_match(/<path/, cleaned)
|
|
ensure
|
|
tempfile&.close
|
|
tempfile&.unlink
|
|
end
|
|
end
|