filestack / filestack-rails

Official Ruby on Rails plugin for Filestack File Picker that makes it easy to add powerful file uploading and transformation capabilities to any web or mobile application.
https://www.filestack.com
Apache License 2.0

Security issue #228

Open webdev36 opened 4 years ago

webdev36 commented 4 years ago

Hi @gabifiolek , Please check the security option. The error occurs when using the filestack_field tag with security option. Of course I've already set in the application.rb file app_secret and security options.

Just got this error undefined method `policy' for {"call"=>["pick", "read", "store", "convert", "remove"]}:Hash Please check for this issue.

gabifija commented 4 years ago

Hello, @joaopedre! Thank you for reaching out to me. Please let me know which filestack-rails gem version you use, and what you set up in config.filestack_rails.version in the configuration file.

webdev36 commented 4 years ago

I've used filestack-rails 5.2.2 and did not set the version in the configuration file.

gabifija commented 4 years ago

@joaopedre Please confirm that your application.rb provides security as the following Hash:

config.filestack_rails.api_key = 'APIKEY'
config.filestack_rails.app_secret = 'APP_SECRET'
config.filestack_rails.security = {"call"=>["pick", "read", "store", "convert", "remove"]}

or

config.filestack_rails.security = {call: %w[pick read store convert remove]}

Let me know, because I can't reproduce it.

webdev36 commented 4 years ago

Rails.application.config.filestack_rails.api_key = ENV['FILESTACK_API_KEY']
Rails.application.config.filestack_rails.client_name = ENV['FILESTACK_CLIENT_NAME']
if Rails.env.production?
  Rails.application.config.filestack_rails.app_secret = ENV['FILESTACK_API_SECRET']
  Rails.application.config.filestack_rails.security = {'call' => %w[pick read store convert remove]}
end

It's set like this.


gabifija commented 4 years ago

@joaopedre I've set up my application.rb file with the same security hash, but I don't see the error. Can you check whether config.filestack_rails.security = {call: %w[pick read store convert remove]} returns the same error? Let me also know which versions of Ruby and Rails you use.

gabifija commented 4 years ago

@joaopedre You can also contact our support (support@filestack.com) and share your APIKEY and attach this issue. Then, we can check your application, and secret and security options.

mauroponce commented 4 years ago

@joaopedre @gabifiolek I downgraded to 4.0.1 and it works well (tested in Rails 5.2 and 6.0.2)

mauroponce commented 4 years ago

4.0.4 is the latest one that works. From then on, security is a simple ruby hash. Also, it's not possible to upload SVG files using the filepicker AFTER security is enabled. Please let me know if this is a known issue. Thanks!

webdev36 commented 4 years ago

Okay, I got it. Thanks

taylorthurlow commented 4 years ago

I'm also having the same issue. After taking a look at the code it's obvious why the problem is happening, but I don't know why the code was changed.

If you take a look at lib/filestack-rails/configuration.rb in v4.0.4: https://github.com/filestack/filestack-rails/blob/4.0.4/lib/filestack_rails/configuration.rb#L25

@security is set to an instance of FilestackSecurity which has method #policy, like we're looking for.

If you take a look at lib/filestack-rails/configuration.rb in v4.0.5: https://github.com/filestack/filestack-rails/blob/4.0.5/lib/filestack_rails/configuration.rb#L27

@security is set to whatever is passed into the method, defaulting to a Hash. Given that the README suggests setting it to a hash:

config.filestack_rails.security = {'call' => %w[pick store read convert] }

Here's the commit with the breaking change: https://github.com/filestack/filestack-rails/commit/f39bd24bea3aa36592149b8a1cde25ad68779c13#diff-8c72e16fad1744738f63d517983cf69c

As you can see, @joaopedre left a comment there as well. This just seems broken, or the README is wrong.

taylorthurlow commented 4 years ago

Okay, I've come to the conclusion that I don't think it was clear what the OP was trying to achieve in the first place (call FilestackSecurity#policy?), and that there isn't technically an issue or bug: the public API of FilestackConfiguration just had breaking changes between 4.0.4 and 4.0.5.

FilestackSecurity#policy is still a method that works, but FilestackConfiguration#security no longer returns an instance of FilestackSecurity, just a Hash. This seems deliberate because the ApplicationHelper still uses it here.

What was missing from the OP is why they were trying to call Rails.application.config.filestack_rails.security.policy. In my case, I use it in a background job for deleting assets. I've copied the method from the above linked class:

def security
  security_options = ::Rails.application.config.filestack_rails.security
  app_secret = ::Rails.application.config.filestack_rails.app_secret

  return nil unless security_options
  FilestackSecurity.new(app_secret, options: security_options)
end

Using this method and calling security.policy instead works.

webdev36 commented 4 years ago

puts config.filestack_rails.security.policy
puts config.filestack_rails.security.signature

This command doesn't work. I'd like to change the config name to config.security_option instead of config.security.

gabifija commented 4 years ago

@taylorthurlow Thank you for letting me know, I'll take a look at that as soon as possible.

webdev36 commented 4 years ago

Thanks


gabifija commented 4 years ago

@joaopedre Many months ago I changed it because some of our clients requested generating security per request. The security stopped working for one of them just 1 hour after deployment. The policy and signature key pair was generated once, in the initializers of the Rails application. Once the server had started, it did not change in subsequent requests.

That's why this change broke your code: I moved the security generation to application_helper. I'll figure out how to handle both cases asap.
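The two points made above, the per-request helper that wraps the config hash in a security object and the maintainer's explanation that a policy/signature pair minted once at boot expires about an hour later, can be seen together in a small stand-alone script. The code below is an added example written for this thread, not the filestack-rails or filestack-ruby gem's own code: the class `PerRequestSecurity`, the helper `build_security`, the `ExampleConfig` struct and the secret value are all constructed here. It assumes Filestack's published security scheme (policy = Base64URL-encoded JSON carrying an `expiry` timestamp, signature = hex HMAC-SHA256 of that encoded policy under the app secret) and includes the server-side verification order a practitioner would want: authenticate the policy first, then read its expiry.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Added illustration, not the filestack-rails gem's own code. It builds a
# Filestack-style policy/signature pair from the same options hash that this
# thread puts in config.filestack_rails.security, and shows why a pair minted
# once at boot stops working: the policy carries an expiry timestamp.
class PerRequestSecurity
  DEFAULT_TTL = 3600 # seconds; roughly the window after which the maintainer saw failures

  attr_reader :policy, :signature, :expiry

  # app_secret: server-side Filestack app secret (never shipped to the browser)
  # options:    hash with string or symbol keys, e.g. { call: %w[pick read] }
  # now/ttl:    injectable clock and lifetime so expiry can be reasoned about in tests
  def initialize(app_secret, options:, now: Time.now, ttl: DEFAULT_TTL)
    @expiry = now.to_i + ttl
    policy_hash = stringify_keys(options).merge('expiry' => @expiry)
    # Filestack policies are Base64URL-encoded JSON; the signature is the
    # hex HMAC-SHA256 of that encoded policy under the app secret (assumed scheme).
    @policy = Base64.urlsafe_encode64(JSON.generate(policy_hash))
    @signature = OpenSSL::HMAC.hexdigest('SHA256', app_secret, @policy)
  end

  # A pair generated once in an initializer is exactly what this returns true
  # for after DEFAULT_TTL seconds of server uptime.
  def expired?(at = Time.now)
    at.to_i >= @expiry
  end

  # Server-side check of a pair, in the order a verifier should apply it:
  # authenticate the policy first, only then trust and read its contents.
  # Returns :ok, :bad_signature or :expired.
  def self.verify(app_secret, policy, signature, at: Time.now)
    expected = OpenSSL::HMAC.hexdigest('SHA256', app_secret, policy)
    return :bad_signature unless constant_time_equal?(expected, signature)

    decoded = JSON.parse(Base64.urlsafe_decode64(policy))
    return :expired if decoded['expiry'].to_i <= at.to_i

    :ok
  end

  # Length check plus XOR accumulation so comparison time does not depend on
  # where the first mismatching byte sits.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  private

  # Accept both {'call' => [...]} and {call: [...]} as the thread's README snippet
  # and the maintainer's two suggested forms do.
  def stringify_keys(options)
    options.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  end
end

# Hypothetical stand-in for Rails.application.config.filestack_rails: any object
# responding to #app_secret and #security works with build_security below.
ExampleConfig = Struct.new(:app_secret, :security)

# Same shape as the helper quoted from application_helper earlier in the thread:
# read the options and secret from config and mint a fresh pair on every call.
def build_security(config, now: Time.now)
  return nil unless config.security

  PerRequestSecurity.new(config.app_secret, options: config.security, now: now)
end

if __FILE__ == $PROGRAM_NAME
  cfg = ExampleConfig.new('constructed-app-secret', { 'call' => %w[pick read store convert remove] })
  sec = build_security(cfg)
  puts "policy:    #{sec.policy}"
  puts "signature: #{sec.signature}"
  puts PerRequestSecurity.verify(cfg.app_secret, sec.policy, sec.signature)
end
```

Calling `build_security` inside a request or job (as the helper in the thread does) rather than once in an initializer is what keeps the `expiry` fresh; the verification method is there to show that a stale pair fails with `:expired` while a tampered or wrongly-signed one fails earlier with `:bad_signature`, so the two failure modes are distinguishable in logs.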