Include Content-Length in signature for ActiveStorage direct upload

travisp · tenderlove · commit 17507e8b32c8 · 2020-05-14T15:59:56.000-07:00
[CVE-2020-8162]
diff --git a/activestorage/lib/active_storage/service/s3_service.rb b/activestorage/lib/active_storage/service/s3_service.rb
@@ -81,7 +81,8 @@ def url(key, expires_in:, filename:, disposition:, content_type:)
     def url_for_direct_upload(key, expires_in:, content_type:, content_length:, checksum:)
       instrument :url, key: key do |payload|
         generated_url = object_for(key).presigned_url :put, expires_in: expires_in.to_i,
-          content_type: content_type, content_length: content_length, content_md5: checksum
+          content_type: content_type, content_length: content_length, content_md5: checksum,
+          whitelist_headers: ['content-length']
 
         payload[:url] = generated_url
 
diff --git a/activestorage/test/service/s3_service_test.rb b/activestorage/test/service/s3_service_test.rb
@@ -30,6 +30,29 @@ class ActiveStorage::Service::S3ServiceTest < ActiveSupport::TestCase
       @service.delete key
     end
 
+    test "directly uploading file larger than the provided content-length does not work" do
+      key      = SecureRandom.base58(24)
+      data     = "Some text that is longer than the specified content length"
+      checksum = Digest::MD5.base64digest(data)
+      url      = @service.url_for_direct_upload(key, expires_in: 5.minutes, content_type: "text/plain", content_length: data.size - 1, checksum: checksum)
+
+      uri = URI.parse url
+      request = Net::HTTP::Put.new uri.request_uri
+      request.body = data
+      request.add_field "Content-Type", "text/plain"
+      request.add_field "Content-MD5", checksum
+      upload_result = Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
+        http.request request
+      end
+
+      assert_equal "403", upload_result.code
+      assert_raises ActiveStorage::FileNotFoundError do
+        @service.download(key)
+      end
+    ensure
+      @service.delete key
+    end
+
     test "upload a zero byte file" do
       blob = directly_upload_file_blob filename: "empty_file.txt", content_type: nil
       user = User.create! name: "DHH", avatar: blob
