From 0603971894a967f632020277c32a8e50ea165519 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Wed, 23 Nov 2016 10:46:48 +0100
Subject: Adding sensitive marker to statuses in API
---
 app/controllers/api/v1/statuses_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'app/controllers')
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index b2b432a6b..2e0399301 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -50,7 +50,7 @@ class Api::V1::StatusesController < ApiController
 end
 def create
- @status = PostStatusService.new.call(current_user.account, params[:status], params[:in_reply_to_id].blank? ? nil : Status.find(params[:in_reply_to_id]), params[:media_ids])
+ @status = PostStatusService.new.call(current_user.account, params[:status], params[:in_reply_to_id].blank? ? nil : Status.find(params[:in_reply_to_id]), media_ids: params[:media_ids], sensitive: params[:sensitive])
 render action: :show
 end
-- cgit
From 79a01358698ad3889b0c9a43cfb2f886fbae77e4 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Wed, 23 Nov 2016 18:56:30 +0100
Subject: Cache accounts/:id/statuses and single statuses too
---
 app/controllers/api/v1/accounts_controller.rb | 22 +++++++++++++++++++++-
 app/controllers/api/v1/statuses_controller.rb | 2 ++
 2 files changed, 23 insertions(+), 1 deletion(-)
 (limited to 'app/controllers')
diff --git a/app/controllers/api/v1/accounts_controller.rb b/app/controllers/api/v1/accounts_controller.rb
index 97d626af2..4ae900583 100644
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
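Review bot: `sensitive: params[:sensitive]` on the added line forwards the raw request value, and a form-encoded client sends `"false"` or `"0"` as a String, which is truthy in Ruby; unless PostStatusService casts it (its body is not visible here), a status could end up marked sensitive when the client said otherwise. Casting at the controller boundary makes the intent explicit, e.g. `sensitive: ActiveModel::Type::Boolean.new.cast(params[:sensitive])`. The `create` action is fully inside the hunk, but the keyword signature of `PostStatusService#call` is not, so confirm it accepts `media_ids:` and `sensitive:` as keywords rather than a trailing options hash.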
@@ -57,7 +57,8 @@ class Api::V1::AccountsController < ApiController
 end
 def statuses
- @statuses = @account.statuses.with_includes.paginate_by_max_id(DEFAULT_STATUSES_LIMIT, params[:max_id], params[:since_id]).to_a
+ @statuses = @account.statuses.paginate_by_max_id(DEFAULT_STATUSES_LIMIT, params[:max_id], params[:since_id]).to_a
+ @statuses = cache(@statuses)
 set_maps(@statuses)
 set_counters_maps(@statuses)
@@ -120,4 +121,23 @@ class Api::V1::AccountsController < ApiController
 @followed_by = Account.followed_by_map([@account.id], current_user.account_id)
 @blocking = Account.blocking_map([@account.id], current_user.account_id)
 end
+
+ def cache(raw)
+ uncached_ids = []
+ cached_keys_with_value = Rails.cache.read_multi(*raw.map(&:cache_key))
+
+ raw.each do |status|
+ uncached_ids << status.id unless cached_keys_with_value.key?(status.cache_key)
+ end
+
+ unless uncached_ids.empty?
+ uncached = Status.where(id: uncached_ids).with_includes.map { |s| [s.id, s] }.to_h
+
+ uncached.values.each do |status|
+ Rails.cache.write(status.cache_key, status)
+ end
+ end
+
+ raw.map { |status| cached_keys_with_value[status.cache_key] || uncached[status.id] }
+ end
 end
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb
index 2e0399301..a693ce00d 100644
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -9,6 +9,8 @@ class Api::V1::StatusesController < ApiController
 respond_to :json
 def show
+ cached = Rails.cache.read(@status.cache_key)
+ @status = cached unless cached.nil?
 end
 def context
-- cgit
From 7161f91313b51c8425bd184dc5374084fd4e68a8 Mon Sep 17 00:00:00 2001
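Review bot: `Rails.cache.write(status.cache_key, status)` in the new `cache` method stores the record together with its `with_includes` associations and sets no expiry, so an entry lives until the store evicts it, and because `cache_key` is derived from the status alone, a change to an associated record that does not touch the status's own timestamp keeps being served from the stale copy. A bounded lifetime limits both effects, e.g. `Rails.cache.write(status.cache_key, status, expires_in: STATUS_CACHE_TTL)` with `STATUS_CACHE_TTL` a constant still to be chosen. The method also has no documentation; a header comment such as `# Returns raw's statuses in the same order, served from Rails.cache where present; misses are reloaded with includes and written back` would state the contract. Note that `uncached` is only assigned inside the `unless` branch and is nil on an all-hit run, which is safe only because the `||` never reaches it; that deserves a one-line comment on the final `raw.map`.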
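Review bot: the added `Rails.cache.read(@status.cache_key)` in `show` only reads, and within this commit the only writer is `Api::V1::AccountsController#cache`, so the lookup hits solely for statuses that were previously served through an account timeline and otherwise falls through silently to the `@status` loaded before this action (outside the hunk). If that asymmetry is intended, a comment should say so: `# Populated by Api::V1::AccountsController#cache; on a miss the record loaded before this action is used as-is`. If it is not, writing the record back on a miss here would make the two paths consistent.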
From: Andrea Faulds
Date: Wed, 23 Nov 2016 21:00:00 +0000
Subject: Rename media to avoid exposing filename (fixes #207)
---
 app/controllers/api/v1/media_controller.rb | 5 ++++-
 app/controllers/settings/profiles_controller.rb | 13 ++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
 (limited to 'app/controllers')
diff --git a/app/controllers/api/v1/media_controller.rb b/app/controllers/api/v1/media_controller.rb
index bb8e8d9ee..23cc9bb7c 100644
--- a/app/controllers/api/v1/media_controller.rb
+++ b/app/controllers/api/v1/media_controller.rb
@@ -7,7 +7,10 @@ class Api::V1::MediaController < ApiController
 respond_to :json
 def create
- @media = MediaAttachment.create!(account: current_user.account, file: params[:file])
+ file = params[:file]
+ # Change so Paperclip won't expose the actual filename
+ file.original_filename = "media" + File.extname(file.original_filename)
+ @media = MediaAttachment.create!(account: current_user.account, file: file)
 rescue Paperclip::Errors::NotIdentifiedByImageMagickError
 render json: { error: 'File type of uploaded media could not be verified' }, status: 422
 rescue Paperclip::Error
diff --git a/app/controllers/settings/profiles_controller.rb b/app/controllers/settings/profiles_controller.rb
index 4b2b5a131..9d9c0bb72 100644
--- a/app/controllers/settings/profiles_controller.rb
+++ b/app/controllers/settings/profiles_controller.rb
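Review bot: `File.extname(file.original_filename)` on the added lines replaces the base name but keeps the client-supplied extension, so the one part of the upload name that is still untrusted is the part that, depending on how stored files are served, can decide how a browser handles them; the same logic is repeated in `account_params` of the profiles hunk below and survives into the `ObfuscateFilename` module of the later commit. Deriving the extension from the content type that Paperclip validates, or checking it against an allow-list before the rename, would close that gap; at minimum the comment should record it, e.g. `# Base name is replaced; the extension is still taken from the client and is not validated here`. The `create` action continues past the hunk with further `rescue` clauses.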
@@ -20,7 +20,18 @@ class Settings::ProfilesController < ApplicationController
 private
 def account_params
- params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
+ p = params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
+ if p[:avatar]
+ avatar = p[:avatar]
+ # Change so Paperclip won't expose the actual filename
+ avatar.original_filename = "media" + File.extname(avatar.original_filename)
+ end
+ if p[:header]
+ header = p[:header]
+ # Change so Paperclip won't expose the actual filename
+ header.original_filename = "media" + File.extname(header.original_filename)
+ end
+ p
 end
 def set_account
-- cgit
From cefef2c57197a06d403b9cbe13e969e08aaf5301 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Wed, 23 Nov 2016 23:31:38 +0000
Subject: Extract filename obfuscation into module
---
 app/controllers/api/v1/media_controller.rb | 8 ++++----
 app/controllers/settings/profiles_controller.rb | 17 +++++------------
 app/models/concerns/obfuscate_filename.rb | 16 ++++++++++++++++
 3 files changed, 25 insertions(+), 16 deletions(-)
 create mode 100644 app/models/concerns/obfuscate_filename.rb
 (limited to 'app/controllers')
diff --git a/app/controllers/api/v1/media_controller.rb b/app/controllers/api/v1/media_controller.rb
index 23cc9bb7c..f8139ade7 100644
--- a/app/controllers/api/v1/media_controller.rb
+++ b/app/controllers/api/v1/media_controller.rb
@@ -4,13 +4,13 @@ class Api::V1::MediaController < ApiController
 before_action -> { doorkeeper_authorize! :write }
 before_action :require_user!
+ include ObfuscateFilename
+ obfuscate_filename :file
+
 respond_to :json
 def create
- file = params[:file]
- # Change so Paperclip won't expose the actual filename
- file.original_filename = "media" + File.extname(file.original_filename)
- @media = MediaAttachment.create!(account: current_user.account, file: file)
+ @media = MediaAttachment.create!(account: current_user.account, file: params[:file])
 rescue Paperclip::Errors::NotIdentifiedByImageMagickError
 render json: { error: 'File type of uploaded media could not be verified' }, status: 422
 rescue Paperclip::Error
diff --git a/app/controllers/settings/profiles_controller.rb b/app/controllers/settings/profiles_controller.rb
index 9d9c0bb72..21fbba2af 100644
--- a/app/controllers/settings/profiles_controller.rb
+++ b/app/controllers/settings/profiles_controller.rb
@@ -6,6 +6,10 @@ class Settings::ProfilesController < ApplicationController
 before_action :authenticate_user!
 before_action :set_account
+ include ObfuscateFilename
+ obfuscate_filename [:account, :avatar]
+ obfuscate_filename [:account, :header]
+
 def show
 end
@@ -20,18 +24,7 @@ class Settings::ProfilesController < ApplicationController
 private
 def account_params
- p = params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
- if p[:avatar]
- avatar = p[:avatar]
- # Change so Paperclip won't expose the actual filename
- avatar.original_filename = "media" + File.extname(avatar.original_filename)
- end
- if p[:header]
- header = p[:header]
- # Change so Paperclip won't expose the actual filename
- header.original_filename = "media" + File.extname(header.original_filename)
- end
- p
+ params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
 end
 def set_account
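Review bot: `include ObfuscateFilename` and `obfuscate_filename :file` are placed after `before_action :require_user!`, and since the `obfuscate_filename` class macro registers its own before_action at the point it is called, the rename runs after the authorization callbacks only because of that source position; the same holds for the profiles hunk in this commit, where the macros follow `before_action :set_account`. Nothing in the code pins that order, so a future reorder of the class header would silently move the filename rewrite ahead of auth. A short comment at each include site would protect it: `# Keep below the auth before_actions: obfuscate_filename registers a callback in source order`.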
diff --git a/app/models/concerns/obfuscate_filename.rb b/app/models/concerns/obfuscate_filename.rb
new file mode 100644
index 000000000..dc25cdbc2
--- /dev/null
+++ b/app/models/concerns/obfuscate_filename.rb
@@ -0,0 +1,16 @@
+module ObfuscateFilename
+ extend ActiveSupport::Concern
+
+ class_methods do
+ def obfuscate_filename(*args)
+ before_action { obfuscate_filename(*args) }
+ end
+ end
+
+ def obfuscate_filename(path)
+ file = params.dig(*path)
+ return if file.nil?
+
+ file.original_filename = "media" + File.extname(file.original_filename)
+ end
+end
-- cgit
From 8e34bed7cce7b97388e55fabacee7d424b5846ea Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Thu, 24 Nov 2016 19:59:11 +0100
Subject: Mini Profiler not working well, remove it
---
 Gemfile | 5 -----
 Gemfile.lock | 9 ---------
 app/controllers/application_controller.rb | 5 -----
 config/initializers/mini_profiler.rb | 17 -----------------
 4 files changed, 36 deletions(-)
 delete mode 100644 config/initializers/mini_profiler.rb
 (limited to 'app/controllers')
diff --git a/Gemfile b/Gemfile
index 327a17ee9..4abed33ff 100644
--- a/Gemfile
+++ b/Gemfile
@@ -50,11 +50,6 @@ gem 'react-rails'
 gem 'browserify-rails'
 gem 'autoprefixer-rails'
-gem 'rack-mini-profiler', require: false
-gem 'flamegraph'
-gem 'stackprof'
-gem 'memory_profiler'
-
 group :development, :test do
 gem 'rspec-rails'
 gem 'pry-rails'
diff --git a/Gemfile.lock b/Gemfile.lock
index 28ad1abb6..b058ae940 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -136,7 +136,6 @@ GEM
 execjs (2.7.0)
 fabrication (2.15.2)
 fast_blank (1.0.0)
- flamegraph (0.9.5)
 font-awesome-rails (4.6.3.1)
 railties (>= 3.2, < 5.1)
 fuubar (2.1.1)
@@ -206,7 +205,6 @@ GEM
 nokogiri (>= 1.5.9)
 mail (2.6.4)
 mime-types (>= 1.16, < 4)
- memory_profiler (0.9.7)
 method_source (0.8.2)
 mime-types (3.1)
 mime-types-data (~> 3.2015)
@@ -264,8 +262,6 @@ GEM
 rack-attack (5.0.1)
 rack
 rack-cors (0.4.0)
- rack-mini-profiler (0.10.1)
- rack (>= 1.2.0)
 rack-protection (1.5.3)
 rack
 rack-test (0.6.3)
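Review bot: `return if file.nil?` in the instance-level `obfuscate_filename` guards only a missing parameter; if a client sends the field as a plain string rather than a multipart file, `params.dig` returns a String and `file.original_filename=` raises NoMethodError, so a capability check is the safer guard: `return unless file.respond_to?(:original_filename)`. The class macro and the instance callback share the name `obfuscate_filename`, which works because the `before_action` block runs on the controller instance, but it reads as recursion; a YARD comment on each (`# @param path [Symbol, Array<Symbol>] params key path to the upload`) or a distinct instance name such as `obfuscate_uploaded_filename` would make the indirection obvious. The file is placed under `app/models/concerns` yet uses `before_action` and `params`, so it is a controller concern and `app/controllers/concerns` would be the conventional location.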
@@ -376,7 +372,6 @@ GEM
 actionpack (>= 4.0)
 activesupport (>= 4.0)
 sprockets (>= 3.0.0)
- stackprof (0.2.10)
 temple (0.7.7)
 term-ansicolor (1.4.0)
 tins (~> 1.0)
@@ -425,7 +420,6 @@ DEPENDENCIES
 dotenv-rails
 fabrication
 fast_blank
- flamegraph
 font-awesome-rails
 fuubar
 goldfinger
@@ -441,7 +435,6 @@ DEPENDENCIES
 letter_opener
 link_header
 lograge
- memory_profiler
 neography
 nokogiri
 oj
@@ -456,7 +449,6 @@ DEPENDENCIES
 rabl
 rack-attack
 rack-cors
- rack-mini-profiler
 rails!
 rails_12factor
 rails_autolink
@@ -471,7 +463,6 @@ DEPENDENCIES
 sidekiq
 simple_form
 simplecov
- stackprof
 uglifier (>= 1.3.0)
 webmock
 will_paginate
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index effb4ed78..847763c65 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -14,7 +14,6 @@ class ApplicationController < ActionController::Base
 before_action :store_current_location, except: :raise_not_found, unless: :devise_controller?
 before_action :set_locale
- before_action :check_rack_mini_profiler
 def raise_not_found
 raise ActionController::RoutingError, "No route matches #{params[:unmatched_route]}"
@@ -32,10 +31,6 @@ class ApplicationController < ActionController::Base
 I18n.locale = I18n.default_locale
 end
- def check_rack_mini_profiler
- Rack::MiniProfiler.authorize_request if current_user && current_user.admin?
- end
-
 protected
 def not_found
diff --git a/config/initializers/mini_profiler.rb b/config/initializers/mini_profiler.rb
deleted file mode 100644
index 265783618..000000000
--- a/config/initializers/mini_profiler.rb
+++ /dev/null
@@ -1,17 +0,0 @@
-require 'rack-mini-profiler'
-
-Rack::MiniProfilerRails.initialize!(Rails.application)
-
-Rails.application.middleware.swap(Rack::Deflater, Rack::MiniProfiler)
-Rails.application.middleware.swap(Rack::MiniProfiler, Rack::Deflater)
-
-Rack::MiniProfiler.config.storage = Rack::MiniProfiler::MemoryStore
-
-if Rails.env.production?
- Rack::MiniProfiler.config.storage_options = {
- host: ENV.fetch('REDIS_HOST') { 'localhost' },
- port: ENV.fetch('REDIS_PORT') { 6379 },
- }
-
- Rack::MiniProfiler.config.storage = Rack::MiniProfiler::RedisStore
-end
-- cgit