    Exclude carrierwave remote url methods from import · ef171dcf
    Josianne Hyson authored
    Prior to this change, methods defined by carrierwave when using
    `mount_uploader` could be used to supply remote URLs to the project
    importer. The method `Note#remote_attachment_url` could therefore be used
    to perform SSRF attacks, as this URL was requested during the import.
    The method `remote_attachment_request_header` could also be used to
    supply data in these requests.
    
    This commit filters these attributes out of the import as well as any
    other dynamically generated attributes for models that have different
    names for uploads.
    
    This is implemented in carrierwave here:
    
    https://github.com/carrierwaveuploader/carrierwave/blob/v1.3.1/lib/carrierwave/mount.rb
security-ssrf-attachment-url.yml 100 Bytes
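The filtering described in the commit message, as an added example that is neither GitLab's nor CarrierWave's code: for each column a model mounts an uploader on, the attribute names that CarrierWave's `Mount` module generates for that column (per the `remote_<column>_url`, `remote_<column>_request_header`, `<column>_cache` and `remove_<column>` naming visible in the linked `mount.rb`; the list is an assumption, not a complete inventory of every method defined there) are stripped from the attribute hash before it is handed to the model. The `Note` sample record and the helper names are constructed for illustration.

```ruby
# Added example, not code from GitLab or CarrierWave. Demonstrates
# stripping CarrierWave-generated writer attributes from imported data so
# that an import archive cannot drive remote_*_url= (which fetches an
# attacker-chosen URL) or remote_*_request_header= (which adds headers to
# that fetch). Assumes the method naming from carrierwave v1.3.1
# lib/carrierwave/mount.rb; the pattern list is an assumption.
require 'set'

# Attribute names CarrierWave derives from a mounted column name. The
# remote_* setters trigger an outbound HTTP request when assigned; the
# *_cache and remove_* setters are also writers that untrusted import
# data should never be able to reach.
CARRIERWAVE_DYNAMIC_ATTRIBUTES = %w[
  remote_%{column}_url
  remote_%{column}_request_header
  %{column}_cache
  remove_%{column}
].freeze

# Expand the patterns for every mounted column (strings or symbols) into a
# set of attribute names to reject. Models that mount uploaders under a
# different column name (e.g. :avatar instead of :attachment) are covered
# by passing their own column list.
def carrierwave_dynamic_attributes(mounted_columns)
  mounted_columns.flat_map do |column|
    CARRIERWAVE_DYNAMIC_ATTRIBUTES.map { |pattern| format(pattern, column: column) }
  end.to_set
end

# Drop rejected keys from an attribute hash as it arrives from the import.
# Keys are compared as strings so both "remote_attachment_url" and
# :remote_attachment_url are caught.
def filter_import_attributes(attributes, mounted_columns)
  rejected = carrierwave_dynamic_attributes(mounted_columns)
  attributes.reject { |key, _value| rejected.include?(key.to_s) }
end

# Constructed sample: a Note record from an import archive into which an
# attacker has injected the remote URL setter and a request header
# (the metadata-service address is a typical SSRF target).
MALICIOUS_NOTE = {
  'note' => 'Looks fine',
  'author_id' => 1,
  'remote_attachment_url' => 'http://169.254.169.254/latest/meta-data/',
  'remote_attachment_request_header' => { 'Authorization' => 'Bearer x' },
  'attachment_cache' => '1/file.txt'
}.freeze

if __FILE__ == $PROGRAM_NAME
  safe = filter_import_attributes(MALICIOUS_NOTE, [:attachment])
  puts safe.keys.inspect # ["note", "author_id"]
end
```

In a real importer the mounted column list would come from the model rather than a literal; CarrierWave's `Mount` keeps that registry on the class (the `uploaders` class method), so `Note.uploaders.keys` is the natural source. Deriving the reject list from the model's own mounts is what makes the filter hold for models whose upload column is not called `attachment`.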