discourse/lib/theme_store/zip_importer.rb
Bianca Nenciu 5dbe3b7b55
SECURITY: Add limits for themes and theme assets
This commit adds limits to themes and theme components on the:

- file size of about.json and .discourse-compatibility
- file size of theme assets
- number of files in a theme
2023-09-12 15:35:50 -03:00


# frozen_string_literal: true
require "compression/engine"
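class ThemeStore::ZipImporter < ThemeStore::Importer
  attr_reader :url

  # @param filename [String] path of the uploaded archive on local disk
  # @param original_filename [String] name the archive was uploaded under;
  #   it is what selects the decompression engine in #import!
  def initialize(filename, original_filename)
    super
    @filename = filename
    @original_filename = original_filename
  end

  # Extracts the archive into @temp_folder and flattens a single top-level
  # directory so the theme's files end up at the root of @temp_folder.
  #
  # The engine is handed the `decompressed_theme_max_file_size_mb` site
  # setting as its size budget, so a small archive cannot expand into an
  # unbounded amount of data on disk.
  #
  # @raise [RemoteTheme::ImportError] when the engine rejects the archive for
  #   exceeding the size budget, or when unpacking fails with any other
  #   RuntimeError
  def import!
    FileUtils.mkdir(@temp_folder)
    available_size = SiteSetting.decompressed_theme_max_file_size_mb
    engine = Compression::Engine.engine_for(@original_filename)
    engine.decompress(@temp_folder, @filename, available_size)
    strip_root_directory
  rescue Compression::Zip::ExtractFailed
    # Most specific first: keeps this branch reachable even if ExtractFailed
    # is (or later becomes) a RuntimeError subclass.
    raise RemoteTheme::ImportError, I18n.t("themes.import_error.file_too_big")
  rescue RuntimeError
    raise RemoteTheme::ImportError, I18n.t("themes.import_error.unpack_failed")
  end

  # Removes everything that was extracted for this import.
  def cleanup!
    FileUtils.rm_rf(@temp_folder)
  end

  # Zip uploads carry no version information, so none is reported.
  def version
    ""
  end

  # When the archive wraps its contents in a single directory (the usual
  # result of zipping a folder), move that directory's contents up into
  # @temp_folder.
  #
  # The inner glob uses File::FNM_DOTMATCH so dotfiles such as
  # `.discourse-compatibility` are moved along with everything else instead of
  # being left behind in the wrapper; the emptied wrapper directory is then
  # removed so it is not mistaken for theme content.
  def strip_root_directory
    root_files = Dir.glob("#{@temp_folder}/*")
    return unless root_files.size == 1 && File.directory?(root_files[0])

    wrapper = root_files[0]
    # "." and ".." may appear in DOTMATCH results depending on Ruby version.
    entries =
      Dir
        .glob("#{wrapper}/*", File::FNM_DOTMATCH)
        .reject { |path| %w[. ..].include?(File.basename(path)) }
    FileUtils.mv(entries, @temp_folder) unless entries.empty?
    FileUtils.rmdir(wrapper)
  end
end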