extract core unzip functionality into canvas_unzip gem, and put
security logic there. use this gem instead of shelling out to
`unzip` (which does not have the option to skip symlinks).
test plan:
1. import 'evil_course_2.imscc' from CNVS-14338
* there should be an import warning
* you should get a blank syllabus body and
definitely not see sensitive system data
2. import 'evil_sis_import.zip' from CNVS-14346
* a file called '/tmp/pwn3d' should not have been
created on your app server
3. sanity check the parts of canvas that unzip things:
* course copy
* course import
* zip content imports via the API
* zip file uploads from files page
* assignment submission comments download/upload
* sis imports
fixes CNVS-14338
fixes CNVS-14346
Change-Id: I38fa141653eb7bc483e99a28a135831b8cb3b2a6
Reviewed-on: https://gerrit.instructure.com/37959
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
refs CNVS-13987
what was called CanvasUuid was *not* generating UUIDs. it was generating
slugs. by default, its generate method only creates 4 character slugs.
these should obviously not be used as UUIDs. the misnomer already caused
a bug in EventStream where it used these slugs as UUIDs, causing
collisions. to fix:
(1) rename canvas_uuid gem to canvas_slug, and rename it's primary
class CanvasUuid to CanvasSlug
(2) create new canvas_uuid gem, with class CanvasUUID, extracted from
lib/uuid_singleton for actual UUID generation
(3) fix event stream use CanvasUUID, rather than following the rename
of CanvasUuid to CanvasSlug
test-plan:
- have cassandra set up for audit logs
- create an audit log entry (e.g. change a grade)
- look at the generated audit log entry's id field; it should be a UUID
value, not a 4 character slug
Change-Id: I19758fff4433cd6cb2e21219217dced19ee05c5a
Reviewed-on: https://gerrit.instructure.com/37506
Reviewed-by: Rob Orton <rob@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
QA-Review: Jeremy Putnam <jeremyp@instructure.com>
Product-Review: Brian Palmer <brianp@instructure.com>
test plan:
- use rails3
- create an assignment that accepts file submissions
- as a student, submit something that isn't plaintext (such as
an Office document; anything that isn't plain UTF-8 will work)
- as a teacher, go to the assignment page and select
"Download Submissions"
- then refresh the page and select "Re-Upload Submissions",
and upload the file you just downloaded
- you should not get a page error
fixes CNVS-12369
Change-Id: I676efc2e8c54419b6bb0ad274d42d0342241a82f
Reviewed-on: https://gerrit.instructure.com/33245
Reviewed-by: Cameron Matheson <cameron@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Amber Taniuchi <amber@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
Change-Id: Ic226e61e900532cc3acf08444b316b6e2bb6b368
Reviewed-on: https://gerrit.instructure.com/30049
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
QA-Review: Caleb Guanzon <cguanzon@instructure.com>
Product-Review: Simon Williams <simon@instructure.com>
test plan: zip functionality should continue to work, including:
* course exports and imports
* zip file uploads
* zip submissions
also, the selenium dependency on rubyzip 1.0.0 is resolved
and we're making progress toward > 4GB exports
Change-Id: I58c5b0644b1e7fbb289821c9c0901f00750988de
Reviewed-on: https://gerrit.instructure.com/25474
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Bryan Madsen <bryan@instructure.com>
Product-Review: Bryan Madsen <bryan@instructure.com>
QA-Review: Matt Fairbourn <mfairbourn@instructure.com>
Landon Wilkins