FIX: S3 store has_been_uploaded? was not taking into account s3 bucket path (#9810)

In some cases, between Discourse forums the hostname of a URL could match if they are hosting S3 files on the same bucket but the S3 bucket path might not. So e.g. https://testbucket.somesite.com/testpath/some/file/url.png vs https://testbucket.somesite.com/prodpath/some/file/url.png. So has_been_uploaded? was returning true for the second URL, even though it may have been uploaded on a different Discourse forum. This is a very rare case but must be accounted for, because this impacts UrlHelper.is_local which mistakenly thinks the file has already been downloaded and thus allows the URL to be cooked, where we want to return the full URL to be downloaded using PullHotlinkedImages.
2025-02-25 18:55:32 -06:00 · 2020-05-20 10:40:38 +10:00
parent 0a700d81fc
commit 72f139191e
3 changed files with 70 additions and 3 deletions
--- a/spec/multisite/s3_store_spec.rb
+++ b/spec/multisite/s3_store_spec.rb
@@ -217,4 +217,47 @@ RSpec.describe 'Multisite s3 uploads', type: :multisite do
      end
    end
  end
+
+  describe "#has_been_uploaded?" do
+    before do
+      SiteSetting.s3_region = 'us-west-1'
+      SiteSetting.s3_upload_bucket = "s3-upload-bucket/test"
+      SiteSetting.s3_access_key_id = "s3-access-key-id"
+      SiteSetting.s3_secret_access_key = "s3-secret-access-key"
+      SiteSetting.enable_s3_uploads = true
+    end
+
+    let(:store) { FileStore::S3Store.new }
+    let(:client) { Aws::S3::Client.new(stub_responses: true) }
+    let(:resource) { Aws::S3::Resource.new(client: client) }
+    let(:s3_bucket) { resource.bucket(SiteSetting.s3_upload_bucket) }
+    let(:s3_helper) { store.s3_helper }
+
+    it "returns false for blank urls" do
+      url = ""
+      expect(store.has_been_uploaded?(url)).to eq(false)
+    end
+
+    it "returns true if the base hostname is the same for both urls" do
+      url = "https://s3-upload-bucket.s3.dualstack.us-west-1.amazonaws.com/test/original/2X/d/dd7964f5fd13e1103c5244ca30abe1936c0a4b88.png"
+      expect(store.has_been_uploaded?(url)).to eq(true)
+    end
+
+    it "returns false if the base hostname is the same for both urls BUT the bucket name is different in the path" do
+      bucket = "someotherbucket"
+      url = "https://s3-upload-bucket.s3.dualstack.us-west-1.amazonaws.com/#{bucket}/original/2X/d/dd7964f5fd13e1103c5244ca30abe1936c0a4b88.png"
+      expect(store.has_been_uploaded?(url)).to eq(false)
+    end
+
+    it "returns false if the hostnames do not match and the s3_cdn_url is blank" do
+      url = "https://www.someotherhostname.com/test/original/2X/d/dd7964f5fd13e1103c5244ca30abe1936c0a4b88.png"
+      expect(store.has_been_uploaded?(url)).to eq(false)
+    end
+
+    it "returns true if the s3_cdn_url is present and matches the url hostname" do
+      SiteSetting.s3_cdn_url = "https://www.someotherhostname.com"
+      url = "https://www.someotherhostname.com/test/original/2X/d/dd7964f5fd13e1103c5244ca30abe1936c0a4b88.png"
+      expect(store.has_been_uploaded?(url)).to eq(true)
+    end
+  end
 end