Class: Gitlab::HotlinkingDetector

Defined in:
lib/gitlab/hotlinking_detector.rb


# Accept values that identify a request for an image resource.
# NOTE(review): intercept_hotlinking? compares the first Accept entry
# against these lists with an exact string match, so an image type that
# is not listed here (e.g. image/avif) is not intercepted — confirm that
# this is intended.
IMAGE_FORMATS = %w[
  image/jpeg
  image/apng
  image/png
  image/webp
  image/svg+xml
  image/*
].freeze

# Accept values that identify a request for a video or audio resource.
MEDIA_FORMATS = %w[
  video/webm
  video/ogg
  video/*
  application/ogg
  audio/webm
  audio/ogg
  audio/wav
  audio/*
].freeze

# Accept values that identify a request for a stylesheet.
CSS_FORMATS = %w[text/css].freeze

# Every format whose presence as the top-ranked Accept entry is treated as
# hotlinking. The lists are concatenated in the order image, media, CSS.
INVALID_FORMATS = [*IMAGE_FORMATS, *MEDIA_FORMATS, *CSS_FORMATS].freeze

# Fetch modes that are rejected outright; presumably consulted by
# sec_fetch_invalid?, which is defined outside this listing.
INVALID_FETCH_MODES = %w[cors no-cors websocket].freeze


Class Method Details

.intercept_hotlinking?(request) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/hotlinking_detector.rb', line 12

# Decide whether a request should be intercepted as a hotlinking attempt.
#
# The decision is made from the request's fetch metadata and its Accept
# header, in that order. Both helpers used here (parse_request_accepts and
# sec_fetch_invalid?) are defined outside this listing.
#
# @param request [ActionDispatch::Request] the incoming request
# @return [Boolean] true when the request should be intercepted
def intercept_hotlinking?(request)
  accepts = parse_request_accepts(request)

  # Fetch-metadata check first: requests that look like an embed
  # (e.g. as JS) are always intercepted.
  return true if sec_fetch_invalid?(request)

  # No Accept header means there is nothing further to decide on.
  return false if accepts.empty?

  preferred = accepts.first

  # IE8 quirk: an image type ranked first together with
  # "application/x-ms-application" is a legitimate request.
  ie8_request = IMAGE_FORMATS.include?(preferred) && accepts.include?("application/x-ms-application")
  return false if ie8_request

  # Everything else is intercepted only when the preferred type is one of
  # the image, media or CSS formats (exact string match on the first entry).
  INVALID_FORMATS.include?(preferred)
rescue ActionDispatch::Http::MimeNegotiation::InvalidType, Mime::Type::InvalidMimeType
  # A malformed Accept header cannot be evaluated, so fail closed and
  # intercept rather than let an unparseable request through.
  true
end