Audit-finding rationale lives in commit messages and the audit report,
not in the code. url_validatable.rb keeps its docstring because the
two-tier blocklist + DNS-rebinding caveats are subtle enough that a
reader benefits from the explanation right next to the code.
Pathname#join does not normalize `..` segments, and an absolute-path
argument silently overrides the base. The user-data archive import
flow read attacker-controlled `file_name` and manifest `files` paths
directly into `files_directory.join(...)` and
`import_directory.join(...)`, then attached the resulting file to an
Import / Export / RawDataArchive record the attacker could download.
Any authenticated user reaching POST /settings/users/import could read
any file the Rails process can read (env vars, master.key, AWS creds
on cloud) and exfiltrate it via the imports index download link.
Adds Users::ImportData::PathSafety with two helpers:
- safe_basename_path strips path components for `files/` lookups
- safe_relative_path enforces base-dir containment for nested manifest paths
Updated callers:
- Users::ImportData::Imports#restore_import_file
- Users::ImportData::Exports#restore_export_file
- Users::ImportData::RawDataArchives#restore_archive_file
- Users::ImportData::V2Handler#safe_manifest_path used by all manifest-driven readers
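The two Pathname#join behaviours this commit relies on, and the shape of the two helpers it adds, as an added Ruby example (not the project's Users::ImportData::PathSafety code). The base directory, the method names and the sample inputs are constructed for the demonstration; nothing is read from disk.

```ruby
require "pathname"

# Constructed base directory for the demonstration; no file is touched.
IMPORT_DIR = Pathname.new("/srv/app/storage/imports")

# What Pathname#join does with untrusted input: ".." segments are resolved
# lexically against the base's own components, so they climb out of it,
# and an absolute argument replaces the base outright.
def naive_join(name)
  IMPORT_DIR.join(name).to_s
end

# Hypothetical counterpart of the commit's safe_basename_path: keep only the
# last path component, so "../../etc/passwd" becomes "passwd". Suitable for
# flat "files/" lookups where a nested path is never legitimate.
def safe_basename_path(base, untrusted)
  name = File.basename(untrusted.to_s)
  # File.basename("..") is "..", File.basename("/") is "/"; neither names a file.
  return nil if name.empty? || name == "." || name == ".." || name.include?(File::SEPARATOR)
  base.join(name)
rescue ArgumentError # embedded NUL byte
  nil
end

# Hypothetical counterpart of safe_relative_path: join, normalise lexically,
# then require the result to be strictly inside base. Nested manifest paths
# such as "tracks/2024/01.json" pass; anything that escapes base is rejected.
def safe_relative_path(base, untrusted)
  rel = untrusted.to_s
  return nil if rel.empty? || Pathname.new(rel).absolute?
  candidate = base.join(rel).expand_path
  prefix = base.expand_path.to_s + File::SEPARATOR
  return nil unless candidate.to_s.start_with?(prefix)
  candidate
rescue ArgumentError # embedded NUL byte
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts naive_join("../../../../etc/passwd")                  # /etc/passwd
  puts naive_join("/etc/passwd")                              # /etc/passwd
  p safe_basename_path(IMPORT_DIR, "../../etc/passwd")        # .../imports/passwd
  p safe_relative_path(IMPORT_DIR, "../../../../etc/passwd")  # nil
end
```

Both checks are purely lexical: they stop `..` and absolute paths, but a symlink placed inside the base by an earlier extraction step can still point outside it, so callers that open the file afterwards should also compare `realpath` against the base once the path exists.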
* Update stuff
* Extract insights controller logic to services
* Fix failing specs
* Refactorings
* Add indices with if_not_exists to migrations
* Recalculate tracks transportation modes upon settings change
* Block transportation modes settings form while a recalculation is in progress
* Add top visited locations
* Bit of a refactoring
* Update navbar
* Add activity heatmap feature and update insights header
* Add activity streak to insights page and changelog
* Add caching for insights page
* Preheat cache for insights
* Move digest cache preheating to a service