Securing uploads

Author: AlyHKafoury

app/controllers/admin/private_assets_controller.rb

@@ -0,0 +1,8 @@
+class PrivateAssetsController < Admin::BaseController
+	def download
+      if ["png", "jpg", "jpeg", "bmp", "gif"].include? params[:extension] and ["id_document_file", "id_bill_file"].include? params[:filetype]
+      	send_file "#{Rails.root}/uploads/asset/#{params[:filetype]}/file/#{params[:id]}/#{params[:filename]}.#{params[:extension]}", type: "image/#{params[:extension]}", disposition: 'inline'
+      end
+    end
+end
+

app/models/admin/ability.rb

@@ -24,6 +24,7 @@ def initialize(user)
       can :manage, ::Withdraws::Bank
       can :manage, ::Withdraws::Satoshi
       can :manage, ::Withdraws::Ether
+      can :download, Admin::PrivateAssetsController
 
     end
   end

config/environments/production.rb

@@ -20,7 +20,7 @@
   # config.action_dispatch.rack_cache = true
 
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_assets = false
+  config.serve_static_assets = true
 
   # Compress JavaScripts and CSS.
   config.assets.js_compressor = Uglifier.new(:mangle => false)

config/initializers/carrierwave.rb

@@ -1,4 +1,7 @@
 CarrierWave.configure do |config|
   config.storage = :file
+  config.permissions = 0600
+  config.directory_permissions = 0700
   config.cache_dir = "#{Rails.root}/tmp/uploads"
+  config.root = Rails.root
 end

config/routes/admin.rb

@@ -40,4 +40,8 @@
     resource :deposits, :only => :show
     resource :withdraws, :only => :show
   end
+
 end
+
+get "/uploads/asset/:filetype/file/:id/:filename.:extension" , controller: "private_assets" , action: "download"
+

init.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+sed -e "s/\${domain_url}/$DOMAIN/" -i config/application.yml
+sed -e "s/\${rpc_url}/$RPCUSER:$RPCPASS@$RPCHOST:$RPCPORT/" -i config/currencies.yml
+
+bundle exec rake db:create
+bundle exec rake db:migrate
+bundle exec rake db:seed
+rm -rf /peatio/tmp/pids/*
+bundle exec rake daemons:start
+bundle exec rails server