pulibrary / orangelight
95%
main: 95%

LAST BUILD BRANCH: libmaps_implementation
DEFAULT BRANCH: main
Repo Added 10 Oct 2014 08:49PM UTC
Files 220
LAST BUILD ON BRANCH multipart-file
branch: multipart-file

31 Jul 2025 04:24PM UTC coverage: 95.408% (+0.008%) from 95.4%
2d9d2978-cc59-410e-b0a2-90826072e6b0

Pull #5128

circleci

sandbergja
[#5124] Reject requests that contain file uploads

While these file uploads are very limited with regard to how much damage they can
do directly (they are not uploaded to a folder that is served to the web, they are
deleted very quickly by the Rack tempfile reaper or Ruby GC, etc.),
they can set off OIT's security sensors, leading to our VMs being quarantined, which
is a threat to the availability of the catalog service.

Users don't need to upload files to the catalog, so let's just reject requests
of this type.

Rack has a nice seam for this: it allows us to supply a tempfile factory to customize
how we store these uploaded files on disk.  This commit simply raises an exception
as our implementation of this factory; I could imagine that implementing a factory
that returns a file handle to /dev/null could work as an alternative approach.

Closes #5124
Pull Request #5128: [#5124] Reject requests that contain file uploads
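
The seam the commit message describes, as an added example that is not the project's own code: a middleware installs a raising factory under Rack's `rack.multipart.tempfile_factory` env key and turns the resulting exception into a 400 response. The class names and the two stand-in apps are hypothetical, constructed so the block runs without the rack gem.

```ruby
# Hypothetical exception raised instead of creating a tempfile for an upload.
class FileUploadRejected < StandardError; end

# Hypothetical Rack middleware (not orangelight's implementation).
class RejectFileUploads
  # Env key that Rack's multipart parser consults before creating a tempfile
  # (exposed as Rack::RACK_MULTIPART_TEMPFILE_FACTORY when rack is loaded).
  FACTORY_KEY = 'rack.multipart.tempfile_factory'

  # Rack calls the factory with (filename, content_type) for each file part,
  # so raising here means that part's bytes are never written to disk.
  REJECTING_FACTORY = lambda do |filename, content_type|
    # filename is client-controlled: inspect it before it reaches a log line.
    raise FileUploadRejected,
          "file upload refused: #{filename.inspect} (#{content_type.inspect})"
  end

  def initialize(app)
    @app = app
  end

  def call(env)
    env[FACTORY_KEY] = REJECTING_FACTORY
    @app.call(env)
  rescue FileUploadRejected
    # Multipart parsing is lazy, so the exception surfaces inside the app call.
    [400, { 'content-type' => 'text/plain' }, ["File uploads are not accepted.\n"]]
  end
end

# Constructed stand-ins for the downstream app: the first invokes the factory
# the way Rack's parser does on meeting a file part, the second never does.
UPLOAD_APP = lambda do |env|
  env[RejectFileUploads::FACTORY_KEY].call('payload.bin', 'application/octet-stream')
  [200, { 'content-type' => 'text/plain' }, ['stored']]
end
PLAIN_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Returns the HTTP status the middleware produces for a given downstream app.
def status_for(app, env = {})
  RejectFileUploads.new(app).call(env).first
end
```

In a framework that has its own exception-handling middleware, where this rescue sits in the stack decides whether it sees the exception first.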

11 of 11 new or added lines in 1 file covered. (100.0%)

6025 of 6315 relevant lines covered (95.41%)

1520.41 hits per line


Recent builds

Build: 2d9d2978...
Branch: multipart-file
Commit: [#5124] Reject requests that contain file uploads While these file uploads are very limited with regards to how much damage they can do directly (they are not uploaded to a folder that is served to the web, they are deleted very quickly by the Ra...
Type: Pull #5128
Ran: 31 Jul 2025 04:30PM UTC
Committer: sandbergja
Via: circleci
Coverage: 95.41