Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
s3_private_direct_upload
Advanced tools
Easily generate a form that allows you to upload directly to Amazon S3. Multi file uploading supported by jquery-fileupload.
Code extracted from Ryan Bates' gallery-jquery-fileupload.
Add this line to your application's Gemfile:
gem 's3_direct_upload'
Then add a new initalizer with your AWS credentials:
config/initializers/s3_direct_upload.rb
S3DirectUpload.config do |c|
c.access_key_id = "" # your access key id
c.secret_access_key = "" # your secret access key
c.bucket = "" # your bucket name
c.region = nil # region prefix of your bucket url (optional), eg. "s3-eu-west-1"
c.url = nil # S3 API endpoint (optional), eg. "https://#{c.bucket}.s3.amazonaws.com/"
end
Make sure your AWS S3 CORS settings for your bucket look something like this:
<CORSConfiguration>
<CORSRule>
<AllowedOrigin>http://0.0.0.0:3000</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
In production the AllowedOrigin key should be your domain.
Add the following js and css to your asset pipeline:
application.js.coffee
#= require s3_direct_upload
application.css
//= require s3_direct_upload_progress_bars
Create a new view that uses the form helper s3_uploader_form
:
<%= s3_uploader_form callback_url: model_url, callback_param: "model[image_url]", id: "myS3Uploader" do %>
<%= file_field_tag :file, multiple: true %>
<% end %>
Note: Its required that the file_field_tag is named 'file'.
Then in your application.js.coffee, call the S3Uploader jQuery plugin on the element you created above:
jQuery ->
$("#myS3Uploader").S3Uploader()
Optionally, you can also place this template in the same view for the progress bars:
<script id="template-upload" type="text/x-tmpl">
<div id="file-{%=o.unique_id%}" class="upload">
{%=o.name%}
<div class="progress"><div class="bar" style="width: 0%"></div></div>
</div>
</script>
callback_url:
url that is POST'd to after file is uploaded to S3. If you don't specify this option, no callback to the server will be made after the file has uploaded to S3.callback_method:
Defaults to POST. Use PUT and remove the multiple option from your file field to update a model.callback_param:
parameter value for the POST in which the key will be the URL of the file on S3. If for example this is set to "model[image_url]" then the data posted would be model[image_url] : http://bucketname.s3.amazonws.com/filename.ext
key:
key on s3. defaults to "uploads/{timestamp}-{unique_id}-#{SecureRandom.hex}/${filename}"
. {timestamp}
and {unique_id}
are special substitution params that will be populated by the javascript with values for the current upload. ${filename}
is a special s3 param that will be populated with the original upload file name. Needs to be at least "${filename}"
. It is highly recommended to use both {unique_id}
, which will prevent collisions when uploading files with the same name (such as from a mobile device, where every photo is named image.jpg), and a server-generated random value such as #{SecureRandom.hex}
, which adds further collision protection with other uploaders.key_starts_with:
constraint on key on s3. Defaults to uploads/
. if you change the key
option, make sure this starts with what you put there. If you set this as a blank string the upload path to s3 can be anything - not recommended!acl:
acl for files uploaded to s3, defaults to "public-read"max_file_size:
maximum file size, defaults to 500.megabytesid:
html id for the form, its recommended that you give the form an id so you can reference with the jQuery plugin.class:
optional html class for the form.data:
Optional html dataIt is recommended that you persist the image_url that is sent back from the POST request (to the url given to the post
option and as the key given in the as
option). So to access your files later.
One way to do this is to make sure you have resources model
in your routes file, and add the image_url
(or whatever you would like to name it) attribute to your model, and then make sure you have the create action in your controller for that model.
You could then have your create action render a javascript file like this: create.js.erb
<% if @model.new_record? %>
alert("Failed to upload model: <%= j @model.errors.full_messages.join(', ').html_safe %>");
<% else %>
$("#container").append("<%= j render(@model) %>");
<% end %>
So that javascript code would be executed after the model instance is created, without a page refresh. See @rbates's gallery-jquery-fileupload) for an example of that method.
Note: the POST request to the rails app also includes the following parameters filesize
, filetype
, filename
and filepath
.
Feel free to override the styling for the progress bars in s3_direct_upload_progress_bars.css, look at the source for inspiration.
Also feel free to write your own js to interface with jquery-file-upload. You might want to do this to do custom validations on the files before it is sent to S3 for example.
To do this remove s3_direct_upload
from your application.js and include the necessary jquery-file-upload scripts in your asset pipeline (they are included in this gem automatically):
#= require jquery-fileupload/basic
#= require jquery-fileupload/vendor/tmpl
Use the javascript in s3_direct_upload
as a guide.
path:
manual path for the files on your s3 bucket. Example: path/to/my/files/on/s3
Note: Your path MUST start with the option you put in your form builder for key_starts_with
, or else you will get S3 permission errors. The file path in your s3 bucket will be path + key
.additional_data:
You can send additional data to your rails app in the persistence POST request. This would be accessible in your params hash as params[:key][:value]
Example: {key: value}
remove_completed_progress_bar:
By default, the progress bar will be removed once the file has been successfully uploaded. You can set this to false
if you want to keep the progress bar.remove_failed_progress_bar:
By default, the progress bar will not be removed when uploads fail. You can set this to true
if you want to remove the progress bar.before_add:
Callback function that executes before a file is added to the queue. It is passed file object and expects true
or false
to be returned. This could be useful if you would like to validate the filenames of files to be uploaded for example. If true is returned file will be uploaded as normal, false will cancel the upload.progress_bar_target:
The jQuery selector for the element where you want the progress bars to be appended to. Default is the form element.click_submit_target:
The jQuery selector for the element you wish to add a click handler to do the submitting instead of submiting on file open.jQuery ->
$("#myS3Uploader").S3Uploader
path: 'path/to/my/files/on/s3'
additional_data: {key: 'value'}
remove_completed_progress_bar: false
before_add: myCallBackFunction() # must return true or false if set
progress_bar_target: $('.js-progress-bars')
click_submit_target: $('.submit-target')
This demonstrates how to use progress_bar_target and allow_multiple_files (only works with false option - single file) to show only one progress bar without script template.
jQuery ->
$("#myS3Uploader").S3Uploader
progress_bar_target: $('.js-progress-bars')
allow_multiple_files: false
Target for progress bar
<div class="upload js-progress-bars">
<div class="progress">
<div class="bars"> </div>
</div>
</div>
You can change the settings on your form later on by accessing the jQuery instance:
jQuery ->
v = $("#myS3Uploader").S3Uploader()
...
v.path("new/path/") #only works when the key_starts_with option is blank. Not recommended.
v.additional_data("newdata")
s3_uploads_start
is fired once when any batch of uploads is starting.
$('#myS3Uploader').bind 's3_uploads_start', (e) ->
alert("Uploads have started")
When a file has been successfully uploaded to S3, the s3_upload_complete
is triggered on the form. A content
object is passed along with the following attributes :
url
The full URL to the uploaded file on S3.filename
The original name of the uploaded file.filepath
The path to the file (without the filename or domain)filesize
The size of the uploaded file.filetype
The type of the uploaded file.This hook could be used for example to fill a form hidden field with the returned S3 url :
$('#myS3Uploader').bind "s3_upload_complete", (e, content) ->
$('#someHiddenField').val(content.url)
When an error occured during the transferm the s3_upload_failed
is triggered on the form with the same content
object is passed for the successful upload with the addition of the error_thrown
attribute. The most basic way to handle this error would be to display an alert message to the user in case the upload fails :
$('#myS3Uploader').bind "s3_upload_failed", (e, content) ->
alert("#{content.filename} failed to upload : #{content.error_thrown}")
When all uploads finish in a batch an s3_uploads_complete
event will be triggered on document
, so you could do something like:
$(document).bind 's3_uploads_complete', ->
alert("All Uploads completed")
In addition, the regular rails ajax callbacks will trigger on the form with regards to the POST to the server.
$('#myS3Uploader').bind "ajax:success", (e, data) ->
alert("server was notified of new file on S3; responded with '#{data}")
You may be processing the files upon upload and reuploading them to another bucket or directory. If so you can remove the originali files by running a rake task.
First, add the fog gem to your Gemfile
and run bundle
:
require 'fog'
Then, run the rake task to delete uploads older than 2 days:
$ rake s3_direct_upload:clean_remote_uploads
Deleted file with key: "uploads/20121210T2139Z_03846cb0329b6a8eba481ec689135701/06 - PCR_RYA014-25.jpg"
Deleted file with key: "uploads/20121210T2139Z_03846cb0329b6a8eba481ec689135701/05 - PCR_RYA014-24.jpg"
$
Optionally customize the prefix used for cleaning (default is uploads/#{2.days.ago.strftime('%Y%m%d')}
):
config/initalizers/s3_direct_upload.rb
S3DirectUpload.config do |c|
# ...
c.prefix_to_clean = "my_path/#{1.week.ago.strftime('%y%m%d')}"
end
Alternately, if you'd prefer for S3 to delete your old uploads automatically, you can do so by setting your bucket's Lifecycle Configuration.
This is just a simple gem that only really provides some javascript and a form helper. This gem could go all sorts of ways based on what people want and how people contribute. Ideas:
This gem is basically a small wrapper around code that Ryan Bates wrote for Railscast#383. Most of the code in this gem was extracted from gallery-jquery-fileupload.
Thank you Ryan Bates!
This code also uses the excellecnt jQuery-File-Upload, which is included in this gem by its rails counterpart jquery-fileupload-rails
FAQs
Unknown package
We found that s3_private_direct_upload demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.