From fb74a1dfd463e3ed01bc671bf36338ee511c8711 Mon Sep 17 00:00:00 2001
From: Yohta Kimura
Date: Tue, 5 Sep 2023 17:25:02 +0900
Subject: [PATCH 1/3] add skip_ssrf_protection config

---
 lib/carrierwave/downloader/base.rb | 2 +-
 lib/carrierwave/uploader/configuration.rb | 2 ++
 spec/downloader/base_spec.rb | 25 +++++++++++++++++------
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/lib/carrierwave/downloader/base.rb b/lib/carrierwave/downloader/base.rb
index 8a1f7112e..3c54ceeb5 100644
--- a/lib/carrierwave/downloader/base.rb
+++ b/lib/carrierwave/downloader/base.rb
@@ -94,7 +94,7 @@ def process_uri(source)
 # my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
 #
 def skip_ssrf_protection?(uri)
- false
+ @uploader.skip_ssrf_protection
 end
 end
 end
diff --git a/lib/carrierwave/uploader/configuration.rb b/lib/carrierwave/uploader/configuration.rb
index adf722460..de1c9fc22 100644
--- a/lib/carrierwave/uploader/configuration.rb
+++ b/lib/carrierwave/uploader/configuration.rb
@@ -47,6 +47,7 @@ module Configuration
 add_config :cache_only
 add_config :download_retry_count
 add_config :download_retry_wait_time
+ add_config :skip_ssrf_protection

 # set default values
 reset_config
@@ -216,6 +217,7 @@ def reset_config
 config.ensure_multipart_form = true
 config.download_retry_count = 0
 config.download_retry_wait_time = 5
+ config.skip_ssrf_protection = false
 end
 end
 end
diff --git a/spec/downloader/base_spec.rb b/spec/downloader/base_spec.rb
index eb4fa5c3e..a906423f8 100644
--- a/spec/downloader/base_spec.rb
+++ b/spec/downloader/base_spec.rb
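Review bot: The new body ignores the `uri` argument and turns `skip_ssrf_protection?` into an all-or-nothing switch read from `@uploader.skip_ssrf_protection`, yet the comment block above it (which starts outside the hunk) still only describes overriding the method in a custom downloader; it should also document the setting and its scope, e.g. `# Returns the uploader's +skip_ssrf_protection+ setting. When true the SSRF check is skipped for every URL this uploader downloads (including local ones such as http://localhost), so prefer a per-URI override in a subclass over the global setting.` The predicate now returns whatever the config holds rather than a literal boolean; `!!@uploader.skip_ssrf_protection` would keep its return value boolean for callers. The `reset_config` hunk in configuration.rb sets the default to `false`, which is the right default for a protection bypass. The class enclosing `skip_ssrf_protection?` begins and is documented outside this hunk.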
@@ -267,14 +267,27 @@
 end

 describe "#skip_ssrf_protection?" do
- let(:uri) { 'http://localhost/test.jpg' }
- before do
- WebMock.stub_request(:get, uri).to_return(body: file)
- allow(subject).to receive(:skip_ssrf_protection?).and_return(true)
+ context "when ssrf_protection is skipped" do
+ let(:uri) { 'http://localhost/test.jpg' }
+ before do
+ WebMock.stub_request(:get, uri).to_return(body: file)
+ allow(subject).to receive(:skip_ssrf_protection?).and_return(true)
+ end
+
+ it "allows local request to be made" do
+ expect(subject.download(uri).read).to eq 'this is stuff'
+ end
 end

- it "allows local request to be made" do
- expect(subject.download(uri).read).to eq 'this is stuff'
+ context 'skip_ssrf_protection configuration' do
+ it 'defaults to false' do
+ expect(subject.skip_ssrf_protection?(uri)).to be_falsey
+ end
+
+ it 'can be configured by skip_ssrf_protection config' do
+ uploader.skip_ssrf_protection = true
+ expect(subject.skip_ssrf_protection?(uri)).to be_truthy
+ end
 end
 end
 end
From 09166964b5d2a5ea1cb9346ae8e202f8259457e1 Mon Sep 17 00:00:00 2001
From: Yohta Kimura
Date: Tue, 12 Sep 2023 08:37:32 +0900
Subject: [PATCH 2/3] mention skip_ssrf_protection in README

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 59b24386a..e0ff6f9d6 100644
--- a/README.md
+++ b/README.md
@@ -659,7 +659,7 @@ end
 ## Testing with CarrierWave

 It's a good idea to test your uploaders in isolation. In order to speed up your
-tests, it's recommended to switch off processing in your tests, and to use the
+tests, it's recommended to switch off processing in your tests, disable SSRF protection, and to use the
 file storage. In Rails you could do that by adding an initializer with:

 ```ruby
@@ -667,6 +667,7 @@ if Rails.env.test? or Rails.env.cucumber?
 CarrierWave.configure do |config|
 config.storage = :file
 config.enable_processing = false
+ config.skip_ssrf_protection = true
 end
 end
 ```
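Review bot: The `'defaults to false'` and `'can be configured by skip_ssrf_protection config'` examples reference `uri`, but the `let(:uri)` that used to define it at the `describe` level was moved into the first context, so these examples only run if an outer `let(:uri)` exists above the hunk — otherwise they fail with NameError. The first context still stubs `skip_ssrf_protection?` itself, so no example drives the download path through the real configuration; replacing the stub line with `uploader.skip_ssrf_protection = true` in that `before` block would cover the new `@uploader.skip_ssrf_protection` read in base.rb end to end. `be_falsey` also accepts `nil`, and since `reset_config` sets a literal `false`, `expect(subject.skip_ssrf_protection?(uri)).to be false` pins the default more precisely. If `uploader` is a class shared between examples, the assignment in the last example leaks into later ones; that depends on how `uploader` is defined above the hunk. The outer `describe` containing this hunk starts outside it.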
From 0196b2113703c33140d37f53bfd090daefecd8a7 Mon Sep 17 00:00:00 2001
From: Mitsuhiro Shibuya
Date: Sun, 3 Dec 2023 18:32:49 +0900
Subject: [PATCH 3/3] Update README.md to indicate skip_ssrf_protection should be used only when necessary

Co-authored-by: Yohta Kimura <38206553+rajyan@users.noreply.github.com>
---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e0ff6f9d6..8932cf24a 100644
--- a/README.md
+++ b/README.md
@@ -659,7 +659,11 @@ end
 ## Testing with CarrierWave

 It's a good idea to test your uploaders in isolation. In order to speed up your
-tests, it's recommended to switch off processing in your tests, disable SSRF protection, and to use the
+tests, it's recommended to switch off processing in your tests, and to use the file storage.
+Also, you can disable SSRF protection at your own risk using the `skip_ssrf_protection` configuration.
+
+In Rails you could do that by adding an initializer with:
+
 file storage. In Rails you could do that by adding an initializer with:

 ```ruby