Fix broken icons (#985)

* Quick fix for production 500 errors
* Update Ruby version
* Fix SVG icons

Author: RickCarlino

.ruby-version

@@ -1 +1 @@
-2.3.3
+2.6.1

Dockerfile

@@ -2,7 +2,7 @@
 # Image name: openfarm-webapp
 #
 
-FROM       ruby:2.3.3
+FROM       ruby:2.6.1
 MAINTAINER https://github.com/FarmBot/OpenFarm
 
 ENV     PHANTOM_JS_VERSION 1.9.8

app/assets/stylesheets/styles/components/crop_searches/_crop_searches.scss

@@ -5,8 +5,7 @@
     margin: 1em 0;
   }
 
-  .crop-results-container {
-  }
+  .crop-results-container {}
 
   .guide-results-container {
     background-color: $openfarm-blue-grey;
@@ -16,6 +15,11 @@
   }
 }
 
+div.crop-icon-wrapper svg {
+  width: 26px;
+  height: 26px;
+}
+
 /*@import "crop_searches/_crop_results.css.scss";
 @import "crop_searches/_crop_result.css.scss";
 @import "crop_searches/_guide_results.css.scss";

app/helpers/application_helper.rb

@@ -1,6 +1,8 @@
 module ApplicationHelper
+  DEFAULT_ICON_PATH = Rails.root.join("app", "assets", "images", "generic-plant.svg")
+  DEFAULT_ICON      = File.read(DEFAULT_ICON_PATH)
+
   def load_generic_plant_icon
-    file_path = Rails.root.join("app", "assets", "images", "generic-plant.svg")
-    h File.read(file_path)
+    raw(DEFAULT_ICON)
   end
 end

app/models/guide_search.rb

@@ -37,12 +37,15 @@ def with_user(user)
     return self unless user
 
     @order = {
-      'compatibilities.score' => {
-        order: 'desc',
-        nested_filter: {
-          term: { 'compatibilities.user_id' => user.id }
-        }
-      }
+      # THIS IS CRASHING ON PRODUCTION AND I DONT
+      # KNOW WHY :( - RC 17 APR 19
+      #
+      # 'compatibilities.score' => {
+      #   order: 'desc',
+      #   nested_filter: {
+      #     term: { 'compatibilities.user_id' => user.id }
+      #   }
+      # }
     }
 
     self

app/mutations/crops/create_crop.rb

@@ -13,7 +13,13 @@ class CreateCrop < Mutations::Command
         optional do
           array :common_names
           string :binomial_name
-          string :svg_icon
+          # Temporarily disabled for security reasons (XSS attack vector)
+          #
+          # Fix this by:
+          #  * adding a CSP that disallows the use of arbitrary <script/> tags
+          #  * Removing all use of inline <script/> tags
+          #
+          # string :svg_icon
           string :description
           string :sun_requirements
           string :sowing_method

app/views/crops/_crop_form.html.erb

@@ -225,11 +225,9 @@
         <label for="crop[icon]" class="right">Manage icon</label>
       </div>
       <div class="columns small-8 medium-8">
-        <img
-        width="64"
-        height="64"
-        ng-src="data:image/svg+xml;utf8,{{ crop.svg_icon }}">
-        </img>
+        <div class="crop-icon-wrapper">
+          <%= raw(@crop.svg_icon ? @crop.svg_icon : load_generic_plant_icon) %>
+        </div>
         <svg-button on-change="addSvg($svg)">
         </svg-button>
       </div>

app/views/crops/show.html.erb

@@ -50,15 +50,15 @@
           <td><%= render partial: '/crops/exists_or_edit', locals: {obj: @crop.description} %></td>
         </tr>
         <tr>
-          <td><%= I18n.t('crops.companions') %></td>
+          <td>
+            <%= I18n.t('crops.companions') %>
+          </td>
           <td>
             <% @crop.companions.all.each do |comp| %>
               <%= link_to comp do %>
-                <img
-                  width="24"
-                  height="24"
-                  ng-src="data:image/svg+xml;utf8,<%= comp.svg_icon ? comp.svg_icon : load_generic_plant_icon %>">
-                  </img>
+                <div class="crop-icon-wrapper">
+                  <%= raw(comp.svg_icon ? comp.svg_icon : load_generic_plant_icon) %>
+                </div>
                 <%= comp.name %>
               <% end %>
             <% end  %></td>

config/initializers/content_security_policy.rb

@@ -0,0 +1,13 @@
+
+Rails.application.config.content_security_policy do |policy|
+  # policy.default_src :self, :https
+  # policy.font_src    :self, :https, :data
+  # policy.img_src     :self, :https, :data
+  # policy.object_src  :none
+
+  # WE SHOULD ENABLE THIS ONE - RC 17 APR 19
+  # policy.script_src  :self, "http://www.google-analytics.com/analytics.js"
+
+  # policy.style_src   :self, :https, :unsafe_inline
+  # policy.report_uri  "/csp-violation-report-endpoint"
+end

scripts/bootstrap.sh

@@ -18,14 +18,14 @@ echo "--- INSTALLING RVM ---"
 
 gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys D39DC0E3
 
-curl -sSL https://get.rvm.io | bash -s stable --quiet-curl --ruby=2.3.3
+curl -sSL https://get.rvm.io | bash -s stable --quiet-curl --ruby=2.6.1
 
-echo "--- INSTALLING RUBY 2.3.3 ---"
+echo "--- INSTALLING RUBY 2.6.1 ---"
 
 source /home/vagrant/.rvm/scripts/rvm
 
 rvm reload
-rvm --default use 2.3.3
+rvm --default use 2.6.1
 
 echo "--- INSTALLING ELASTICSEARCH ---"