From ebe602ad1c86ad53d7c7ab7537dbbb52e3496ddf Mon Sep 17 00:00:00 2001 From: Sylvain Date: Tue, 2 Jun 2020 19:18:57 +0200 Subject: [PATCH] WIP: enforce mime type checking for uploads --- app/controllers/api/members_controller.rb | 2 +- app/models/import.rb | 1 - app/models/project_cao.rb | 1 - app/models/project_image.rb | 2 - app/models/project_step_image.rb | 2 - app/uploaders/custom_assets_uploader.rb | 4 ++ app/uploaders/event_file_uploader.rb | 5 ++ app/uploaders/event_image_uploader.rb | 5 ++ app/uploaders/import_uploader.rb | 5 ++ app/uploaders/machine_file_uploader.rb | 5 ++ app/uploaders/machine_image_uploader.rb | 4 ++ app/uploaders/plan_file_uploader.rb | 4 ++ app/uploaders/profil_image_uploader.rb | 4 ++ app/uploaders/project_cao_uploader.rb | 4 ++ app/uploaders/project_image_uploader.rb | 4 ++ app/uploaders/space_file_uploader.rb | 5 ++ app/uploaders/space_image_uploader.rb | 4 ++ app/uploaders/training_image_uploader.rb | 4 ++ app/validators/file_mime_type_validator.rb | 79 ---------------------- 19 files changed, 58 insertions(+), 86 deletions(-) delete mode 100644 app/validators/file_mime_type_validator.rb diff --git a/app/controllers/api/members_controller.rb b/app/controllers/api/members_controller.rb index 0a43f6f3d..7bdd65947 100644 --- a/app/controllers/api/members_controller.rb +++ b/app/controllers/api/members_controller.rb @@ -56,7 +56,7 @@ class API::MembersController < API::ApiController if members_service.update(user_params) # Update password without logging out - sign_in(@member, bypass: true) unless current_user.id != params[:id].to_i + bypass_sign_in(@member) unless current_user.id != params[:id].to_i render :show, status: :ok, location: member_path(@member) else render json: @member.errors, status: :unprocessable_entity diff --git a/app/models/import.rb b/app/models/import.rb index e70297926..a0cf83923 100644 --- a/app/models/import.rb +++ b/app/models/import.rb @@ -10,7 +10,6 @@ class Import < ApplicationRecord belongs_to :user validates :attachment, file_size: { maximum: Rails.application.secrets.max_import_size&.to_i || 5.megabytes.to_i } - validates :attachment, file_mime_type: { content_type: %w[text/csv text/comma-separated-values application/vnd.ms-excel] } after_commit :proceed_import, on: [:create] diff --git a/app/models/project_cao.rb b/app/models/project_cao.rb index 0878d3d77..e558648f5 100644 --- a/app/models/project_cao.rb +++ b/app/models/project_cao.rb @@ -5,5 +5,4 @@ class ProjectCao < Asset mount_uploader :attachment, ProjectCaoUploader validates :attachment, file_size: { maximum: Rails.application.secrets.max_cao_size&.to_i || 5.megabytes.to_i } - validates :attachment, file_mime_type: { content_type: ENV['ALLOWED_MIME_TYPES'].split(' ') } end diff --git a/app/models/project_image.rb b/app/models/project_image.rb index f9d548e2c..c0d4873d5 100644 --- a/app/models/project_image.rb +++ b/app/models/project_image.rb @@ -4,6 +4,4 @@ class ProjectImage < Asset include ImageValidatorConcern mount_uploader :attachment, ProjectImageUploader - - validates :attachment, file_mime_type: { content_type: /image/ } end diff --git a/app/models/project_step_image.rb b/app/models/project_step_image.rb index 871708c13..d2b7832bf 100644 --- a/app/models/project_step_image.rb +++ b/app/models/project_step_image.rb @@ -4,6 +4,4 @@ class ProjectStepImage < Asset include ImageValidatorConcern mount_uploader :attachment, ProjectImageUploader - - validates :attachment, file_mime_type: { content_type: /image/ } end diff --git a/app/uploaders/custom_assets_uploader.rb b/app/uploaders/custom_assets_uploader.rb index b986a5b10..eaf71585f 100644 --- a/app/uploaders/custom_assets_uploader.rb +++ b/app/uploaders/custom_assets_uploader.rb @@ -51,6 +51,10 @@ class CustomAssetsUploader < CarrierWave::Uploader::Base %w[pdf png jpeg jpg ico] end + def content_type_whitelist + [%r{image/}, 'application/pdf'] + end + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. # def filename diff --git a/app/uploaders/event_file_uploader.rb b/app/uploaders/event_file_uploader.rb index 4c7eca842..a3ee56493 100644 --- a/app/uploaders/event_file_uploader.rb +++ b/app/uploaders/event_file_uploader.rb @@ -44,6 +44,11 @@ class EventFileUploader < CarrierWave::Uploader::Base %w[pdf] end + def content_type_whitelist + %w[application/pdf] + end + + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. # def filename diff --git a/app/uploaders/event_image_uploader.rb b/app/uploaders/event_image_uploader.rb index 51312c2e2..fc9a07104 100644 --- a/app/uploaders/event_image_uploader.rb +++ b/app/uploaders/event_image_uploader.rb @@ -62,6 +62,11 @@ class EventImageUploader < CarrierWave::Uploader::Base %w[jpg jpeg gif png] end + def content_type_whitelist + [%r{image/}] + end + + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. def filename diff --git a/app/uploaders/import_uploader.rb b/app/uploaders/import_uploader.rb index 63eba3db3..34a7cbd73 100644 --- a/app/uploaders/import_uploader.rb +++ b/app/uploaders/import_uploader.rb @@ -25,4 +25,9 @@ class ImportUploader < CarrierWave::Uploader::Base def extension_whitelist %w[csv] end + + def content_type_whitelist + %w[text/csv] + end + end diff --git a/app/uploaders/machine_file_uploader.rb b/app/uploaders/machine_file_uploader.rb index 5eb7fce4f..2f58bc1ff 100644 --- a/app/uploaders/machine_file_uploader.rb +++ b/app/uploaders/machine_file_uploader.rb @@ -44,6 +44,11 @@ class MachineFileUploader < CarrierWave::Uploader::Base %w[pdf] end + def content_type_whitelist + %w[application/pdf] + end + + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. # def filename diff --git a/app/uploaders/machine_image_uploader.rb b/app/uploaders/machine_image_uploader.rb index f26110632..a4243da35 100644 --- a/app/uploaders/machine_image_uploader.rb +++ b/app/uploaders/machine_image_uploader.rb @@ -54,6 +54,10 @@ class MachineImageUploader < CarrierWave::Uploader::Base %w[jpg jpeg gif png] end + def content_type_whitelist + [%r{image/}] + end + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. def filename diff --git a/app/uploaders/plan_file_uploader.rb b/app/uploaders/plan_file_uploader.rb index 8baf514e1..77f834ac6 100644 --- a/app/uploaders/plan_file_uploader.rb +++ b/app/uploaders/plan_file_uploader.rb @@ -44,6 +44,10 @@ class PlanFileUploader < CarrierWave::Uploader::Base %w[pdf png jpeg jpg] end + def content_type_whitelist + [%r{image/}, 'application/pdf'] + end + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. # def filename diff --git a/app/uploaders/profil_image_uploader.rb b/app/uploaders/profil_image_uploader.rb index d1a57709a..bc14af25a 100644 --- a/app/uploaders/profil_image_uploader.rb +++ b/app/uploaders/profil_image_uploader.rb @@ -58,6 +58,10 @@ class ProfilImageUploader < CarrierWave::Uploader::Base %w[jpg jpeg gif png] end + def content_type_whitelist + [%r{image/}] + end + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. def filename diff --git a/app/uploaders/project_cao_uploader.rb b/app/uploaders/project_cao_uploader.rb index d78c32f68..8ff5cdd0f 100644 --- a/app/uploaders/project_cao_uploader.rb +++ b/app/uploaders/project_cao_uploader.rb @@ -25,4 +25,8 @@ class ProjectCaoUploader < CarrierWave::Uploader::Base def extension_whitelist ENV['ALLOWED_EXTENSIONS'].split(' ') end + + def content_type_whitelist + ENV['ALLOWED_MIME_TYPES'].split(' ') + end end diff --git a/app/uploaders/project_image_uploader.rb b/app/uploaders/project_image_uploader.rb index 28d3fd9e3..d013b112b 100644 --- a/app/uploaders/project_image_uploader.rb +++ b/app/uploaders/project_image_uploader.rb @@ -32,6 +32,10 @@ class ProjectImageUploader < CarrierWave::Uploader::Base %w[jpg jpeg gif png] end + def content_type_whitelist + [%r{image/}] + end + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. def filename diff --git a/app/uploaders/space_file_uploader.rb b/app/uploaders/space_file_uploader.rb index 5d707df58..ba732df9a 100644 --- a/app/uploaders/space_file_uploader.rb +++ b/app/uploaders/space_file_uploader.rb @@ -44,6 +44,11 @@ class SpaceFileUploader < CarrierWave::Uploader::Base %w[pdf] end + def content_type_whitelist + %w[application/pdf] + end + + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. # def filename diff --git a/app/uploaders/space_image_uploader.rb b/app/uploaders/space_image_uploader.rb index 134525d11..dd77c38fc 100644 --- a/app/uploaders/space_image_uploader.rb +++ b/app/uploaders/space_image_uploader.rb @@ -54,6 +54,10 @@ class SpaceImageUploader < CarrierWave::Uploader::Base %w[jpg jpeg gif png] end + def content_type_whitelist + [%r{image/}] + end + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. def filename diff --git a/app/uploaders/training_image_uploader.rb b/app/uploaders/training_image_uploader.rb index c9d1b0f55..9e06ab500 100644 --- a/app/uploaders/training_image_uploader.rb +++ b/app/uploaders/training_image_uploader.rb @@ -54,6 +54,10 @@ class TrainingImageUploader < CarrierWave::Uploader::Base %w[jpg jpeg gif png] end + def content_type_whitelist + [%r{image/}] + end + # Override the filename of the uploaded files: # Avoid using model.id or version_name here, see uploader/store.rb for details. def filename diff --git a/app/validators/file_mime_type_validator.rb b/app/validators/file_mime_type_validator.rb deleted file mode 100644 index 7e25e2562..000000000 --- a/app/validators/file_mime_type_validator.rb +++ /dev/null @@ -1,79 +0,0 @@ -# frozen_string_literal: true - -# Based on: https://gist.github.com/1298417 -class FileMimeTypeValidator < ActiveModel::EachValidator - MESSAGES = { content_type: :wrong_content_type }.freeze - CHECKS = [:content_type].freeze - - DEFAULT_TOKENIZER = ->(value) { value.split(//) } - RESERVED_OPTIONS = %i[content_type tokenizer].freeze - - def initialize(options) - super - - end - - def check_validity! - keys = CHECKS & options.keys - raise ArgumentError, 'Patterns unspecified. Specify the :content_type option.' if keys.empty? - - keys.each do |key| - value = options[key] - raise ArgumentError, ":#{key} must be a String or a Regexp or an Array" unless valid_content_type_option?(value) - - next unless key.is_a?(Array) && key == :content_type - - options[key].each do |val| - raise ArgumentError, "#{val} must be a String or a Regexp" unless val.is_a?(String) || val.is_a?(Regexp) - end - end - end - - def validate_each(record, attribute, value) - raise(ArgumentError, 'A CarrierWave::Uploader::Base object was expected') unless value.is_a? CarrierWave::Uploader::Base - - value = (options[:tokenizer] || DEFAULT_TOKENIZER).call(value) if value.is_a?(String) - return if value.length.zero? - - CHECKS.each do |key| - next unless check_value = options[key] - - do_validation(value, check_value, key, record, attribute) if key == :content_type - end - end - - def help - Helper.instance - end - - class Helper - include Singleton - include ActionView::Helpers::NumberHelper - end - - private - - def valid_content_type_option?(content_type) - return true if %w[Array String Regexp].include?(content_type.class.to_s) - - false - end - - def do_validation(value, pattern, key, record, attribute) - if pattern.is_a?(String) || pattern.is_a?(Regexp) - return if value.file.content_type.send((pattern.is_a?(String) ? '==' : '=~'), pattern) - else - valid_list = pattern.map do |p| - value.file.content_type.send((p.is_a?(String) ? '==' : '=~'), p) - end - return if valid_list.include?(true) - end - - errors_options = options.except(*RESERVED_OPTIONS) - - default_message = options[MESSAGES[key]] - errors_options[:message] ||= default_message if default_message - - record.errors.add(attribute, MESSAGES[key], errors_options) - end -end