WIP: enforce mime type checking for uploads

2025-01-20 09:52:19 +01:00 · 2020-06-02 19:18:57 +02:00 · 2020-06-02 19:18:57 +02:00 · ebe602ad1c
commit ebe602ad1c
parent 45013be950
19 changed files with 58 additions and 86 deletions
--- a/app/controllers/api/members_controller.rb
+++ b/app/controllers/api/members_controller.rb
@ -56,7 +56,7 @@ class API::MembersController < API::ApiController

    if members_service.update(user_params)
      # Update password without logging out
-      sign_in(@member, bypass: true) unless current_user.id != params[:id].to_i
+      bypass_sign_in(@member) unless current_user.id != params[:id].to_i
      render :show, status: :ok, location: member_path(@member)
    else
      render json: @member.errors, status: :unprocessable_entity
--- a/app/models/import.rb
+++ b/app/models/import.rb
@ -10,7 +10,6 @@ class Import < ApplicationRecord
  belongs_to :user

  validates :attachment, file_size: { maximum: Rails.application.secrets.max_import_size&.to_i || 5.megabytes.to_i }
-  validates :attachment, file_mime_type: { content_type: %w[text/csv text/comma-separated-values application/vnd.ms-excel] }

  after_commit :proceed_import, on: [:create]

--- a/app/models/project_cao.rb
+++ b/app/models/project_cao.rb
@ -5,5 +5,4 @@ class ProjectCao < Asset
  mount_uploader :attachment, ProjectCaoUploader

  validates :attachment, file_size: { maximum: Rails.application.secrets.max_cao_size&.to_i || 5.megabytes.to_i }
-  validates :attachment, file_mime_type: { content_type: ENV['ALLOWED_MIME_TYPES'].split(' ') }
 end
--- a/app/models/project_image.rb
+++ b/app/models/project_image.rb
@ -4,6 +4,4 @@
 class ProjectImage < Asset
  include ImageValidatorConcern
  mount_uploader :attachment, ProjectImageUploader
-
-  validates :attachment, file_mime_type: { content_type: /image/ }
 end
--- a/app/models/project_step_image.rb
+++ b/app/models/project_step_image.rb
@ -4,6 +4,4 @@
 class ProjectStepImage < Asset
  include ImageValidatorConcern
  mount_uploader :attachment, ProjectImageUploader
-
-  validates :attachment, file_mime_type: { content_type: /image/ }
 end
--- a/app/uploaders/custom_assets_uploader.rb
+++ b/app/uploaders/custom_assets_uploader.rb
@ -51,6 +51,10 @@ class CustomAssetsUploader < CarrierWave::Uploader::Base
    %w[pdf png jpeg jpg ico]
  end

+  def content_type_whitelist
+    [%r{image/}, 'application/pdf']
+  end
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  # def filename
--- a/app/uploaders/event_file_uploader.rb
+++ b/app/uploaders/event_file_uploader.rb
@ -44,6 +44,11 @@ class EventFileUploader < CarrierWave::Uploader::Base
    %w[pdf]
  end

+  def content_type_whitelist
+    %w[application/pdf]
+  end
+
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  # def filename
--- a/app/uploaders/event_image_uploader.rb
+++ b/app/uploaders/event_image_uploader.rb
@ -62,6 +62,11 @@ class EventImageUploader < CarrierWave::Uploader::Base
    %w[jpg jpeg gif png]
  end

+  def content_type_whitelist
+    [%r{image/}]
+  end
+
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  def filename
--- a/app/uploaders/import_uploader.rb
+++ b/app/uploaders/import_uploader.rb
@ -25,4 +25,9 @@ class ImportUploader < CarrierWave::Uploader::Base
  def extension_whitelist
    %w[csv]
  end
+
+  def content_type_whitelist
+    %w[text/csv]
+  end
+
 end
--- a/app/uploaders/machine_file_uploader.rb
+++ b/app/uploaders/machine_file_uploader.rb
@ -44,6 +44,11 @@ class MachineFileUploader < CarrierWave::Uploader::Base
    %w[pdf]
  end

+  def content_type_whitelist
+    %w[application/pdf]
+  end
+
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  # def filename
--- a/app/uploaders/machine_image_uploader.rb
+++ b/app/uploaders/machine_image_uploader.rb
@ -54,6 +54,10 @@ class MachineImageUploader < CarrierWave::Uploader::Base
    %w[jpg jpeg gif png]
  end

+  def content_type_whitelist
+    [%r{image/}]
+  end
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  def filename
--- a/app/uploaders/plan_file_uploader.rb
+++ b/app/uploaders/plan_file_uploader.rb
@ -44,6 +44,10 @@ class PlanFileUploader < CarrierWave::Uploader::Base
    %w[pdf png jpeg jpg]
  end

+  def content_type_whitelist
+    [%r{image/}, 'application/pdf']
+  end
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  # def filename
--- a/app/uploaders/profil_image_uploader.rb
+++ b/app/uploaders/profil_image_uploader.rb
@ -58,6 +58,10 @@ class ProfilImageUploader < CarrierWave::Uploader::Base
    %w[jpg jpeg gif png]
  end

+  def content_type_whitelist
+    [%r{image/}]
+  end
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  def filename
--- a/app/uploaders/project_cao_uploader.rb
+++ b/app/uploaders/project_cao_uploader.rb
@ -25,4 +25,8 @@ class ProjectCaoUploader < CarrierWave::Uploader::Base
  def extension_whitelist
    ENV['ALLOWED_EXTENSIONS'].split(' ')
  end
+
+  def content_type_whitelist
+    ENV['ALLOWED_MIME_TYPES'].split(' ')
+  end
 end
--- a/app/uploaders/project_image_uploader.rb
+++ b/app/uploaders/project_image_uploader.rb
@ -32,6 +32,10 @@ class ProjectImageUploader < CarrierWave::Uploader::Base
    %w[jpg jpeg gif png]
  end

+  def content_type_whitelist
+    [%r{image/}]
+  end
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  def filename
--- a/app/uploaders/space_file_uploader.rb
+++ b/app/uploaders/space_file_uploader.rb
@ -44,6 +44,11 @@ class SpaceFileUploader < CarrierWave::Uploader::Base
    %w[pdf]
  end

+  def content_type_whitelist
+    %w[application/pdf]
+  end
+
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  # def filename
--- a/app/uploaders/space_image_uploader.rb
+++ b/app/uploaders/space_image_uploader.rb
@ -54,6 +54,10 @@ class SpaceImageUploader < CarrierWave::Uploader::Base
    %w[jpg jpeg gif png]
  end

+  def content_type_whitelist
+    [%r{image/}]
+  end
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  def filename
--- a/app/uploaders/training_image_uploader.rb
+++ b/app/uploaders/training_image_uploader.rb
@ -54,6 +54,10 @@ class TrainingImageUploader < CarrierWave::Uploader::Base
    %w[jpg jpeg gif png]
  end

+  def content_type_whitelist
+    [%r{image/}]
+  end
+
  # Override the filename of the uploaded files:
  # Avoid using model.id or version_name here, see uploader/store.rb for details.
  def filename
--- a/app/validators/file_mime_type_validator.rb
+++ b/app/validators/file_mime_type_validator.rb
@ -1,79 +0,0 @@
-# frozen_string_literal: true
-
-# Based on: https://gist.github.com/1298417
-class FileMimeTypeValidator < ActiveModel::EachValidator
-  MESSAGES  = { content_type: :wrong_content_type }.freeze
-  CHECKS    = [:content_type].freeze
-
-  DEFAULT_TOKENIZER = ->(value) { value.split(//) }
-  RESERVED_OPTIONS  = %i[content_type tokenizer].freeze
-
-  def initialize(options)
-    super
-
-  end
-
-  def check_validity!
-    keys = CHECKS & options.keys
-    raise ArgumentError, 'Patterns unspecified. Specify the :content_type option.' if keys.empty?
-
-    keys.each do |key|
-      value = options[key]
-      raise ArgumentError, ":#{key} must be a String or a Regexp or an Array" unless valid_content_type_option?(value)
-
-      next unless key.is_a?(Array) && key == :content_type
-
-      options[key].each do |val|
-        raise ArgumentError, "#{val} must be a String or a Regexp" unless val.is_a?(String) || val.is_a?(Regexp)
-      end
-    end
-  end
-
-  def validate_each(record, attribute, value)
-    raise(ArgumentError, 'A CarrierWave::Uploader::Base object was expected') unless value.is_a? CarrierWave::Uploader::Base
-
-    value = (options[:tokenizer] || DEFAULT_TOKENIZER).call(value) if value.is_a?(String)
-    return if value.length.zero?
-
-    CHECKS.each do |key|
-      next unless check_value = options[key]
-
-      do_validation(value, check_value, key, record, attribute) if key == :content_type
-    end
-  end
-
-  def help
-    Helper.instance
-  end
-
-  class Helper
-    include Singleton
-    include ActionView::Helpers::NumberHelper
-  end
-
-  private
-
-  def valid_content_type_option?(content_type)
-    return true if %w[Array String Regexp].include?(content_type.class.to_s)
-
-    false
-  end
-
-  def do_validation(value, pattern, key, record, attribute)
-    if pattern.is_a?(String) || pattern.is_a?(Regexp)
-      return if value.file.content_type.send((pattern.is_a?(String) ? '==' : '=~'), pattern)
-    else
-      valid_list = pattern.map do |p|
-        value.file.content_type.send((p.is_a?(String) ? '==' : '=~'), p)
-      end
-      return if valid_list.include?(true)
-    end
-
-    errors_options = options.except(*RESERVED_OPTIONS)
-
-    default_message = options[MESSAGES[key]]
-    errors_options[:message] ||= default_message if default_message
-
-    record.errors.add(attribute, MESSAGES[key], errors_options)
-  end
-end