active_storage_validations
Security when using direct uploads?
When using direct uploads, ActiveStorage delays identifying the file to a background job, spawned only after the file has been attached. Currently, the initial blob's content_type is determined solely from the extension of the uploaded file, and I believe this value is the one used by active_storage_validations. In this case, if my app accepts only images, a malicious user could upload a non-image file by giving it an image extension (e.g. jpg, png).
I don't know what we can do to prevent this issue. Maybe you can try to analyze the file later on the server and check if it's an image, and if not, delete the file.
The gem doesn't support validation on the frontend, and of course, if you want to add it, the whole community will appreciate it.
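The server-side check suggested above, as an added example that is not code from the gem or from anyone in this thread: it sniffs the leading bytes of the stored file and compares them with the extension-derived content_type, so a non-image renamed to .png is caught. It is plain Ruby with no Rails dependency; the signature table and sample bytes are constructed for the demo, and where to call it (for example from a job that runs after attach and purges the blob on failure) is left to the app.

```ruby
require "stringio"

# Magic-byte signatures for the image types an image-only app might accept
# (constructed table for this example; extend as needed).
IMAGE_SIGNATURES = {
  "image/png"  => ["\x89PNG\r\n\x1A\n".b],
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b],
}.freeze

# Returns the image MIME type implied by the file's first bytes, or nil when
# the bytes match none of the accepted image signatures.
def sniffed_image_type(head)
  head = head.b
  IMAGE_SIGNATURES.each do |mime, magics|
    return mime if magics.any? { |magic| head.start_with?(magic) }
  end
  nil
end

# True only when the content_type derived from the filename extension agrees
# with what the bytes actually are. A "photo.png" that starts with "<?php"
# returns false even though the extension says image.
def trusted_image?(declared_content_type, head)
  actual = sniffed_image_type(head)
  !actual.nil? && actual == declared_content_type
end

# Reads only the first 16 bytes of an IO (a plain File here; with
# ActiveStorage this would be the IO yielded by blob.open), which is enough
# to cover the longest signature in the table.
def sniff_io(io)
  io.rewind if io.respond_to?(:rewind)
  io.read(16).to_s
end

# Constructed sample heads, not real upload data.
REAL_PNG_HEAD = "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b
FAKE_PNG_HEAD = "<?php echo 'not an image'; ?>".b   # text file renamed to .png

if __FILE__ == $0
  p trusted_image?("image/png", REAL_PNG_HEAD)            # => true
  p trusted_image?("image/png", FAKE_PNG_HEAD)            # => false
  p trusted_image?("image/png", "\xFF\xD8\xFF\xE0".b)     # => false (JPEG bytes, PNG extension)
  p trusted_image?("image/gif", sniff_io(StringIO.new("GIF89a\x01\x00".b))) # => true
end
```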
Hi @igorkasyanchuk, so does this mean we cannot do any validations with ActiveStorage? That's a bummer. I am in the process of migrating from Shrine because I like that with AS I don't have to alter the structure of the models. I thought I could use this gem for validations, but I am direct-uploading to DigitalOcean. With Shrine I had some validations, but admittedly I wasn't doing direct uploads, so I don't know if there is the same issue with Shrine (@janko, is there?)
Any workaround? I am only interested in validating that the file is an image between a min and a max file size.
This gem doesn't do any validations using JS. So for direct uploads, it doesn't work
Sorry for the confusion, I wasn't referring to JS validations (I use Uppy for that) but server-side validations. I got the file size validation working; it was a silly mistake on my part. Thanks for the gem!
Closing this since it's too old, and JS validations are out of scope for this gem.