
Security when using direct uploads?

Open janko opened this issue 4 years ago • 4 comments

When using direct uploads, ActiveStorage will delay identifying the file into a background job, spawned only after the file has been attached. Currently, the initial blob's content_type is determined solely based on the extension of the uploaded file, and I believe this value will be the one that's used by active_storage_validations. In this case, if my app is accepting only images, a malicious user could upload a non-image file by giving it an image extension (e.g. jpg, png).

janko avatar Feb 16 '20 12:02 janko

I don't know what we can do to prevent this issue. Maybe you can try to analyze the file later on the server and check if it's an image and, if not, delete the file.

The gem doesn't support validation on the frontend, and of course, if you want to add it, the whole community will appreciate it.

igorkasyanchuk avatar Feb 16 '20 12:02 igorkasyanchuk
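The server-side check suggested above, as an added example that is neither the gem's code nor from this thread: after attachment, the extension-derived content_type is compared against the file's real leading bytes and the blob is purged on a mismatch. The signature table, helper names and the stand-in blob struct are assumptions.

```ruby
# Added example, not code from the gem or this thread: server-side verification
# of a direct-uploaded blob, run after attachment (e.g. from a background job).
# The declared content_type came from the file extension, so we sniff the real
# type from the leading bytes and purge the blob on a mismatch.
# Assumptions: the blob exposes content_type, a way to read its first bytes, and
# purge (ActiveStorage::Blob does; the Struct below stands in for it offline).

MAGIC_SIGNATURES = {
  "image/png"  => ["\x89PNG\r\n\x1a\n".b],
  "image/jpeg" => ["\xFF\xD8\xFF".b],
  "image/gif"  => ["GIF87a".b, "GIF89a".b],
}.freeze

# Returns the MIME type implied by the leading bytes, or nil if unrecognised.
def sniff_image_type(bytes)
  head = bytes.b
  # WebP is RIFF<4-byte size>WEBP, so its marker is not at offset 0.
  return "image/webp" if head[0, 4] == "RIFF".b && head[8, 4] == "WEBP".b
  MAGIC_SIGNATURES.each do |type, sigs|
    return type if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# true only when the sniffed type equals the extension-derived declaration.
def declared_type_verified?(declared_content_type, leading_bytes)
  sniff_image_type(leading_bytes) == declared_content_type
end

# Offline stand-in for ActiveStorage::Blob (hypothetical).
FakeBlob = Struct.new(:content_type, :leading_bytes, :purged) do
  def purge; self.purged = true; end
end

# Keeps a verified blob, purges an impostor. Returns :kept or :purged.
def verify_or_purge(blob)
  if declared_type_verified?(blob.content_type, blob.leading_bytes)
    :kept
  else
    blob.purge
    :purged
  end
end

# Constructed sample uploads: a genuine PNG and a PDF renamed to .jpg.
REAL_PNG = FakeBlob.new("image/png", "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR".b, false)
FAKE_JPG = FakeBlob.new("image/jpeg", "%PDF-1.7\n%\xE2\xE3\xCF\xD3\n".b, false)

if __FILE__ == $PROGRAM_NAME
  puts "real png: #{verify_or_purge(REAL_PNG)}"   # real png: kept
  puts "fake jpg: #{verify_or_purge(FAKE_JPG)}"   # fake jpg: purged
end
```

In a Rails app the same check would run in a job enqueued after attachment, reading the first few bytes of the stored blob rather than the struct used here.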

Hi @igorkasyanchuk, so does this mean we cannot do any validations with ActiveStorage? That's a bummer. I am in the process of migrating from Shrine because I like that with AS I don't have to alter the structure of the models. I thought I could use this gem for validations, but I am direct-uploading to DigitalOcean. With Shrine I had some validations, but admittedly I wasn't doing direct uploads, so I don't know if there is the same issue with Shrine (@janko, is there?).

Any workaround? I am only interested in validating that the file is an image between a min and a max file size.

vitobotta avatar Jun 30 '20 10:06 vitobotta

This gem doesn't do any validations using JS. So for direct uploads, it doesn't work.

igorkasyanchuk avatar Jun 30 '20 11:06 igorkasyanchuk

Sorry for the confusion, I wasn't referring to JS validations (I use Uppy for that) but server-side validations. I got the file size validation working; it was a silly mistake on my part. Thanks for the gem!

vitobotta avatar Jun 30 '20 11:06 vitobotta

Closing this since it's too old, and JS validations are out of scope for this gem.

igorkasyanchuk avatar May 15 '23 13:05 igorkasyanchuk