Merge pull request #318 from okriuchykhin/ok_SCI_736

Add whitelisting of supported image types [SCI-736]
2025-11-08 07:21:03 +08:00 · 2016-11-28 09:32:49 +01:00 · 2016-11-28 09:32:49 +01:00 · 31f6379866
commit 31f6379866
parent d0b86de3a4 74f6455a8f
3 changed files with 6 additions and 2 deletions
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@ -114,7 +114,8 @@ class AssetsController < ApplicationController
      fields: s3_post.fields
    })

-    if (asset.file_content_type =~ /^image\//) == 0
+    if (asset.file_content_type =~
+      %r{/^image\/#{Constants::WHITELISTED_IMAGE_TYPES.join("|")}/}) == 0
      asset.file.options[:styles].each do |style, option|
        s3_post = S3_BUCKET.presigned_post(
          key: asset.file.path(style)[1..-1],
--- a/app/models/asset.rb
+++ b/app/models/asset.rb
@ -138,7 +138,8 @@ class Asset < ActiveRecord::Base
  end

  def is_image?
-    !(self.file.content_type =~ /^image/).nil?
+    !(file.content_type =~
+      %r{/^image\/#{Constants::WHITELISTED_IMAGE_TYPES.join("|")}/}).nil?
  end

  def text?
--- a/config/initializers/constants.rb
+++ b/config/initializers/constants.rb
@ -201,6 +201,8 @@ class Constants
    'text/plain'
  ].freeze

+  WHITELISTED_IMAGE_TYPES = ['gif', 'jpeg', 'png', 'svg+xml', 'bmp'].freeze
+
  # Very basic regex to check for validity of emails
  BASIC_EMAIL_REGEX = URI::MailTo::EMAIL_REGEXP