
Block dotfiles in carrierwave

#1 Philipp Meissner, published 2018-02-02 11:20:01Z

I want to allow uploading (all possible) image files through a carrierwave uploader.

Unfortunately it's possible that dotfiles such as .DS_STORE might get passed to the uploader. I tried adding an explicit whitelist to only allow image-formats that I know of, but that didn't help.

def extension_whitelist
  %w(jpg jpeg gif png)
end

Also tried running all the files through a regexp and only allow matches

def extension_whitelist
  [/^[^\.].*$/]
end

This also did not work. Adding a blacklist was no help either

def extension_blacklist
  %w(.ds_store .DS_STORE ds_store DS_STORE)
end

Here's my model

class LocalImage < ActiveRecord::Base
  mount_uploader :image_file, ImageUploader
  process_in_background :image_file

  validates_integrity_of :image_file
end

Here's the uploader in question

class ImageUploader < CarrierWave::Uploader::Base
  include CarrierWave::MiniMagick
  include ::CarrierWave::Backgrounder::Delay

  storage :file

  def store_dir
    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
  end
end

I added the blacklist/whitelist definitions and tested them all through (had the server restarted in between to ensure no caching issues). Also tested through the console, but the model is always valid and does not throw an error upon calling create!.

path = "path_to_file/.DS_STORE"
File.exists?(path) # => true

local_image = LocalImage.new(image_file: File.open(path, 'rb'))
local_image.valid? # => true
local_image.save! # => true

LocalImage.create!(image_file: File.open(path, 'rb'))
# => <LocalImage id: 22325, code: nil, image_id: nil, image_file: ".DS_STORE", created_at: "2018-02-02 11:19:25", updated_at: "2018-02-02 11:19:25", import_filename: ".ds_store">

Running

  • Rails 4.2.0
  • Carrierwave 0.10.0
  • carrierwave_backgrounder 0.4.2
  • mini_magick 4.4.0

#2 Philipp Meissner, replied 2018-02-02 12:20:10Z

As stated here, the method extension_whitelist only exists from version 0.11 on, so the version I am using didn't have this change yet. I could fix the validation either by upgrading carrierwave to 0.11 or by renaming my extension_whitelist to extension_white_list (same with blacklist -> black_list).
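Once the method name matches the installed version, what decides the outcome is how the extension of a dotfile is read. The following is an added example, my own code rather than CarrierWave's: it re-implements the comparison as I understand it (an assumption about CarrierWave internals: File.extname without the dot, matched case-insensitively and full-length against each entry), shows why the image whitelist rejects .DS_STORE while a blacklist of .ds_store names never fires and the posted regexp accepts any non-dotfile, and wraps the whitelist in a module that defines both the 0.10 and the 0.11+ method names.

```ruby
# Added example, not CarrierWave's code. The comparison below is an
# assumption about how CarrierWave checks extensions: File.extname without
# the leading dot, matched case-insensitively and full-length against each
# list entry (String or Regexp). For a dotfile like ".DS_STORE" Ruby's
# File.extname returns "", so the extension under test is the empty string.
def upload_extension(filename)
  File.extname(filename).sub(/\A\./, "")
end

def extension_allowed?(filename, whitelist)
  ext = upload_extension(filename)
  whitelist.any? { |item| ext.match?(/\A#{item}\z/i) }
end

def extension_blocked?(filename, blacklist)
  ext = upload_extension(filename)
  blacklist.any? { |item| ext.match?(/\A#{item}\z/i) }
end

# Cross-version whitelist: define the 0.11+ name and alias the 0.10 name to
# it, so the validation runs whichever method name the installed gem calls.
module ImageExtensionWhitelist
  def extension_whitelist
    %w(jpg jpeg gif png)
  end
  alias_method :extension_white_list, :extension_whitelist
end

IMAGE_WHITELIST = %w(jpg jpeg gif png)
POSTED_REGEXP_WHITELIST = [/^[^\.].*$/]   # the regexp from the question
DOTFILE_BLACKLIST = %w(.ds_store .DS_STORE ds_store DS_STORE)

# Constructed sample filenames for the demonstration.
SAMPLES = %w(photo.JPG banner.png .DS_STORE notes.txt)

# Returns, per filename, the extension seen by the check and what each of the
# three lists from the question would do with it.
def report(filenames = SAMPLES)
  filenames.each_with_object({}) do |name, h|
    h[name] = {
      extension: upload_extension(name),
      image_whitelist: extension_allowed?(name, IMAGE_WHITELIST),
      regexp_whitelist: extension_allowed?(name, POSTED_REGEXP_WHITELIST),
      dotfile_blacklist: extension_blocked?(name, DOTFILE_BLACKLIST)
    }
  end
end

report.each { |name, r| puts "#{name.ljust(12)} #{r}" } if __FILE__ == $PROGRAM_NAME
```

The regexp whitelist only excludes names with an empty extension, so it lets notes.txt through; the explicit image whitelist is the one that restricts uploads to the formats named in the question.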
