active_storage_validations 1.3.3 → 1.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5908eeb81003dac14877a0427050b3db222977413379a2c55382676272115e4
-  data.tar.gz: 5a49abac59e29c7ba055284fd437a8c1872f9e200c0b7491c613dae8f5152438
+  metadata.gz: '0539919d5597eda332d4c989c432986009f1944e0ab62251882cc250fa6f021a'
+  data.tar.gz: 8d7566007ede3adf24a60297c20d7a39b28e211bc00f5158148f3c2cdf0a82e5
 SHA512:
-  metadata.gz: b46c3457c3042e514e9401eb011d2c9bfd880ff3c42d38595b3e33010b95f57e5310bffbbc6af350aacbb55accf3f60cd33b3f7333ee33fceed105aac4e49d64
-  data.tar.gz: bebee3a79850fa031e4f8cbdd8d16aec5212e3214d17da6f38f72feb4713320f1ba2b351ba331ac155e0aa637632a50781d36749983aa643fa5f9591ba4a86ea
+  metadata.gz: 364050c102e1fa3feac404972479edf30eb25d7df969e7593afae838ffe556bb0cb69693c94ad8ced10b056b0d8b5c232800bc3885bdc37984c9cf51a836bff1
+  data.tar.gz: 7350e9ffb7d0c93bc233561ab3457aec477f988c447708498d791f559440a08207cfddf245b2b835716f978d2d8171f4c71252697183df5284ee8f33ce136540

data/lib/active_storage_validations/content_type_validator.rb

@@ -56,23 +56,32 @@ module ActiveStorageValidations
       @attachable_filename = attachable_filename(attachable).to_s
     end
 
+    # Check if the provided content_type is authorized and not spoofed against
+    # the file io.
     def is_valid?(record, attribute, attachable)
-      extension_matches_content_type?(record, attribute, attachable) &&
-        authorized_content_type?(record, attribute, attachable) &&
+      authorized_content_type?(record, attribute, attachable) &&
         not_spoofing_content_type?(record, attribute, attachable)
     end
 
-    def extension_matches_content_type?(record, attribute, attachable)
-      return true if !@attachable_filename || !@attachable_content_type
-
-      extension = @attachable_filename.split('.').last
-      possible_extensions = Marcel::TYPE_EXTS[@attachable_content_type]
-      return true if possible_extensions && extension.downcase.in?(possible_extensions)
-
-      errors_options = initialize_and_populate_error_options(options, attachable)
-      add_error(record, attribute, ERROR_TYPES.first, **errors_options)
-      false
-    end
+    # Dead code that we keep here for some time, maybe we will find a solution
+    # to this check later? (November 2024)
+    #
+    # We do not perform any validations against the extension because it is an
+    # unreliable source of truth. For example, a `.csv` file could have its
+    # `text/csv` content_type changed to  `application/vnd.ms-excel` because
+    # it had been opened by Excel at some point, making the file extension vs
+    # file content_type check invalid.
+    # def extension_matches_content_type?(record, attribute, attachable)
+    #   return true if !@attachable_filename || !@attachable_content_type
+
+    #   extension = @attachable_filename.split('.').last
+    #   possible_extensions = Marcel::TYPE_EXTS[@attachable_content_type]
+    #   return true if possible_extensions && extension.downcase.in?(possible_extensions)
+
+    #   errors_options = initialize_and_populate_error_options(options, attachable)
+    #   add_error(record, attribute, ERROR_TYPES.first, **errors_options)
+    #   false
+    # end
 
     def authorized_content_type?(record, attribute, attachable)
       attachable_content_type_is_authorized = @authorized_content_types.any? do |authorized_content_type|

data/lib/active_storage_validations/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ActiveStorageValidations
-  VERSION = '1.3.3'
+  VERSION = '1.3.4'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: active_storage_validations
 version: !ruby/object:Gem::Version
-  version: 1.3.3
+  version: 1.3.4
 platform: ruby
 authors:
 - Igor Kasyanchuk
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-12 00:00:00.000000000 Z
+date: 2024-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activejob