file_validators 1.2.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b2c81af7c7d23418b0c6e37eea387759dda91a48
-  data.tar.gz: a50cac956a66ac32de2c01b15ffe3be6b5acfbfe
+  metadata.gz: b2a185e059287eb886b2f0aca6f8654d0860f97d
+  data.tar.gz: 087b21a3812ec49de9dd0df345521792631b2925
 SHA512:
-  metadata.gz: 6f6a8749bea73140878064b29e78a79b938076d28b42dcec160f955867d297d8d79cb01e3ec533cdef3571678f85f887071e267734f830fb095038f97b9eadb6
-  data.tar.gz: f1e3491b792d054b3e515944b64b0fe2fdb1bce5f1a62c2d1ad3b54494a8787e9536e8d5b0870a165f477a4b0d67d09c8d105bb376ca04e03eae387c4673731c
+  metadata.gz: ba536373220e03c3e4da79095baad18015dfec6f152cca7fca98f8ba0b1c9b64488b6f447497153e959d3eb1980f07015b32f2c1717638fda8002bb99232d1c7
+  data.tar.gz: cf6d97528247cae02d8c42824c42938e37e57b2ff73045cd429ecb601c23784ce058afe3ef8969994ef83f7366482132818b724b2c00c0a28390d52650a5fb4a

data/.travis.yml

@@ -1,9 +1,9 @@
 language: ruby
 rvm:
-  - 2.1.2
-  - 2.0.0
+  - 2.2.2
   - 1.9.3
 gemfile:
+  - gemfiles/activemodel_4.2.gemfile
   - gemfiles/activemodel_4.1.gemfile
   - gemfiles/activemodel_4.0.gemfile
   - gemfiles/activemodel_3.2.gemfile

data/Appraisals

@@ -16,4 +16,8 @@ end
 
 appraise 'activemodel-4.1' do
   gem 'activemodel', '4.1.6'
-end
+end
+
+appraise 'activemodel-4.2' do
+  gem 'activemodel', '4.2.3'
+end

data/README.md

@@ -15,7 +15,7 @@ Any module that uses ActiveModel, for example ActiveRecord, can use these file v
 * ActiveModel versions: 3 and 4.
 * Rails versions: 3 and 4.
 
-It has been tested to work with Carrierwave, Paperclip, Dragonfly etc file uploading solutions.
+It has been tested to work with Carrierwave, Paperclip, Dragonfly, Refile etc file uploading solutions.
 Validations works both before and after uploads.
 
 ## Installation
@@ -135,7 +135,17 @@ validates :attachment, file_content_type: { allow: [/^image\/.*/, 'video/mp4'] }
 # proc/lambda example
 validates :video, file_content_type: { allow: lambda { |record| record.content_types } }
 ```
-* `exclude`: Forbidden content types. Can be a single content type or an array.  Each type can be a String or a Regexp. It also accepts `proc`. See `:allow` options examples.
+* `exclude`: Forbidden content types. Can be a single content type or an array. Each type
+can be a String or a Regexp. It also accepts `proc`. See `:allow` options examples.
+* `mode`: `:strict` or `:relaxed`. `:strict` mode can detect content type based on the contents
+of the files. It also detects media type spoofing (see more in [security](#security)).
+`:relaxed` mode uses file name to detect the content type using `mime-types` gem.
+If mode option is not set then the validator uses form supplied content type.
+```ruby
+# string
+validates :avatar, file_content_type: { allow: 'image/jpeg', mode: :strict }
+validates :avatar, file_content_type: { allow: 'image/jpeg', mode: :relaxed }
+```
 * `message`: The message to display when the uploaded file has an invalid content type.
 You will get `types` as a replacement. You can write error messages without using any replacement.
 ```ruby
@@ -157,15 +167,20 @@ validates :avatar, file_content_type: { allow: /^image\/.*/, exclude: ['image/pn
 
 ## Security
 
-This gem uses file command to get the content type based on the content of the file rather
+This gem can use Unix file command to get the content type based on the content of the file rather
 than the extension. This prevents fake content types inserted in the request header.
 
 It also prevents file media type spoofing. For example, user may upload a .html document as 
 a part of the EXIF header of a valid JPEG file. Content type validator will identify its content type
 as `image/jpeg` and, without spoof detection, it may pass the validation and be saved as .html document
-thus exposing your application to a security vulnerability. Media type spoof detector wont let that happen. It will not allow a file having `image/jpeg` content type to be saved as `text/plain`. It checks only media type mismatch, for example `text` of `text/plain` and `image` of `image/jpeg`. So it will not prevent `image/jpeg` from saving as `image/png` as both have the same `image` media type.
+thus exposing your application to a security vulnerability. Media type spoof detector wont let that happen.
+It will not allow a file having `image/jpeg` content type to be saved as `text/plain`. It checks only media
+type mismatch, for example `text` of `text/plain` and `image` of `image/jpeg`. So it will not prevent
+`image/jpeg` from saving as `image/png` as both have the same `image` media type.
 
-**note**: Media type spoof detection is integrated in the [content type validator](#file-content-type-validator). This means without content type validation spoof detection wont be enabled.
+**note**: This security feature is disabled by default. To enable it, first add `cocaine` gem in
+your Gemfile and then add `mode: :strict` option in [content type validations](#file-content-type-validator).
+`:strict` mode may not work in direct file uploading systems as the file is not passed along with the form.
 
 ## i18n Translations
 
@@ -211,6 +226,28 @@ en:
           tb: "TB"
 ```
 
+## Further Instructions
+
+If you are using `:strict` or `:relaxed` mode, for content types which are not supported
+by mime-types gem, you need to register those content types. For example, you can register
+`.docx` in the initializer:
+```Ruby
+# config/initializers/mime_types.rb
+Mime::Type.register "application/vnd.openxmlformats-officedocument.wordprocessingml.document", :docx
+```
+
+If you want to see what content type `:strict` mode returns, run this command in the shell:
+```Shell
+$ file -b --mime-type your-file.xxx
+```
+
+## Issues
+
+**Carrierwave** - You are adding file validators to a model, then you are recommended to keep extension_white_list &/
+extension_black_list in the uploaders (in case you don't have, add that method).
+As of this writing (see [issue](https://github.com/carrierwaveuploader/carrierwave/issues/361)), Carrierwave
+uploaders start processing a file immediately after its assignment (even before the validators are called).
+
 ## Tests
 
 ```ruby

data/file_validators.gemspec

@@ -19,8 +19,8 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'activemodel', '>= 3.0'
   s.add_dependency 'mime-types', '>= 1.0'
-  s.add_dependency 'cocaine', '~> 0.5.4'
 
+  s.add_development_dependency 'cocaine', '~> 0.5.4'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec', '~> 3.1.0'
   s.add_development_dependency 'coveralls'

data/gemfiles/activemodel_4.2.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal"
+gem "activemodel", "4.2.3"
+
+gemspec :path => "../"

data/lib/file_validators/utils/content_type_detector.rb

@@ -1,4 +1,7 @@
-require 'cocaine'
+begin
+  require 'cocaine'
+rescue LoadError
+end
 
 module FileValidators
   module Utils
@@ -30,6 +33,8 @@ module FileValidators
       def content_type_from_file_command
         type = begin
           Cocaine::CommandLine.new('file', '-b --mime-type :file').run(file: @file_path)
+        rescue NameError => e
+          puts "file_validators: Add 'cocaine' gem as you are using file content type validations in strict mode"
         rescue Cocaine::CommandLineError => e
           # TODO: log command failure
           DEFAULT_CONTENT_TYPE

data/lib/file_validators/utils/media_type_spoof_detector.rb

@@ -25,7 +25,7 @@ module FileValidators
 
       def has_extension?
         # the following code replaced File.extname(@file_name).present? because it cannot
-        # return the extension of a file named '.html', '.jpg' etc
+        # return the extension of a extension-only file names, e.g. '.html', '.jpg' etc
         @file_name.split('.').length > 1
       end
 

data/lib/file_validators/validators/file_content_type_validator.rb

@@ -13,13 +13,12 @@ module ActiveModel
 
       def validate_each(record, attribute, value)
         unless value.blank?
-          file_path = get_file_path(value)
-          file_name = get_file_name(value)
-          content_type = detect_content_type(file_path)
+          mode = option_value(record, :mode)
+          content_type = get_content_type(value, mode)
           allowed_types = option_content_types(record, :allow)
           forbidden_types = option_content_types(record, :exclude)
 
-          validate_media_type(record, attribute, content_type, file_name)
+          validate_media_type(record, attribute, content_type, get_file_name(value)) if mode == :strict
           validate_whitelist(record, attribute, content_type, allowed_types)
           validate_blacklist(record, attribute, content_type, forbidden_types)
         end
@@ -55,8 +54,19 @@ module ActiveModel
         end
       end
 
-      def detect_content_type(file_path)
-        FileValidators::Utils::ContentTypeDetector.new(file_path).detect
+      def get_content_type(value, mode)
+        case mode
+        when :strict
+          file_path = get_file_path(value)
+          FileValidators::Utils::ContentTypeDetector.new(file_path).detect
+        when :relaxed
+          file_name = get_file_name(value)
+          MIME::Types.type_for(file_name).first
+        else
+          value = JSON.parse(value) if value.is_a?(String)
+          value = OpenStruct.new(value) if value.is_a?(Hash)
+          value.content_type
+        end
       end
 
       def option_content_types(record, key)
@@ -103,6 +113,12 @@ module ActiveModel
       # * +exclude+: Forbidden content types.
       # * +message+: The message to display when the uploaded file has an invalid
       #   content type.
+      # * +mode+: :strict or :relaxed.
+      #   :strict mode validates the content type based on the actual contents
+      #   of the files. Thus it can detect media type spoofing.
+      #   :relaxed validates the content type based on the file name using
+      #   the mime-types gem. It's only for sanity check.
+      #   If mode is not set then it uses form supplied content type.
       # * +if+: A lambda or name of an instance method. Validation will only
       #   be run is this lambda or method returns true.
       # * +unless+: Same as +if+ but validates if lambda or method returns false.

data/lib/file_validators/validators/file_size_validator.rb

@@ -15,6 +15,8 @@ module ActiveModel
       def validate_each(record, attribute, value)
         unless value.blank?
           options.slice(*CHECKS.keys).each do |option, option_value|
+            value = JSON.parse(value) if value.is_a?(String)
+            value = OpenStruct.new(value) if value.is_a?(Hash)
             option_value = option_value.call(record) if option_value.is_a?(Proc)
             unless valid_size?(value.size, option, option_value)
               record.errors.add(attribute,

data/lib/file_validators/version.rb

@@ -1,3 +1,3 @@
 module FileValidators
-  VERSION = '1.2.0'
+  VERSION = '2.0.0'
 end

data/spec/fixtures/spoofed.jpg

@@ -0,0 +1 @@
+a sample text

data/spec/integration/file_content_type_validation_integration_spec.rb

@@ -12,6 +12,7 @@ describe 'File Content Type integration with ActiveModel' do
     @chubby_bubble_path = File.join(File.dirname(__FILE__), '../fixtures/chubby_bubble.jpg')
     @chubby_cute_path = File.join(File.dirname(__FILE__), '../fixtures/chubby_cute.png')
     @sample_text_path = File.join(File.dirname(__FILE__), '../fixtures/sample.txt')
+    @spoofed_file_path = File.join(File.dirname(__FILE__), '../fixtures/spoofed.jpg')
   end
 
   context ':allow option' do
@@ -40,7 +41,7 @@ describe 'File Content Type integration with ActiveModel' do
       before :all do
         Person.class_eval do
           Person.reset_callbacks(:validate)
-          validates :avatar, file_content_type: { allow: /^image\/.*/ }
+          validates :avatar, file_content_type: { allow: /^image\/.*/, mode: :strict }
         end
       end
 
@@ -68,7 +69,7 @@ describe 'File Content Type integration with ActiveModel' do
       before :all do
         Person.class_eval do
           Person.reset_callbacks(:validate)
-          validates :avatar, file_content_type: { allow: ['image/jpeg', 'text/plain'] }
+          validates :avatar, file_content_type: { allow: ['image/jpeg', 'text/plain'], mode: :strict }
         end
       end
 
@@ -96,7 +97,8 @@ describe 'File Content Type integration with ActiveModel' do
       before :all do
         Person.class_eval do
           Person.reset_callbacks(:validate)
-          validates :avatar, file_content_type: { allow: lambda { |record| ['image/jpeg', 'text/plain'] } }
+          validates :avatar, file_content_type: { allow: lambda { |record| ['image/jpeg', 'text/plain'] },
+                                                  mode: :strict }
         end
       end
 
@@ -126,7 +128,7 @@ describe 'File Content Type integration with ActiveModel' do
       before :all do
         Person.class_eval do
           Person.reset_callbacks(:validate)
-          validates :avatar, file_content_type: { exclude: 'image/jpeg' }
+          validates :avatar, file_content_type: { exclude: 'image/jpeg', mode: :strict }
         end
       end
 
@@ -147,7 +149,7 @@ describe 'File Content Type integration with ActiveModel' do
       before :all do
         Person.class_eval do
           Person.reset_callbacks(:validate)
-          validates :avatar, file_content_type: { exclude: /^image\/.*/ }
+          validates :avatar, file_content_type: { exclude: /^image\/.*/, mode: :strict }
         end
       end
 
@@ -175,7 +177,7 @@ describe 'File Content Type integration with ActiveModel' do
       before :all do
         Person.class_eval do
           Person.reset_callbacks(:validate)
-          validates :avatar, file_content_type: { exclude: ['image/jpeg', 'text/plain'] }
+          validates :avatar, file_content_type: { exclude: ['image/jpeg', 'text/plain'], mode: :strict }
         end
       end
 
@@ -203,7 +205,7 @@ describe 'File Content Type integration with ActiveModel' do
       before :all do
         Person.class_eval do
           Person.reset_callbacks(:validate)
-          validates :avatar, file_content_type: { exclude: lambda { |record| /^image\/.*/ } }
+          validates :avatar, file_content_type: { exclude: lambda { |record| /^image\/.*/ }, mode: :strict }
         end
       end
 
@@ -227,7 +229,7 @@ describe 'File Content Type integration with ActiveModel' do
     before :all do
       Person.class_eval do
         Person.reset_callbacks(:validate)
-        validates :avatar, file_content_type: { allow: /^image\/.*/, exclude: 'image/png' }
+        validates :avatar, file_content_type: { allow: /^image\/.*/, exclude: 'image/png', mode: :strict }
       end
     end
 
@@ -243,4 +245,123 @@ describe 'File Content Type integration with ActiveModel' do
       it { is_expected.not_to be_valid }
     end
   end
+
+  context ':mode option' do
+    context 'strict mode' do
+      before :all do
+        Person.class_eval do
+          Person.reset_callbacks(:validate)
+          validates :avatar, file_content_type: { allow: 'image/jpeg', mode: :strict }
+        end
+      end
+
+      subject { Person.new }
+
+      context 'with valid file' do
+        it 'validates the file' do
+          subject.avatar = Rack::Test::UploadedFile.new(@cute_path, 'image/jpeg')
+          expect(subject).to be_valid
+        end
+      end
+
+      context 'with spoofed file' do
+        it 'invalidates the file' do
+          subject.avatar = Rack::Test::UploadedFile.new(@spoofed_file_path, 'image/jpeg')
+          expect(subject).not_to be_valid
+        end
+      end
+    end
+
+    context 'relaxed mode' do
+      before :all do
+        Person.class_eval do
+          Person.reset_callbacks(:validate)
+          validates :avatar, file_content_type: { allow: 'image/jpeg', mode: :relaxed }
+        end
+      end
+
+      subject { Person.new }
+
+      context 'with valid file' do
+        it 'validates the file' do
+          subject.avatar = Rack::Test::UploadedFile.new(@cute_path, 'image/jpeg')
+          expect(subject).to be_valid
+        end
+      end
+
+      context 'with spoofed file' do
+        it 'validates the file' do
+          subject.avatar = Rack::Test::UploadedFile.new(@spoofed_file_path, 'image/jpeg')
+          expect(subject).to be_valid
+        end
+      end
+    end
+
+    context 'default mode' do
+      before :all do
+        Person.class_eval do
+          Person.reset_callbacks(:validate)
+          validates :avatar, file_content_type: { allow: 'image/jpeg' }
+        end
+      end
+
+      subject { Person.new }
+
+      context 'with valid file' do
+        it 'validates the file' do
+          subject.avatar = Rack::Test::UploadedFile.new(@cute_path, 'image/jpeg')
+          expect(subject).to be_valid
+        end
+      end
+
+      context 'with spoofed file' do
+        it 'invalidates the file' do
+          subject.avatar = Rack::Test::UploadedFile.new(@spoofed_file_path, 'image/jpeg')
+          expect(subject).to be_valid
+        end
+      end
+    end
+  end
+
+  context 'image data as json string' do
+    before :all do
+      Person.class_eval do
+        Person.reset_callbacks(:validate)
+        validates :avatar, file_content_type: { allow: 'image/jpeg' }
+      end
+    end
+
+    subject { Person.new }
+
+    context 'for invalid content type' do
+      before { subject.avatar = "{\"filename\":\"img140910_88338.GIF\",\"content_type\":\"image/gif\",\"size\":13150}" }
+      it { is_expected.not_to be_valid }
+    end
+
+    context 'for valid content type' do
+      before { subject.avatar = "{\"filename\":\"img140910_88338.jpg\",\"content_type\":\"image/jpeg\",\"size\":13150}" }
+      it { is_expected.to be_valid }
+    end
+  end
+
+  context 'image data as hash' do
+    before :all do
+      Person.class_eval do
+        Person.reset_callbacks(:validate)
+        validates :avatar, file_content_type: { allow: 'image/jpeg' }
+      end
+    end
+
+    subject { Person.new }
+
+    context 'for invalid content type' do
+      before { subject.avatar = { "filename":"img140910_88338.GIF", "content_type":"image/gif", "size":13150 } }
+      it { is_expected.not_to be_valid }
+    end
+
+    context 'for valid content type' do
+      before { subject.avatar = { "filename":"img140910_88338.jpg", "content_type":"image/jpeg", "size":13150 } }
+      it { is_expected.to be_valid }
+    end
+  end
 end

data/spec/integration/file_size_validator_integration_spec.rb

@@ -206,4 +206,46 @@ describe 'File Size Validator integration with ActiveModel' do
       it { is_expected.to be_valid }
     end
   end
+
+  context 'image data as json string' do
+    before :all do
+      Person.class_eval do
+        Person.reset_callbacks(:validate)
+        validates :avatar, file_size: { greater_than: 20.kilobytes }
+      end
+    end
+
+    subject { Person.new }
+
+    context 'when file size is less than the specified size' do
+      before { subject.avatar = "{\"filename\":\"img140910_88338.GIF\",\"content_type\":\"image/gif\",\"size\":13150}" }
+      it { is_expected.not_to be_valid }
+    end
+
+    context 'when file size within the specified size' do
+      before { subject.avatar = "{\"filename\":\"img140910_88338.GIF\",\"content_type\":\"image/gif\",\"size\":33150}" }
+      it { is_expected.to be_valid }
+    end
+  end
+
+  context 'image data as hash' do
+    before :all do
+      Person.class_eval do
+        Person.reset_callbacks(:validate)
+        validates :avatar, file_size: { greater_than: 20.kilobytes }
+      end
+    end
+
+    subject { Person.new }
+
+    context 'when file size is less than the specified size' do
+      before { subject.avatar = { "filename":"img140910_88338.GIF", "content_type":"image/gif", "size":13150 } }
+      it { is_expected.not_to be_valid }
+    end
+
+    context 'when file size within the specified size' do
+      before { subject.avatar = { "filename":"img140910_88338.GIF", "content_type":"image/gif", "size":33150 } }
+      it { is_expected.to be_valid }
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -1,5 +1,6 @@
 ENV['RAILS_ENV'] ||= 'test'
 
+require 'active_support'
 require 'active_support/core_ext'
 require_relative '../lib/file_validators'
 require 'rspec'

data/spec/support/matchers/allow_content_type.rb

@@ -1,8 +1,8 @@
 RSpec::Matchers.define :allow_file_content_type do |content_type, validator, message|
   match do |model|
     value = double('file', path: content_type, original_filename: content_type)
-    model.any_instance.stub(:read_attribute_for_validation).and_return(value)
-    validator.stub(:detect_content_type).and_return(content_type)
+    allow_any_instance_of(model).to receive(:read_attribute_for_validation).and_return(value)
+    allow(validator).to receive(:get_content_type).and_return(content_type)
     dummy = model.new
     validator.validate(dummy)
     if message.present?

data/spec/support/matchers/allow_file_size.rb

@@ -1,7 +1,7 @@
 RSpec::Matchers.define :allow_file_size do |size, validator, message|
   match do |model|
     value = double('file', size: size)
-    model.any_instance.stub(:read_attribute_for_validation).and_return(value)
+    allow_any_instance_of(model).to receive(:read_attribute_for_validation).and_return(value)
     dummy = model.new
     validator.validate(dummy)
     if message.present?

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: file_validators
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Ahmad Musaffa
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-28 00:00:00.000000000 Z
+date: 2015-07-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -45,7 +45,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.5.4
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -130,6 +130,7 @@ files:
 - gemfiles/activemodel_3.2.gemfile
 - gemfiles/activemodel_4.0.gemfile
 - gemfiles/activemodel_4.1.gemfile
+- gemfiles/activemodel_4.2.gemfile
 - lib/file_validators.rb
 - lib/file_validators/locale/en.yml
 - lib/file_validators/utils/content_type_detector.rb
@@ -141,6 +142,7 @@ files:
 - spec/fixtures/chubby_cute.png
 - spec/fixtures/cute.jpg
 - spec/fixtures/sample.txt
+- spec/fixtures/spoofed.jpg
 - spec/integration/combined_validators_integration_spec.rb
 - spec/integration/file_content_type_validation_integration_spec.rb
 - spec/integration/file_size_validator_integration_spec.rb
@@ -172,7 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: ActiveModel file validators
@@ -181,6 +183,7 @@ test_files:
 - spec/fixtures/chubby_cute.png
 - spec/fixtures/cute.jpg
 - spec/fixtures/sample.txt
+- spec/fixtures/spoofed.jpg
 - spec/integration/combined_validators_integration_spec.rb
 - spec/integration/file_content_type_validation_integration_spec.rb
 - spec/integration/file_size_validator_integration_spec.rb