Add processable image validator #168
Conversation
|
@gr8bit could you please help me with a review? Difficult to focus on this right now because of current situation in Ukraine |
|
Hi @kukicola, I dealt with this exact subject (I think) a few days ago and I'd like your opinion on this issue: rails/marcel#76 |
|
@gr8bit I'm not sure if we should call it a Marcel issue. Those fallbacks are probably there for some reason. If it was up to me I would suggest making Anyway, I would treat that as a separate thing. Minetype validation is still not enough here. Consider a file with magicbytes matching PNG file but the rest of the file is garbage (corrupted image, random bytes, malicious code, whatever). Validation should also fail in this case. That's why calling |
|
@kukicola Thank you for the feedback, I'll incorporate that in the issue. |
|
@gr8bit Yes but it can be used also just to check if the image is safe to display somewhere (even without processing). I agree, that |
I fully understand that. :D My point of view on it is: you cannot know if the user can actually display it - it might be something that ImageMagick can handle but the user's browser (or "application") cannot (some new formats or even aged ones like Ghostscript). So I was thinking: the only thing we can ensure using Vips/IM is: they can handle it, that's why think processable might be a good fit. |
|
ok I agree, I'll update PR to "processable" later today |
kukicola
force-pushed
the
add-real-image-validator
branch
from
856c87d
to
7c6fc69
Compare
|
@gr8bit done, please take a look |
| @@ -1,10 +1,12 @@ | |||
| class OnlyImage < ApplicationRecord | |||
| has_one_attached :image | |||
| has_one_attached :proc_image | |||
| has_one_attached :another_image | |||
There was a problem hiding this comment.
| has_one_attached :another_image | |
| has_one_attached :another_image | |
| e = OnlyImage.new | ||
| e.image.attach(image_1920x1080_file) | ||
| e.proc_image.attach(image_1920x1080_file) | ||
| e.another_image.attach(tar_file_with_image_content_type) |
There was a problem hiding this comment.
I think we should add a negative test here as well, ensuring that a processable_image: false will accept the .tar file as png as suggested by file extension and type.
You're fast, I tried my best to keep up. ;) |
kukicola
force-pushed
the
add-real-image-validator
branch
from
7c6fc69
to
956f662
Compare
|
I have a lot of time today :) fixes done |
|
@igorkasyanchuk everything looks fine in my opinion, this PR could be merged. |
|
very good, I have checked your discussion, and to me all looks good. |
Content type validation isn't enough to ensure that what users upload is an image and can be manipulated by MiniMagick or Vips. So my idea is to add additional validator which can check if a file can be processed by the library.
For simplicity, I used
Metadataclass which has necessary methods. It probably should be extracted to separate class but I didn't want to make a huge refactor along the wayIt should solve the following issues:
#91
#62
#130 (partially, since it's only for images, for all other files we can extend ContentTypeValidator to read a file and use
Marcel::MimeType.for)