Add processable image validator #168
Conversation
@gr8bit could you please help me with a review? Difficult to focus on this right now because of the current situation in Ukraine
Hi @kukicola, I dealt with this exact subject (I think) a few days ago and I'd like your opinion on this issue: rails/marcel#76
@gr8bit I'm not sure if we should call it a Marcel issue. Those fallbacks are probably there for some reason. If it was up to me I would suggest making Anyway, I would treat that as a separate thing. Mimetype validation is still not enough here. Consider a file with magic bytes matching a PNG file but the rest of the file is garbage (corrupted image, random bytes, malicious code, whatever). Validation should also fail in this case. That's why calling
@kukicola Thank you for the feedback, I'll incorporate that in the issue.
@gr8bit Yes but it can be used also just to check if the image is safe to display somewhere (even without processing). I agree, that
I fully understand that. :D My point of view on it is: you cannot know if the user can actually display it - it might be something that ImageMagick can handle but the user's browser (or "application") cannot (some new formats or even aged ones like Ghostscript). So I was thinking: the only thing we can ensure using Vips/IM is: they can handle it, that's why I think processable might be a good fit.
ok I agree, I'll update the PR to "processable" later today
Force-pushed from 856c87d to 7c6fc69.
@gr8bit done, please take a look
@@ -1,10 +1,12 @@ | |||
class OnlyImage < ApplicationRecord | |||
has_one_attached :image | |||
has_one_attached :proc_image | |||
has_one_attached :another_image |
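Review bot: the names `has_one_attached :proc_image` and `has_one_attached :another_image` do not say which validation each attachment carries, and the hunk's visible lines show only the attachment declarations, so a reader cannot tell from this file which one is meant to be rejected when the content is not an image. Since the fixture exists to contrast an attachment validated with `processable_image: true` against one validated on content type alone, naming them after that role (for example `:processable_image` and `:content_type_only_image`) would make the tests that attach to them self-explaining.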
e = OnlyImage.new | ||
e.image.attach(image_1920x1080_file) | ||
e.proc_image.attach(image_1920x1080_file) | ||
e.another_image.attach(tar_file_with_image_content_type) |
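Review bot: the setup attaches `tar_file_with_image_content_type` to `e.another_image`, but nothing in the visible hunk asserts on `e.valid?` or `e.errors` afterwards, so the case this PR is about (a declared image content type on bytes the processor cannot open) is not yet shown to be rejected. Consider adding the mirror case `e.proc_image.attach(tar_file_with_image_content_type)` followed by an assertion that `e.valid?` is false and that the error is reported on `proc_image`, next to the `image_1920x1080_file` attachments that are expected to pass.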
I think we should add a negative test here as well, ensuring that a processable_image: false will accept the .tar file as png as suggested by file extension and type.
You're fast, I tried my best to keep up. ;)
Force-pushed from 7c6fc69 to 956f662.
I have a lot of time today :) fixes done
@igorkasyanchuk everything looks fine in my opinion, this PR could be merged.
very good, I have checked your discussion, and to me all looks good.
Content type validation isn't enough to ensure that what users upload is an image and can be manipulated by MiniMagick or Vips. So my idea is to add an additional validator which can check if a file can be processed by the library.
For simplicity, I used the Metadata class which has the necessary methods. It probably should be extracted to a separate class but I didn't want to make a huge refactor along the way.
It should solve the following issues:
#91
#62
#130 (partially, since it's only for images; for all other files we can extend ContentTypeValidator to read the file and use Marcel::MimeType.for)