Don't call `#send` in form object to build file inputs
Before this commit, Simple Form was calling `#send` on the form object to check whether the resulting object was an attachment. That made the library open to DoS, information disclosure and execution of unintended action attacks if a form was built with user input.

```erb
<%= simple_form_for @user do |f| %>
  <%= f.label @user_supplied_string %>
  ...
<% end %>
```

The solution is to try to figure out if an input is of type file by checking for methods present in the most popular Ruby Gems for file uploads. The currently supported Gems are: `activestorage`, `carrierwave`, `paperclip`, `shrine` and `refile`.

The code is relying on public APIs so it should be fine for now. It would be nice to have a single API to perform this check, so we'll suggest one for those libraries.

Co-Authored-By: Felipe Renan <firstname.lastname@example.org>
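The following is an added example, not simple_form's code and not part of the commit: a simplified reconstruction of the `#send`-based check the message describes, beside a check that never invokes the attribute. The model, the uploader object, the duck-typing method list (`mounted_as`, `file?`, `public_filename`) and the reflection-method suffixes (`_attachment`, `_attachments`, `_identifier`, `_file_name`, `_attacher`) are assumptions for illustration, based on the naming conventions of the gems the commit lists.

```ruby
# Added example, not simple_form's code. Shows why calling the attribute name
# handed to the form builder is dangerous and one way to detect file
# attributes without invoking anything on the model.

# Constructed stand-in for an uploader object returned by a file attribute.
class Upload
  def public_filename
    "avatar.png"
  end
end

# Constructed stand-in for a model with one file attribute and one
# destructive public method that a user-supplied attribute name could reach.
class User
  attr_reader :destroyed

  def initialize
    @destroyed = false
  end

  def avatar
    Upload.new
  end

  # Assumption: mirrors ActiveStorage's `has_one_attached :avatar`, which
  # defines an `avatar_attachment` association reader on the model.
  def avatar_attachment
    :attachment_record
  end

  def destroy!
    @destroyed = true
  end
end

# BEFORE: detect a file attribute by calling it and duck-typing the result.
# Whatever name the form was built with is executed on the model, so a
# user-controlled name such as "destroy!" runs that method as a side effect.
# The method list below is an assumption for this example.
DUCK_TYPE_FILE_METHODS = %i[mounted_as file? public_filename].freeze

def vulnerable_file_input?(object, attribute_name)
  return false unless object.respond_to?(attribute_name)

  value = object.send(attribute_name)
  DUCK_TYPE_FILE_METHODS.any? { |m| value.respond_to?(m) }
end

# AFTER: never call the attribute. Only ask whether the model responds to the
# companion methods an upload gem defines next to a file attribute.
# Assumed conventions: ActiveStorage `<name>_attachment`/`<name>_attachments`,
# CarrierWave `<name>_identifier`, Paperclip `<name>_file_name`,
# Shrine and Refile `<name>_attacher`.
FILE_ATTRIBUTE_SUFFIXES = %w[
  _attachment _attachments _identifier _file_name _attacher
].freeze

def safe_file_input?(object, attribute_name)
  name = attribute_name.to_s
  FILE_ATTRIBUTE_SUFFIXES.any? { |suffix| object.respond_to?("#{name}#{suffix}") }
end

if $PROGRAM_NAME == __FILE__
  user = User.new
  vulnerable_file_input?(user, "destroy!") # invokes destroy! on the model
  puts "vulnerable check destroyed the record: #{user.destroyed}"

  user = User.new
  safe_file_input?(user, "destroy!")
  puts "safe check destroyed the record: #{user.destroyed}"
  puts "safe check treats :avatar as a file input: #{safe_file_input?(user, :avatar)}"
end
```

With a model whose attribute name comes from request data, `vulnerable_file_input?` lets the requester pick any public method to run; `safe_file_input?` only consults `respond_to?`, so the worst a hostile name can do is fail to match.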
Showing with 91 additions and 32 deletions.
- +14 −0 CHANGELOG.md
- +2 −2 Gemfile.lock
- +0 −3 lib/generators/simple_form/templates/config/initializers/simple_form.rb
- +21 −4 lib/simple_form.rb
- +21 −2 lib/simple_form/form_builder.rb
- +1 −1 lib/simple_form/version.rb
- +13 −20 test/form_builder/general_test.rb
- +18 −0 test/support/models.rb
- +1 −0 test/test_helper.rb
|@@ -1,4 +1,4 @@|
|# frozen_string_literal: true|
|VERSION = "4.1.0".freeze|
|VERSION = "5.0.0".freeze|
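Review bot: the version goes straight from 4.1.0 to 5.0.0, so this security fix ships as a major release; make sure the CHANGELOG.md entry added in this commit names the removed initializer option (the generator template `lib/generators/simple_form/templates/config/initializers/simple_form.rb` loses 3 lines) as the breaking change and states that the `#send`-based file detection was the reason, so users on 4.x know to upgrade rather than pin.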