Active Storage - Direct Upload Validation

[ghiculescu]

This PR is a proposed architecture for validation in Active Storage. It builds on @georgeclaghorn's proposed architecture here: #35390 (comment)

It leans heavily on #35390 - most of the code from that PR is included in it, with some light refactoring.

---

How it works

There were four high level points in the proposed architecture:

To start, we’d offer validations for the most commonly-validated blob attributes, content_type and byte_size

I included the validators in #35390 mostly unchanged.

The direct upload preflight blob creation request already sends content_type and byte_size attributes. We’d validate these attributes upfront, refusing to create a blob record and return a signed direct upload URL if they’re invalid.

To do this, Active Storage needs to know the model to run validations for. This is passed as a new data attribute, data-direct-upload-model. It's handled automatically if you use FormBuilder#file_field, or you can add it manually.

This attribute eventually makes its way to ActiveStorage::Blob#valid_with?, which returns true if:

• There's no Active Storage validators on the model, or:
• All Active Storage validators would pass with the given blob.

A validator is an "Active Storage validator" if it's a subclass of ActiveStorage::Validations::BaseValidator.

Tests for this are here.

because only server-side validation is secure, we’d need to validate content_type again on attach

I haven't explicitly tested for this yet but I believe #35390 handles it.

I don’t think we need to validate byte_size again on attach because signed direct upload URLs account for the Content-Length header. If I’m wrong about that and we have to validate byte_size again, fine. Same as above.

If the validator is defined, we validate it :)

---

I'm adding @abhchand as a co-author since I used so much of #35390

Co-authored-by: Abhishek Chandrasekhar me@abhchand.me

[ghiculescu]

I don't love this, but can't think of a safer way to get the model here.

[louim]

Hey @ghiculescu,

See here how to setup the commit(s) with co-authoring. In your case, that would mean adding: Co-authored-by: Abhishek Chandrasekhar <me@abhchand.me> at the bottom of the commits messages you want to co-author.

[ghiculescu]

@louim done - thanks!

[abhchand]

Hey @ghiculescu , just stopping by to say thanks for including me as an author on the commit. That's nice of you!

If I find time between work and personal life I'll try to weigh in here, but those two things are keeping me pretty busy at the moment :)

[ghiculescu]

@georgeclaghorn I would love to include this in Rails 7. Do you have any feedback on the direction taken here or anything else you'd like to see included? (let me know if there's a better person to direct this question to)

[rails-bot]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Thank you for your contributions.

[brunoprietog]

Any news on this? I would love to have it in rails 7

[reckerswartz]

@ghiculescu can you also add other validators?

like

presence: true
limit: { min: 1, max: 3 }

[tomrossi7]

Anything I can do to help get this PR moving along? We would love to see this get merged into Rails and are happy to commit resources to help!

[ghiculescu]

@tomrossi7 if you're interested in fixing up the conflicts and trying to move this forward, I can give you access to my fork?

[seanpdoyle]

Could this be a signed reference (like what Turbo Rails does for Stream names) to prevent tampering?

Similarly, could the model: Post option be signed in the same way?

[seanabrahams]

Would also need a helper method for when not using FormBuilder:

<input type=file data-direct-upload-url="<%= rails_direct_uploads_url %>" data-direct-upload-model="<%= rails_direct_uploads_signed_model('Post') %>" />

[seanabrahams]

I also don't see how just the model is sufficient. Shouldn't it be model.attribute as models can have more than one attached attribute:

class User < ApplicationRecord
  has_one_attached :avatar
  has_one_attached :cover_photo
  has_many_attached :highlights
end

[seanabrahams]

Could this be a signed reference (like what Turbo Rails does for Stream names) to prevent tampering?

Similarly, could the model: Post option be signed in the same way?

Yes, it could use ActiveStorage.verifier.

Could do something like:

if options[:direct_upload_model_and_attribute] # Note change in name from direct_upload_model to direct_upload_model_and_attribute
  options["data-direct-upload-model-and-attribute"] = ActiveStorage.verifier.generate(options.delete(:direct_upload_model_and_attribute))

ActiveStorage.verifier.generate("User.avatar")
=> "BAhJIhBVc2VyLmF2YXRhcgY6BkVU--a6f0ee7e289bbf19f91634986e33c15298a6f408"
ActiveStorage.verifier.verified("BAhJIhBVc2VyLmF2YXRhcgY6BkVU--a6f0ee7e289bbf19f91634986e33c15298a6f408")
=> "User.avatar"

[rails-bot]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Thank you for your contributions.

[seanabrahams]

Let's see if we can make some progress on this.

[seanabrahams]

Should this be:

    validates :avatar, attachment_content_type: { in: %w[image/jpeg image/png] }
    validates :avatar, attachment_content_type: { not: %w[application/pdf] }

?

[seanabrahams]

    validates :avatar, attachment_content_type: %w[image/jpeg image/png]
    validates :avatar, attachment_content_type: "image/jpeg"

?

[seanabrahams]

Would also need a helper method for when not using FormBuilder:

<input type=file data-direct-upload-url="<%= rails_direct_uploads_url %>" data-direct-upload-model="<%= rails_direct_uploads_signed_model('Post') %>" />

[seanabrahams]

I also don't see how just the model is sufficient. Shouldn't it be model.attribute as models can have more than one attached attribute:

class User < ApplicationRecord
  has_one_attached :avatar
  has_one_attached :cover_photo
  has_many_attached :highlights
end

[ghiculescu]

@seanabrahams i don’t have much capacity to work on this at the moment, would you like to take it over?

[seanabrahams]

@ghiculescu I'll see what I can do 👍