Merge pull request #1844 from Nyangawa/fix-file-validator

fix: enforce tempfile to be a Tempfile object
ruby-grape · Dec 14, 2018 · b368380 · b368380
2 parents 766cdb5 + d307fa1
commit b368380
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 * Your contribution here.
 * [#1833](https://github.com/ruby-grape/grape/pull/1833): Allows to set the `ParamBuilder` globally - [@myxoh](https://github.com/myxoh).
+* [#1844](https://github.com/ruby-grape/grape/pull/1844): Fix: enforce `:tempfile` to be a `Tempfile` object in `File` validator - [@Nyangawa](https://github.com/Nyangawa).
 
 #### Fixes
 

diff --git a/lib/grape/validations/types/file.rb b/lib/grape/validations/types/file.rb
@@ -19,7 +19,7 @@ def value_coerced?(value)
           # Rack::Request creates a Hash with filename,
           # content type and an IO object. Do a bit of basic
           # duck-typing.
-          value.is_a?(::Hash) && value.key?(:tempfile)
+          value.is_a?(::Hash) && value.key?(:tempfile) && value[:tempfile].is_a?(Tempfile)
         end
       end
     end

diff --git a/spec/grape/validations/validators/coerce_spec.rb b/spec/grape/validations/validators/coerce_spec.rb
@@ -397,6 +397,10 @@ def self.parsed?(value)
         post '/upload', file: 'not a file'
         expect(last_response.status).to eq(400)
         expect(last_response.body).to eq('file is invalid')
+
+        post '/upload', file: { filename: 'fake file', tempfile: '/etc/passwd' }
+        expect(last_response.status).to eq(400)
+        expect(last_response.body).to eq('file is invalid')
       end
 
       it 'Nests integers' do