[Rails] Active Storage how to validate file type

rails_active_storage_how_to_validate_file_type.md

Rails Active Storage how to restrict uploadable file types

Active Storage doesn't have validations yet.

We can restrict the accepted file types in the form:

<div class="field">
  <%= f.label :deliverable %>
  <%= f.file_field :deliverable, direct_upload: true, 
    accept: 'application/pdf, 
    application/zip,application/vnd.openxmlformats-officedocument.wordprocessingml.document' %>
 </div>

And add a custom validation in the model:

class Item
  has_one_attached :document

  validate :correct_document_mime_type

  private

  def correct_document_mime_type
    if document.attached? && !document.content_type.in?(%w(application/msword application/pdf))
      errors.add(:document, 'Must be a PDF or a DOC file')
    end
  end
end

Source: https://stackoverflow.com/questions/48349072/ruby-on-rails-active-storage-how-to-accept-only-pdf-and-doc?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa

You'll have to use some other approach to validate whether the attachment is what it claims to be.

If you're working with images, then imagemagick is probably an obvious choice.

the way I'd do it is

1. have a 'validated' column in my model (default false)
2. kick off a background job on create (or if the image changes)
3. use imageMagick to validate the image
4. update validated=true if it passes, delete if not

@ConfusedVorlon thank you for the suggestion! I'm a bit confused that secure content type validation is not part of ActiveStorage though. We just had a big Rails app pentested and (apart from a handful of hosting configurations), the ActiveStorage type insecurity was the ONLY thing the security company found.

Edit: actually, it seems it is secure. After create and committing the ActiveStorage::Attachment, it calls the identify() method on the Blob, which determines the Mime type by itself, overwriting the previously supplied one and setting the field "identified" to true in the meta hash of the Blob. It seems we're making some kind of mistake here... Have to dig deeper.

Storing stuff is a job for your suitcase.
Checking that there isn't a bomb in there is a job for the xray, the mass spectrometer and security team at the airport.

They're just completely separate jobs.

Add to that the fact that you could be storing images, word documents, music files, videos, gifs, pdfs, .mmw files (a custom file format for one of my apps) or a gazillion other things. It would be ridiculous for rails to try to build secure validation for all those types into their 'suitcase' functionality.

Yes, but sticking to your example, the security team checks all the deposited suitcases before storing them (in the planes). The airport needs to handle both checking and storage.

In reality, Rails is a secure web framework, so I was confused it simply seemed not to offer the xray. It does though, sometimes we seem to cause "empty" uploads which cannot be analyzed (because they're empty), so that's a fault on my site. Rails' xray is in place and works. :)

undefined method `content_type' for #ActiveStorage::Attached::Many:0x00007fdb4cbce6f0
How to resolve this?

@b-nik, Rails 6 has fixed the issue (Store newly-uploaded files on save rather than assignment). rails/rails@e8682c5

Of the two available gems I went with https://github.com/aki77/activestorage-validator as it is much simpler. You probably don't even need the gem as you could just bring in the validator class.