[Validation] spoofing_protection on has_many_attached runs on unchanged attachments #328
Comments
Hi again @sakif-imtiaz,

```ruby
x.attach(a)
x.save
...
x.attach(b)
x.save
```

And that the validations were run on both:

```ruby
after_save { attachment_changes[name.to_s]&.save }
after_commit(on: %i[ create update ]) { attachment_changes.delete(name.to_s).try(:upload) }
```

Or maybe I got your issue wrong?
I encountered the same issue since 1.3.5. I don't believe it is due to the spoofing protection, but rather the content type validation.

As you can see above, I have attempted to attach a bogus/blank image, and that causes all of the existing attachments to show up in the changes list. Since version 1.3.5 we are downloading the blob in order to determine the content type. So, as above, we download all of the existing attachments again.
I can't reproduce this anymore (I promise I checked a couple of ways before I wrote this). But I'm beginning to suspect what I saw was a problem with how we implemented active-storage direct upload. I'm on vacation now for a couple of weeks; I could try and verify it with fresh eyes after that and resubmit if I find anything?

Oh! I didn't see your comment before my latest one. Then it's not just the crazy pills I've been taking diligently, I probably saw the same thing you did.

@evaniainbrooks @sakif-imtiaz thanks for adding context, I think we need to change the way we validate the content_type again for better perf and not having this issue.
Alright I got it,

```ruby
# Attaches one or more +attachables+ to the record.
#
# If the record is persisted and unchanged, the attachments are saved to
# the database immediately. Otherwise, they'll be saved to the DB when the
# record is next saved.
#
#   document.images.attach(params[:images]) # Array of ActionDispatch::Http::UploadedFile objects
#   document.images.attach(params[:signed_blob_id]) # Signed reference to blob from direct upload
#   document.images.attach(io: File.open("/path/to/racecar.jpg"), filename: "racecar.jpg", content_type: "image/jpeg")
#   document.images.attach([ first_blob, second_blob ])
def attach(*attachables)
  record.public_send("#{name}=", blobs + attachables.flatten)
  if record.persisted? && !record.changed?
    return if !record.save
  end
  record.public_send("#{name}")
end
```

https://github.com/rails/rails/blob/main/activestorage/lib/active_storage/attached/many.rb#L4

Therefore it adds previously saved blobs to the
Hi @evaniainbrooks @sakif-imtiaz

Hi @evaniainbrooks & @sakif-imtiaz,
When I've got this on a model:

```ruby
validates :photos, content_type: { with: %r{\Aimage/.*\z}, spoofing_protection: true }
```

and I attach another photo, it'll run the validation on all the existing photos too. It looks like that means it would completely download each of the photos. I'm wondering if we can skip blobs that we can tell aren't changed?

I tried adding a `reject` at the end of `ActiveStorageValidations::ASVAttachable#attachables_from_changes` that seems to work:
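As an added illustration (constructed example, not code from the gem, Rails, or the thread) of the `reject` sketched above and of why `Attached::Many#attach` puts already-saved blobs into the change set: `Blob`, `Record` and `attachables_needing_validation` are stand-ins I made up. The filter compares against the record's already-attached blob ids rather than `persisted?`, because a direct-upload blob is persisted before it is attached and still needs the content-type check.

```ruby
require "set"

# Constructed stand-in for ActiveStorage::Blob (not the real class).
Blob = Struct.new(:id, :filename, keyword_init: true)

# Constructed stand-in for a model with `has_many_attached :photos`.
class Record
  attr_reader :attachment_changes

  def initialize(photos: [])
    @saved = { "photos" => photos }   # blobs already attached and persisted
    @attachment_changes = {}
  end

  # What `record.photos.blobs` would return for the saved association.
  def blobs_for(name)
    @saved.fetch(name.to_s, [])
  end

  # Mirrors Attached::Many#attach (`blobs + attachables`): the pending change
  # carries every previously saved blob plus the new attachables.
  def attach(name, *attachables)
    current = @attachment_changes.fetch(name.to_s) { blobs_for(name) }
    @attachment_changes[name.to_s] = current + attachables.flatten
  end
end

# The `reject` the issue proposes, as a stand-alone function (hypothetical name):
# drop attachables that are already attached blobs of this record, so only new
# uploads get downloaded for content-type / spoofing checks. Matching on the
# record's attached blob ids, not on `persisted?`, keeps direct-upload blobs
# (persisted before attach) in the set that still gets validated.
def attachables_needing_validation(record, name)
  change = record.attachment_changes[name.to_s]
  return [] if change.nil?

  already_attached = record.blobs_for(name).map(&:id).compact.to_set
  change.reject { |a| a.is_a?(Blob) && already_attached.include?(a.id) }
end

if $PROGRAM_NAME == __FILE__
  record = Record.new(photos: [Blob.new(id: 1, filename: "a.jpg")])
  record.attach(:photos, Blob.new(id: 2, filename: "b.jpg"))  # direct upload
  p attachables_needing_validation(record, :photos).map(&:filename)
end
```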