From d72f0c6dd25b6ef5843a32533f313927e73a655b Mon Sep 17 00:00:00 2001
From: simon lehericey
Date: Mon, 18 Jan 2021 12:34:52 +0100
Subject: [PATCH 1/2] Add authorized content type for pj
---
 .../champs/piece_justificative_champ.rb | 4 +
 .../initializers/authorized_content_types.rb | 84 +++++++++++++++++++
 .../champs/piece_justificative_champ_spec.rb | 7 ++
 3 files changed, 95 insertions(+)
 create mode 100644 config/initializers/authorized_content_types.rb
diff --git a/app/models/champs/piece_justificative_champ.rb b/app/models/champs/piece_justificative_champ.rb
index a5b1eff82..53e97854d 100644
--- a/app/models/champs/piece_justificative_champ.rb
+++ b/app/models/champs/piece_justificative_champ.rb
@@ -23,6 +23,10 @@ class Champs::PieceJustificativeChamp < Champ
 size: { less_than: MAX_SIZE },
 if: -> { !type_de_champ.skip_pj_validation }
+ validates :piece_justificative_file,
+ content_type: AUTHORIZED_CONTENT_TYPES,
+ if: -> { !type_de_champ.skip_content_type_pj_validation }
+
 def main_value_name
 :piece_justificative_file
 end
diff --git a/config/initializers/authorized_content_types.rb b/config/initializers/authorized_content_types.rb
new file mode 100644
index 000000000..8ad0f0503
--- /dev/null
+++ b/config/initializers/authorized_content_types.rb
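Review bot: The new condition `if: -> { !type_de_champ.skip_content_type_pj_validation }` reads an attribute that nothing in this patch series adds (the diffstat lists only the model, the initializer and the spec), so if `skip_content_type_pj_validation` does not already exist on the type_de_champ association's model, the lambda raises NoMethodError on every validation run instead of skipping the check; worth confirming the column or attribute is already present. A short comment above the new validator would also help readers, e.g. `# Content-type allowlist (see config/initializers/authorized_content_types.rb); can be disabled per type_de_champ like the size check`. The preceding `validates` call and the class body continue outside the hunk.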
@@ -0,0 +1,84 @@
+AUTHORIZED_CONTENT_TYPES = [
+ # multimedia
+ 'image/jpeg', # multimedia x 1467465
+ 'image/png', # multimedia x 126662
+ 'image/tiff', # multimedia x 3985
+ 'image/bmp', # multimedia x 3656
+ 'video/mp4', # multimedia x 2075
+ 'image/webp', # multimedia x 529
+ 'video/quicktime', # multimedia x 486
+ 'image/gif', # multimedia x 463
+ 'video/3gpp', # multimedia x 216
+ 'image/vnd.dwg', # multimedia x 137 auto desk
+ 'audio/mpeg', # multimedia x 26
+ 'video/x-ms-wm', # multimedia x 15 video microsoft ?
+
+ # application / program
+ 'application/json', # program x 6653577
+ 'application/zip', # program x 25831
+ 'application/octet-stream', # program x 8923 autodesk, citadel
+ 'text/x-adasrc', # program x 5116 agricultaral data
+ 'application/x-ole-storage', # program x 5015 msg message microsoft
+ 'application/x-zip-compressed', # program x 3242
+ 'text/csv', # program x 1901
+ 'message/rfc822', # program x 1622 .msg
+ 'application/x-7z-compressed', # program x 1359
+ 'application/vnd.rar', # program x 1344
+ 'application/x-x509-ca-cert', # program x 631
+ 'application/xml', # program x 314
+ 'text/x-log', # program x 188
+ 'application/gpx+xml', # program x 51
+ 'binary/octet-stream', # program x 48
+ 'application/octetstream', # program x 41
+ 'application/postscript', # program x 38
+ 'application/x-rar', # program x 37
+ 'octet/stream', # program x 33
+ 'text/tab-separated-values', # program x 30
+ 'application/gzip', # program x 24
+ 'application/x-dbf', # inconnu x 24 dbase table file format (dbf)
+ 'applicaton/octet-stream', # program x 17
+ 'application/vnd.google-earth.kml+xml', # autre x 10 transfert de point google
+ 'text/xml', # program x 10
+
+ # text / sheet / presentation
+ 'application/pdf', # text x 4628654
+ 'application/vnd.ms-excel', # text x 166674
+ 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', # text x 103879
+ 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', # text x 86336
+ 'application/vnd.oasis.opendocument.text', # text x 46229
+ 'application/msword', # text x 30167
+ 'text/plain', # text x 24477
+ 'application/vnd.oasis.opendocument.spreadsheet', # text x 15218
+ 'application/vnd.openxmlformats-officedocument.presentationml.presentation', # text x 3231
+ 'application/vnd.ms-excel.sheet.macroenabled.12', # text x 1487
+ 'application/rtf', # text x 1438
+ 'application/vnd.apple.pages', # text x 609
+ 'application/vnd.oasis.opendocument.graphics', # text x 535
+ 'application/vnd.ms-powerpoint', # text x 363
+ 'application/vnd.oasis.opendocument.presentation', # text x 169
+ 'application/oxps', # inconnu x 149 openxml ?
+ 'application/vnd.apple.numbers', # text x 144
+ 'application/x-iwork-pages-sffpages', # text x 139
+ 'application/vnd.ms-publisher', # text x 100
+ 'application/vnd.oasis.opendocument.text-template', # text x 100
+ 'application/vnd.openxmlformats-officedocument.wordprocessingml.template', # text x 75
+ 'application/vnd.ms-word.document.macroenabled.12', # text x 61
+ 'application/vnd.openxmlformats-officedocument.spreadsheetml.template', # text x 59
+ 'application/vnd.openxmlformats-officedocument.presentationml.slideshow', # text x 32
+ 'application/x-pdf', # text x 30
+ 'application/kswps', # inconnu x 26 , text ?
+ 'application/x-iwork-numbers-sffnumbers', # text x 25
+ 'text/rtf', # text x 25
+ 'image/pdf', # text x 23
+ 'application/vnd.ms-xpsdocument', # text x 23
+ 'application/vnd.ms-excel.sheet.binary.macroenabled.12', # text x 21
+ 'application/vnd.ms-powerpoint.presentation.macroenabled.12', # text x 15
+ 'application/x-msword', # text x 15
+ 'application/vnd.oasis.opendocument.spreadsheet-template', # text x 14
+ 'application/vnd.oasis.opendocument.text-master', # text x 12
+ 'text/pdf', # text x 12
+ 'application/x-abiword', # text x 11
+ 'application/x-iwork-keynote-sffnumbers', # text x 11
+ 'application/x-iwork-keynote-sffkey', # text x 10
+ 'application/vnd.sun.xml.writer' # text x 10
+]
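Review bot: `AUTHORIZED_CONTENT_TYPES` is a mutable top-level array shared by every validator that references it, so its closing line should be `].freeze` (and the file can carry `# frozen_string_literal: true` as its first line if the project uses that pragma). Separately, the list admits `application/octet-stream`, `binary/octet-stream`, `octet/stream` and the misspelled `applicaton/octet-stream`, which are the generic types a detector reports when it cannot identify a file, as well as the `…macroenabled.12` Office variants; the validator therefore presumably rejects only files positively identified as some other type, not unidentified binaries or active content. That intent deserves a header comment such as `# Allowlist of accepted upload content types; generic octet-stream types are included, so unidentified files pass and only positively identified disallowed types are rejected.` The trailing `# <category> x <count>` comments look like one-off usage statistics, so naming their date and source in that header would make the list maintainable, and `text/x-adasrc` is the Ada source type rather than "agricultaral data", so the labels should be checked against the same source.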
diff --git a/spec/models/champs/piece_justificative_champ_spec.rb b/spec/models/champs/piece_justificative_champ_spec.rb
index 56d716ba3..9886224d1 100644
--- a/spec/models/champs/piece_justificative_champ_spec.rb
+++ b/spec/models/champs/piece_justificative_champ_spec.rb
@@ -22,6 +22,7 @@ describe Champs::PieceJustificativeChamp do
 context "by default" do
 it { is_expected.to validate_size_of(:piece_justificative_file).less_than(Champs::PieceJustificativeChamp::MAX_SIZE) }
+ it { is_expected.to validate_content_type_of(:piece_justificative_file).rejecting('application/x-ms-dos-executable') }
 it { expect(champ_pj.type_de_champ.skip_pj_validation).to be_falsy }
 end
@@ -30,6 +31,12 @@ describe Champs::PieceJustificativeChamp do
 it { is_expected.not_to validate_size_of(:piece_justificative_file).less_than(Champs::PieceJustificativeChamp::MAX_SIZE) }
 end
+
+ context "when content-type validation is disabled" do
+ before { champ_pj.type_de_champ.update(skip_content_type_pj_validation: true) }
+
+ it { is_expected.not_to validate_content_type_of(:piece_justificative_file).rejecting('application/x-ms-dos-executable') }
+ end
 end
 describe "#for_export" do
From 685534e8274727283c5ee443074ffae64539577a Mon Sep 17 00:00:00 2001
From: simon lehericey
Date: Mon, 18 Jan 2021 13:50:24 +0100
Subject: [PATCH 2/2] Add content validation for avis and messages
---
 app/models/avis.rb | 8 ++++++++
 app/models/commentaire.rb | 5 ++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/app/models/avis.rb b/app/models/avis.rb
index 51da59ce1..62d89b8ad 100644
--- a/app/models/avis.rb
+++ b/app/models/avis.rb
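Review bot: The new matcher in the first hunk only checks one rejected type, so a regression that empties or mis-assigns the allowlist would still pass; adding an allowed type pins the positive side too, e.g. `it { is_expected.to validate_content_type_of(:piece_justificative_file).allowing('application/pdf').rejecting('application/x-ms-dos-executable') }`. The second hunk's `when content-type validation is disabled` example can carry the same `allowing` clause so both sides of the switch are exercised. Both hunks sit inside the `describe Champs::PieceJustificativeChamp do` block, whose start and end lie outside them.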
@@ -24,6 +24,14 @@ class Avis < ApplicationRecord
 has_one_attached :piece_justificative_file
 has_one_attached :introduction_file
+ validates :piece_justificative_file,
+ content_type: AUTHORIZED_CONTENT_TYPES,
+ size: { less_than: 20.megabytes }
+
+ validates :introduction_file,
+ content_type: AUTHORIZED_CONTENT_TYPES,
+ size: { less_than: 20.megabytes }
+
 validates :email, format: { with: Devise.email_regexp, message: "n'est pas valide" }, allow_nil: true
 validates :claimant, presence: true
 validates :piece_justificative_file, size: { less_than: 20.megabytes }
diff --git a/app/models/commentaire.rb b/app/models/commentaire.rb
index de8988d47..d55a5ce69 100644
--- a/app/models/commentaire.rb
+++ b/app/models/commentaire.rb
@@ -22,7 +22,10 @@ class Commentaire < ApplicationRecord
 has_one_attached :piece_jointe
 validates :body, presence: { message: "ne peut ĂȘtre vide" }
- validates :piece_jointe, size: { less_than: 20.megabytes }
+
+ validates :piece_jointe,
+ content_type: AUTHORIZED_CONTENT_TYPES,
+ size: { less_than: 20.megabytes }
 default_scope { order(created_at: :asc) }
 scope :updated_since?, -> (date) { where('commentaires.updated_at > ?', date) }
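Review bot: After this change `piece_justificative_file` carries two validators with the same size limit in the avis.rb hunk: the new `validates :piece_justificative_file, content_type: AUTHORIZED_CONTENT_TYPES, size: { less_than: 20.megabytes }` and the pre-existing `validates :piece_justificative_file, size: { less_than: 20.megabytes }` still visible as the hunk's last context line, so an oversized file will be reported with the size error twice. The old line should be removed, as the commentaire.rb hunk does for `:piece_jointe`. The `20.megabytes` limit is now repeated three times across Avis and Commentaire; a named constant such as the `MAX_SIZE` that Champs::PieceJustificativeChamp already uses would keep them in step. The Avis class body continues outside the hunk.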