Merge pull request #5844 from betagouv/check_content_type

Restreint les content types autorisés des pièces jointes
This commit is contained in:
LeSim 2021-01-18 17:35:03 +01:00 committed by GitHub
commit ec1f6a7bfb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 107 additions and 1 deletions


@ -24,6 +24,14 @@ class Avis < ApplicationRecord
has_one_attached :piece_justificative_file
has_one_attached :introduction_file
validates :piece_justificative_file,
content_type: AUTHORIZED_CONTENT_TYPES,
size: { less_than: 20.megabytes }
validates :introduction_file,
content_type: AUTHORIZED_CONTENT_TYPES,
size: { less_than: 20.megabytes }
validates :email, format: { with: Devise.email_regexp, message: "n'est pas valide" }, allow_nil: true
validates :claimant, presence: true
validates :piece_justificative_file, size: { less_than: 20.megabytes }
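Review bot: If the header counts are right (6 old lines, 14 new, so no deletion in this hunk), the trailing `validates :piece_justificative_file, size: { less_than: 20.megabytes }` survives next to the new three-line `validates :piece_justificative_file, content_type: AUTHORIZED_CONTENT_TYPES, size: { less_than: 20.megabytes }` that already carries the same limit, so the size check on piece_justificative_file runs twice and the two limits can drift apart independently. Drop the old line so the attachment has a single validation declaration, as `introduction_file` does. If the line was in fact removed and only rendered here without its marker, disregard; the rendered page shows no `+`/`-` column, so this is inferred from the counts.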


@ -23,6 +23,10 @@ class Champs::PieceJustificativeChamp < Champ
size: { less_than: MAX_SIZE },
if: -> { !type_de_champ.skip_pj_validation }
validates :piece_justificative_file,
content_type: AUTHORIZED_CONTENT_TYPES,
if: -> { !type_de_champ.skip_content_type_pj_validation }
def main_value_name
:piece_justificative_file
end
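Review bot: The new condition `if: -> { !type_de_champ.skip_content_type_pj_validation }` negates inside the lambda, which reads more directly as `unless: -> { type_de_champ.skip_content_type_pj_validation }`; the same applies to the existing `skip_pj_validation` condition on the lines above, which this hunk only shows the tail of (that `validates` statement begins outside the hunk). Note also that none of the five changed files is a migration, so `skip_content_type_pj_validation` is presumably an attribute that already exists on type_de_champ; the spec in this commit updates it, which supports that, but it is worth confirming before merge.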


@ -22,7 +22,10 @@ class Commentaire < ApplicationRecord
has_one_attached :piece_jointe
validates :body, presence: { message: "ne peut être vide" }
validates :piece_jointe, size: { less_than: 20.megabytes }
validates :piece_jointe,
content_type: AUTHORIZED_CONTENT_TYPES,
size: { less_than: 20.megabytes }
default_scope { order(created_at: :asc) }
scope :updated_since?, -> (date) { where('commentaires.updated_at > ?', date) }


@ -0,0 +1,84 @@
AUTHORIZED_CONTENT_TYPES = [
# multimedia
'image/jpeg', # multimedia x 1467465
'image/png', # multimedia x 126662
'image/tiff', # multimedia x 3985
'image/bmp', # multimedia x 3656
'video/mp4', # multimedia x 2075
'image/webp', # multimedia x 529
'video/quicktime', # multimedia x 486
'image/gif', # multimedia x 463
'video/3gpp', # multimedia x 216
'image/vnd.dwg', # multimedia x 137 auto desk
'audio/mpeg', # multimedia x 26
'video/x-ms-wm', # multimedia x 15 video microsoft ?
# application / program
'application/json', # program x 6653577
'application/zip', # program x 25831
'application/octet-stream', # program x 8923 autodesk, citadel
'text/x-adasrc', # program x 5116 agricultaral data
'application/x-ole-storage', # program x 5015 msg message microsoft
'application/x-zip-compressed', # program x 3242
'text/csv', # program x 1901
'message/rfc822', # program x 1622 .msg
'application/x-7z-compressed', # program x 1359
'application/vnd.rar', # program x 1344
'application/x-x509-ca-cert', # program x 631
'application/xml', # program x 314
'text/x-log', # program x 188
'application/gpx+xml', # program x 51
'binary/octet-stream', # program x 48
'application/octetstream', # program x 41
'application/postscript', # program x 38
'application/x-rar', # program x 37
'octet/stream', # program x 33
'text/tab-separated-values', # program x 30
'application/gzip', # program x 24
'application/x-dbf', # inconnu x 24 dbase table file format (dbf)
'applicaton/octet-stream', # program x 17
'application/vnd.google-earth.kml+xml', # autre x 10 transfert de point google
'text/xml', # program x 10
# text / sheet / presentation
'application/pdf', # text x 4628654
'application/vnd.ms-excel', # text x 166674
'application/vnd.openxmlformats-officedocument.wordprocessingml.document', # text x 103879
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', # text x 86336
'application/vnd.oasis.opendocument.text', # text x 46229
'application/msword', # text x 30167
'text/plain', # text x 24477
'application/vnd.oasis.opendocument.spreadsheet', # text x 15218
'application/vnd.openxmlformats-officedocument.presentationml.presentation', # text x 3231
'application/vnd.ms-excel.sheet.macroenabled.12', # text x 1487
'application/rtf', # text x 1438
'application/vnd.apple.pages', # text x 609
'application/vnd.oasis.opendocument.graphics', # text x 535
'application/vnd.ms-powerpoint', # text x 363
'application/vnd.oasis.opendocument.presentation', # text x 169
'application/oxps', # inconnu x 149 openxml ?
'application/vnd.apple.numbers', # text x 144
'application/x-iwork-pages-sffpages', # text x 139
'application/vnd.ms-publisher', # text x 100
'application/vnd.oasis.opendocument.text-template', # text x 100
'application/vnd.openxmlformats-officedocument.wordprocessingml.template', # text x 75
'application/vnd.ms-word.document.macroenabled.12', # text x 61
'application/vnd.openxmlformats-officedocument.spreadsheetml.template', # text x 59
'application/vnd.openxmlformats-officedocument.presentationml.slideshow', # text x 32
'application/x-pdf', # text x 30
'application/kswps', # inconnu x 26 , text ?
'application/x-iwork-numbers-sffnumbers', # text x 25
'text/rtf', # text x 25
'image/pdf', # text x 23
'application/vnd.ms-xpsdocument', # text x 23
'application/vnd.ms-excel.sheet.binary.macroenabled.12', # text x 21
'application/vnd.ms-powerpoint.presentation.macroenabled.12', # text x 15
'application/x-msword', # text x 15
'application/vnd.oasis.opendocument.spreadsheet-template', # text x 14
'application/vnd.oasis.opendocument.text-master', # text x 12
'text/pdf', # text x 12
'application/x-abiword', # text x 11
'application/x-iwork-keynote-sffnumbers', # text x 11
'application/x-iwork-keynote-sffkey', # text x 10
'application/vnd.sun.xml.writer' # text x 10
]
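Review bot: The allowlist admits the generic binary types `'application/octet-stream'`, `'binary/octet-stream'`, `'octet/stream'` and the misspelt `'applicaton/octet-stream'`, so any upload whose content type resolves to one of those is accepted, and the validation in practice only rejects files that are positively identified as a type outside the list (such as the spec's `application/x-ms-dos-executable`). The `# program x N` tallies and the misspelt entries suggest the list was derived from content types recorded on past uploads, i.e. values that originate from the client; whether the validator compares against that declared value or against a type sniffed from the file bytes depends on how ActiveStorage identifies the blob, which is not visible here and is worth confirming and stating. A header comment would make the intent explicit for the next maintainer, e.g. `# Generic octet-stream entries make this list permissive for unidentified binaries; it excludes known-bad types rather than guaranteeing safe ones.` Two smaller points: freeze the literal (`].freeze`) so models cannot mutate the shared array, and since `AUTHORIZED_CONTENT_TYPES` is a bare top-level constant referenced from three models, consider giving it a namespace.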


@ -22,6 +22,7 @@ describe Champs::PieceJustificativeChamp do
context "by default" do
it { is_expected.to validate_size_of(:piece_justificative_file).less_than(Champs::PieceJustificativeChamp::MAX_SIZE) }
it { is_expected.to validate_content_type_of(:piece_justificative_file).rejecting('application/x-ms-dos-executable') }
it { expect(champ_pj.type_de_champ.skip_pj_validation).to be_falsy }
end
@ -30,6 +31,12 @@ describe Champs::PieceJustificativeChamp do
it { is_expected.not_to validate_size_of(:piece_justificative_file).less_than(Champs::PieceJustificativeChamp::MAX_SIZE) }
end
context "when content-type validation is disabled" do
before { champ_pj.type_de_champ.update(skip_content_type_pj_validation: true) }
it { is_expected.not_to validate_content_type_of(:piece_justificative_file).rejecting('application/x-ms-dos-executable') }
end
end
describe "#for_export" do
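Review bot: Both new examples only assert that `application/x-ms-dos-executable` is rejected, which proves little about the allowlist itself and would still pass if `AUTHORIZED_CONTENT_TYPES` were empty; add a positive example such as `it { is_expected.to validate_content_type_of(:piece_justificative_file).allowing('application/pdf') }` in the default context so a regression that drops a common type is caught. The same content-type validation was added to `Avis` and `Commentaire` in this commit but their specs are not among the five changed files, so those models have no coverage for the new behaviour.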