discourse/lib/validators/upload_validator.rb

# frozen_string_literal: true

require "file_helper"

class UploadValidator < ActiveModel::Validator
  def validate(upload)
    # staff can upload any file in PM
    if (upload.for_private_message && SiteSetting.allow_staff_to_upload_any_file_in_pm)
      return true if upload.user&.staff?
    end

    # check the attachment blocklist
    if upload.for_group_message && SiteSetting.allow_all_attachments_for_group_messages
      return upload.original_filename =~ SiteSetting.blocked_attachment_filenames_regex
    end

    extension = File.extname(upload.original_filename)[1..-1] || ""

    if upload.for_site_setting && upload.user&.staff? &&
         FileHelper.is_supported_image?(upload.original_filename)
      return true
    end

    if upload.for_gravatar && FileHelper.supported_gravatar_extensions.include?(extension)
      maximum_image_file_size(upload)
      return true
    end

    return true if changing_upload_security?(upload)

    if is_authorized?(upload, extension)
      if FileHelper.is_supported_image?(upload.original_filename)
        authorized_image_extension(upload, extension)
        maximum_image_file_size(upload)
      else
        authorized_attachment_extension(upload, extension)
        maximum_attachment_file_size(upload)
      end
    end
  end

  # this should only be run on existing records, and covers cases of
  # upload.update_secure_status being run outside of the creation flow,
  # where some cases e.g. have exemptions on the extension enforcement
  def changing_upload_security?(upload)
    !upload.new_record? &&
      upload.changed_attributes.keys.all? do |attribute|
        %w[secure security_last_changed_at security_last_changed_reason].include?(attribute)
      end
  end

  def is_authorized?(upload, extension)
    extension_authorized?(upload, extension, authorized_extensions(upload))
  end

  def authorized_image_extension(upload, extension)
    extension_authorized?(upload, extension, authorized_images(upload))
  end

  def maximum_image_file_size(upload)
    maximum_file_size(upload, "image")
  end

  def authorized_attachment_extension(upload, extension)
    extension_authorized?(upload, extension, authorized_attachments(upload))
  end

  def maximum_attachment_file_size(upload)
    maximum_file_size(upload, "attachment")
  end

  private

  def extensions_to_set(exts)
    extensions = Set.new

    exts
      .gsub(/[\s\.]+/, "")
      .downcase
      .split("|")
      .each { |extension| extensions << extension unless extension.include?("*") }

    extensions
  end

  def authorized_extensions(upload)
    extensions =
      if upload.for_theme
        SiteSetting.theme_authorized_extensions
      elsif upload.for_export
        SiteSetting.export_authorized_extensions
      else
        SiteSetting.authorized_extensions
      end
    extensions_to_set(extensions)
  end

  def authorized_images(upload)
    authorized_extensions(upload) & FileHelper.supported_images
  end

  def authorized_attachments(upload)
    authorized_extensions(upload) - FileHelper.supported_images
  end

  def authorizes_all_extensions?(upload)
    if upload.user&.staff?
      return true if SiteSetting.authorized_extensions_for_staff.include?("*")
    end
    extensions =
      if upload.for_theme
        SiteSetting.theme_authorized_extensions
      elsif upload.for_export
        SiteSetting.export_authorized_extensions
      else
        SiteSetting.authorized_extensions
      end
    extensions.include?("*")
  end

  def extension_authorized?(upload, extension, extensions)
    return true if authorizes_all_extensions?(upload)

    staff_extensions = Set.new
    if upload.user&.staff?
      staff_extensions = extensions_to_set(SiteSetting.authorized_extensions_for_staff)
      return true if staff_extensions.include?(extension.downcase)
    end

    unless authorized = extensions.include?(extension.downcase)
      message =
        I18n.t(
          "upload.unauthorized",
          authorized_extensions: (extensions | staff_extensions).to_a.join(", "),
        )
      upload.errors.add(:original_filename, message)
    end

    authorized
  end

  def maximum_file_size(upload, type)
    return if !upload.validate_file_size

    max_size_kb =
      if upload.for_export
        SiteSetting.max_export_file_size_kb
      else
        SiteSetting.get("max_#{type}_size_kb")
      end

    max_size_bytes = max_size_kb.kilobytes

    if upload.filesize > max_size_bytes
      message =
        I18n.t(
          "upload.#{type}s.too_large_humanized",
          max_size: ActiveSupport::NumberHelper.number_to_human_size(max_size_bytes),
        )
      upload.errors.add(:filesize, message)
    end
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4. 2022-03-21 10:28:52 -04:00			`require "file_helper"`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00
DEV: Upgrading Discourse to Zeitwerk (#8098) Zeitwerk simplifies working with dependencies in dev and makes it easier reloading class chains. We no longer need to use Rails "require_dependency" anywhere and instead can just use standard Ruby patterns to require files. This is a far reaching change and we expect some followups here. 2019-10-02 00:01:53 -04:00			`class UploadValidator < ActiveModel::Validator`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`def validate(upload)`
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting 2017-06-12 16:41:29 -04:00			`# staff can upload any file in PM`
FEATURE: Upload Site Settings. (#6573) 2018-11-14 02:03:02 -05:00			`if (upload.for_private_message && SiteSetting.allow_staff_to_upload_any_file_in_pm)`
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting 2017-06-12 16:41:29 -04:00			`return true if upload.user&.staff?`
			`end`

FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist. 2020-07-26 20:23:54 -04:00			`# check the attachment blocklist`
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting 2017-06-12 16:41:29 -04:00			`if upload.for_group_message && SiteSetting.allow_all_attachments_for_group_messages`
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist. 2020-07-26 20:23:54 -04:00			`return upload.original_filename =~ SiteSetting.blocked_attachment_filenames_regex`
always strip s/mime signatures in incoming emails 2016-06-27 16:26:05 -04:00			`end`
FEATURE: new 'allow_all_attachments_for_group_messages' site setting 2016-02-29 16:39:24 -05:00
FIX: NoMethodError in on extension.upcase when upload's original filename has no extension. 2014-07-14 21:15:17 -04:00			`extension = File.extname(upload.original_filename)[1..-1] \|\| ""`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00
FEATURE: Upload Site Settings. (#6573) 2018-11-14 02:03:02 -05:00			`if upload.for_site_setting && upload.user&.staff? &&`
			`FileHelper.is_supported_image?(upload.original_filename)`
			`return true`
			`end`

FIX: Gravatar uploads being dependent on authorized_extensions. 2019-07-30 23:16:03 -04:00			`if upload.for_gravatar && FileHelper.supported_gravatar_extensions.include?(extension)`
			`maximum_image_file_size(upload)`
			`return true`
			`end`

FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed. 2022-04-20 00:11:39 -04:00			`return true if changing_upload_security?(upload)`

FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`if is_authorized?(upload, extension)`
Rename `FileHelper.is_image?` -> `FileHelper.is_supported_image?`. 2018-09-09 22:22:45 -04:00			`if FileHelper.is_supported_image?(upload.original_filename)`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`authorized_image_extension(upload, extension)`
			`maximum_image_file_size(upload)`
			`else`
			`authorized_attachment_extension(upload, extension)`
			`maximum_attachment_file_size(upload)`
			`end`
			`end`
			`end`

FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed. 2022-04-20 00:11:39 -04:00			`# this should only be run on existing records, and covers cases of`
			`# upload.update_secure_status being run outside of the creation flow,`
			`# where some cases e.g. have exemptions on the extension enforcement`
			`def changing_upload_security?(upload)`
			`!upload.new_record? &&`
			`upload.changed_attributes.keys.all? do \|attribute\|`
			`%w[secure security_last_changed_at security_last_changed_reason].include?(attribute)`
			`end`
			`end`

FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`def is_authorized?(upload, extension)`
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`extension_authorized?(upload, extension, authorized_extensions(upload))`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

			`def authorized_image_extension(upload, extension)`
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`extension_authorized?(upload, extension, authorized_images(upload))`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

			`def maximum_image_file_size(upload)`
			`maximum_file_size(upload, "image")`
			`end`

			`def authorized_attachment_extension(upload, extension)`
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`extension_authorized?(upload, extension, authorized_attachments(upload))`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

			`def maximum_attachment_file_size(upload)`
			`maximum_file_size(upload, "attachment")`
			`end`

			`private`

FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`def extensions_to_set(exts)`
			`extensions = Set.new`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`exts`
FIX: uploading custom avatar was always hidden 2016-10-20 13:53:41 -04:00			`.gsub(/[\s\.]+/, "")`
			`.downcase`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`.split("\|")`
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`.each { \|extension\| extensions << extension unless extension.include?("*") }`

			`extensions`
			`end`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`def authorized_extensions(upload)`
FIX: create upload record for exported csv files 2018-04-19 07:30:31 -04:00			`extensions =`
			`if upload.for_theme`
			`SiteSetting.theme_authorized_extensions`
			`elsif upload.for_export`
			`SiteSetting.export_authorized_extensions`
			`else`
			`SiteSetting.authorized_extensions`
			`end`
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`extensions_to_set(extensions)`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`def authorized_images(upload)`
Rename `FileHelper.images` to `FileHelper.supported_images`. 2018-09-09 22:03:44 -04:00			`authorized_extensions(upload) & FileHelper.supported_images`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`def authorized_attachments(upload)`
Rename `FileHelper.images` to `FileHelper.supported_images`. 2018-09-09 22:03:44 -04:00			`authorized_extensions(upload) - FileHelper.supported_images`
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00			`end`

FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`def authorizes_all_extensions?(upload)`
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`if upload.user&.staff?`
			`return true if SiteSetting.authorized_extensions_for_staff.include?("*")`
			`end`
FIX: create upload record for exported csv files 2018-04-19 07:30:31 -04:00			`extensions =`
			`if upload.for_theme`
			`SiteSetting.theme_authorized_extensions`
			`elsif upload.for_export`
			`SiteSetting.export_authorized_extensions`
			`else`
			`SiteSetting.authorized_extensions`
			`end`
FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`extensions.include?("*")`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`

FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`def extension_authorized?(upload, extension, extensions)`
FEATURE: support uploads for themes This allows themes to bundle various assets 2017-05-09 17:20:28 -04:00			`return true if authorizes_all_extensions?(upload)`
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`staff_extensions = Set.new`
			`if upload.user&.staff?`
			`staff_extensions = extensions_to_set(SiteSetting.authorized_extensions_for_staff)`
			`return true if staff_extensions.include?(extension.downcase)`
			`end`

FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00			`unless authorized = extensions.include?(extension.downcase)`
FEATURE: New site setting for additional allowed filetypes for staff (#5364) * FEATURE: New site setting for additional allowed filetypes for staff * Problematic variable name * feedback * small issues * fix indentation * failing tests * Remove message bus and fix minor issues * Missed this message bus 2018-02-19 04:44:24 -05:00			`message =`
			`I18n.t(`
			`"upload.unauthorized",`
			`authorized_extensions: (extensions \| staff_extensions).to_a.join(", "),`
			`)`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`upload.errors.add(:original_filename, message)`
			`end`
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`authorized`
			`end`

			`def maximum_file_size(upload, type)`
FIX: Allow attr updates of over-size-limit uploads (#18986) 2022-11-11 11:56:11 -05:00			`return if !upload.validate_file_size`

FIX: use hidden setting for max export file size 2018-07-31 01:45:31 -04:00			`max_size_kb =`
			`if upload.for_export`
			`SiteSetting.max_export_file_size_kb`
			`else`
DEV: introduce new API to look up dynamic site setting This removes all uses of both `send` and `public_send` from consumers of SiteSetting and instead introduces a `get` helper for dynamic lookup This leads to much cleaner and safer code long term as we are always explicit to test that a site setting is really there before sending an arbitrary string to the class It also removes a couple of risky stubs from the auth provider test 2019-05-06 21:00:09 -04:00			`SiteSetting.get("max_#{type}_size_kb")`
FIX: use hidden setting for max export file size 2018-07-31 01:45:31 -04:00			`end`
DEV: Prefer `public_send` over `send`. 2019-05-06 21:27:05 -04:00
FIX: error message used wrong filesize 2015-05-03 13:26:54 -04:00			`max_size_bytes = max_size_kb.kilobytes`
FEATURE: support for enabling all upload file types BUGFIX: authorized extensions is now case insensitive 2014-04-29 13:12:35 -04:00
FIX: error message used wrong filesize 2015-05-03 13:26:54 -04:00			`if upload.filesize > max_size_bytes`
FEATURE: Humanize file size error messages (#14398) The file size error messages for max_image_size_kb and max_attachment_size_kb are shown to the user in the KB format, regardless of how large the limit is. Since we are going to support uploading much larger files soon, this KB-based limit soon becomes unfriendly to the end user. For example, if the max attachment size is set to 512000 KB, this is what the user sees: > Sorry, the file you are trying to upload is too big (maximum size is 512000KB) This makes the user do math. In almost all file explorers that a regular user would be familiar width, the file size is shown in a format based on the maximum increment (e.g. KB, MB, GB). This commit changes the behaviour to output a humanized file size instead of the raw KB. For the above example, it would now say: > Sorry, the file you are trying to upload is too big (maximum size is 512 MB) This humanization also handles decimals, e.g. 1536KB = 1.5 MB 2021-09-21 17:59:45 -04:00			`message =`
			`I18n.t(`
			`"upload.#{type}s.too_large_humanized",`
			`max_size: ActiveSupport::NumberHelper.number_to_human_size(max_size_bytes),`
			`)`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`upload.errors.add(:filesize, message)`
			`end`
			`end`
			`end`