Thought it'd be good to notice these things in file upload handling. Paperclip is a great gem. However, devs seem to ignore some details on content type spoofing and ImageMagick vulnerabilities.
AFAIK, content spoofing fails on higher level types. For example, content type validation with 'video/mp4' will also allow a spoofed PDF file as a video. Content type matching works on the media type, which for both has the same value, 'application'.
Reported an issue here, but no activity so far: https://github.com/thoughtbot/paperclip/issues/2426
Also, while setting up Paperclip most devs won't dig into ImageMagick policies or anything, which could lead to severe vulnerabilities and DoS attacks like https://hackerone.com/reports/390. It'd be nice to look into some ImageMagick policies that suit your environment:
https://www.imagemagick.org/script/resources.php
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=26801
https://imagetragick.com/#info
https://github.com/thoughtbot/paperclip/issues/1513
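As an added example (not Paperclip's code and not from the linked issue), here is a minimal Ruby check that sniffs the leading bytes of an upload and requires the sniffed type to exactly equal both the declared type and an allowlist entry, so a PDF sent with a 'video/mp4' header is rejected; the magic-byte table and sample files are constructed for this example.

```ruby
# Added example, not Paperclip's own code: reject a spoofed upload by
# sniffing the leading bytes and requiring an exact content-type match.
# The magic-byte table below is a small constructed subset of real signatures.
MAGIC = [
  { type: 'application/pdf', offset: 0, bytes: "%PDF-".b },
  { type: 'image/png',       offset: 0, bytes: "\x89PNG\r\n\x1a\n".b },
  { type: 'image/jpeg',      offset: 0, bytes: "\xFF\xD8\xFF".b },
  { type: 'image/gif',       offset: 0, bytes: "GIF8".b },
  { type: 'video/mp4',       offset: 4, bytes: "ftyp".b },  # 4-byte box size comes first
].freeze

# MIME type implied by the file's own bytes, or nil if no signature matches.
def sniff_content_type(data)
  head = data.to_s.byteslice(0, 16).b
  hit = MAGIC.find { |m| head.byteslice(m[:offset], m[:bytes].bytesize) == m[:bytes] }
  hit && hit[:type]
end

# Weak check: trusts the Content-Type the client sent.
# A renamed PDF uploaded as video/mp4 passes this.
def declared_type_allowed?(declared, allowed)
  allowed.include?(declared)
end

# Stronger check: the type sniffed from the bytes must be on the allowlist
# and must equal the declared type; unknown signatures are rejected.
def upload_acceptable?(declared, data, allowed)
  sniffed = sniff_content_type(data)
  !sniffed.nil? && allowed.include?(sniffed) && sniffed == declared
end

# Constructed sample files (headers only; enough for signature checks).
PDF_SAMPLE = "%PDF-1.7\n%\xE2\xE3\xCF\xD3\n1 0 obj\n".b
MP4_SAMPLE = "\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41".b
ALLOWED    = ['video/mp4'].freeze

if __FILE__ == $PROGRAM_NAME
  # A PDF renamed to .mp4 and sent with Content-Type: video/mp4
  puts declared_type_allowed?('video/mp4', ALLOWED)          # true  (spoof accepted)
  puts upload_acceptable?('video/mp4', PDF_SAMPLE, ALLOWED)  # false (spoof rejected)
  puts upload_acceptable?('video/mp4', MP4_SAMPLE, ALLOWED)  # true  (real mp4 header)
end
```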