SECURITY: Make sure uploaded_urls have corresponding upload records

2025-05-21 18:12:32 +08:00 · 2016-07-28 13:54:17 -04:00
parent cf5b756b1a
commit 2891f230d1
8 changed files with 67 additions and 11 deletions
--- a/lib/validators/upload_url_validator.rb
+++ b/lib/validators/upload_url_validator.rb
@ -0,0 +1,11 @@
+class UploadUrlValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    if value.present?
+      uri = URI.parse(value) rescue nil
+
+      unless uri && Upload.exists?(url: value)
+        record.errors[attribute] << (options[:message] || I18n.t('errors.messages.invalid'))
+      end
+    end
+  end
+end