From 4f5a5524860fd950e329f51522f47b9fb4d82264 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sen=C3=A9n=20Rodero=20Rodr=C3=ADguez?=
 <senenrodero@gmail.com>
Date: Wed, 14 Jun 2017 13:10:43 +0200
Subject: [PATCH] Added image content type validation to only allowing jpg
 images.

---
 app/models/budget/investment.rb       |   6 +++---
 spec/fixtures/files/logo_header.gif   | Bin 0 -> 401 bytes
 spec/fixtures/files/logo_header.jpg   | Bin 0 -> 2550 bytes
 spec/models/budget/investment_spec.rb |  24 ++++++++++++++++++++++++
 4 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 spec/fixtures/files/logo_header.gif
 create mode 100644 spec/fixtures/files/logo_header.jpg

diff --git a/app/models/budget/investment.rb b/app/models/budget/investment.rb
index 4a19dd27f..2d2e0c3c6 100644
--- a/app/models/budget/investment.rb
+++ b/app/models/budget/investment.rb
@@ -17,6 +17,8 @@ class Budget
     acts_as_paranoid column: :hidden_at
     include ActsAsParanoidAliases
 
+    has_attached_file :image, styles: { large: "600x600>", medium: "300x300>", thumb: "100x100>" }
+
     belongs_to :author, -> { with_hidden }, class_name: 'User', foreign_key: 'author_id'
     belongs_to :heading
     belongs_to :group
@@ -28,9 +30,6 @@ class Budget
     has_many :comments, as: :commentable
     has_many :milestones
 
-    has_attached_file :image, styles: { large: "600x600>"  ,medium: "300x300>", thumb: "100x100>" }
-    validates_attachment_content_type :image, content_type: /\Aimage\/.*\z/
-
     validates :title, presence: true
     validates :author, presence: true
     validates :description, presence: true
@@ -41,6 +40,7 @@ class Budget
     validates :title, length: { in: 4..Budget::Investment.title_max_length }
     validates :description, length: { maximum: Budget::Investment.description_max_length }
     validates :terms_of_service, acceptance: { allow_nil: false }, on: :create
+    validates_attachment :image, content_type: { content_type: ["image/jpeg"] }
 
     scope :sort_by_confidence_score, -> { reorder(confidence_score: :desc, id: :desc) }
     scope :sort_by_ballots,          -> { reorder(ballot_lines_count: :desc, id: :desc) }
diff --git a/spec/fixtures/files/logo_header.gif b/spec/fixtures/files/logo_header.gif
new file mode 100644
index 0000000000000000000000000000000000000000..4bfddd4104a97cb285d57d8c0230a608a7c62b9e
GIT binary patch
literal 401
zcmV;C0dD?BNk%w1VNd{20Du7ie@WN>|NkNW5kqoiVRU6=Aa`kWXdp*PO;7+K`2+z9
z0096j00000PykQ>00RDukEzS;52Kv4+KaQ^y!#J^;z*X}X#wiWw(bkZa!k$kjpKFB
z_xTP$X;wgChB!eQQ>x;U8B8{x6=lRqy-p?A?4#=ddl_Q#cKkg<%4h^z@oop=ZnYe4
z59jX(dVkM12e{xjRwx)1h?l6vsQBlY7OCe#$x=1AC<Q|(v+1-pvq;kjD(MM{8amlP
zr<1BmY1(>IXH)vQDhf*~IcrvH@amg;x{G)$TWs7rtjv{Z+bev#`fK?z%4xj}oef;c
z?R~M`87__sbgu1pc!=CW`;AV|d}+Q;JnlW85UZcgo|u0C>&eT<>z%u330YB#hsmKi
zb(s(bG<c97hE#<T2~`=w5Yi(}-9~a8=`Z9%l(w!ZI>~Zn$wx3_)?|4TWlobS5yh0b
v&t}heRCdxF+B1vMmq>j$eF~8u)TuovQoUO3r`D}pyL$Z!HmukY1poj$PE@%L

literal 0
HcmV?d00001

diff --git a/spec/fixtures/files/logo_header.jpg b/spec/fixtures/files/logo_header.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..aeed9e52495fc150130413e3f3fae40fd89ca34a
GIT binary patch
literal 2550
zcmb7GdpuNI8{T`*j2UKz*$l}ggWOf)TFIT<hC(TQQYb1BqLWG;!_iDCF}YtNxr9R>
z#w95#iY}yaO^4A$N@WyIH7;k5Q|kNkd-wY7-=259YwhP*@3WuZEcP#Q0g{uQqa6T(
zAmD&pz~Ufa1E3&CIFLXi1B1h0&}fVp7At}yh!F^QF+83qE=eMa!{T^6NrnVVk)@@j
z2@)%0WyrFUWNET+6A*>0L1RQQ7*R42PbB}}v3L)Faeyn}iUMH(f<Y7vF17%2La4$3
zmIEt-!9gfwPJStm`gIP4fzTo#cJT#3K!E^6LXiLfoI!X3=oJIUjlQw~Fp*O}@nE`z
zb7r~`2LPENLuqu-aQOB*NJ`17f8tnu)M-Iy(~CW5^{l@Oxt1>LCuz+LRuk<xGBw>W
z7n&tAYd?B3+(q!5PgyFlR+_l=JHz6ZZi$nb#y(DN?({D!&#rfG$o|R~M16DRaVDmI
zc^d%yTV{1SEqreV1z1Tm8EOo1MvzJ%)F>nXL?aB4@jWmA3N1pCF@it}RSMyULui8-
zXl_E9S(JBBwKvA>=WW*nY~9?7y)@etHf6=jPdl6Ef(rEEFoG|{MS1*n?o*23QoMvB
ztnlTg$ECEWD-CwXuGKG<mX!>D93}6pD;n&KRFbLE8L%#$f7psmIM<Uett@BY+HZ`B
zy_lfTT)&iF+TXLf6^}Zzs%~Ur`Sz~!KztzfjgST`qya#vA1nZ*DJVoh`jW~N73vZV
zq<<FR-0MU(cTI;^cHPD!M_-QKe6$gtKz!QQv8v)oN#%ZjbN%kNx!c9ImQQVZp7uZr
z`sC~s_}fdf-G6O&emLMfxkp=l|ER+x>^c*E%q5ZSE0yc7H_Bx3E(;T%8D%VeULyPE
zp`*`73m?-`(=>T&Hd+)T_|_r#K(r_d4Pw3{1R>;{F(hd{L$|Q2ce`LoDT*?cPqy-<
zS57U#g@kawj7eetd&!!Fx#(@{V>DWJ{enni%`rH-FSR0{D)*_U+YYtoKMl<0!;fiW
z5`II;x_GUeJtAJYyHoi`Uv4vLB-9z&JR*PXk1ULM*TovWC(b{4Ha4|F%k1?u5!Uod
zmcHtJ@^`Xh2zE`YL0R+Ta2v)r(>`g?8FJPZER2*nT~TwrOA#a-VhxFV#UI#7PaQkw
ztmHEnCx2#sti8p-rU_s#0xmkS>-xrwSHI)n=;B;~Aj^EA`{$OnrmgP{^4}`)Oe2d+
zb#}d@S=+58uyT8Hn|52zUD90M`Awf%qe30|iQ1&!P+Z=5xk6^k;rrVwWiLhsrmDg>
zi0&<ZMkA%37wj61XfU(yY}(_YduBSjWTJAB^VLIS3_&;yg!ys45QqX`G|9j>oK@8&
zsjO$^CZ&oYQ>c9FF#6Sz@46PTfCK@bAB-o~U;R)@%lD4*at{~p3U++5X>*MR^@B`z
z_I>tp%F?vG!FCJfR6J|E&fBYhqTozz7{_tPtjSxs>}xf4JLio?RJM)08D>j4DXm=u
z-eR<-)Sg{Xr8%5*C}q0aE&@KXza?xx8k%V3TF*M(-C=S_d+4FJsvGqSKlAu|$59o=
zTQN8+Vz1<z`7MeObhkP;GQO(KP3M53VM@rpilmY=3dA-qt&H@~IfD!9I&Y|Fq+c>G
zT$3txR`r2^Thf^q|0&xrTgtb}Cd@;fH8r>V23PkScSiyfm8LZL^%a<EC4W%TL5rwb
zVCj<ljPWpn?n@s*Prgihw7g)ZIw8}k+MgT2%-%NJrPj5sLHE!``^d_IQN>peE+-#9
zFSo^QXgS4QxnEIo1!=y;F~Vz7Anb+;3HkaUp|AXK6%ZD70HFGYQRw`ne+7=%iiPrr
z=!NJ!^}eUZK?BtRc?&UlMU2zc0nL;mQMTy5+?hCwP{rpl9UJcW>A!9tD6F$nC3L#i
zLaZKi{ra4!*`T($*k>-e)tu}OQ?}{5kn)))CGLzVy@|_})&53><>man?4AgZ0v%Jy
z4W=?zPG)ct+t+DOPdA#NuX)5rshCx6?F?uWMN@2?I#wSiJKTYq_r9Fbw>5jD-Fh~H
zk<>O<*6-3(IXqD9BQaiz3yR_dJk2r=lo*c(4jorQM6_i7fY5bFEXUQX!@+fq`&l%#
zb7i`zpkbBg*wOX?F`637Q8#li_&HLrRd_mx7eLtm^(qpq=Nm@v;!~`Yscy?|Mf%np
zT_XOdV3T&@`%;^#rAJMsg!bU)oM6+k;CK~kJbvXLZeJ}mHT^i{#VNseaOV3V%E=SG
zoJX}UBvlQ;Z)Ar7G_;VqRG;Urd<sTMgv1<Ue=2X<*vp~AI~3zQf0Op@_h9%gJ;Jbg
zCjwCoMw$bOfS6wz2q=?~7G9n5rBK7@NhADalOoMNquPXJBzGBCB>aqM0=hq7zmfM8
zcm9CJxx3uMpJUWJXyInHpM5^^{FFb@4%mfP%jE0~ttz$K%zTpZgqc5XUEoBlxLA0^
z|4``bsST#UTh(uyHfc;J$!WRT>)Y(+nj3c%&Ff~eE>HLA&M2HP-68?W@IB@2s#o4I
z?7etihr8)xaTcNVdf;7iH$o(yHXV4rR??eLd-;O_-=Rq1iUu~COsLYWTM?@}VwjPX
z73eA<h^188AB^GMq)z%jc6T0;D!9Q73R3Fz5F)VH)&2_bfhG)e@+Q4=6qhfYtY+1d
zws-QUgko193I8-8QvacK01-Q&XGNj<es>wrf;2ZgzrD5FzigNwxX%z**syhe`_pIs
z*M@h`b1mscCZSZfB*{WMoPzNhe6&Z2TEMhsD9%8{8RyC7aaACOnN78yrMJ}?uH}0|
zif4V?zIrATt#~_#-d&p)vd=_&ZL*t~#&zjJch$cktk-6Gyl7E`?Y$aa&0Y~vQf<#|
zVstuBQ}%w!9}4yWFNQqury=oM`m@uC6u(=F<*OI8Dnv5Vjm3K#N=s8bJUm|S^-RoM
zrMuZ?i+FSUW;%0+d^7-{X6X>P2$ZJR|5<b5ZBu0E$bAML`JGX(%Ra$tDqbA;2UyJs
At^fc4

literal 0
HcmV?d00001

diff --git a/spec/models/budget/investment_spec.rb b/spec/models/budget/investment_spec.rb
index df32853ad..dda046275 100644
--- a/spec/models/budget/investment_spec.rb
+++ b/spec/models/budget/investment_spec.rb
@@ -29,6 +29,30 @@ describe Budget::Investment do
     end
   end
 
+  describe "#image" do
+
+    describe "extesion" do
+      it "should not be valid with '.png' extension" do
+        investment.image = File.new("spec/fixtures/files/logo_header.png")
+
+        expect(investment).to_not be_valid
+      end
+
+      it "should not be valid with '.gif' extension" do
+        investment.image = File.new("spec/fixtures/files/logo_header.gif")
+
+        expect(investment).to_not be_valid
+      end
+
+      it "should be valid with '.jpg' extension" do
+        investment.image = File.new("spec/fixtures/files/logo_header.jpg")
+
+        expect(investment).to be_valid
+      end
+    end
+
+  end
+
   it "sanitizes description" do
     investment.description = "<script>alert('danger');</script>"
     investment.valid?