
I am building a rails web application where users can upload images from the browser to cloudinary. I am thinking a bit ahead, and want to prevent users from playing with the parameters being passed, in order not to have undesirable output in my pages (empty images).

In my view I have the code for the cloudinary uploader:

<%= form_tag(some_path, :method => :post) do %>
  <%= cl_image_upload_tag(:image_id) %>
  ...
<% end %>

Now, when the user uploads the image it goes directly to cloudinary, and the process returns :image_id. When the user accepts the image, I receive it in my controller like this:

if params[:image_id].present?
  preloaded = Cloudinary::PreloadedFile.new(params[:image_id])
  raise "Invalid upload signature" unless preloaded.valid?
  @model.image_id = preloaded.identifier
end

That image ID gets saved in my database for future retrieval.

Now what if the user uses a tool such as "curl", or any other method that would allow him to modify the returned :image_id before submitting it to the controller? I will have a wrong value in my database that would be difficult to find and an empty image when I try to show it in my pages. What is the best method of avoiding this?

Regards,

Ganesh Sittampalam
Yazan Khalaileh
  • When your hypothetical mischievous user uses curl, are they submitting a request to your app or directly to cloudinary? Would it be possible for them to submit directly to cloudinary? – Max Williams Jun 04 '14 at 09:45
  • Hello @MaxWilliams, in the end my user submits a request to my app, after uploading to cloudinary. I am not sure I can go around him submitting to my app, since he will need to accept the picture, in case he uploaded something else by mistake. – Yazan Khalaileh Jun 04 '14 at 09:56
  • Give [this](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet) a look. – Patsy Issa Jun 05 '14 at 07:29
  • Thanks @PatsyIssa for the link. The idea of storing a random token both in the session and the request and comparing them is indeed interesting. I will give it a try and let you know. – Yazan Khalaileh Jun 05 '14 at 11:51

1 Answer


When using cl_image_upload_tag, the value of params[:image_id] will contain a signature. The signature is validated by PreloadedFile#valid? You can know for sure that this public_id and version were returned by Cloudinary. If needed, you can also verify the version (unix timestamp) is reasonably recent.

Tal Lev-Ami
  • Two thumbs up! I have to admit that I did not go through the documentation in details yet, and used the code as it is from cloudinary examples... – Yazan Khalaileh Jun 10 '14 at 21:06
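The check the answer describes, as an added example that is not Cloudinary's, the asker's or the answerer's code: the identifier handed back to the browser carries a signature computed with a secret the browser never sees, so any edit to the public_id or version (whether made through curl or a proxy) fails verification on the server, and the version timestamp can additionally be checked for freshness. The identifier layout and the signing scheme (HMAC-SHA256 over public_id and version) are assumptions chosen for illustration; the page does not document Cloudinary's exact scheme, and the secret and sample values are constructed.

```ruby
require "openssl"

# Constructed placeholder secret; in a real app this lives in server-side config only.
API_SECRET = "example-secret-not-a-real-key".freeze
# How old a version timestamp may be before the identifier is treated as stale.
MAX_AGE_SECONDS = 24 * 60 * 60

# Produces a signed identifier of the assumed shape
#   "<resource_type>/<type>/v<version>/<public_id>#<signature>"
def sign_identifier(public_id:, version:, resource_type: "image", type: "upload", secret: API_SECRET)
  # Fixed field order so a client cannot reorder or drop fields.
  signature = OpenSSL::HMAC.hexdigest("SHA256", secret, "public_id=#{public_id}&version=#{version}")
  "#{resource_type}/#{type}/v#{version}/#{public_id}##{signature}"
end

# Splits an identifier into its parts; returns nil for anything that does not fit.
def parse_identifier(identifier)
  m = %r{\A(\w+)/(\w+)/v(\d+)/([^#]+)#([0-9a-f]+)\z}.match(identifier.to_s)
  return nil unless m
  { resource_type: m[1], type: m[2], version: m[3].to_i, public_id: m[4], signature: m[5] }
end

# Constant-time string comparison so a signature check does not leak how many
# leading bytes matched through response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok, :malformed, :bad_signature or :stale. A controller would store
# the public_id only on :ok and reject the request otherwise.
def verify_identifier(identifier, now: Time.now, secret: API_SECRET, max_age: MAX_AGE_SECONDS)
  parsed = parse_identifier(identifier)
  return :malformed unless parsed

  expected = OpenSSL::HMAC.hexdigest(
    "SHA256", secret, "public_id=#{parsed[:public_id]}&version=#{parsed[:version]}"
  )
  return :bad_signature unless secure_equal?(expected, parsed[:signature])

  # The version is a unix timestamp; an old one suggests a replayed identifier.
  return :stale if now.to_i - parsed[:version] > max_age

  :ok
end

if $PROGRAM_NAME == __FILE__
  issued_at = 1_401_873_600 # constructed timestamp
  good = sign_identifier(public_id: "sample", version: issued_at)
  puts verify_identifier(good, now: Time.at(issued_at + 60))                   # :ok
  puts verify_identifier(good.sub("sample", "other"), now: Time.at(issued_at)) # :bad_signature
  puts verify_identifier("sample", now: Time.at(issued_at))                    # :malformed
end
```

Because the signature covers both fields, the three failure modes a controller needs to distinguish (a value that is not an identifier at all, a tampered identifier, and an old but genuine one) each map to a distinct result, and only :ok should ever reach the database.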