Hi there.

I am writing an application where users are required to show their photo; however, as my server resources are very limited, I cannot let them upload it to the server.

So I have three major questions:

1. How to properly validate a photo URL? At least I can validate it with a regexp; however, I also need to check the file ending:

`validates_format_of :photo_url, :with => URI::regexp(%w(http https))`

2. Security issues? XSS?

Even if I validate the picture at the moment of creation, a hacker can replace the image with malicious stuff at any time.

3. Maybe there are free asset stores with API?

+1  A: 

1. How to properly validate photo URL?

You can use a plugin that validates the format of a URL or write it yourself:

  validates_each :photo_url do |record, attr, value|
    begin
      uri = URI.parse(value.to_s)
      # URI::HTTPS is a subclass of URI::HTTP, so is_a? covers both schemes
      record.errors.add(attr, 'Sorry, you may only use http/https links') unless uri.is_a?(URI::HTTP)
      # \z anchors at the true end of the string (\$ would also match before an embedded newline)
      record.errors.add(attr, 'The url must point to a picture') unless value =~ /\.(png|jpg|jpeg)\z/i
    rescue URI::InvalidURIError
      record.errors.add(attr, 'The format of the url is not valid')
    end
  end

2. Security issues? XSS?

There aren't any outstanding security issues as long as you escape the text. `<%=h image_tag obj.photo_url %>` is safe. Bear in mind that the user can still use a 100MB image that will slow down every visitor.

3. Maybe there are free asset stores with API?

There aren't any that I know of, but Rackspace Cloud and Amazon S3 hosting are pretty cheap. Some image upload plugins have support for these two, so you'll at least save some time.

vise
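The two points the answer makes (restrict the URL to http/https plus an image extension, and escape the value before it lands in an attribute) can be checked outside Rails. The following is an added example written for this page, not code from the answer or from any plugin; it uses only Ruby's standard `uri` and `cgi` libraries and the function names `photo_url_errors` and `photo_img_tag` are assumptions. Unlike the answer's validator it checks the extension on `uri.path` rather than the whole string, so a query string or fragment after the filename does not disturb the check.

```ruby
require "uri"
require "cgi"

# Constructed rule mirroring the answer: only png/jpg/jpeg endings are accepted.
IMAGE_EXT = /\.(png|jpe?g)\z/i

# Returns an array of error messages; an empty array means the URL is acceptable.
# Mirrors the three checks in the answer's validates_each block.
def photo_url_errors(value)
  begin
    uri = URI.parse(value.to_s)
  rescue URI::InvalidURIError
    # e.g. embedded spaces or quotes never reach the scheme/extension checks
    return ["The format of the url is not valid"]
  end

  errors = []
  # URI::HTTPS inherits from URI::HTTP, so one is_a? covers both schemes;
  # "javascript:..." parses as URI::Generic and is rejected here.
  unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
    errors << "Sorry, you may only use http/https links"
  end
  # Check the path component so "?x=1" or "#frag" after the name cannot hide a non-image.
  errors << "The url must point to a picture" unless uri.path.to_s =~ IMAGE_EXT
  errors
end

# Builds the <img> tag with the URL attribute-escaped, which is what the `h`
# helper in the answer does: quotes and angle brackets become entities, so a
# stored value cannot close the attribute and inject markup.
def photo_img_tag(value)
  %(<img src="#{CGI.escapeHTML(value.to_s)}" alt="photo">)
end

if __FILE__ == $0
  ["https://example.com/pic.PNG", "ftp://example.com/pic.png",
   "http://example.com/page.html", "http://exa mple.com/a.png"].each do |u|
    puts "#{u.inspect} -> #{photo_url_errors(u).inspect}"
  end
  puts photo_img_tag('a.png"><script>')
end
```

Validation at save time only covers the URL string; as the question notes, whatever that URL serves can change later, so the escaping in `photo_img_tag` is the part that protects every page render.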