I am using paperclip to upload files directly to Aws s3 (following this guide: https://devcenter.heroku.com/articles/paperclip-s3 ).
As shown below, a user can view a file in their browser using the "attachment.file.url" method. Is it a security vulnerability to display the s3 url to a user? If so, is there a way to hide this url without streaming the file to the app first or a "download_file" controller action?
production.rb
Rails.application.configure do
config.paperclip_defaults = {
storage: :s3,
s3_credentials: {
bucket: ENV.fetch('S3_BUCKET_NAME'),
access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY'),
s3_region: ENV.fetch('AWS_REGION'),
}
}
end
attachment.rb
class Attachment < ActiveRecord::Base
belongs_to :upload, polymorphic: true
has_attached_file :file
validates_attachment :file, content_type: { content_type: ["image/jpeg", "image/gif", "image/png", "application/pdf", "application/vnd.ms-excel",
"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
"application/msword",
"application/vnd.openxmlformats-officedocument.wordprocessingml.document",
"text/plain"] }
end
view
<h5>File Uploads</h5>
<ul>
<% @attachments.each do |attachment| %>
<li>
<%= link_to attachment.file_file_name, attachment.file.url, :target => '_blank' %>
</li>
<% end %>
</ul>
<%= link_to "Add Files", new_attachment_path(:upload_type => 'Team'), class: "btn btn-md" %>
The S3 URL will be visible to anyone who can use dev tools anyway so exposing it is not a security vulnerability. Some would argue it is bad UX but that is a discussion for another time.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.