Don't allow SVG avatar uploads in the first place

kevinmcconnell · kevinmcconnell · commit 2e4774973989 · 2025-12-04T14:27:28.000Z
diff --git a/app/models/user/avatar.rb b/app/models/user/avatar.rb
@@ -1,13 +1,24 @@
 module User::Avatar
   extend ActiveSupport::Concern
 
+  ALLOWED_AVATAR_CONTENT_TYPES = %w[ image/jpeg image/png image/gif image/webp ].freeze
+
   included do
     has_one_attached :avatar do |attachable|
       attachable.variant :thumb, resize_to_fill: [ 256, 256 ]
     end
+
+    validate :avatar_content_type_allowed
   end
 
   def avatar_thumbnail
     avatar.variable? ? avatar.variant(:thumb) : avatar
   end
+
+  private
+    def avatar_content_type_allowed
+      if avatar.attached? && !ALLOWED_AVATAR_CONTENT_TYPES.include?(avatar.content_type)
+        errors.add(:avatar, "must be a JPEG, PNG, GIF, or WebP image")
+      end
+    end
 end
diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb
@@ -14,7 +14,7 @@
 
         <label class="avatar btn btn--circle input--file txt-xx-large center fill-white">
           <%= image_tag user_avatar_path(@user), aria: { hidden: "true" }, class: "avatar", size: 128, data: { upload_preview_target: "image" } %>
-          <%= form.file_field :avatar, id: "file", class: "input", accept: "image/*",
+          <%= form.file_field :avatar, id: "file", class: "input", accept: "image/jpeg, image/png, image/gif, image/webp",
                 data: { upload_preview_target: "input", action: "upload-preview#previewImage" } %>
           <span class="for-screen-reader">Profile avatar for <%= @user.name %></span>
         </label>
diff --git a/test/models/user/avatar_test.rb b/test/models/user/avatar_test.rb
@@ -14,4 +14,17 @@ class User::AvatarTest < ActiveSupport::TestCase
     assert_not users(:david).avatar.variable?
     assert_equal users(:david).avatar.blob, users(:david).avatar_thumbnail.blob
   end
+
+  test "allows valid image content types" do
+    users(:david).avatar.attach(io: File.open(file_fixture("moon.jpg")), filename: "test.jpg")
+
+    assert users(:david).valid?
+  end
+
+  test "rejects SVG uploads" do
+    users(:david).avatar.attach(io: File.open(file_fixture("avatar.svg")), filename: "avatar.svg")
+
+    assert_not users(:david).valid?
+    assert_includes users(:david).errors[:avatar], "must be a JPEG, PNG, GIF, or WebP image"
+  end
 end
