From ee833a7f25cf93f533e3b9655ca949a620344a55 Mon Sep 17 00:00:00 2001
From: "David P. Steelman"
Date: Mon, 20 Aug 2018 15:11:02 -0400
Subject: [PATCH] LIBITD-1135. Updated Paperclip gem to v5.3.0

Updated Paperclip gem from v5.0.0 to v5.3.0 to address gem vulnerabilities.
Ran "bundle update paperclip" to update related gems.
Fixed a test that began failing due to better file content detection in the new Rails version (see https://github.com/thoughtbot/paperclip/pull/2270). Prior to the upgrade, the test was actually providing a PDF file, but the file was being rejected because the provided MIME type was given as "text/html". After the upgrade, the provided MIME type is not trusted, and the file itself is examined. Since the file provided in the test is actually a PDF file, the file is correctly identified as a PDF, and is accepted, so the test failed. Updated the test to use a non-PDF file.
Also removed "before_validation" code in the "student-applications/app/models/resume.rb" file, as the default content type detector in Paperclip now performs a similar check (see https://github.com/thoughtbot/paperclip/blob/v5.3.0/lib/paperclip/content_type_detector.rb).
https://issues.umd.edu/browse/LIBITD-1135
---
 Gemfile | 2 +-
 Gemfile.lock | 12 ++++++------
 app/models/resume.rb | 12 ------------
 test/controllers/resume_controller_test.rb | 12 ++++++------
 4 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/Gemfile b/Gemfile
index 801365d..ebf8b7c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -52,7 +52,7 @@ gem 'country_select'
 gem 'simple_form'
 gem 'will_paginate-bootstrap'
-gem 'paperclip', '~> 5.0.0'
+gem 'paperclip', '~> 5.3.0'
 gem 'daemons'
 gem 'delayed_job_active_record'
diff --git a/Gemfile.lock b/Gemfile.lock
index b4315e5..0a9c8c5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -78,10 +78,8 @@ GEM
 capybara-screenshot (1.0.14)
 capybara (>= 1.0, < 3)
 launchy
- climate_control (0.1.0)
+ climate_control (0.2.0)
 cliver (0.3.2)
- cocaine (0.5.8)
- climate_control (>= 0.0.3, < 1.0)
 cocoon (1.2.9)
 coderay (1.1.1)
 concurrent-ruby (1.0.5)
@@ -200,12 +198,12 @@ GEM
 notiffany (0.1.1)
 nenv (~> 0.1)
 shellany (~> 0.0)
- paperclip (5.0.0)
+ paperclip (5.3.0)
 activemodel (>= 4.2.0)
 activesupport (>= 4.2.0)
- cocaine (~> 0.5.5)
 mime-types
 mimemagic (~> 0.3.0)
+ terrapin (~> 0.6.0)
 parser (2.3.3.1)
 ast (~> 2.2)
 pg (0.19.0)
@@ -319,6 +317,8 @@ GEM
 net-scp (>= 1.1.2)
 net-ssh (>= 2.8.0)
 terminal-notifier-guard (1.7.0)
+ terrapin (0.6.0)
+ climate_control (>= 0.0.3, < 1.0)
 test_after_commit (1.1.0)
 activerecord (>= 3.2)
 thor (0.20.0)
@@ -373,7 +373,7 @@ DEPENDENCIES
 minitest-rails-capybara
 minitest-reporters
 mocha
- paperclip (~> 5.0.0)
+ paperclip (~> 5.3.0)
 pg
 poltergeist
 pry-rails
diff --git a/app/models/resume.rb b/app/models/resume.rb
index 93502a9..4183df8 100644
--- a/app/models/resume.rb
+++ b/app/models/resume.rb
@@ -3,18 +3,6 @@ class Resume < ActiveRecord::Base
 has_attached_file :file
- # fix up the MIME type using server-side detection, to overcome browsers
- # sometimes sending incorrect Content-Type headers with PDF files
- # adapted from http://stackoverflow.com/a/7000208/5124907
- GENERIC_CONTENT_TYPES = ['application/force-download', 'application/octet-stream', 'application/x-download'].freeze
-
- before_validation(on: [:create, :update]) do |resume|
- if GENERIC_CONTENT_TYPES.include?(resume.file_content_type)
- mime_type = MIME::Types.type_for(resume.file_file_name)
- resume.file_content_type = mime_type.first.content_type if mime_type.first
- end
- end
-
 validates_attachment_presence :file
 validates_attachment :file, content_type: { content_type: 'application/pdf' }
diff --git a/test/controllers/resume_controller_test.rb b/test/controllers/resume_controller_test.rb
index 9a1200f..7b6f9b3 100644
--- a/test/controllers/resume_controller_test.rb
+++ b/test/controllers/resume_controller_test.rb
@@ -40,7 +40,7 @@ class ResumesControllerTest < ActionController::TestCase
 end
 test "should not create a new resume if its not a pdf" do
- file = fixture_file_upload( "resume.pdf", 'text/html' )
+ file = fixture_file_upload( "resume.notpdf", 'text/html' )
 refute_difference( 'Resume.count' ) do
 post :create, resume: { file: file }
 end
@@ -60,25 +60,25 @@ class ResumesControllerTest < ActionController::TestCase
 get :show, id: resume.id
 assert_response(403)
 end
-
+
 test 'should not allow anyone not logged in to view a submitted resume' do
- prospect = prospects(:all_valid)
+ prospect = prospects(:all_valid)
 prospect.build_resume( file: File.new('test/fixtures/resume.pdf', 'r'))
 prospect.save
 get :show, id: prospect.resume_id
 assert_response(403)
 end
-
+
 test 'should allow authed users to view any resume' do
- prospect = prospects(:all_valid)
+ prospect = prospects(:all_valid)
 prospect.build_resume( file: File.new('test/fixtures/resume.pdf', 'r'))
 prospect.save
 session[:cas] = { user: "admin" }
 get :show, id: prospect.resume_id
 assert_response :success
-
+
 resume = Resume.create(file: File.new('test/fixtures/resume.pdf', 'r'))
 get :show, id: resume.id
 assert_response :success
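Review bot: The new `fixture_file_upload( "resume.notpdf", 'text/html' )` line references a fixture that this patch does not add — the diffstat lists only four changed files — so unless `resume.notpdf` is already tracked (presumably under `test/fixtures/`, next to the `resume.pdf` the other tests use) the helper will raise on the missing file and the test errors out before `refute_difference` ever runs. With Paperclip 5.3 the declared `'text/html'` type no longer decides the outcome, the fixture's bytes do, so the fixture must genuinely not be a PDF; the commit message says that is the intent, but it is worth confirming against the tracked file. A count-only check also cannot tell a validation rejection from a request that failed for some other reason; an assertion on whatever the controller renders when the record is invalid (the status it returns, or an error on the rejected record — whichever the controller exposes) would pin the rejection path. The closing `end` of this `test` block lies outside the hunk.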