From 3170db9532ac329a7d76086bf802595cbd4d27f3 Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Thu, 29 Oct 2020 21:47:39 +0000
Subject: [PATCH] Remove Paperclip URL handlers

See ofn-security issue #33 for details.
---
 config/initializers/paperclip.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/config/initializers/paperclip.rb b/config/initializers/paperclip.rb
index 5dd5c644b4..81187d5a09 100644
--- a/config/initializers/paperclip.rb
+++ b/config/initializers/paperclip.rb
@@ -1,3 +1,14 @@
 Paperclip::Attachment.default_options[:source_file_options] = { all: "-auto-orient" }
+
+url_adapters = [
+ "Paperclip::UriAdapter",
+ "Paperclip::HttpUrlProxyAdapter",
+ "Paperclip::DataUriAdapter"
+]
+
+# Remove Paperclip URL adapters from registered handlers
+Paperclip.io_adapters.registered_handlers.delete_if do |_proc, adapter_class|
+ url_adapters.include? adapter_class.to_s
+end
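Review bot: The `delete_if` block matches on `adapter_class.to_s`, so it silently removes nothing if a Paperclip upgrade renames one of these classes or if an adapter is registered after this initializer has run, and nothing in the patch would notice that. This looks like a security control: these adapters let an attachment be assigned from a URL or data-URI string, so the server fetches or decodes caller-supplied content, which is presumably the concern in the referenced issue. The comment above the block should state that reason rather than restate the code, e.g. `# Security: attachments must never be built from a URL or data URI; keep these adapters unregistered`. A spec asserting that `Paperclip.io_adapters.registered_handlers` contains none of the three classes would turn a silent regression into a test failure.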