activestorage 5.2.4.4 → 5.2.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0bc512e307b589b0c1a583a886620e3e47820ee9d5fc72dcd9098f15c39ccd5b
-  data.tar.gz: 5d45410f437c16c89a5fe1c082c95f13b6f606c266531815ca351c88e4a7edf5
+  metadata.gz: 13b52cd35b6dc01b7589a2c6a666628f0dd9022a7003be3b4ccb461854aa8f54
+  data.tar.gz: c5b000e97cc5c5da0800bb963892f20857841d1a6c1d1d41224c7053b340aaaa
 SHA512:
-  metadata.gz: ae16a55d7b9c4457bc2b839c1eda407c73d77f474a78ddddd1abaaa2a1b443f670bb2d14699335c270b34aa441908c998436dd41c648f70028d31e3f10d3e866
-  data.tar.gz: 9759a7cb1f7c951fe481de3bceafa4afc24a567ce94c8c64b01bd535893a58d307807ecdc51db4ae3ca515cbc0318d4ca5c8cd8e66edb3d438abe23ce326174d
+  metadata.gz: 81552bc85fb46cac27886e71abd1434d0e184e8eb6f679642e6cc2589c6c8e1f72aea689ab169407a6467bc03d2a846ed77d36c6ea4ee55102d451fc9be1ade8
+  data.tar.gz: 907cc0d61bf68b93edecfd2caabc06656a5a31b7a64931c98342005ddf8976a0c33d412e376da464f1453a738156efa8769449ffd554f14c08d20bd853329cd6

data/CHANGELOG.md

@@ -1,3 +1,52 @@
+## Rails 5.2.6.3 (March 08, 2022) ##
+
+*   Added image transformation validation via configurable allow-list.
+    
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+    
+    [CVE-2022-21831]
+
+
+## Rails 5.2.6.2 (February 11, 2022) ##
+
+*   No changes.
+
+
+## Rails 5.2.6.1 (February 11, 2022) ##
+
+*   No changes.
+
+
+## Rails 5.2.6 (May 05, 2021) ##
+
+*   No changes.
+
+
+## Rails 5.2.5 (March 26, 2021) ##
+
+*   Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
+    mime types data.
+
+    *George Claghorn*
+
+*   The Poppler PDF previewer renders a preview image using the original
+    document's crop box rather than its media box, hiding print margins. This
+    matches the behavior of the MuPDF previewer.
+
+    *Vincent Robert*
+
+
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+*   No changes.
+
+
+## Rails 5.2.4.5 (February 10, 2021) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.4 (September 09, 2020) ##
 
 *   No changes.
@@ -8,6 +57,11 @@
 *   [CVE-2020-8162] Include Content-Length in signature for ActiveStorage direct upload
 
 
+## Rails 5.2.4.2 (March 19, 2020) ##
+
+*   No changes.
+
+
 ## Rails 5.2.4.1 (December 18, 2019) ##
 
 *   No changes.

data/app/models/active_storage/variation.rb

@@ -20,6 +20,301 @@
 class ActiveStorage::Variation
   attr_reader :transformations
 
+  class UnsupportedImageProcessingMethod < StandardError; end
+  class UnsupportedImageProcessingArgument < StandardError; end
+
+  SUPPORTED_IMAGE_PROCESSING_METHODS = [
+   "adaptive_blur",
+   "adaptive_resize",
+   "adaptive_sharpen",
+   "adjoin",
+   "affine",
+   "alpha",
+   "annotate",
+   "antialias",
+   "append",
+   "apply",
+   "attenuate",
+   "authenticate",
+   "auto_gamma",
+   "auto_level",
+   "auto_orient",
+   "auto_threshold",
+   "backdrop",
+   "background",
+   "bench",
+   "bias",
+   "bilateral_blur",
+   "black_point_compensation",
+   "black_threshold",
+   "blend",
+   "blue_primary",
+   "blue_shift",
+   "blur",
+   "border",
+   "bordercolor",
+   "borderwidth",
+   "brightness_contrast",
+   "cache",
+   "canny",
+   "caption",
+   "channel",
+   "channel_fx",
+   "charcoal",
+   "chop",
+   "clahe",
+   "clamp",
+   "clip",
+   "clip_path",
+   "clone",
+   "clut",
+   "coalesce",
+   "colorize",
+   "colormap",
+   "color_matrix",
+   "colors",
+   "colorspace",
+   "colourspace",
+   "color_threshold",
+   "combine",
+   "combine_options",
+   "comment",
+   "compare",
+   "complex",
+   "compose",
+   "composite",
+   "compress",
+   "connected_components",
+   "contrast",
+   "contrast_stretch",
+   "convert",
+   "convolve",
+   "copy",
+   "crop",
+   "cycle",
+   "deconstruct",
+   "define",
+   "delay",
+   "delete",
+   "density",
+   "depth",
+   "descend",
+   "deskew",
+   "despeckle",
+   "direction",
+   "displace",
+   "dispose",
+   "dissimilarity_threshold",
+   "dissolve",
+   "distort",
+   "dither",
+   "draw",
+   "duplicate",
+   "edge",
+   "emboss",
+   "encoding",
+   "endian",
+   "enhance",
+   "equalize",
+   "evaluate",
+   "evaluate_sequence",
+   "extent",
+   "extract",
+   "family",
+   "features",
+   "fft",
+   "fill",
+   "filter",
+   "flatten",
+   "flip",
+   "floodfill",
+   "flop",
+   "font",
+   "foreground",
+   "format",
+   "frame",
+   "function",
+   "fuzz",
+   "fx",
+   "gamma",
+   "gaussian_blur",
+   "geometry",
+   "gravity",
+   "grayscale",
+   "green_primary",
+   "hald_clut",
+   "highlight_color",
+   "hough_lines",
+   "iconGeometry",
+   "iconic",
+   "identify",
+   "ift",
+   "illuminant",
+   "immutable",
+   "implode",
+   "insert",
+   "intensity",
+   "intent",
+   "interlace",
+   "interline_spacing",
+   "interpolate",
+   "interpolative_resize",
+   "interword_spacing",
+   "kerning",
+   "kmeans",
+   "kuwahara",
+   "label",
+   "lat",
+   "layers",
+   "level",
+   "level_colors",
+   "limit",
+   "limits",
+   "linear_stretch",
+   "linewidth",
+   "liquid_rescale",
+   "list",
+   "loader",
+   "log",
+   "loop",
+   "lowlight_color",
+   "magnify",
+   "map",
+   "mattecolor",
+   "median",
+   "mean_shift",
+   "metric",
+   "mode",
+   "modulate",
+   "moments",
+   "monitor",
+   "monochrome",
+   "morph",
+   "morphology",
+   "mosaic",
+   "motion_blur",
+   "name",
+   "negate",
+   "noise",
+   "normalize",
+   "opaque",
+   "ordered_dither",
+   "orient",
+   "page",
+   "paint",
+   "pause",
+   "perceptible",
+   "ping",
+   "pointsize",
+   "polaroid",
+   "poly",
+   "posterize",
+   "precision",
+   "preview",
+   "process",
+   "quality",
+   "quantize",
+   "quiet",
+   "radial_blur",
+   "raise",
+   "random_threshold",
+   "range_threshold",
+   "red_primary",
+   "regard_warnings",
+   "region",
+   "remote",
+   "render",
+   "repage",
+   "resample",
+   "resize",
+   "resize_to_fill",
+   "resize_to_fit",
+   "resize_to_limit",
+   "resize_and_pad",
+   "respect_parentheses",
+   "reverse",
+   "roll",
+   "rotate",
+   "sample",
+   "sampling_factor",
+   "saver",
+   "scale",
+   "scene",
+   "screen",
+   "seed",
+   "segment",
+   "selective_blur",
+   "separate",
+   "sepia_tone",
+   "shade",
+   "shadow",
+   "shared_memory",
+   "sharpen",
+   "shave",
+   "shear",
+   "sigmoidal_contrast",
+   "silent",
+   "similarity_threshold",
+   "size",
+   "sketch",
+   "smush",
+   "snaps",
+   "solarize",
+   "sort_pixels",
+   "sparse_color",
+   "splice",
+   "spread",
+   "statistic",
+   "stegano",
+   "stereo",
+   "storage_type",
+   "stretch",
+   "strip",
+   "stroke",
+   "strokewidth",
+   "style",
+   "subimage_search",
+   "swap",
+   "swirl",
+   "synchronize",
+   "taint",
+   "text_font",
+   "threshold",
+   "thumbnail",
+   "tile_offset",
+   "tint",
+   "title",
+   "transform",
+   "transparent",
+   "transparent_color",
+   "transpose",
+   "transverse",
+   "treedepth",
+   "trim",
+   "type",
+   "undercolor",
+   "unique_colors",
+   "units",
+   "unsharp",
+   "update",
+   "valid_image",
+   "view",
+   "vignette",
+   "virtual_pixel",
+   "visual",
+   "watermark",
+   "wave",
+   "wavelet_denoise",
+   "weight",
+   "white_balance",
+   "white_point",
+   "white_threshold",
+   "window",
+   "window_group",
+  ].concat(ActiveStorage.supported_image_processing_methods)
+
+  UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
+
   class << self
     # Returns a Variation instance based on the given variator. If the variator is a Variation, it is
     # returned unmodified. If it is a String, it is passed to ActiveStorage::Variation.decode. Otherwise,
@@ -56,12 +351,15 @@ class ActiveStorage::Variation
   def transform(image)
     ActiveSupport::Notifications.instrument("transform.active_storage") do
       transformations.each do |name, argument_or_subtransformations|
+        validate_transformation(name, argument_or_subtransformations)
         image.mogrify do |command|
           if name.to_s == "combine_options"
             argument_or_subtransformations.each do |subtransformation_name, subtransformation_argument|
+              validate_transformation(subtransformation_name, subtransformation_argument)
               pass_transform_argument(command, subtransformation_name, subtransformation_argument)
             end
           else
+            validate_transformation(name, argument_or_subtransformations)
             pass_transform_argument(command, name, argument_or_subtransformations)
           end
         end
@@ -86,4 +384,58 @@ class ActiveStorage::Variation
     def eligible_argument?(argument)
       argument.present? && argument != true
     end
+
+    def validate_transformation(name, argument)
+      method_name = name.to_s.gsub("-","_")
+
+      unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
+        raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+          One or more of the provided transformation methods is not supported.
+        ERROR
+      end
+
+      if argument.present?
+        if argument.is_a?(String) || argument.is_a?(Symbol)
+          validate_arg_string(argument)
+        elsif argument.is_a?(Array)
+          validate_arg_array(argument)
+        elsif argument.is_a?(Hash)
+          validate_arg_hash(argument)
+        end
+      end
+    end
+
+    def validate_arg_string(argument)
+      if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+    end
+
+    def validate_arg_array(argument)
+      argument.each do |arg|
+        if arg.is_a?(Integer) || arg.is_a?(Float)
+          next
+        elsif arg.is_a?(String) || arg.is_a?(Symbol)
+          validate_arg_string(arg)
+        elsif arg.is_a?(Array)
+          validate_arg_array(arg)
+        elsif arg.is_a?(Hash)
+          validate_arg_hash(arg)
+        end
+      end
+    end
+
+    def validate_arg_hash(argument)
+      argument.each do |key, value|
+        validate_arg_string(key)
+
+        if value.is_a?(Integer) || value.is_a?(Float)
+          next
+        elsif value.is_a?(String) || value.is_a?(Symbol)
+          validate_arg_string(value)
+        elsif value.is_a?(Array)
+          validate_arg_array(value)
+        elsif value.is_a?(Hash)
+          validate_arg_hash(value)
+        end
+      end
+    end
 end

data/lib/active_storage/engine.rb

@@ -51,6 +51,20 @@ module ActiveStorage
       application/pdf
     )
 
+    default_unsupported_image_processing_arguments = %w(
+      -debug
+      -display
+      -distribute-cache
+      -help
+      -path
+      -print
+      -set
+      -verbose
+      -version
+      -write
+      -write-mask
+    )
+
     config.eager_load_namespaces << ActiveStorage
 
     initializer "active_storage.configs" do
@@ -61,6 +75,8 @@ module ActiveStorage
         ActiveStorage.analyzers  = app.config.active_storage.analyzers || []
         ActiveStorage.paths      = app.config.active_storage.paths || {}
 
+        ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
+        ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
         ActiveStorage.content_types_allowed_inline = app.config.active_storage.content_types_allowed_inline || []

data/lib/active_storage/gem_version.rb

@@ -9,8 +9,8 @@ module ActiveStorage
   module VERSION
     MAJOR = 5
     MINOR = 2
-    TINY  = 4
-    PRE   = "4"
+    TINY  = 6
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/previewer/poppler_pdf_previewer.rb

@@ -28,8 +28,8 @@ module ActiveStorage
 
     private
       def draw_first_page_from(file, &block)
-        # use 72 dpi to match thumbnail  dimesions of the PDF
-        draw self.class.pdftoppm_path, "-singlefile", "-r", "72", "-png", file.path, &block
+        # use 72 dpi to match thumbnail dimensions of the PDF
+        draw self.class.pdftoppm_path, "-singlefile", "-cropbox", "-r", "72", "-png", file.path, &block
       end
   end
 end

data/lib/active_storage/service/azure_storage_service.rb

@@ -10,8 +10,8 @@ module ActiveStorage
   class Service::AzureStorageService < Service
     attr_reader :client, :blobs, :container, :signer
 
-    def initialize(storage_account_name:, storage_access_key:, container:)
-      @client = Azure::Storage::Client.create(storage_account_name: storage_account_name, storage_access_key: storage_access_key)
+    def initialize(storage_account_name:, storage_access_key:, container:, **options)
+      @client = Azure::Storage::Client.create(storage_account_name: storage_account_name, storage_access_key: storage_access_key, **options)
       @signer = Azure::Storage::Core::Auth::SharedAccessSignature.new(storage_account_name, storage_access_key)
       @blobs = client.blob_client
       @container = container

data/lib/active_storage/service/s3_service.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+gem "aws-sdk-s3", "~> 1.48"
+
 require "aws-sdk-s3"
 require "active_support/core_ext/numeric/bytes"
 

data/lib/active_storage.rb

@@ -50,4 +50,6 @@ module ActiveStorage
   mattr_accessor :content_types_to_serve_as_binary, default: []
   mattr_accessor :content_types_allowed_inline, default: []
   mattr_accessor :binary_content_type, default: "application/octet-stream"
+  mattr_accessor :supported_image_processing_methods, default: []
+  mattr_accessor :unsupported_image_processing_arguments
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 5.2.4.4
+  version: 5.2.6.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-09 00:00:00.000000000 Z
+date: 2022-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,42 +16,42 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6.3
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.4.4
+        version: 5.2.6.3
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.1
+        version: 1.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.1
+        version: 1.0.0
 description: Attach cloud and local files in Rails applications.
 email: david@loudthinking.com
 executables: []
@@ -124,9 +124,9 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.4.4/activestorage
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.4.4/activestorage/CHANGELOG.md
-post_install_message: 
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.6.3/activestorage
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.6.3/activestorage/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -141,8 +141,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.1.6
+signing_key:
 specification_version: 4
 summary: Local and cloud file storage framework.
 test_files: []