activestorage 5.2.6 → 5.2.6.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/app/models/active_storage/variation.rb +352 -0
- data/lib/active_storage/engine.rb +16 -0
- data/lib/active_storage/gem_version.rb +1 -1
- data/lib/active_storage.rb +2 -0
- metadata +11 -11
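--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 13b52cd35b6dc01b7589a2c6a666628f0dd9022a7003be3b4ccb461854aa8f54
+data.tar.gz: c5b000e97cc5c5da0800bb963892f20857841d1a6c1d1d41224c7053b340aaaa
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 81552bc85fb46cac27886e71abd1434d0e184e8eb6f679642e6cc2589c6c8e1f72aea689ab169407a6467bc03d2a846ed77d36c6ea4ee55102d451fc9be1ade8
+data.tar.gz: 907cc0d61bf68b93edecfd2caabc06656a5a31b7a64931c98342005ddf8976a0c33d412e376da464f1453a738156efa8769449ffd554f14c08d20bd853329cd6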
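--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,23 @@
+## Rails 5.2.6.3 (March 08, 2022) ##
+
+* Added image transformation validation via configurable allow-list.
+
+Variant now offers a configurable allow-list for
+transformation methods in addition to a configurable deny-list for arguments.
+
+[CVE-2022-21831]
+
+
+## Rails 5.2.6.2 (February 11, 2022) ##
+
+* No changes.
+
+
+## Rails 5.2.6.1 (February 11, 2022) ##
+
+* No changes.
+
+
 ## Rails 5.2.6 (May 05, 2021) ##
 
 * No changes.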
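--- a/data/app/models/active_storage/variation.rb
+++ b/data/app/models/active_storage/variation.rb
@@ -20,6 +20,301 @@
 class ActiveStorage::Variation
 attr_reader :transformations
 
+class UnsupportedImageProcessingMethod < StandardError; end
+class UnsupportedImageProcessingArgument < StandardError; end
+
+SUPPORTED_IMAGE_PROCESSING_METHODS = [
+"adaptive_blur",
+"adaptive_resize",
+"adaptive_sharpen",
+"adjoin",
+"affine",
+"alpha",
+"annotate",
+"antialias",
+"append",
+"apply",
+"attenuate",
+"authenticate",
+"auto_gamma",
+"auto_level",
+"auto_orient",
+"auto_threshold",
+"backdrop",
+"background",
+"bench",
+"bias",
+"bilateral_blur",
+"black_point_compensation",
+"black_threshold",
+"blend",
+"blue_primary",
+"blue_shift",
+"blur",
+"border",
+"bordercolor",
+"borderwidth",
+"brightness_contrast",
+"cache",
+"canny",
+"caption",
+"channel",
+"channel_fx",
+"charcoal",
+"chop",
+"clahe",
+"clamp",
+"clip",
+"clip_path",
+"clone",
+"clut",
+"coalesce",
+"colorize",
+"colormap",
+"color_matrix",
+"colors",
+"colorspace",
+"colourspace",
+"color_threshold",
+"combine",
+"combine_options",
+"comment",
+"compare",
+"complex",
+"compose",
+"composite",
+"compress",
+"connected_components",
+"contrast",
+"contrast_stretch",
+"convert",
+"convolve",
+"copy",
+"crop",
+"cycle",
+"deconstruct",
+"define",
+"delay",
+"delete",
+"density",
+"depth",
+"descend",
+"deskew",
+"despeckle",
+"direction",
+"displace",
+"dispose",
+"dissimilarity_threshold",
+"dissolve",
+"distort",
+"dither",
+"draw",
+"duplicate",
+"edge",
+"emboss",
+"encoding",
+"endian",
+"enhance",
+"equalize",
+"evaluate",
+"evaluate_sequence",
+"extent",
+"extract",
+"family",
+"features",
+"fft",
+"fill",
+"filter",
+"flatten",
+"flip",
+"floodfill",
+"flop",
+"font",
+"foreground",
+"format",
+"frame",
+"function",
+"fuzz",
+"fx",
+"gamma",
+"gaussian_blur",
+"geometry",
+"gravity",
+"grayscale",
+"green_primary",
+"hald_clut",
+"highlight_color",
+"hough_lines",
+"iconGeometry",
+"iconic",
+"identify",
+"ift",
+"illuminant",
+"immutable",
+"implode",
+"insert",
+"intensity",
+"intent",
+"interlace",
+"interline_spacing",
+"interpolate",
+"interpolative_resize",
+"interword_spacing",
+"kerning",
+"kmeans",
+"kuwahara",
+"label",
+"lat",
+"layers",
+"level",
+"level_colors",
+"limit",
+"limits",
+"linear_stretch",
+"linewidth",
+"liquid_rescale",
+"list",
+"loader",
+"log",
+"loop",
+"lowlight_color",
+"magnify",
+"map",
+"mattecolor",
+"median",
+"mean_shift",
+"metric",
+"mode",
+"modulate",
+"moments",
+"monitor",
+"monochrome",
+"morph",
+"morphology",
+"mosaic",
+"motion_blur",
+"name",
+"negate",
+"noise",
+"normalize",
+"opaque",
+"ordered_dither",
+"orient",
+"page",
+"paint",
+"pause",
+"perceptible",
+"ping",
+"pointsize",
+"polaroid",
+"poly",
+"posterize",
+"precision",
+"preview",
+"process",
+"quality",
+"quantize",
+"quiet",
+"radial_blur",
+"raise",
+"random_threshold",
+"range_threshold",
+"red_primary",
+"regard_warnings",
+"region",
+"remote",
+"render",
+"repage",
+"resample",
+"resize",
+"resize_to_fill",
+"resize_to_fit",
+"resize_to_limit",
+"resize_and_pad",
+"respect_parentheses",
+"reverse",
+"roll",
+"rotate",
+"sample",
+"sampling_factor",
+"saver",
+"scale",
+"scene",
+"screen",
+"seed",
+"segment",
+"selective_blur",
+"separate",
+"sepia_tone",
+"shade",
+"shadow",
+"shared_memory",
+"sharpen",
+"shave",
+"shear",
+"sigmoidal_contrast",
+"silent",
+"similarity_threshold",
+"size",
+"sketch",
+"smush",
+"snaps",
+"solarize",
+"sort_pixels",
+"sparse_color",
+"splice",
+"spread",
+"statistic",
+"stegano",
+"stereo",
+"storage_type",
+"stretch",
+"strip",
+"stroke",
+"strokewidth",
+"style",
+"subimage_search",
+"swap",
+"swirl",
+"synchronize",
+"taint",
+"text_font",
+"threshold",
+"thumbnail",
+"tile_offset",
+"tint",
+"title",
+"transform",
+"transparent",
+"transparent_color",
+"transpose",
+"transverse",
+"treedepth",
+"trim",
+"type",
+"undercolor",
+"unique_colors",
+"units",
+"unsharp",
+"update",
+"valid_image",
+"view",
+"vignette",
+"virtual_pixel",
+"visual",
+"watermark",
+"wave",
+"wavelet_denoise",
+"weight",
+"white_balance",
+"white_point",
+"white_threshold",
+"window",
+"window_group",
+].concat(ActiveStorage.supported_image_processing_methods)
+
+UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
+
 class << self
 # Returns a Variation instance based on the given variator. If the variator is a Variation, it is
 # returned unmodified. If it is a String, it is passed to ActiveStorage::Variation.decode. Otherwise,
@@ -56,12 +351,15 @@ class ActiveStorage::Variation
 def transform(image)
 ActiveSupport::Notifications.instrument("transform.active_storage") do
 transformations.each do |name, argument_or_subtransformations|
+validate_transformation(name, argument_or_subtransformations)
 image.mogrify do |command|
 if name.to_s == "combine_options"
 argument_or_subtransformations.each do |subtransformation_name, subtransformation_argument|
+validate_transformation(subtransformation_name, subtransformation_argument)
 pass_transform_argument(command, subtransformation_name, subtransformation_argument)
 end
 else
+validate_transformation(name, argument_or_subtransformations)
 pass_transform_argument(command, name, argument_or_subtransformations)
 end
 end
@@ -86,4 +384,58 @@ class ActiveStorage::Variation
 def eligible_argument?(argument)
 argument.present? && argument != true
 end
+
+def validate_transformation(name, argument)
+method_name = name.to_s.gsub("-","_")
+
+unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
+raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+One or more of the provided transformation methods is not supported.
+ERROR
+end
+
+if argument.present?
+if argument.is_a?(String) || argument.is_a?(Symbol)
+validate_arg_string(argument)
+elsif argument.is_a?(Array)
+validate_arg_array(argument)
+elsif argument.is_a?(Hash)
+validate_arg_hash(argument)
+end
+end
+end
+
+def validate_arg_string(argument)
+if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+end
+
+def validate_arg_array(argument)
+argument.each do |arg|
+if arg.is_a?(Integer) || arg.is_a?(Float)
+next
+elsif arg.is_a?(String) || arg.is_a?(Symbol)
+validate_arg_string(arg)
+elsif arg.is_a?(Array)
+validate_arg_array(arg)
+elsif arg.is_a?(Hash)
+validate_arg_hash(arg)
+end
+end
+end
+
+def validate_arg_hash(argument)
+argument.each do |key, value|
+validate_arg_string(key)
+
+if value.is_a?(Integer) || value.is_a?(Float)
+next
+elsif value.is_a?(String) || value.is_a?(Symbol)
+validate_arg_string(value)
+elsif value.is_a?(Array)
+validate_arg_array(value)
+elsif value.is_a?(Hash)
+validate_arg_hash(value)
+end
+end
+end
 end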
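Review bot: In `transform` the new `validate_transformation(name, argument_or_subtransformations)` call placed before `image.mogrify` already validates the top-level pair, so the identical call added in the `else` branch re-checks the same name and argument and can be dropped (the body of `transform` continues past the end of that hunk). In `validate_arg_string` the deny-list test is a case-insensitive substring match rather than an exact flag comparison, which is the stricter direction but deserves a comment, e.g. `# Substring match on purpose: any value that embeds a denied flag anywhere is rejected.`; the line also reads better in modifier form with the normalised value hoisted out of the block, `normalized = argument.to_s.downcase` / `raise UnsupportedImageProcessingArgument if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| normalized.include?(bad_arg) }`. The `.any? { |method| method_name == method }` test in `validate_transformation` is just `SUPPORTED_IMAGE_PROCESSING_METHODS.include?(method_name)`. Both constants are evaluated once when the class loads and snapshot whatever `ActiveStorage.supported_image_processing_methods` and `ActiveStorage.unsupported_image_processing_arguments` hold at that moment — presumably after the engine's `active_storage.configs` initializer has run, but that ordering is worth confirming, since a `nil` deny-list would make the `.any?` call fail with NoMethodError instead of a clear validation error.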
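--- a/data/lib/active_storage/engine.rb
+++ b/data/lib/active_storage/engine.rb
@@ -51,6 +51,20 @@ module ActiveStorage
 application/pdf
 )
 
+default_unsupported_image_processing_arguments = %w(
+-debug
+-display
+-distribute-cache
+-help
+-path
+-print
+-set
+-verbose
+-version
+-write
+-write-mask
+)
+
 config.eager_load_namespaces << ActiveStorage
 
 initializer "active_storage.configs" do
@@ -61,6 +75,8 @@ module ActiveStorage
 ActiveStorage.analyzers = app.config.active_storage.analyzers || []
 ActiveStorage.paths = app.config.active_storage.paths || {}
 
+ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
+ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
 ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
 ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
 ActiveStorage.content_types_allowed_inline = app.config.active_storage.content_types_allowed_inline || []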
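Review bot: `default_unsupported_image_processing_arguments` is a plain local in the class body that the `active_storage.configs` initializer block closes over; declaring it as a frozen constant instead, e.g. `DEFAULT_UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = %w(...).freeze` with the same eleven entries, makes the built-in deny-list discoverable to applications that want to extend it rather than replace it. Because the fallback uses `||`, an application that sets `config.active_storage.unsupported_image_processing_arguments = []` switches the argument deny-list off entirely while `nil` restores the default; that is a reasonable opt-out but the assignment should say so, `# nil => built-in deny-list; an explicit array (even []) replaces it wholesale`. Note the asymmetry with `supported_image_processing_methods`, which `ActiveStorage::Variation` concatenates onto its built-in allow-list, whereas the deny-list is replaced rather than extended.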
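--- a/data/lib/active_storage.rb
+++ b/data/lib/active_storage.rb
@@ -50,4 +50,6 @@ module ActiveStorage
 mattr_accessor :content_types_to_serve_as_binary, default: []
 mattr_accessor :content_types_allowed_inline, default: []
 mattr_accessor :binary_content_type, default: "application/octet-stream"
+mattr_accessor :supported_image_processing_methods, default: []
+mattr_accessor :unsupported_image_processing_arguments
 end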
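Review bot: `mattr_accessor :unsupported_image_processing_arguments` is declared without a default, unlike `supported_image_processing_methods` on the line above, so it reads as `nil` until the engine's `active_storage.configs` initializer assigns it. `ActiveStorage::Variation` copies that value into its `UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS` constant when the class loads and later calls `.any?` on it, so if the model is loaded before that initializer runs (or without the engine at all) every string-argument check fails with NoMethodError — closed, but with a confusing error rather than `UnsupportedImageProcessingArgument`. Giving the accessor the same built-in deny-list the engine uses, `mattr_accessor :unsupported_image_processing_arguments, default: %w(-debug -display -distribute-cache -help -path -print -set -verbose -version -write -write-mask)`, keeps the check enforced regardless of load order and lets the engine fall back to it.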
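--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-version: 5.2.6
+version: 5.2.6.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: actionpack
@@ -16,28 +16,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.6
+version: 5.2.6.3
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.6
+version: 5.2.6.3
 - !ruby/object:Gem::Dependency
 name: activerecord
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.6
+version: 5.2.6.3
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.6
+version: 5.2.6.3
 - !ruby/object:Gem::Dependency
 name: marcel
 requirement: !ruby/object:Gem::Requirement
@@ -124,9 +124,9 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-source_code_uri: https://github.com/rails/rails/tree/v5.2.6/activestorage
-changelog_uri: https://github.com/rails/rails/blob/v5.2.6/activestorage/CHANGELOG.md
-post_install_message:
+source_code_uri: https://github.com/rails/rails/tree/v5.2.6.3/activestorage
+changelog_uri: https://github.com/rails/rails/blob/v5.2.6.3/activestorage/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -142,7 +142,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubygems_version: 3.1.6
-signing_key:
+signing_key:
 specification_version: 4
 summary: Local and cloud file storage framework.
 test_files: []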