activestorage 5.2.6 → 5.2.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 86f0a1026ab07af16ba9102b322f4dfd2fa5b031e74fba9b731952030f1b363e
-  data.tar.gz: 6cd8d0643728b6177d664fb15ad3ae1e9d00fb3add8b1e8959771ec8a76403c4
+  metadata.gz: 221e253595145d3f877c7f1c72422ab97989ba9cba8cb7a5c14f20d8589b0240
+  data.tar.gz: 32de8686073e333e7f0a4177acc3aba161e5bbd59d90597e42ad49ca7ec55af9
 SHA512:
-  metadata.gz: fdbc41c11f1bed89f704276fa3a06451f7412d87bd8b4a8e23f36e62be3ad6cc0335346cfad41baf4017f9ec61ad8fac4322d038b930a1f52bcd694463f64a2d
-  data.tar.gz: 796151b02f46880842fd9d0e69fcd9eda265476ab31584d1ae6e4fe79320ae4141dcc1c1f5e41f97f3dcaca9c575b03a879f1547c6d498ef36a9d528508a189e
+  metadata.gz: 5617c40e89b030ed1e8b3a05a57ab954a572e40b27f6aade9e4046ae23f7ff298a9f40b1d1ecb31ec7e9cd3717186d6cc7e6ceb939a3967bcd3ab70533e431c9
+  data.tar.gz: 39a0968e43f9d8a1763c3120a83b3ae8cc82b9c2d78b1a0a5503da4818296f0cf5abad84fd57733bd1eac61f321b0a288d99c2aff058d3f37fb0cd453fc423ff

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+## Rails 5.2.7 (March 10, 2022) ##
+
+*   Fix `ActiveStorage.supported_image_processing_methods` and
+    `ActiveStorage.unsupported_image_processing_arguments` that were not being applied.
+
+    *Rafael Mendonça França*
+
+
+## Rails 5.2.6.3 (March 08, 2022) ##
+
+*   Added image transformation validation via configurable allow-list.
+
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+
+    [CVE-2022-21831]
+
+
+## Rails 5.2.6.2 (February 11, 2022) ##
+
+*   No changes.
+
+
+## Rails 5.2.6.1 (February 11, 2022) ##
+
+*   No changes.
+
+
 ## Rails 5.2.6 (May 05, 2021) ##
 
 *   No changes.

data/app/models/active_storage/variation.rb

@@ -20,6 +20,9 @@
 class ActiveStorage::Variation
   attr_reader :transformations
 
+  class UnsupportedImageProcessingMethod < StandardError; end
+  class UnsupportedImageProcessingArgument < StandardError; end
+
   class << self
     # Returns a Variation instance based on the given variator. If the variator is a Variation, it is
     # returned unmodified. If it is a String, it is passed to ActiveStorage::Variation.decode. Otherwise,
@@ -56,12 +59,15 @@ class ActiveStorage::Variation
   def transform(image)
     ActiveSupport::Notifications.instrument("transform.active_storage") do
       transformations.each do |name, argument_or_subtransformations|
+        validate_transformation(name, argument_or_subtransformations)
         image.mogrify do |command|
           if name.to_s == "combine_options"
             argument_or_subtransformations.each do |subtransformation_name, subtransformation_argument|
+              validate_transformation(subtransformation_name, subtransformation_argument)
               pass_transform_argument(command, subtransformation_name, subtransformation_argument)
             end
           else
+            validate_transformation(name, argument_or_subtransformations)
             pass_transform_argument(command, name, argument_or_subtransformations)
           end
         end
@@ -86,4 +92,58 @@ class ActiveStorage::Variation
     def eligible_argument?(argument)
       argument.present? && argument != true
     end
+
+    def validate_transformation(name, argument)
+      method_name = name.to_s.gsub("-","_")
+
+      unless ActiveStorage.supported_image_processing_methods.any? { |method| method_name == method }
+        raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+          One or more of the provided transformation methods is not supported.
+        ERROR
+      end
+
+      if argument.present?
+        if argument.is_a?(String) || argument.is_a?(Symbol)
+          validate_arg_string(argument)
+        elsif argument.is_a?(Array)
+          validate_arg_array(argument)
+        elsif argument.is_a?(Hash)
+          validate_arg_hash(argument)
+        end
+      end
+    end
+
+    def validate_arg_string(argument)
+      if ActiveStorage.unsupported_image_processing_arguments.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+    end
+
+    def validate_arg_array(argument)
+      argument.each do |arg|
+        if arg.is_a?(Integer) || arg.is_a?(Float)
+          next
+        elsif arg.is_a?(String) || arg.is_a?(Symbol)
+          validate_arg_string(arg)
+        elsif arg.is_a?(Array)
+          validate_arg_array(arg)
+        elsif arg.is_a?(Hash)
+          validate_arg_hash(arg)
+        end
+      end
+    end
+
+    def validate_arg_hash(argument)
+      argument.each do |key, value|
+        validate_arg_string(key)
+
+        if value.is_a?(Integer) || value.is_a?(Float)
+          next
+        elsif value.is_a?(String) || value.is_a?(Symbol)
+          validate_arg_string(value)
+        elsif value.is_a?(Array)
+          validate_arg_array(value)
+        elsif value.is_a?(Hash)
+          validate_arg_hash(value)
+        end
+      end
+    end
 end

data/lib/active_storage/engine.rb

@@ -61,6 +61,20 @@ module ActiveStorage
         ActiveStorage.analyzers  = app.config.active_storage.analyzers || []
         ActiveStorage.paths      = app.config.active_storage.paths || {}
 
+        ActiveStorage.supported_image_processing_methods += app.config.active_storage.supported_image_processing_methods || []
+        ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || %w(
+          -debug
+          -display
+          -distribute-cache
+          -help
+          -path
+          -print
+          -set
+          -verbose
+          -version
+          -write
+          -write-mask
+        )
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
         ActiveStorage.content_types_allowed_inline = app.config.active_storage.content_types_allowed_inline || []

data/lib/active_storage/gem_version.rb

@@ -9,7 +9,7 @@ module ActiveStorage
   module VERSION
     MAJOR = 5
     MINOR = 2
-    TINY  = 6
+    TINY  = 7
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/active_storage.rb

@@ -50,4 +50,294 @@ module ActiveStorage
   mattr_accessor :content_types_to_serve_as_binary, default: []
   mattr_accessor :content_types_allowed_inline, default: []
   mattr_accessor :binary_content_type, default: "application/octet-stream"
+  mattr_accessor :supported_image_processing_methods, default: [
+    "adaptive_blur",
+    "adaptive_resize",
+    "adaptive_sharpen",
+    "adjoin",
+    "affine",
+    "alpha",
+    "annotate",
+    "antialias",
+    "append",
+    "apply",
+    "attenuate",
+    "authenticate",
+    "auto_gamma",
+    "auto_level",
+    "auto_orient",
+    "auto_threshold",
+    "backdrop",
+    "background",
+    "bench",
+    "bias",
+    "bilateral_blur",
+    "black_point_compensation",
+    "black_threshold",
+    "blend",
+    "blue_primary",
+    "blue_shift",
+    "blur",
+    "border",
+    "bordercolor",
+    "borderwidth",
+    "brightness_contrast",
+    "cache",
+    "canny",
+    "caption",
+    "channel",
+    "channel_fx",
+    "charcoal",
+    "chop",
+    "clahe",
+    "clamp",
+    "clip",
+    "clip_path",
+    "clone",
+    "clut",
+    "coalesce",
+    "colorize",
+    "colormap",
+    "color_matrix",
+    "colors",
+    "colorspace",
+    "colourspace",
+    "color_threshold",
+    "combine",
+    "combine_options",
+    "comment",
+    "compare",
+    "complex",
+    "compose",
+    "composite",
+    "compress",
+    "connected_components",
+    "contrast",
+    "contrast_stretch",
+    "convert",
+    "convolve",
+    "copy",
+    "crop",
+    "cycle",
+    "deconstruct",
+    "define",
+    "delay",
+    "delete",
+    "density",
+    "depth",
+    "descend",
+    "deskew",
+    "despeckle",
+    "direction",
+    "displace",
+    "dispose",
+    "dissimilarity_threshold",
+    "dissolve",
+    "distort",
+    "dither",
+    "draw",
+    "duplicate",
+    "edge",
+    "emboss",
+    "encoding",
+    "endian",
+    "enhance",
+    "equalize",
+    "evaluate",
+    "evaluate_sequence",
+    "extent",
+    "extract",
+    "family",
+    "features",
+    "fft",
+    "fill",
+    "filter",
+    "flatten",
+    "flip",
+    "floodfill",
+    "flop",
+    "font",
+    "foreground",
+    "format",
+    "frame",
+    "function",
+    "fuzz",
+    "fx",
+    "gamma",
+    "gaussian_blur",
+    "geometry",
+    "gravity",
+    "grayscale",
+    "green_primary",
+    "hald_clut",
+    "highlight_color",
+    "hough_lines",
+    "iconGeometry",
+    "iconic",
+    "identify",
+    "ift",
+    "illuminant",
+    "immutable",
+    "implode",
+    "insert",
+    "intensity",
+    "intent",
+    "interlace",
+    "interline_spacing",
+    "interpolate",
+    "interpolative_resize",
+    "interword_spacing",
+    "kerning",
+    "kmeans",
+    "kuwahara",
+    "label",
+    "lat",
+    "layers",
+    "level",
+    "level_colors",
+    "limit",
+    "limits",
+    "linear_stretch",
+    "linewidth",
+    "liquid_rescale",
+    "list",
+    "loader",
+    "log",
+    "loop",
+    "lowlight_color",
+    "magnify",
+    "map",
+    "mattecolor",
+    "median",
+    "mean_shift",
+    "metric",
+    "mode",
+    "modulate",
+    "moments",
+    "monitor",
+    "monochrome",
+    "morph",
+    "morphology",
+    "mosaic",
+    "motion_blur",
+    "name",
+    "negate",
+    "noise",
+    "normalize",
+    "opaque",
+    "ordered_dither",
+    "orient",
+    "page",
+    "paint",
+    "pause",
+    "perceptible",
+    "ping",
+    "pointsize",
+    "polaroid",
+    "poly",
+    "posterize",
+    "precision",
+    "preview",
+    "process",
+    "quality",
+    "quantize",
+    "quiet",
+    "radial_blur",
+    "raise",
+    "random_threshold",
+    "range_threshold",
+    "red_primary",
+    "regard_warnings",
+    "region",
+    "remote",
+    "render",
+    "repage",
+    "resample",
+    "resize",
+    "resize_to_fill",
+    "resize_to_fit",
+    "resize_to_limit",
+    "resize_and_pad",
+    "respect_parentheses",
+    "reverse",
+    "roll",
+    "rotate",
+    "sample",
+    "sampling_factor",
+    "saver",
+    "scale",
+    "scene",
+    "screen",
+    "seed",
+    "segment",
+    "selective_blur",
+    "separate",
+    "sepia_tone",
+    "shade",
+    "shadow",
+    "shared_memory",
+    "sharpen",
+    "shave",
+    "shear",
+    "sigmoidal_contrast",
+    "silent",
+    "similarity_threshold",
+    "size",
+    "sketch",
+    "smush",
+    "snaps",
+    "solarize",
+    "sort_pixels",
+    "sparse_color",
+    "splice",
+    "spread",
+    "statistic",
+    "stegano",
+    "stereo",
+    "storage_type",
+    "stretch",
+    "strip",
+    "stroke",
+    "strokewidth",
+    "style",
+    "subimage_search",
+    "swap",
+    "swirl",
+    "synchronize",
+    "taint",
+    "text_font",
+    "threshold",
+    "thumbnail",
+    "tile_offset",
+    "tint",
+    "title",
+    "transform",
+    "transparent",
+    "transparent_color",
+    "transpose",
+    "transverse",
+    "treedepth",
+    "trim",
+    "type",
+    "undercolor",
+    "unique_colors",
+    "units",
+    "unsharp",
+    "update",
+    "valid_image",
+    "view",
+    "vignette",
+    "virtual_pixel",
+    "visual",
+    "watermark",
+    "wave",
+    "wavelet_denoise",
+    "weight",
+    "white_balance",
+    "white_point",
+    "white_threshold",
+    "window",
+    "window_group",
+  ]
+  mattr_accessor :unsupported_image_processing_arguments
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 5.2.6
+  version: 5.2.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-05 00:00:00.000000000 Z
+date: 2022-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.6
+        version: 5.2.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.6
+        version: 5.2.7
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.6
+        version: 5.2.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.6
+        version: 5.2.7
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -124,8 +124,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.6/activestorage
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.6/activestorage/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.7/activestorage
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.7/activestorage/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths: