activestorage 6.1.4.6 → 6.1.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f78821f730cf6d374a408a0b130b92437182d3026404916ca79618e7c8b2ffd
-  data.tar.gz: 613fab9e9ce486a0897f55c0cf654e0edd98549cdc963813367289651f1bb03e
+  metadata.gz: 23eaa86cd5f845923d83e9c1db63a1f2c26c56be19eee29da93eefc0ded1cee0
+  data.tar.gz: e265bf5c4ea4afec7c2917649694d43a73cd14512d47936975ca609e0ac6bcdd
 SHA512:
-  metadata.gz: bf9329ba6d4500c9f31b0390fabd11854354d3ad6b131280e148912487deb119168dfe35a4fb92db4ee55708c665065b76845f815c96b26557405eb0e13a71a3
-  data.tar.gz: 88cbbc25f7b4d8cbeb5eb57805d79f4d7df2288391835a9abe3aace1680a265edb369bf284dfc99713be94e74998323474f87bb70cb89b7ba7a01273ced37b3d
+  metadata.gz: de85324b3cdb59c7498addbea49f4d9906ac25fe81321db7857f400b03ecd3adc3ad364ebfeb1fb7caa24bdacfdfd2ffeb125b837f566b5d17df16b5938f050a
+  data.tar.gz: ec63bca9ffee2483deb66f448d54c0d3fe04e321371bb20d3cae6b46a26c527474a2abc2064ad16220c9bfca2402745304adb49f3a5fcbbdb0ddcd3c42e05a3d

data/CHANGELOG.md

@@ -1,3 +1,27 @@
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.5 (March 09, 2022) ##
+
+*   Attachments can be deleted after their association is no longer defined.
+
+    Fixes #42514
+
+    *Don Sisco*
+
+
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   Added image transformation validation via configurable allow-list.
+    
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+    
+    [CVE-2022-21831]
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.
@@ -37,7 +61,7 @@
 
 *   Fix Active Storage update task when running in an engine.
 
-    Justin Malčić*
+    *Justin Malčić*
 
 *   Don't raise an error if the mime type is not recognized.
 

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2017-2020 David Heinemeier Hansson, Basecamp
+Copyright (c) 2017-2022 David Heinemeier Hansson, Basecamp
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/app/models/active_storage/attachment.rb

@@ -51,7 +51,7 @@ class ActiveStorage::Attachment < ActiveStorage::Record
     end
 
     def dependent
-      record.attachment_reflections[name]&.options[:dependent]
+      record.attachment_reflections[name]&.options&.fetch(:dependent, nil)
     end
 end
 

data/app/models/active_storage/variant.rb

@@ -4,7 +4,7 @@
 # These variants are used to create thumbnails, fixed-size avatars, or any other derivative image from the
 # original.
 #
-# Variants rely on {ImageProcessing}[https://github.com/janko-m/image_processing] gem for the actual transformations
+# Variants rely on {ImageProcessing}[https://github.com/janko/image_processing] gem for the actual transformations
 # of the file, so you must add <tt>gem "image_processing"</tt> to your Gemfile if you wish to use variants. By
 # default, images will be processed with {ImageMagick}[http://imagemagick.org] using the
 # {MiniMagick}[https://github.com/minimagick/minimagick] gem, but you can also switch to the
@@ -46,9 +46,9 @@
 #
 # Visit the following links for a list of available ImageProcessing commands and ImageMagick/libvips operations:
 #
-# * {ImageProcessing::MiniMagick}[https://github.com/janko-m/image_processing/blob/master/doc/minimagick.md#methods]
+# * {ImageProcessing::MiniMagick}[https://github.com/janko/image_processing/blob/master/doc/minimagick.md#methods]
 # * {ImageMagick reference}[https://www.imagemagick.org/script/mogrify.php]
-# * {ImageProcessing::Vips}[https://github.com/janko-m/image_processing/blob/master/doc/vips.md#methods]
+# * {ImageProcessing::Vips}[https://github.com/janko/image_processing/blob/master/doc/vips.md#methods]
 # * {ruby-vips reference}[http://www.rubydoc.info/gems/ruby-vips/Vips/Image]
 class ActiveStorage::Variant
   attr_reader :blob, :variation

data/app/models/active_storage/variation.rb

@@ -10,7 +10,7 @@ require "mini_mime"
 #
 #   ActiveStorage::Variation.new(resize_to_limit: [100, 100], monochrome: true, trim: true, rotate: "-90")
 #
-# The options map directly to {ImageProcessing}[https://github.com/janko-m/image_processing] commands.
+# The options map directly to {ImageProcessing}[https://github.com/janko/image_processing] commands.
 class ActiveStorage::Variation
   attr_reader :transformations
 

data/lib/active_storage/engine.rb

@@ -73,6 +73,20 @@ module ActiveStorage
       application/pdf
     )
 
+    default_unsupported_image_processing_arguments = %w(
+      -debug
+      -display
+      -distribute-cache
+      -help
+      -path
+      -print
+      -set
+      -verbose
+      -version
+      -write
+      -write-mask
+    )
+
     config.eager_load_namespaces << ActiveStorage
 
     initializer "active_storage.configs" do
@@ -86,6 +100,9 @@ module ActiveStorage
         ActiveStorage.draw_routes       = app.config.active_storage.draw_routes != false
         ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
 
+        ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
+        ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
+
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []

data/lib/active_storage/gem_version.rb

@@ -9,8 +9,8 @@ module ActiveStorage
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 4
-    PRE   = "6"
+    TINY  = 5
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/previewer/video_previewer.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "shellwords"
+
 module ActiveStorage
   class Previewer::VideoPreviewer < Previewer
     class << self

data/lib/active_storage/transformers/image_processing_transformer.rb

@@ -13,6 +13,300 @@ module ActiveStorage
   module Transformers
     class ImageProcessingTransformer < Transformer
       private
+        class UnsupportedImageProcessingMethod < StandardError; end
+        class UnsupportedImageProcessingArgument < StandardError; end
+        SUPPORTED_IMAGE_PROCESSING_METHODS = [
+          "adaptive_blur",
+          "adaptive_resize",
+          "adaptive_sharpen",
+          "adjoin",
+          "affine",
+          "alpha",
+          "annotate",
+          "antialias",
+          "append",
+          "apply",
+          "attenuate",
+          "authenticate",
+          "auto_gamma",
+          "auto_level",
+          "auto_orient",
+          "auto_threshold",
+          "backdrop",
+          "background",
+          "bench",
+          "bias",
+          "bilateral_blur",
+          "black_point_compensation",
+          "black_threshold",
+          "blend",
+          "blue_primary",
+          "blue_shift",
+          "blur",
+          "border",
+          "bordercolor",
+          "borderwidth",
+          "brightness_contrast",
+          "cache",
+          "canny",
+          "caption",
+          "channel",
+          "channel_fx",
+          "charcoal",
+          "chop",
+          "clahe",
+          "clamp",
+          "clip",
+          "clip_path",
+          "clone",
+          "clut",
+          "coalesce",
+          "colorize",
+          "colormap",
+          "color_matrix",
+          "colors",
+          "colorspace",
+          "colourspace",
+          "color_threshold",
+          "combine",
+          "combine_options",
+          "comment",
+          "compare",
+          "complex",
+          "compose",
+          "composite",
+          "compress",
+          "connected_components",
+          "contrast",
+          "contrast_stretch",
+          "convert",
+          "convolve",
+          "copy",
+          "crop",
+          "cycle",
+          "deconstruct",
+          "define",
+          "delay",
+          "delete",
+          "density",
+          "depth",
+          "descend",
+          "deskew",
+          "despeckle",
+          "direction",
+          "displace",
+          "dispose",
+          "dissimilarity_threshold",
+          "dissolve",
+          "distort",
+          "dither",
+          "draw",
+          "duplicate",
+          "edge",
+          "emboss",
+          "encoding",
+          "endian",
+          "enhance",
+          "equalize",
+          "evaluate",
+          "evaluate_sequence",
+          "extent",
+          "extract",
+          "family",
+          "features",
+          "fft",
+          "fill",
+          "filter",
+          "flatten",
+          "flip",
+          "floodfill",
+          "flop",
+          "font",
+          "foreground",
+          "format",
+          "frame",
+          "function",
+          "fuzz",
+          "fx",
+          "gamma",
+          "gaussian_blur",
+          "geometry",
+          "gravity",
+          "grayscale",
+          "green_primary",
+          "hald_clut",
+          "highlight_color",
+          "hough_lines",
+          "iconGeometry",
+          "iconic",
+          "identify",
+          "ift",
+          "illuminant",
+          "immutable",
+          "implode",
+          "insert",
+          "intensity",
+          "intent",
+          "interlace",
+          "interline_spacing",
+          "interpolate",
+          "interpolative_resize",
+          "interword_spacing",
+          "kerning",
+          "kmeans",
+          "kuwahara",
+          "label",
+          "lat",
+          "layers",
+          "level",
+          "level_colors",
+          "limit",
+          "limits",
+          "linear_stretch",
+          "linewidth",
+          "liquid_rescale",
+          "list",
+          "loader",
+          "log",
+          "loop",
+          "lowlight_color",
+          "magnify",
+          "map",
+          "mattecolor",
+          "median",
+          "mean_shift",
+          "metric",
+          "mode",
+          "modulate",
+          "moments",
+          "monitor",
+          "monochrome",
+          "morph",
+          "morphology",
+          "mosaic",
+          "motion_blur",
+          "name",
+          "negate",
+          "noise",
+          "normalize",
+          "opaque",
+          "ordered_dither",
+          "orient",
+          "page",
+          "paint",
+          "pause",
+          "perceptible",
+          "ping",
+          "pointsize",
+          "polaroid",
+          "poly",
+          "posterize",
+          "precision",
+          "preview",
+          "process",
+          "quality",
+          "quantize",
+          "quiet",
+          "radial_blur",
+          "raise",
+          "random_threshold",
+          "range_threshold",
+          "red_primary",
+          "regard_warnings",
+          "region",
+          "remote",
+          "render",
+          "repage",
+          "resample",
+          "resize",
+          "resize_to_fill",
+          "resize_to_fit",
+          "resize_to_limit",
+          "resize_and_pad",
+          "respect_parentheses",
+          "reverse",
+          "roll",
+          "rotate",
+          "sample",
+          "sampling_factor",
+          "saver",
+          "scale",
+          "scene",
+          "screen",
+          "seed",
+          "segment",
+          "selective_blur",
+          "separate",
+          "sepia_tone",
+          "shade",
+          "shadow",
+          "shared_memory",
+          "sharpen",
+          "shave",
+          "shear",
+          "sigmoidal_contrast",
+          "silent",
+          "similarity_threshold",
+          "size",
+          "sketch",
+          "smush",
+          "snaps",
+          "solarize",
+          "sort_pixels",
+          "sparse_color",
+          "splice",
+          "spread",
+          "statistic",
+          "stegano",
+          "stereo",
+          "storage_type",
+          "stretch",
+          "strip",
+          "stroke",
+          "strokewidth",
+          "style",
+          "subimage_search",
+          "swap",
+          "swirl",
+          "synchronize",
+          "taint",
+          "text_font",
+          "threshold",
+          "thumbnail",
+          "tile_offset",
+          "tint",
+          "title",
+          "transform",
+          "transparent",
+          "transparent_color",
+          "transpose",
+          "transverse",
+          "treedepth",
+          "trim",
+          "type",
+          "undercolor",
+          "unique_colors",
+          "units",
+          "unsharp",
+          "update",
+          "valid_image",
+          "view",
+          "vignette",
+          "virtual_pixel",
+          "visual",
+          "watermark",
+          "wave",
+          "wavelet_denoise",
+          "weight",
+          "white_balance",
+          "white_point",
+          "white_threshold",
+          "window",
+          "window_group"
+        ].concat(ActiveStorage.supported_image_processing_methods)
+
+        UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
+
         def process(file, format:)
           processor.
             source(file).
@@ -28,6 +322,10 @@ module ActiveStorage
 
         def operations
           transformations.each_with_object([]) do |(name, argument), list|
+            if ActiveStorage.variant_processor == :mini_magick
+              validate_transformation(name, argument)
+            end
+
             if name.to_s == "combine_options"
               raise ArgumentError, <<~ERROR.squish
                 Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -40,6 +338,60 @@ module ActiveStorage
             end
           end
         end
+
+        def validate_transformation(name, argument)
+          method_name = name.to_s.tr("-", "_")
+
+          unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
+            raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+              One or more of the provided transformation methods is not supported.
+            ERROR
+          end
+
+          if argument.present?
+            if argument.is_a?(String) || argument.is_a?(Symbol)
+              validate_arg_string(argument)
+            elsif argument.is_a?(Array)
+              validate_arg_array(argument)
+            elsif argument.is_a?(Hash)
+              validate_arg_hash(argument)
+            end
+          end
+        end
+
+        def validate_arg_string(argument)
+          if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+        end
+
+        def validate_arg_array(argument)
+          argument.each do |arg|
+            if arg.is_a?(Integer) || arg.is_a?(Float)
+              next
+            elsif arg.is_a?(String) || arg.is_a?(Symbol)
+              validate_arg_string(arg)
+            elsif arg.is_a?(Array)
+              validate_arg_array(arg)
+            elsif arg.is_a?(Hash)
+              validate_arg_hash(arg)
+            end
+          end
+        end
+
+        def validate_arg_hash(argument)
+          argument.each do |key, value|
+            validate_arg_string(key)
+
+            if value.is_a?(Integer) || value.is_a?(Float)
+              next
+            elsif value.is_a?(String) || value.is_a?(Symbol)
+              validate_arg_string(value)
+            elsif value.is_a?(Array)
+              validate_arg_array(value)
+            elsif value.is_a?(Hash)
+              validate_arg_hash(value)
+            end
+          end
+        end
     end
   end
 end

data/lib/active_storage.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2017-2020 David Heinemeier Hansson, Basecamp
+# Copyright (c) 2017-2022 David Heinemeier Hansson, Basecamp
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -58,6 +58,9 @@ module ActiveStorage
   mattr_accessor :content_types_to_serve_as_binary, default: []
   mattr_accessor :content_types_allowed_inline,     default: []
 
+  mattr_accessor :supported_image_processing_methods, default: []
+  mattr_accessor :unsupported_image_processing_arguments
+
   mattr_accessor :service_urls_expire_in, default: 5.minutes
 
   mattr_accessor :routes_prefix, default: "/rails/active_storage"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 6.1.4.6
+  version: 6.1.5.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,70 +16,70 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
 - !ruby/object:Gem::Dependency
   name: activejob
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.5.1
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: mini_mime
   requirement: !ruby/object:Gem::Requirement
@@ -188,10 +188,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.4.6/activestorage/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.4.6/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.5.1/activestorage/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.5.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.4.6/activestorage
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.5.1/activestorage
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -207,7 +208,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Local and cloud file storage framework.