activestorage 6.1.4.6 → 6.1.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f78821f730cf6d374a408a0b130b92437182d3026404916ca79618e7c8b2ffd
-  data.tar.gz: 613fab9e9ce486a0897f55c0cf654e0edd98549cdc963813367289651f1bb03e
+  metadata.gz: 8fb7344362927b3834f94b8e5cd2420f3c5060066804ccdedace833169d98bf1
+  data.tar.gz: 0d3225047a9550eea6007f80b212ce28455795d55ecbfa0e902e480a048c7ceb
 SHA512:
-  metadata.gz: bf9329ba6d4500c9f31b0390fabd11854354d3ad6b131280e148912487deb119168dfe35a4fb92db4ee55708c665065b76845f815c96b26557405eb0e13a71a3
-  data.tar.gz: 88cbbc25f7b4d8cbeb5eb57805d79f4d7df2288391835a9abe3aace1680a265edb369bf284dfc99713be94e74998323474f87bb70cb89b7ba7a01273ced37b3d
+  metadata.gz: 43a65bfab6574ff8f1b8d324da2d305baa99a871971814033fb232c60deaa7e2ed8348da24419e6f73ad13271c0eafcbaefde0598a1ed5cbff5bc8da0fdf3991
+  data.tar.gz: 388a9c9628a15f9ac638a592cdbd527db9ab2d7bbb2e8d2492a8e987ea2744e3663e7dbaff18f80d780e199f5a8019d008e05843223cac8649fa9d8e33827cb2

data/CHANGELOG.md

@@ -1,3 +1,32 @@
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.5.1 (April 26, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.5 (March 09, 2022) ##
+
+*   Attachments can be deleted after their association is no longer defined.
+
+    Fixes #42514
+
+    *Don Sisco*
+
+
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+*   Added image transformation validation via configurable allow-list.
+    
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+    
+    [CVE-2022-21831]
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.
@@ -37,7 +66,7 @@
 
 *   Fix Active Storage update task when running in an engine.
 
-    Justin Malčić*
+    *Justin Malčić*
 
 *   Don't raise an error if the mime type is not recognized.
 

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2017-2020 David Heinemeier Hansson, Basecamp
+Copyright (c) 2017-2022 David Heinemeier Hansson, Basecamp
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/app/models/active_storage/attachment.rb

@@ -51,7 +51,7 @@ class ActiveStorage::Attachment < ActiveStorage::Record
     end
 
     def dependent
-      record.attachment_reflections[name]&.options[:dependent]
+      record.attachment_reflections[name]&.options&.fetch(:dependent, nil)
     end
 end
 

data/app/models/active_storage/variant.rb

@@ -4,7 +4,7 @@
 # These variants are used to create thumbnails, fixed-size avatars, or any other derivative image from the
 # original.
 #
-# Variants rely on {ImageProcessing}[https://github.com/janko-m/image_processing] gem for the actual transformations
+# Variants rely on {ImageProcessing}[https://github.com/janko/image_processing] gem for the actual transformations
 # of the file, so you must add <tt>gem "image_processing"</tt> to your Gemfile if you wish to use variants. By
 # default, images will be processed with {ImageMagick}[http://imagemagick.org] using the
 # {MiniMagick}[https://github.com/minimagick/minimagick] gem, but you can also switch to the
@@ -46,9 +46,9 @@
 #
 # Visit the following links for a list of available ImageProcessing commands and ImageMagick/libvips operations:
 #
-# * {ImageProcessing::MiniMagick}[https://github.com/janko-m/image_processing/blob/master/doc/minimagick.md#methods]
+# * {ImageProcessing::MiniMagick}[https://github.com/janko/image_processing/blob/master/doc/minimagick.md#methods]
 # * {ImageMagick reference}[https://www.imagemagick.org/script/mogrify.php]
-# * {ImageProcessing::Vips}[https://github.com/janko-m/image_processing/blob/master/doc/vips.md#methods]
+# * {ImageProcessing::Vips}[https://github.com/janko/image_processing/blob/master/doc/vips.md#methods]
 # * {ruby-vips reference}[http://www.rubydoc.info/gems/ruby-vips/Vips/Image]
 class ActiveStorage::Variant
   attr_reader :blob, :variation

data/app/models/active_storage/variation.rb

@@ -10,7 +10,7 @@ require "mini_mime"
 #
 #   ActiveStorage::Variation.new(resize_to_limit: [100, 100], monochrome: true, trim: true, rotate: "-90")
 #
-# The options map directly to {ImageProcessing}[https://github.com/janko-m/image_processing] commands.
+# The options map directly to {ImageProcessing}[https://github.com/janko/image_processing] commands.
 class ActiveStorage::Variation
   attr_reader :transformations
 

data/lib/active_storage/engine.rb

@@ -86,6 +86,21 @@ module ActiveStorage
         ActiveStorage.draw_routes       = app.config.active_storage.draw_routes != false
         ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
 
+        ActiveStorage.supported_image_processing_methods += app.config.active_storage.supported_image_processing_methods || []
+        ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || %w(
+          -debug
+          -display
+          -distribute-cache
+          -help
+          -path
+          -print
+          -set
+          -verbose
+          -version
+          -write
+          -write-mask
+        )
+
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []

data/lib/active_storage/gem_version.rb

@@ -9,8 +9,8 @@ module ActiveStorage
   module VERSION
     MAJOR = 6
     MINOR = 1
-    TINY  = 4
-    PRE   = "6"
+    TINY  = 6
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/previewer/video_previewer.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "shellwords"
+
 module ActiveStorage
   class Previewer::VideoPreviewer < Previewer
     class << self

data/lib/active_storage/transformers/image_processing_transformer.rb

@@ -13,6 +13,9 @@ module ActiveStorage
   module Transformers
     class ImageProcessingTransformer < Transformer
       private
+        class UnsupportedImageProcessingMethod < StandardError; end
+        class UnsupportedImageProcessingArgument < StandardError; end
+
         def process(file, format:)
           processor.
             source(file).
@@ -28,6 +31,10 @@ module ActiveStorage
 
         def operations
           transformations.each_with_object([]) do |(name, argument), list|
+            if ActiveStorage.variant_processor == :mini_magick
+              validate_transformation(name, argument)
+            end
+
             if name.to_s == "combine_options"
               raise ArgumentError, <<~ERROR.squish
                 Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -40,6 +47,64 @@ module ActiveStorage
             end
           end
         end
+
+        def validate_transformation(name, argument)
+          method_name = name.to_s.tr("-", "_")
+
+          unless ActiveStorage.supported_image_processing_methods.any? { |method| method_name == method }
+            raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+              One or more of the provided transformation methods is not supported.
+            ERROR
+          end
+
+          if argument.present?
+            if argument.is_a?(String) || argument.is_a?(Symbol)
+              validate_arg_string(argument)
+            elsif argument.is_a?(Array)
+              validate_arg_array(argument)
+            elsif argument.is_a?(Hash)
+              validate_arg_hash(argument)
+            end
+          end
+        end
+
+        def validate_arg_string(argument)
+          unsupported_arguments = ActiveStorage.unsupported_image_processing_arguments.any? do |bad_arg|
+            argument.to_s.downcase.include?(bad_arg)
+          end
+
+          raise UnsupportedImageProcessingArgument if unsupported_arguments
+        end
+
+        def validate_arg_array(argument)
+          argument.each do |arg|
+            if arg.is_a?(Integer) || arg.is_a?(Float)
+              next
+            elsif arg.is_a?(String) || arg.is_a?(Symbol)
+              validate_arg_string(arg)
+            elsif arg.is_a?(Array)
+              validate_arg_array(arg)
+            elsif arg.is_a?(Hash)
+              validate_arg_hash(arg)
+            end
+          end
+        end
+
+        def validate_arg_hash(argument)
+          argument.each do |key, value|
+            validate_arg_string(key)
+
+            if value.is_a?(Integer) || value.is_a?(Float)
+              next
+            elsif value.is_a?(String) || value.is_a?(Symbol)
+              validate_arg_string(value)
+            elsif value.is_a?(Array)
+              validate_arg_array(value)
+            elsif value.is_a?(Hash)
+              validate_arg_hash(value)
+            end
+          end
+        end
     end
   end
 end

data/lib/active_storage.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2017-2020 David Heinemeier Hansson, Basecamp
+# Copyright (c) 2017-2022 David Heinemeier Hansson, Basecamp
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -58,6 +58,297 @@ module ActiveStorage
   mattr_accessor :content_types_to_serve_as_binary, default: []
   mattr_accessor :content_types_allowed_inline,     default: []
 
+  mattr_accessor :supported_image_processing_methods, default: [
+    "adaptive_blur",
+    "adaptive_resize",
+    "adaptive_sharpen",
+    "adjoin",
+    "affine",
+    "alpha",
+    "annotate",
+    "antialias",
+    "append",
+    "apply",
+    "attenuate",
+    "authenticate",
+    "auto_gamma",
+    "auto_level",
+    "auto_orient",
+    "auto_threshold",
+    "backdrop",
+    "background",
+    "bench",
+    "bias",
+    "bilateral_blur",
+    "black_point_compensation",
+    "black_threshold",
+    "blend",
+    "blue_primary",
+    "blue_shift",
+    "blur",
+    "border",
+    "bordercolor",
+    "borderwidth",
+    "brightness_contrast",
+    "cache",
+    "canny",
+    "caption",
+    "channel",
+    "channel_fx",
+    "charcoal",
+    "chop",
+    "clahe",
+    "clamp",
+    "clip",
+    "clip_path",
+    "clone",
+    "clut",
+    "coalesce",
+    "colorize",
+    "colormap",
+    "color_matrix",
+    "colors",
+    "colorspace",
+    "colourspace",
+    "color_threshold",
+    "combine",
+    "combine_options",
+    "comment",
+    "compare",
+    "complex",
+    "compose",
+    "composite",
+    "compress",
+    "connected_components",
+    "contrast",
+    "contrast_stretch",
+    "convert",
+    "convolve",
+    "copy",
+    "crop",
+    "cycle",
+    "deconstruct",
+    "define",
+    "delay",
+    "delete",
+    "density",
+    "depth",
+    "descend",
+    "deskew",
+    "despeckle",
+    "direction",
+    "displace",
+    "dispose",
+    "dissimilarity_threshold",
+    "dissolve",
+    "distort",
+    "dither",
+    "draw",
+    "duplicate",
+    "edge",
+    "emboss",
+    "encoding",
+    "endian",
+    "enhance",
+    "equalize",
+    "evaluate",
+    "evaluate_sequence",
+    "extent",
+    "extract",
+    "family",
+    "features",
+    "fft",
+    "fill",
+    "filter",
+    "flatten",
+    "flip",
+    "floodfill",
+    "flop",
+    "font",
+    "foreground",
+    "format",
+    "frame",
+    "function",
+    "fuzz",
+    "fx",
+    "gamma",
+    "gaussian_blur",
+    "geometry",
+    "gravity",
+    "grayscale",
+    "green_primary",
+    "hald_clut",
+    "highlight_color",
+    "hough_lines",
+    "iconGeometry",
+    "iconic",
+    "identify",
+    "ift",
+    "illuminant",
+    "immutable",
+    "implode",
+    "insert",
+    "intensity",
+    "intent",
+    "interlace",
+    "interline_spacing",
+    "interpolate",
+    "interpolative_resize",
+    "interword_spacing",
+    "kerning",
+    "kmeans",
+    "kuwahara",
+    "label",
+    "lat",
+    "layers",
+    "level",
+    "level_colors",
+    "limit",
+    "limits",
+    "linear_stretch",
+    "linewidth",
+    "liquid_rescale",
+    "list",
+    "loader",
+    "log",
+    "loop",
+    "lowlight_color",
+    "magnify",
+    "map",
+    "mattecolor",
+    "median",
+    "mean_shift",
+    "metric",
+    "mode",
+    "modulate",
+    "moments",
+    "monitor",
+    "monochrome",
+    "morph",
+    "morphology",
+    "mosaic",
+    "motion_blur",
+    "name",
+    "negate",
+    "noise",
+    "normalize",
+    "opaque",
+    "ordered_dither",
+    "orient",
+    "page",
+    "paint",
+    "pause",
+    "perceptible",
+    "ping",
+    "pointsize",
+    "polaroid",
+    "poly",
+    "posterize",
+    "precision",
+    "preview",
+    "process",
+    "quality",
+    "quantize",
+    "quiet",
+    "radial_blur",
+    "raise",
+    "random_threshold",
+    "range_threshold",
+    "red_primary",
+    "regard_warnings",
+    "region",
+    "remote",
+    "render",
+    "repage",
+    "resample",
+    "resize",
+    "resize_to_fill",
+    "resize_to_fit",
+    "resize_to_limit",
+    "resize_and_pad",
+    "respect_parentheses",
+    "reverse",
+    "roll",
+    "rotate",
+    "sample",
+    "sampling_factor",
+    "saver",
+    "scale",
+    "scene",
+    "screen",
+    "seed",
+    "segment",
+    "selective_blur",
+    "separate",
+    "sepia_tone",
+    "shade",
+    "shadow",
+    "shared_memory",
+    "sharpen",
+    "shave",
+    "shear",
+    "sigmoidal_contrast",
+    "silent",
+    "similarity_threshold",
+    "size",
+    "sketch",
+    "smush",
+    "snaps",
+    "solarize",
+    "sort_pixels",
+    "sparse_color",
+    "splice",
+    "spread",
+    "statistic",
+    "stegano",
+    "stereo",
+    "storage_type",
+    "stretch",
+    "strip",
+    "stroke",
+    "strokewidth",
+    "style",
+    "subimage_search",
+    "swap",
+    "swirl",
+    "synchronize",
+    "taint",
+    "text_font",
+    "threshold",
+    "thumbnail",
+    "tile_offset",
+    "tint",
+    "title",
+    "transform",
+    "transparent",
+    "transparent_color",
+    "transpose",
+    "transverse",
+    "treedepth",
+    "trim",
+    "type",
+    "undercolor",
+    "unique_colors",
+    "units",
+    "unsharp",
+    "update",
+    "valid_image",
+    "view",
+    "vignette",
+    "virtual_pixel",
+    "visual",
+    "watermark",
+    "wave",
+    "wavelet_denoise",
+    "weight",
+    "white_balance",
+    "white_point",
+    "white_threshold",
+    "window",
+    "window_group"
+  ]
+  mattr_accessor :unsupported_image_processing_arguments
+
   mattr_accessor :service_urls_expire_in, default: 5.minutes
 
   mattr_accessor :routes_prefix, default: "/rails/active_storage"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 6.1.4.6
+  version: 6.1.6.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,70 +16,70 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.6.1
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.6.1
 - !ruby/object:Gem::Dependency
   name: activejob
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.6.1
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.1.4.6
+        version: 6.1.6.1
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: mini_mime
   requirement: !ruby/object:Gem::Requirement
@@ -188,10 +188,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.1.4.6/activestorage/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.1.4.6/
+  changelog_uri: https://github.com/rails/rails/blob/v6.1.6.1/activestorage/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.1.6.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.1.4.6/activestorage
+  source_code_uri: https://github.com/rails/rails/tree/v6.1.6.1/activestorage
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -207,7 +208,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: Local and cloud file storage framework.