activestorage 7.0.2.1 → 7.0.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d9df0f86c676632d14361aeb9d1ac834834c5888d601084408f8c07c8b52c56
-  data.tar.gz: f635cc43298bc0574332bd15442ad5b2922dc243773100b215badfdd54dbc5a7
+  metadata.gz: f8abbeb51e2c7d0af6de3c08e984a8097a191ba25fc143895cb685c6fe748ff4
+  data.tar.gz: 5a4a38ea3da7fc0ecdde4e6e016becf090a09929e1bbbaf76ea8e588eff5321a
 SHA512:
-  metadata.gz: f41a19838f26239a1739f1c2c977fbbf16d037eac381701b2cff6650a0704bc955835c31aa0a3be02fe061329f21c3a0b9199ed2ca8758a94af00cbecd953470
-  data.tar.gz: 7fae947ad43e2995c637ee3b6304702ebfc797de47fd99ddb4101e21edf6b7e026f47518bf56d0ebfdf058a324b63e8f734026d03f1e49399a81607cc5642888
+  metadata.gz: d0216d24ae61092a7dce38da8705eb4063ba79a9ec8c83df7595f7c048e717af5c873c506ed769dcd5b9ca4028ae1734f08cbfe9f5b33c59f9e3fe1722bb92d3
+  data.tar.gz: bfe6d5b7cb5d9a27921bbe676218af6e5c4bc336b0897b14560ab1df4f4a7c1c4369c251ce3b6739fae52868ff385c1a817b146440f26af6256a41f3e09c6cc7

data/CHANGELOG.md

@@ -1,3 +1,23 @@
+## Rails 7.0.2.4 (April 26, 2022) ##
+
+*   No changes.
+
+
+## Rails 7.0.2.3 (March 08, 2022) ##
+
+*   Added image transformation validation via configurable allow-list.
+    
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+    
+    [CVE-2022-21831]
+
+
+## Rails 7.0.2.2 (February 11, 2022) ##
+
+*   No changes.
+
+
 ## Rails 7.0.2.1 (February 11, 2022) ##
 
 *   No changes.

data/lib/active_storage/engine.rb

@@ -80,6 +80,20 @@ module ActiveStorage
       application/pdf
     )
 
+    default_unsupported_image_processing_arguments = %w(
+      -debug
+      -display
+      -distribute-cache
+      -help
+      -path
+      -print
+      -set
+      -verbose
+      -version
+      -write
+      -write-mask
+    )
+
     config.eager_load_namespaces << ActiveStorage
 
     initializer "active_storage.configs" do
@@ -93,6 +107,9 @@ module ActiveStorage
         ActiveStorage.draw_routes       = app.config.active_storage.draw_routes != false
         ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
 
+        ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
+        ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
+
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []

data/lib/active_storage/gem_version.rb

@@ -10,7 +10,7 @@ module ActiveStorage
     MAJOR = 7
     MINOR = 0
     TINY  = 2
-    PRE   = "1"
+    PRE   = "4"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/transformers/image_processing_transformer.rb

@@ -13,6 +13,300 @@ module ActiveStorage
   module Transformers
     class ImageProcessingTransformer < Transformer
       private
+        class UnsupportedImageProcessingMethod < StandardError; end
+        class UnsupportedImageProcessingArgument < StandardError; end
+        SUPPORTED_IMAGE_PROCESSING_METHODS = [
+          "adaptive_blur",
+          "adaptive_resize",
+          "adaptive_sharpen",
+          "adjoin",
+          "affine",
+          "alpha",
+          "annotate",
+          "antialias",
+          "append",
+          "apply",
+          "attenuate",
+          "authenticate",
+          "auto_gamma",
+          "auto_level",
+          "auto_orient",
+          "auto_threshold",
+          "backdrop",
+          "background",
+          "bench",
+          "bias",
+          "bilateral_blur",
+          "black_point_compensation",
+          "black_threshold",
+          "blend",
+          "blue_primary",
+          "blue_shift",
+          "blur",
+          "border",
+          "bordercolor",
+          "borderwidth",
+          "brightness_contrast",
+          "cache",
+          "canny",
+          "caption",
+          "channel",
+          "channel_fx",
+          "charcoal",
+          "chop",
+          "clahe",
+          "clamp",
+          "clip",
+          "clip_path",
+          "clone",
+          "clut",
+          "coalesce",
+          "colorize",
+          "colormap",
+          "color_matrix",
+          "colors",
+          "colorspace",
+          "colourspace",
+          "color_threshold",
+          "combine",
+          "combine_options",
+          "comment",
+          "compare",
+          "complex",
+          "compose",
+          "composite",
+          "compress",
+          "connected_components",
+          "contrast",
+          "contrast_stretch",
+          "convert",
+          "convolve",
+          "copy",
+          "crop",
+          "cycle",
+          "deconstruct",
+          "define",
+          "delay",
+          "delete",
+          "density",
+          "depth",
+          "descend",
+          "deskew",
+          "despeckle",
+          "direction",
+          "displace",
+          "dispose",
+          "dissimilarity_threshold",
+          "dissolve",
+          "distort",
+          "dither",
+          "draw",
+          "duplicate",
+          "edge",
+          "emboss",
+          "encoding",
+          "endian",
+          "enhance",
+          "equalize",
+          "evaluate",
+          "evaluate_sequence",
+          "extent",
+          "extract",
+          "family",
+          "features",
+          "fft",
+          "fill",
+          "filter",
+          "flatten",
+          "flip",
+          "floodfill",
+          "flop",
+          "font",
+          "foreground",
+          "format",
+          "frame",
+          "function",
+          "fuzz",
+          "fx",
+          "gamma",
+          "gaussian_blur",
+          "geometry",
+          "gravity",
+          "grayscale",
+          "green_primary",
+          "hald_clut",
+          "highlight_color",
+          "hough_lines",
+          "iconGeometry",
+          "iconic",
+          "identify",
+          "ift",
+          "illuminant",
+          "immutable",
+          "implode",
+          "insert",
+          "intensity",
+          "intent",
+          "interlace",
+          "interline_spacing",
+          "interpolate",
+          "interpolative_resize",
+          "interword_spacing",
+          "kerning",
+          "kmeans",
+          "kuwahara",
+          "label",
+          "lat",
+          "layers",
+          "level",
+          "level_colors",
+          "limit",
+          "limits",
+          "linear_stretch",
+          "linewidth",
+          "liquid_rescale",
+          "list",
+          "loader",
+          "log",
+          "loop",
+          "lowlight_color",
+          "magnify",
+          "map",
+          "mattecolor",
+          "median",
+          "mean_shift",
+          "metric",
+          "mode",
+          "modulate",
+          "moments",
+          "monitor",
+          "monochrome",
+          "morph",
+          "morphology",
+          "mosaic",
+          "motion_blur",
+          "name",
+          "negate",
+          "noise",
+          "normalize",
+          "opaque",
+          "ordered_dither",
+          "orient",
+          "page",
+          "paint",
+          "pause",
+          "perceptible",
+          "ping",
+          "pointsize",
+          "polaroid",
+          "poly",
+          "posterize",
+          "precision",
+          "preview",
+          "process",
+          "quality",
+          "quantize",
+          "quiet",
+          "radial_blur",
+          "raise",
+          "random_threshold",
+          "range_threshold",
+          "red_primary",
+          "regard_warnings",
+          "region",
+          "remote",
+          "render",
+          "repage",
+          "resample",
+          "resize",
+          "resize_to_fill",
+          "resize_to_fit",
+          "resize_to_limit",
+          "resize_and_pad",
+          "respect_parentheses",
+          "reverse",
+          "roll",
+          "rotate",
+          "sample",
+          "sampling_factor",
+          "saver",
+          "scale",
+          "scene",
+          "screen",
+          "seed",
+          "segment",
+          "selective_blur",
+          "separate",
+          "sepia_tone",
+          "shade",
+          "shadow",
+          "shared_memory",
+          "sharpen",
+          "shave",
+          "shear",
+          "sigmoidal_contrast",
+          "silent",
+          "similarity_threshold",
+          "size",
+          "sketch",
+          "smush",
+          "snaps",
+          "solarize",
+          "sort_pixels",
+          "sparse_color",
+          "splice",
+          "spread",
+          "statistic",
+          "stegano",
+          "stereo",
+          "storage_type",
+          "stretch",
+          "strip",
+          "stroke",
+          "strokewidth",
+          "style",
+          "subimage_search",
+          "swap",
+          "swirl",
+          "synchronize",
+          "taint",
+          "text_font",
+          "threshold",
+          "thumbnail",
+          "tile_offset",
+          "tint",
+          "title",
+          "transform",
+          "transparent",
+          "transparent_color",
+          "transpose",
+          "transverse",
+          "treedepth",
+          "trim",
+          "type",
+          "undercolor",
+          "unique_colors",
+          "units",
+          "unsharp",
+          "update",
+          "valid_image",
+          "view",
+          "vignette",
+          "virtual_pixel",
+          "visual",
+          "watermark",
+          "wave",
+          "wavelet_denoise",
+          "weight",
+          "white_balance",
+          "white_point",
+          "white_threshold",
+          "window",
+          "window_group"
+        ].concat(ActiveStorage.supported_image_processing_methods)
+
+        UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
+
         def process(file, format:)
           processor.
             source(file).
@@ -28,6 +322,10 @@ module ActiveStorage
 
         def operations
           transformations.each_with_object([]) do |(name, argument), list|
+            if ActiveStorage.variant_processor == :mini_magick
+              validate_transformation(name, argument)
+            end
+
             if name.to_s == "combine_options"
               raise ArgumentError, <<~ERROR.squish
                 Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -40,6 +338,60 @@ module ActiveStorage
             end
           end
         end
+
+        def validate_transformation(name, argument)
+          method_name = name.to_s.gsub("-","_")
+
+          unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
+            raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+              One or more of the provided transformation methods is not supported.
+            ERROR
+          end
+
+          if argument.present?
+            if argument.is_a?(String) || argument.is_a?(Symbol)
+              validate_arg_string(argument)
+            elsif argument.is_a?(Array)
+              validate_arg_array(argument)
+            elsif argument.is_a?(Hash)
+              validate_arg_hash(argument)
+            end
+          end
+        end
+
+        def validate_arg_string(argument)
+          if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+        end
+
+        def validate_arg_array(argument)
+          argument.each do |arg|
+            if arg.is_a?(Integer) || arg.is_a?(Float)
+              next
+            elsif arg.is_a?(String) || arg.is_a?(Symbol)
+              validate_arg_string(arg)
+            elsif arg.is_a?(Array)
+              validate_arg_array(arg)
+            elsif arg.is_a?(Hash)
+              validate_arg_hash(arg)
+            end
+          end
+        end
+
+        def validate_arg_hash(argument)
+          argument.each do |key, value|
+            validate_arg_string(key)
+
+            if value.is_a?(Integer) || value.is_a?(Float)
+              next
+            elsif value.is_a?(String) || value.is_a?(Symbol)
+              validate_arg_string(value)
+            elsif value.is_a?(Array)
+              validate_arg_array(value)
+            elsif value.is_a?(Hash)
+              validate_arg_hash(value)
+            end
+          end
+        end
     end
   end
 end

data/lib/active_storage.rb

@@ -59,6 +59,9 @@ module ActiveStorage
   mattr_accessor :content_types_to_serve_as_binary, default: []
   mattr_accessor :content_types_allowed_inline,     default: []
 
+  mattr_accessor :supported_image_processing_methods, default: []
+  mattr_accessor :unsupported_image_processing_arguments
+
   mattr_accessor :service_urls_expire_in, default: 5.minutes
   mattr_accessor :urls_expire_in
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 7.0.2.1
+  version: 7.0.2.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,56 +16,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.1
+        version: 7.0.2.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.1
+        version: 7.0.2.4
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.1
+        version: 7.0.2.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.1
+        version: 7.0.2.4
 - !ruby/object:Gem::Dependency
   name: activejob
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.1
+        version: 7.0.2.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.1
+        version: 7.0.2.4
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.1
+        version: 7.0.2.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.1
+        version: 7.0.2.4
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -198,10 +198,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.0.2.1/activestorage/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.2.1/
+  changelog_uri: https://github.com/rails/rails/blob/v7.0.2.4/activestorage/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.2.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.2.1/activestorage
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.2.4/activestorage
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -218,7 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Local and cloud file storage framework.