activestorage 7.0.2.2 → 7.0.2.3

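--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 797efdf2ca8b6bb58815e2352e430b2cca2b6defaf37fc4e524c2a2150695f4a
- data.tar.gz: 11490b758f9b6e9c2a9eda88757e5a454ca92e587624ce85cb6235dfa9f10fbd
+ metadata.gz: d9f273d0dd11c90236869d27f0d5cd33cb87ba465ba2b87ad48eed3729b4027d
+ data.tar.gz: 1896af35ab20bf919a5445847312e1d0ff8bc122f2536f9d14f4b5c5164f2546
  SHA512:
- metadata.gz: 02a012dd3e41df712e0b4f64576db45634659b369d5e09245c6cc87e1bbb38d31bebd2e110d5782f97477ba2798717f9770167325c68b3b3b8c12d3409c492c5
- data.tar.gz: b89aa21d7d77e5c4ed766c507b06c7c81b34cf79db5fd01f8f1aaa171476e88cf90cabb0e576ebfba698065ab1daee2021cb34b6a9ba2da7054a21907fcd0218
+ metadata.gz: 5f92489340c81f8a4ba4607356173410ce280edb3c05524e2a0e40fcd1f50f8c5cf419fe4f8106abe361baa6e10df862d4fb900e346f216abff56a3431998fdf
+ data.tar.gz: 1044f1e3ecccfc2188904b3cc07f81bce2d6947e6040a481ead533450d939da464d25fe15378a026d18f5727d143103f1738942a97a85174e5e721e8207ee07a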
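--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,13 @@
+ ## Rails 7.0.2.3 (March 08, 2022) ##
+
+ * Added image transformation validation via configurable allow-list.
+
+ Variant now offers a configurable allow-list for
+ transformation methods in addition to a configurable deny-list for arguments.
+
+ [CVE-2022-21831]
+
+
  ## Rails 7.0.2.2 (February 11, 2022) ##
 
  * No changes.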
@@ -80,6 +80,20 @@ module ActiveStorage
80
80
  application/pdf
81
81
  )
82
82
 
83
+ default_unsupported_image_processing_arguments = %w(
84
+ -debug
85
+ -display
86
+ -distribute-cache
87
+ -help
88
+ -path
89
+ -print
90
+ -set
91
+ -verbose
92
+ -version
93
+ -write
94
+ -write-mask
95
+ )
96
+
83
97
  config.eager_load_namespaces << ActiveStorage
84
98
 
85
99
  initializer "active_storage.configs" do
@@ -93,6 +107,9 @@ module ActiveStorage
93
107
  ActiveStorage.draw_routes = app.config.active_storage.draw_routes != false
94
108
  ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
95
109
 
110
+ ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
111
+ ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
112
+
96
113
  ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
97
114
  ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
98
115
  ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
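Review bot: The `default_unsupported_image_processing_arguments` array has no comment saying what it is or how it is applied, and the two facts a maintainer needs are not obvious from this hunk: the transformer's `validate_arg_string` (in this same release) matches each entry as a case-insensitive substring of the argument, so `-set` rejects any argument containing that fragment, and the `|| default_unsupported_image_processing_arguments` fallback in the `active_storage.configs` initializer only applies when the option is unset, so an application that assigns `[]` (truthy in Ruby) disables the deny-list entirely. Proposed comment above the array: `# Default deny-list for ImageMagick switches in transformation arguments (consulted only when variant_processor is :mini_magick). Entries are matched as case-insensitive substrings; setting the option to [] disables the check.` The allow-list counterpart `ActiveStorage.supported_image_processing_methods = ... || []` would benefit from a one-line comment noting that this setting extends, not replaces, the transformer's built-in `SUPPORTED_IMAGE_PROCESSING_METHODS` (it is `concat`-ed onto that list). The enclosing class body starts and ends outside this hunk.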
@@ -10,7 +10,7 @@ module ActiveStorage
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
12
  TINY = 2
13
- PRE = "2"
13
+ PRE = "3"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -13,6 +13,300 @@ module ActiveStorage
13
13
  module Transformers
14
14
  class ImageProcessingTransformer < Transformer
15
15
  private
16
+ class UnsupportedImageProcessingMethod < StandardError; end
17
+ class UnsupportedImageProcessingArgument < StandardError; end
18
+ SUPPORTED_IMAGE_PROCESSING_METHODS = [
19
+ "adaptive_blur",
20
+ "adaptive_resize",
21
+ "adaptive_sharpen",
22
+ "adjoin",
23
+ "affine",
24
+ "alpha",
25
+ "annotate",
26
+ "antialias",
27
+ "append",
28
+ "apply",
29
+ "attenuate",
30
+ "authenticate",
31
+ "auto_gamma",
32
+ "auto_level",
33
+ "auto_orient",
34
+ "auto_threshold",
35
+ "backdrop",
36
+ "background",
37
+ "bench",
38
+ "bias",
39
+ "bilateral_blur",
40
+ "black_point_compensation",
41
+ "black_threshold",
42
+ "blend",
43
+ "blue_primary",
44
+ "blue_shift",
45
+ "blur",
46
+ "border",
47
+ "bordercolor",
48
+ "borderwidth",
49
+ "brightness_contrast",
50
+ "cache",
51
+ "canny",
52
+ "caption",
53
+ "channel",
54
+ "channel_fx",
55
+ "charcoal",
56
+ "chop",
57
+ "clahe",
58
+ "clamp",
59
+ "clip",
60
+ "clip_path",
61
+ "clone",
62
+ "clut",
63
+ "coalesce",
64
+ "colorize",
65
+ "colormap",
66
+ "color_matrix",
67
+ "colors",
68
+ "colorspace",
69
+ "colourspace",
70
+ "color_threshold",
71
+ "combine",
72
+ "combine_options",
73
+ "comment",
74
+ "compare",
75
+ "complex",
76
+ "compose",
77
+ "composite",
78
+ "compress",
79
+ "connected_components",
80
+ "contrast",
81
+ "contrast_stretch",
82
+ "convert",
83
+ "convolve",
84
+ "copy",
85
+ "crop",
86
+ "cycle",
87
+ "deconstruct",
88
+ "define",
89
+ "delay",
90
+ "delete",
91
+ "density",
92
+ "depth",
93
+ "descend",
94
+ "deskew",
95
+ "despeckle",
96
+ "direction",
97
+ "displace",
98
+ "dispose",
99
+ "dissimilarity_threshold",
100
+ "dissolve",
101
+ "distort",
102
+ "dither",
103
+ "draw",
104
+ "duplicate",
105
+ "edge",
106
+ "emboss",
107
+ "encoding",
108
+ "endian",
109
+ "enhance",
110
+ "equalize",
111
+ "evaluate",
112
+ "evaluate_sequence",
113
+ "extent",
114
+ "extract",
115
+ "family",
116
+ "features",
117
+ "fft",
118
+ "fill",
119
+ "filter",
120
+ "flatten",
121
+ "flip",
122
+ "floodfill",
123
+ "flop",
124
+ "font",
125
+ "foreground",
126
+ "format",
127
+ "frame",
128
+ "function",
129
+ "fuzz",
130
+ "fx",
131
+ "gamma",
132
+ "gaussian_blur",
133
+ "geometry",
134
+ "gravity",
135
+ "grayscale",
136
+ "green_primary",
137
+ "hald_clut",
138
+ "highlight_color",
139
+ "hough_lines",
140
+ "iconGeometry",
141
+ "iconic",
142
+ "identify",
143
+ "ift",
144
+ "illuminant",
145
+ "immutable",
146
+ "implode",
147
+ "insert",
148
+ "intensity",
149
+ "intent",
150
+ "interlace",
151
+ "interline_spacing",
152
+ "interpolate",
153
+ "interpolative_resize",
154
+ "interword_spacing",
155
+ "kerning",
156
+ "kmeans",
157
+ "kuwahara",
158
+ "label",
159
+ "lat",
160
+ "layers",
161
+ "level",
162
+ "level_colors",
163
+ "limit",
164
+ "limits",
165
+ "linear_stretch",
166
+ "linewidth",
167
+ "liquid_rescale",
168
+ "list",
169
+ "loader",
170
+ "log",
171
+ "loop",
172
+ "lowlight_color",
173
+ "magnify",
174
+ "map",
175
+ "mattecolor",
176
+ "median",
177
+ "mean_shift",
178
+ "metric",
179
+ "mode",
180
+ "modulate",
181
+ "moments",
182
+ "monitor",
183
+ "monochrome",
184
+ "morph",
185
+ "morphology",
186
+ "mosaic",
187
+ "motion_blur",
188
+ "name",
189
+ "negate",
190
+ "noise",
191
+ "normalize",
192
+ "opaque",
193
+ "ordered_dither",
194
+ "orient",
195
+ "page",
196
+ "paint",
197
+ "pause",
198
+ "perceptible",
199
+ "ping",
200
+ "pointsize",
201
+ "polaroid",
202
+ "poly",
203
+ "posterize",
204
+ "precision",
205
+ "preview",
206
+ "process",
207
+ "quality",
208
+ "quantize",
209
+ "quiet",
210
+ "radial_blur",
211
+ "raise",
212
+ "random_threshold",
213
+ "range_threshold",
214
+ "red_primary",
215
+ "regard_warnings",
216
+ "region",
217
+ "remote",
218
+ "render",
219
+ "repage",
220
+ "resample",
221
+ "resize",
222
+ "resize_to_fill",
223
+ "resize_to_fit",
224
+ "resize_to_limit",
225
+ "resize_and_pad",
226
+ "respect_parentheses",
227
+ "reverse",
228
+ "roll",
229
+ "rotate",
230
+ "sample",
231
+ "sampling_factor",
232
+ "saver",
233
+ "scale",
234
+ "scene",
235
+ "screen",
236
+ "seed",
237
+ "segment",
238
+ "selective_blur",
239
+ "separate",
240
+ "sepia_tone",
241
+ "shade",
242
+ "shadow",
243
+ "shared_memory",
244
+ "sharpen",
245
+ "shave",
246
+ "shear",
247
+ "sigmoidal_contrast",
248
+ "silent",
249
+ "similarity_threshold",
250
+ "size",
251
+ "sketch",
252
+ "smush",
253
+ "snaps",
254
+ "solarize",
255
+ "sort_pixels",
256
+ "sparse_color",
257
+ "splice",
258
+ "spread",
259
+ "statistic",
260
+ "stegano",
261
+ "stereo",
262
+ "storage_type",
263
+ "stretch",
264
+ "strip",
265
+ "stroke",
266
+ "strokewidth",
267
+ "style",
268
+ "subimage_search",
269
+ "swap",
270
+ "swirl",
271
+ "synchronize",
272
+ "taint",
273
+ "text_font",
274
+ "threshold",
275
+ "thumbnail",
276
+ "tile_offset",
277
+ "tint",
278
+ "title",
279
+ "transform",
280
+ "transparent",
281
+ "transparent_color",
282
+ "transpose",
283
+ "transverse",
284
+ "treedepth",
285
+ "trim",
286
+ "type",
287
+ "undercolor",
288
+ "unique_colors",
289
+ "units",
290
+ "unsharp",
291
+ "update",
292
+ "valid_image",
293
+ "view",
294
+ "vignette",
295
+ "virtual_pixel",
296
+ "visual",
297
+ "watermark",
298
+ "wave",
299
+ "wavelet_denoise",
300
+ "weight",
301
+ "white_balance",
302
+ "white_point",
303
+ "white_threshold",
304
+ "window",
305
+ "window_group"
306
+ ].concat(ActiveStorage.supported_image_processing_methods)
307
+
308
+ UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
309
+
16
310
  def process(file, format:)
17
311
  processor.
18
312
  source(file).
@@ -28,6 +322,10 @@ module ActiveStorage
28
322
 
29
323
  def operations
30
324
  transformations.each_with_object([]) do |(name, argument), list|
325
+ if ActiveStorage.variant_processor == :mini_magick
326
+ validate_transformation(name, argument)
327
+ end
328
+
31
329
  if name.to_s == "combine_options"
32
330
  raise ArgumentError, <<~ERROR.squish
33
331
  Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -40,6 +338,60 @@ module ActiveStorage
40
338
  end
41
339
  end
42
340
  end
341
+
342
+ def validate_transformation(name, argument)
343
+ method_name = name.to_s.gsub("-","_")
344
+
345
+ unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
346
+ raise UnsupportedImageProcessingMethod, <<~ERROR.squish
347
+ One or more of the provided transformation methods is not supported.
348
+ ERROR
349
+ end
350
+
351
+ if argument.present?
352
+ if argument.is_a?(String) || argument.is_a?(Symbol)
353
+ validate_arg_string(argument)
354
+ elsif argument.is_a?(Array)
355
+ validate_arg_array(argument)
356
+ elsif argument.is_a?(Hash)
357
+ validate_arg_hash(argument)
358
+ end
359
+ end
360
+ end
361
+
362
+ def validate_arg_string(argument)
363
+ if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
364
+ end
365
+
366
+ def validate_arg_array(argument)
367
+ argument.each do |arg|
368
+ if arg.is_a?(Integer) || arg.is_a?(Float)
369
+ next
370
+ elsif arg.is_a?(String) || arg.is_a?(Symbol)
371
+ validate_arg_string(arg)
372
+ elsif arg.is_a?(Array)
373
+ validate_arg_array(arg)
374
+ elsif arg.is_a?(Hash)
375
+ validate_arg_hash(arg)
376
+ end
377
+ end
378
+ end
379
+
380
+ def validate_arg_hash(argument)
381
+ argument.each do |key, value|
382
+ validate_arg_string(key)
383
+
384
+ if value.is_a?(Integer) || value.is_a?(Float)
385
+ next
386
+ elsif value.is_a?(String) || value.is_a?(Symbol)
387
+ validate_arg_string(value)
388
+ elsif value.is_a?(Array)
389
+ validate_arg_array(value)
390
+ elsif value.is_a?(Hash)
391
+ validate_arg_hash(value)
392
+ end
393
+ end
394
+ end
43
395
  end
44
396
  end
45
397
  end
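Review bot: `SUPPORTED_IMAGE_PROCESSING_METHODS` (through its `.concat(ActiveStorage.supported_image_processing_methods)`) and `UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS` snapshot the two `ActiveStorage` accessors when the class body is evaluated, but those accessors are only assigned by the engine's `active_storage.configs` initializer in this same release (and `unsupported_image_processing_arguments` has no `mattr_accessor` default), so if `ImageProcessingTransformer` is loaded before that initializer runs — load order is not visible here — an application's allow-list additions are silently dropped and the deny-list constant is `nil`, making `validate_arg_string` fail with `NoMethodError` on `.any?` instead of a validation error. Reading the accessors at call time removes the ordering dependency: `unless SUPPORTED_IMAGE_PROCESSING_METHODS.include?(method_name) || ActiveStorage.supported_image_processing_methods.include?(method_name)` in `validate_transformation`, and `raise UnsupportedImageProcessingArgument if ActiveStorage.unsupported_image_processing_arguments.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }` in `validate_arg_string`. The second line also replaces the one-line `if …; raise … end` form, and `name.to_s.gsub("-","_")` is a single-character swap better written `name.to_s.tr("-", "_")`. Finally, `operations` calls `validate_transformation` only when `ActiveStorage.variant_processor == :mini_magick`, which deserves a comment at that `if` so readers do not assume the vips path is covered by the allow-list.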
@@ -59,6 +59,9 @@ module ActiveStorage
59
59
  mattr_accessor :content_types_to_serve_as_binary, default: []
60
60
  mattr_accessor :content_types_allowed_inline, default: []
61
61
 
62
+ mattr_accessor :supported_image_processing_methods, default: []
63
+ mattr_accessor :unsupported_image_processing_arguments
64
+
62
65
  mattr_accessor :service_urls_expire_in, default: 5.minutes
63
66
  mattr_accessor :urls_expire_in
64
67
 
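--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: activestorage
  version: !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-02-11 00:00:00.000000000 Z
+ date: 2022-03-08 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,56 +16,56 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  - !ruby/object:Gem::Dependency
  name: actionpack
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  - !ruby/object:Gem::Dependency
  name: activejob
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  - !ruby/object:Gem::Dependency
  name: activerecord
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  - !ruby/object:Gem::Dependency
  name: marcel
  requirement: !ruby/object:Gem::Requirement
@@ -198,10 +198,10 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v7.0.2.2/activestorage/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.2.2/
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.2.3/activestorage/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.2.3/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.2.2/activestorage
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/activestorage
  rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: []
@@ -218,7 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.2.22
+ rubygems_version: 3.1.6
  signing_key:
  specification_version: 4
  summary: Local and cloud file storage framework.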