RubyGems - activestorage - Versions diffs - 7.0.2.2 → 7.0.3 - Mend

activestorage 7.0.2.2 → 7.0.3

Potentially problematic release.

This version of activestorage might be problematic. Click here for more details.

Files changed (15) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 797efdf2ca8b6bb58815e2352e430b2cca2b6defaf37fc4e524c2a2150695f4a
-  data.tar.gz: 11490b758f9b6e9c2a9eda88757e5a454ca92e587624ce85cb6235dfa9f10fbd
+  metadata.gz: cb27c3976b612802226ea7343ba6bd9483eb635f1785a0255d8048f936c77fc0
+  data.tar.gz: f4bea0eb4dad8afe87aa78185cb3a9eaa92e7c4eb4bd50a28f5505dba4574a6a
 SHA512:
-  metadata.gz: 02a012dd3e41df712e0b4f64576db45634659b369d5e09245c6cc87e1bbb38d31bebd2e110d5782f97477ba2798717f9770167325c68b3b3b8c12d3409c492c5
-  data.tar.gz: b89aa21d7d77e5c4ed766c507b06c7c81b34cf79db5fd01f8f1aaa171476e88cf90cabb0e576ebfba698065ab1daee2021cb34b6a9ba2da7054a21907fcd0218
+  metadata.gz: 24ef173da37fd9a08160b3ca83e78633a2f54699c6043ac7c21bf111226c1d94e6f7971acb3c2be035320cbfd6dfae9dd91c85abaaf0f97c922c33e1f5b26043
+  data.tar.gz: 640a260bf6d6bc690491fe365e810117232c3be9c96112ddc9a5d8e68d8d8f680930f3ae065fcaedadb43490de63a3226e8f5cbde1279419d9f23a019e692b7f

data/CHANGELOG.md CHANGED Viewed

@@ -1,8 +1,34 @@
-## Rails 7.0.2.2 (February 11, 2022) ##
+## Rails 7.0.3 (May 09, 2022) ##
+*   Don't stream responses in redirect mode
+    Previously, both redirect mode and proxy mode streamed their
+    responses which caused a new thread to be created, and could end
+    up leaking connections in the connection pool. But since redirect
+    mode doesn't actually send any data, it doesn't need to be
+    streamed.
+    *Luke Lau*
+## Rails 7.0.2.4 (April 26, 2022) ##
 *   No changes.
+## Rails 7.0.2.3 (March 08, 2022) ##
+*   Added image transformation validation via configurable allow-list.
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+    [CVE-2022-21831]
+## Rails 7.0.2.2 (February 11, 2022) ##
+*   No changes.
 ## Rails 7.0.2.1 (February 11, 2022) ##
 *   No changes.

data/app/controllers/active_storage/base_controller.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 # The base class for all Active Storage controllers.
 class ActiveStorage::BaseController < ActionController::Base
-  include ActiveStorage::SetCurrent, ActiveStorage::Streaming
+  include ActiveStorage::SetCurrent
   protect_from_forgery with: :exception

data/app/controllers/active_storage/blobs/proxy_controller.rb CHANGED Viewed

@@ -8,6 +8,7 @@
 # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
 class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
+  include ActiveStorage::Streaming
   def show
     if request.headers["Range"].present?

data/app/controllers/active_storage/representations/proxy_controller.rb CHANGED Viewed

@@ -7,6 +7,8 @@
 # require a higher level of protection consider implementing
 # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
 class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
+  include ActiveStorage::Streaming
   def show
     http_cache_forever public: true do
       send_blob_stream @representation.image, disposition: params[:disposition]

data/app/models/active_storage/variant_with_record.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 # Like an ActiveStorage::Variant, but keeps detail about the variant in the database as an
-# ActiveStorage::VariantRecord. This is only used if `ActiveStorage.track_variants` is enabled.
+# ActiveStorage::VariantRecord. This is only used if +ActiveStorage.track_variants+ is enabled.
 class ActiveStorage::VariantWithRecord
   attr_reader :blob, :variation
   delegate :service, to: :blob

data/db/update_migrate/20190112182829_add_service_name_to_active_storage_blobs.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 class AddServiceNameToActiveStorageBlobs < ActiveRecord::Migration[6.0]
   def up
+    return unless table_exists?(:active_storage_blobs)
     unless column_exists?(:active_storage_blobs, :service_name)
       add_column :active_storage_blobs, :service_name, :string
@@ -12,6 +14,8 @@ class AddServiceNameToActiveStorageBlobs < ActiveRecord::Migration[6.0]
   end
   def down
+    return unless table_exists?(:active_storage_blobs)
     remove_column :active_storage_blobs, :service_name
   end
 end

data/db/update_migrate/20191206030411_create_active_storage_variant_records.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 class CreateActiveStorageVariantRecords < ActiveRecord::Migration[6.0]
   def change
+    return unless table_exists?(:active_storage_blobs)
     # Use Active Record's configured type for primary key
     create_table :active_storage_variant_records, id: primary_key_type, if_not_exists: true do |t|
       t.belongs_to :blob, null: false, index: false, type: blobs_primary_key_type

data/db/update_migrate/20211119233751_remove_not_null_on_active_storage_blobs_checksum.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 class RemoveNotNullOnActiveStorageBlobsChecksum < ActiveRecord::Migration[6.0]
   def change
+    return unless table_exists?(:active_storage_blobs)
     change_column_null(:active_storage_blobs, :checksum, true)
   end
 end

data/lib/active_storage/engine.rb CHANGED Viewed

@@ -93,6 +93,21 @@ module ActiveStorage
         ActiveStorage.draw_routes       = app.config.active_storage.draw_routes != false
         ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
+        ActiveStorage.supported_image_processing_methods += app.config.active_storage.supported_image_processing_methods || []
+        ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || %w(
+          -debug
+          -display
+          -distribute-cache
+          -help
+          -path
+          -print
+          -set
+          -verbose
+          -version
+          -write
+          -write-mask
+        )
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []

data/lib/active_storage/gem_version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module ActiveStorage
-  # Returns the version of the currently loaded Active Storage as a <tt>Gem::Version</tt>.
+  # Returns the currently loaded version of Active Storage as a <tt>Gem::Version</tt>.
   def self.gem_version
     Gem::Version.new VERSION::STRING
   end
@@ -9,8 +9,8 @@ module ActiveStorage
   module VERSION
     MAJOR = 7
     MINOR = 0
-    TINY  = 2
-    PRE   = "2"
+    TINY  = 3
+    PRE   = nil
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/transformers/image_processing_transformer.rb CHANGED Viewed

@@ -13,6 +13,9 @@ module ActiveStorage
   module Transformers
     class ImageProcessingTransformer < Transformer
       private
+        class UnsupportedImageProcessingMethod < StandardError; end
+        class UnsupportedImageProcessingArgument < StandardError; end
         def process(file, format:)
           processor.
             source(file).
@@ -28,6 +31,10 @@ module ActiveStorage
         def operations
           transformations.each_with_object([]) do |(name, argument), list|
+            if ActiveStorage.variant_processor == :mini_magick
+              validate_transformation(name, argument)
+            end
             if name.to_s == "combine_options"
               raise ArgumentError, <<~ERROR.squish
                 Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -40,6 +47,64 @@ module ActiveStorage
             end
           end
         end
+        def validate_transformation(name, argument)
+          method_name = name.to_s.tr("-", "_")
+          unless ActiveStorage.supported_image_processing_methods.any? { |method| method_name == method }
+            raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+              One or more of the provided transformation methods is not supported.
+            ERROR
+          end
+          if argument.present?
+            if argument.is_a?(String) || argument.is_a?(Symbol)
+              validate_arg_string(argument)
+            elsif argument.is_a?(Array)
+              validate_arg_array(argument)
+            elsif argument.is_a?(Hash)
+              validate_arg_hash(argument)
+            end
+          end
+        end
+        def validate_arg_string(argument)
+          unsupported_arguments = ActiveStorage.unsupported_image_processing_arguments.any? do |bad_arg|
+            argument.to_s.downcase.include?(bad_arg)
+          end
+          raise UnsupportedImageProcessingArgument if unsupported_arguments
+        end
+        def validate_arg_array(argument)
+          argument.each do |arg|
+            if arg.is_a?(Integer) || arg.is_a?(Float)
+              next
+            elsif arg.is_a?(String) || arg.is_a?(Symbol)
+              validate_arg_string(arg)
+            elsif arg.is_a?(Array)
+              validate_arg_array(arg)
+            elsif arg.is_a?(Hash)
+              validate_arg_hash(arg)
+            end
+          end
+        end
+        def validate_arg_hash(argument)
+          argument.each do |key, value|
+            validate_arg_string(key)
+            if value.is_a?(Integer) || value.is_a?(Float)
+              next
+            elsif value.is_a?(String) || value.is_a?(Symbol)
+              validate_arg_string(value)
+            elsif value.is_a?(Array)
+              validate_arg_array(value)
+            elsif value.is_a?(Hash)
+              validate_arg_hash(value)
+            end
+          end
+        end
     end
   end
 end

data/lib/active_storage/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 require_relative "gem_version"
 module ActiveStorage
-  # Returns the version of the currently loaded ActiveStorage as a <tt>Gem::Version</tt>
+  # Returns the currently loaded version of Active Storage as a <tt>Gem::Version</tt>.
   def self.version
     gem_version
   end

data/lib/active_storage.rb CHANGED Viewed

@@ -59,6 +59,297 @@ module ActiveStorage
   mattr_accessor :content_types_to_serve_as_binary, default: []
   mattr_accessor :content_types_allowed_inline,     default: []
+  mattr_accessor :supported_image_processing_methods, default: [
+    "adaptive_blur",
+    "adaptive_resize",
+    "adaptive_sharpen",
+    "adjoin",
+    "affine",
+    "alpha",
+    "annotate",
+    "antialias",
+    "append",
+    "apply",
+    "attenuate",
+    "authenticate",
+    "auto_gamma",
+    "auto_level",
+    "auto_orient",
+    "auto_threshold",
+    "backdrop",
+    "background",
+    "bench",
+    "bias",
+    "bilateral_blur",
+    "black_point_compensation",
+    "black_threshold",
+    "blend",
+    "blue_primary",
+    "blue_shift",
+    "blur",
+    "border",
+    "bordercolor",
+    "borderwidth",
+    "brightness_contrast",
+    "cache",
+    "canny",
+    "caption",
+    "channel",
+    "channel_fx",
+    "charcoal",
+    "chop",
+    "clahe",
+    "clamp",
+    "clip",
+    "clip_path",
+    "clone",
+    "clut",
+    "coalesce",
+    "colorize",
+    "colormap",
+    "color_matrix",
+    "colors",
+    "colorspace",
+    "colourspace",
+    "color_threshold",
+    "combine",
+    "combine_options",
+    "comment",
+    "compare",
+    "complex",
+    "compose",
+    "composite",
+    "compress",
+    "connected_components",
+    "contrast",
+    "contrast_stretch",
+    "convert",
+    "convolve",
+    "copy",
+    "crop",
+    "cycle",
+    "deconstruct",
+    "define",
+    "delay",
+    "delete",
+    "density",
+    "depth",
+    "descend",
+    "deskew",
+    "despeckle",
+    "direction",
+    "displace",
+    "dispose",
+    "dissimilarity_threshold",
+    "dissolve",
+    "distort",
+    "dither",
+    "draw",
+    "duplicate",
+    "edge",
+    "emboss",
+    "encoding",
+    "endian",
+    "enhance",
+    "equalize",
+    "evaluate",
+    "evaluate_sequence",
+    "extent",
+    "extract",
+    "family",
+    "features",
+    "fft",
+    "fill",
+    "filter",
+    "flatten",
+    "flip",
+    "floodfill",
+    "flop",
+    "font",
+    "foreground",
+    "format",
+    "frame",
+    "function",
+    "fuzz",
+    "fx",
+    "gamma",
+    "gaussian_blur",
+    "geometry",
+    "gravity",
+    "grayscale",
+    "green_primary",
+    "hald_clut",
+    "highlight_color",
+    "hough_lines",
+    "iconGeometry",
+    "iconic",
+    "identify",
+    "ift",
+    "illuminant",
+    "immutable",
+    "implode",
+    "insert",
+    "intensity",
+    "intent",
+    "interlace",
+    "interline_spacing",
+    "interpolate",
+    "interpolative_resize",
+    "interword_spacing",
+    "kerning",
+    "kmeans",
+    "kuwahara",
+    "label",
+    "lat",
+    "layers",
+    "level",
+    "level_colors",
+    "limit",
+    "limits",
+    "linear_stretch",
+    "linewidth",
+    "liquid_rescale",
+    "list",
+    "loader",
+    "log",
+    "loop",
+    "lowlight_color",
+    "magnify",
+    "map",
+    "mattecolor",
+    "median",
+    "mean_shift",
+    "metric",
+    "mode",
+    "modulate",
+    "moments",
+    "monitor",
+    "monochrome",
+    "morph",
+    "morphology",
+    "mosaic",
+    "motion_blur",
+    "name",
+    "negate",
+    "noise",
+    "normalize",
+    "opaque",
+    "ordered_dither",
+    "orient",
+    "page",
+    "paint",
+    "pause",
+    "perceptible",
+    "ping",
+    "pointsize",
+    "polaroid",
+    "poly",
+    "posterize",
+    "precision",
+    "preview",
+    "process",
+    "quality",
+    "quantize",
+    "quiet",
+    "radial_blur",
+    "raise",
+    "random_threshold",
+    "range_threshold",
+    "red_primary",
+    "regard_warnings",
+    "region",
+    "remote",
+    "render",
+    "repage",
+    "resample",
+    "resize",
+    "resize_to_fill",
+    "resize_to_fit",
+    "resize_to_limit",
+    "resize_and_pad",
+    "respect_parentheses",
+    "reverse",
+    "roll",
+    "rotate",
+    "sample",
+    "sampling_factor",
+    "saver",
+    "scale",
+    "scene",
+    "screen",
+    "seed",
+    "segment",
+    "selective_blur",
+    "separate",
+    "sepia_tone",
+    "shade",
+    "shadow",
+    "shared_memory",
+    "sharpen",
+    "shave",
+    "shear",
+    "sigmoidal_contrast",
+    "silent",
+    "similarity_threshold",
+    "size",
+    "sketch",
+    "smush",
+    "snaps",
+    "solarize",
+    "sort_pixels",
+    "sparse_color",
+    "splice",
+    "spread",
+    "statistic",
+    "stegano",
+    "stereo",
+    "storage_type",
+    "stretch",
+    "strip",
+    "stroke",
+    "strokewidth",
+    "style",
+    "subimage_search",
+    "swap",
+    "swirl",
+    "synchronize",
+    "taint",
+    "text_font",
+    "threshold",
+    "thumbnail",
+    "tile_offset",
+    "tint",
+    "title",
+    "transform",
+    "transparent",
+    "transparent_color",
+    "transpose",
+    "transverse",
+    "treedepth",
+    "trim",
+    "type",
+    "undercolor",
+    "unique_colors",
+    "units",
+    "unsharp",
+    "update",
+    "valid_image",
+    "view",
+    "vignette",
+    "virtual_pixel",
+    "visual",
+    "watermark",
+    "wave",
+    "wavelet_denoise",
+    "weight",
+    "white_balance",
+    "white_point",
+    "white_threshold",
+    "window",
+    "window_group"
+  ]
+  mattr_accessor :unsupported_image_processing_arguments
   mattr_accessor :service_urls_expire_in, default: 5.minutes
   mattr_accessor :urls_expire_in

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 7.0.2.2
+  version: 7.0.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,56 +16,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.2
+        version: 7.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.2
+        version: 7.0.3
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.2
+        version: 7.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.2
+        version: 7.0.3
 - !ruby/object:Gem::Dependency
   name: activejob
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.2
+        version: 7.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.2
+        version: 7.0.3
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.2
+        version: 7.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.2
+        version: 7.0.3
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -198,10 +198,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.0.2.2/activestorage/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.2.2/
+  changelog_uri: https://github.com/rails/rails/blob/v7.0.3/activestorage/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.3/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.2.2/activestorage
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.3/activestorage
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -218,7 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Local and cloud file storage framework.