activestorage 7.0.2.2 → 7.0.3



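--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 797efdf2ca8b6bb58815e2352e430b2cca2b6defaf37fc4e524c2a2150695f4a
- data.tar.gz: 11490b758f9b6e9c2a9eda88757e5a454ca92e587624ce85cb6235dfa9f10fbd
+ metadata.gz: cb27c3976b612802226ea7343ba6bd9483eb635f1785a0255d8048f936c77fc0
+ data.tar.gz: f4bea0eb4dad8afe87aa78185cb3a9eaa92e7c4eb4bd50a28f5505dba4574a6a
  SHA512:
- metadata.gz: 02a012dd3e41df712e0b4f64576db45634659b369d5e09245c6cc87e1bbb38d31bebd2e110d5782f97477ba2798717f9770167325c68b3b3b8c12d3409c492c5
- data.tar.gz: b89aa21d7d77e5c4ed766c507b06c7c81b34cf79db5fd01f8f1aaa171476e88cf90cabb0e576ebfba698065ab1daee2021cb34b6a9ba2da7054a21907fcd0218
+ metadata.gz: 24ef173da37fd9a08160b3ca83e78633a2f54699c6043ac7c21bf111226c1d94e6f7971acb3c2be035320cbfd6dfae9dd91c85abaaf0f97c922c33e1f5b26043
+ data.tar.gz: 640a260bf6d6bc690491fe365e810117232c3be9c96112ddc9a5d8e68d8d8f680930f3ae065fcaedadb43490de63a3226e8f5cbde1279419d9f23a019e692b7f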
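--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,8 +1,34 @@
- ## Rails 7.0.2.2 (February 11, 2022) ##
+ ## Rails 7.0.3 (May 09, 2022) ##
+
+ * Don't stream responses in redirect mode
+
+ Previously, both redirect mode and proxy mode streamed their
+ responses which caused a new thread to be created, and could end
+ up leaking connections in the connection pool. But since redirect
+ mode doesn't actually send any data, it doesn't need to be
+ streamed.
+
+ *Luke Lau*
+
+ ## Rails 7.0.2.4 (April 26, 2022) ##
 
  * No changes.
 
 
+ ## Rails 7.0.2.3 (March 08, 2022) ##
+
+ * Added image transformation validation via configurable allow-list.
+
+ Variant now offers a configurable allow-list for
+ transformation methods in addition to a configurable deny-list for arguments.
+
+ [CVE-2022-21831]
+
+
+ ## Rails 7.0.2.2 (February 11, 2022) ##
+
+ * No changes.
+
  ## Rails 7.0.2.1 (February 11, 2022) ##
 
  * No changes.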
@@ -2,7 +2,7 @@
2
2
 
3
3
  # The base class for all Active Storage controllers.
4
4
  class ActiveStorage::BaseController < ActionController::Base
5
- include ActiveStorage::SetCurrent, ActiveStorage::Streaming
5
+ include ActiveStorage::SetCurrent
6
6
 
7
7
  protect_from_forgery with: :exception
8
8
 
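Review bot: Removing `ActiveStorage::Streaming` from the base class on the changed `include` line also takes `send_blob_stream` away from any application controller that subclasses `ActiveStorage::BaseController` and streams blobs itself; the changelog entry only talks about redirect mode, so those callers would first learn of it from a NoMethodError. If the narrowing is deliberate, a one-line comment above the include, e.g. `# Streaming is mixed in only by the proxy controllers that actually send blob bytes.`, plus a sentence in the CHANGELOG would make the new contract explicit. The class body continues outside the hunk.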
@@ -8,6 +8,7 @@
8
8
  # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
9
9
  class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
10
10
  include ActiveStorage::SetBlob
11
+ include ActiveStorage::Streaming
11
12
 
12
13
  def show
13
14
  if request.headers["Range"].present?
@@ -7,6 +7,8 @@
7
7
  # require a higher level of protection consider implementing
8
8
  # {Authenticated Controllers}[https://guides.rubyonrails.org/active_storage_overview.html#authenticated-controllers].
9
9
  class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
10
+ include ActiveStorage::Streaming
11
+
10
12
  def show
11
13
  http_cache_forever public: true do
12
14
  send_blob_stream @representation.image, disposition: params[:disposition]
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  # Like an ActiveStorage::Variant, but keeps detail about the variant in the database as an
4
- # ActiveStorage::VariantRecord. This is only used if `ActiveStorage.track_variants` is enabled.
4
+ # ActiveStorage::VariantRecord. This is only used if +ActiveStorage.track_variants+ is enabled.
5
5
  class ActiveStorage::VariantWithRecord
6
6
  attr_reader :blob, :variation
7
7
  delegate :service, to: :blob
@@ -1,5 +1,7 @@
1
1
  class AddServiceNameToActiveStorageBlobs < ActiveRecord::Migration[6.0]
2
2
  def up
3
+ return unless table_exists?(:active_storage_blobs)
4
+
3
5
  unless column_exists?(:active_storage_blobs, :service_name)
4
6
  add_column :active_storage_blobs, :service_name, :string
5
7
 
@@ -12,6 +14,8 @@ class AddServiceNameToActiveStorageBlobs < ActiveRecord::Migration[6.0]
12
14
  end
13
15
 
14
16
  def down
17
+ return unless table_exists?(:active_storage_blobs)
18
+
15
19
  remove_column :active_storage_blobs, :service_name
16
20
  end
17
21
  end
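Review bot: The added `return unless table_exists?(:active_storage_blobs)` in `up` turns the migration into a silent no-op when the blobs table is missing, yet Active Record will still record the version as applied, so `service_name` is never added once the table does appear later; the same holds for the mirrored guard in `down`. Consider at least announcing the skip, e.g. `say "active_storage_blobs does not exist; skipping", true` before each `return`, or a comment above the guard stating why an absent table is expected here and safe to skip rather than an error.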
@@ -1,5 +1,7 @@
1
1
  class CreateActiveStorageVariantRecords < ActiveRecord::Migration[6.0]
2
2
  def change
3
+ return unless table_exists?(:active_storage_blobs)
4
+
3
5
  # Use Active Record's configured type for primary key
4
6
  create_table :active_storage_variant_records, id: primary_key_type, if_not_exists: true do |t|
5
7
  t.belongs_to :blob, null: false, index: false, type: blobs_primary_key_type
@@ -1,5 +1,7 @@
1
1
  class RemoveNotNullOnActiveStorageBlobsChecksum < ActiveRecord::Migration[6.0]
2
2
  def change
3
+ return unless table_exists?(:active_storage_blobs)
4
+
3
5
  change_column_null(:active_storage_blobs, :checksum, true)
4
6
  end
5
7
  end
@@ -93,6 +93,21 @@ module ActiveStorage
93
93
  ActiveStorage.draw_routes = app.config.active_storage.draw_routes != false
94
94
  ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
95
95
 
96
+ ActiveStorage.supported_image_processing_methods += app.config.active_storage.supported_image_processing_methods || []
97
+ ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || %w(
98
+ -debug
99
+ -display
100
+ -distribute-cache
101
+ -help
102
+ -path
103
+ -print
104
+ -set
105
+ -verbose
106
+ -version
107
+ -write
108
+ -write-mask
109
+ )
110
+
96
111
  ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
97
112
  ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
98
113
  ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
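Review bot: The two new settings compose differently: `supported_image_processing_methods` is extended with `+=`, but `unsupported_image_processing_arguments` uses `||`, so an application that sets `config.active_storage.unsupported_image_processing_arguments` to add a single flag silently replaces the whole built-in deny-list (`-write`, `-set`, `-path`, …). If replacement is intended, a comment above the assignment should say so; otherwise keep the defaults in force by making the app value additive, e.g. `ActiveStorage.unsupported_image_processing_arguments = DEFAULT_DENY_LIST | Array(app.config.active_storage.unsupported_image_processing_arguments)` with the `%w(...)` literal moved into that frozen constant. Since the transformer matches these flags by substring, `-write-mask` is already covered by `-write`; harmless, but worth a note so nobody assumes the entries are exact matches.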
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module ActiveStorage
4
- # Returns the version of the currently loaded Active Storage as a <tt>Gem::Version</tt>.
4
+ # Returns the currently loaded version of Active Storage as a <tt>Gem::Version</tt>.
5
5
  def self.gem_version
6
6
  Gem::Version.new VERSION::STRING
7
7
  end
@@ -9,8 +9,8 @@ module ActiveStorage
9
9
  module VERSION
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
- TINY = 2
13
- PRE = "2"
12
+ TINY = 3
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -13,6 +13,9 @@ module ActiveStorage
13
13
  module Transformers
14
14
  class ImageProcessingTransformer < Transformer
15
15
  private
16
+ class UnsupportedImageProcessingMethod < StandardError; end
17
+ class UnsupportedImageProcessingArgument < StandardError; end
18
+
16
19
  def process(file, format:)
17
20
  processor.
18
21
  source(file).
@@ -28,6 +31,10 @@ module ActiveStorage
28
31
 
29
32
  def operations
30
33
  transformations.each_with_object([]) do |(name, argument), list|
34
+ if ActiveStorage.variant_processor == :mini_magick
35
+ validate_transformation(name, argument)
36
+ end
37
+
31
38
  if name.to_s == "combine_options"
32
39
  raise ArgumentError, <<~ERROR.squish
33
40
  Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -40,6 +47,64 @@ module ActiveStorage
40
47
  end
41
48
  end
42
49
  end
50
+
51
+ def validate_transformation(name, argument)
52
+ method_name = name.to_s.tr("-", "_")
53
+
54
+ unless ActiveStorage.supported_image_processing_methods.any? { |method| method_name == method }
55
+ raise UnsupportedImageProcessingMethod, <<~ERROR.squish
56
+ One or more of the provided transformation methods is not supported.
57
+ ERROR
58
+ end
59
+
60
+ if argument.present?
61
+ if argument.is_a?(String) || argument.is_a?(Symbol)
62
+ validate_arg_string(argument)
63
+ elsif argument.is_a?(Array)
64
+ validate_arg_array(argument)
65
+ elsif argument.is_a?(Hash)
66
+ validate_arg_hash(argument)
67
+ end
68
+ end
69
+ end
70
+
71
+ def validate_arg_string(argument)
72
+ unsupported_arguments = ActiveStorage.unsupported_image_processing_arguments.any? do |bad_arg|
73
+ argument.to_s.downcase.include?(bad_arg)
74
+ end
75
+
76
+ raise UnsupportedImageProcessingArgument if unsupported_arguments
77
+ end
78
+
79
+ def validate_arg_array(argument)
80
+ argument.each do |arg|
81
+ if arg.is_a?(Integer) || arg.is_a?(Float)
82
+ next
83
+ elsif arg.is_a?(String) || arg.is_a?(Symbol)
84
+ validate_arg_string(arg)
85
+ elsif arg.is_a?(Array)
86
+ validate_arg_array(arg)
87
+ elsif arg.is_a?(Hash)
88
+ validate_arg_hash(arg)
89
+ end
90
+ end
91
+ end
92
+
93
+ def validate_arg_hash(argument)
94
+ argument.each do |key, value|
95
+ validate_arg_string(key)
96
+
97
+ if value.is_a?(Integer) || value.is_a?(Float)
98
+ next
99
+ elsif value.is_a?(String) || value.is_a?(Symbol)
100
+ validate_arg_string(value)
101
+ elsif value.is_a?(Array)
102
+ validate_arg_array(value)
103
+ elsif value.is_a?(Hash)
104
+ validate_arg_hash(value)
105
+ end
106
+ end
107
+ end
43
108
  end
44
109
  end
45
110
  end
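Review bot: The type dispatch in `validate_arg_array` and `validate_arg_hash` (and the outer one in `validate_transformation`) has no `else`, so an argument that is not an Integer, Float, String, Symbol, Array or Hash — a Pathname, a Rational, or any object with a custom `to_s` — passes through unvalidated even though it is eventually stringified for the processor. Because `validate_arg_string` already calls `to_s` on its input, turning each terminal `elsif arg.is_a?(String) || arg.is_a?(Symbol)` into a plain `else validate_arg_string(arg)` closes that gap without rejecting legitimate values such as `true`. `UnsupportedImageProcessingArgument` is also raised with no message at all; including the offending flag would give an operator something to act on. The enclosing class starts outside the hunk.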
@@ -3,7 +3,7 @@
3
3
  require_relative "gem_version"
4
4
 
5
5
  module ActiveStorage
6
- # Returns the version of the currently loaded ActiveStorage as a <tt>Gem::Version</tt>
6
+ # Returns the currently loaded version of Active Storage as a <tt>Gem::Version</tt>.
7
7
  def self.version
8
8
  gem_version
9
9
  end
@@ -59,6 +59,297 @@ module ActiveStorage
59
59
  mattr_accessor :content_types_to_serve_as_binary, default: []
60
60
  mattr_accessor :content_types_allowed_inline, default: []
61
61
 
62
+ mattr_accessor :supported_image_processing_methods, default: [
63
+ "adaptive_blur",
64
+ "adaptive_resize",
65
+ "adaptive_sharpen",
66
+ "adjoin",
67
+ "affine",
68
+ "alpha",
69
+ "annotate",
70
+ "antialias",
71
+ "append",
72
+ "apply",
73
+ "attenuate",
74
+ "authenticate",
75
+ "auto_gamma",
76
+ "auto_level",
77
+ "auto_orient",
78
+ "auto_threshold",
79
+ "backdrop",
80
+ "background",
81
+ "bench",
82
+ "bias",
83
+ "bilateral_blur",
84
+ "black_point_compensation",
85
+ "black_threshold",
86
+ "blend",
87
+ "blue_primary",
88
+ "blue_shift",
89
+ "blur",
90
+ "border",
91
+ "bordercolor",
92
+ "borderwidth",
93
+ "brightness_contrast",
94
+ "cache",
95
+ "canny",
96
+ "caption",
97
+ "channel",
98
+ "channel_fx",
99
+ "charcoal",
100
+ "chop",
101
+ "clahe",
102
+ "clamp",
103
+ "clip",
104
+ "clip_path",
105
+ "clone",
106
+ "clut",
107
+ "coalesce",
108
+ "colorize",
109
+ "colormap",
110
+ "color_matrix",
111
+ "colors",
112
+ "colorspace",
113
+ "colourspace",
114
+ "color_threshold",
115
+ "combine",
116
+ "combine_options",
117
+ "comment",
118
+ "compare",
119
+ "complex",
120
+ "compose",
121
+ "composite",
122
+ "compress",
123
+ "connected_components",
124
+ "contrast",
125
+ "contrast_stretch",
126
+ "convert",
127
+ "convolve",
128
+ "copy",
129
+ "crop",
130
+ "cycle",
131
+ "deconstruct",
132
+ "define",
133
+ "delay",
134
+ "delete",
135
+ "density",
136
+ "depth",
137
+ "descend",
138
+ "deskew",
139
+ "despeckle",
140
+ "direction",
141
+ "displace",
142
+ "dispose",
143
+ "dissimilarity_threshold",
144
+ "dissolve",
145
+ "distort",
146
+ "dither",
147
+ "draw",
148
+ "duplicate",
149
+ "edge",
150
+ "emboss",
151
+ "encoding",
152
+ "endian",
153
+ "enhance",
154
+ "equalize",
155
+ "evaluate",
156
+ "evaluate_sequence",
157
+ "extent",
158
+ "extract",
159
+ "family",
160
+ "features",
161
+ "fft",
162
+ "fill",
163
+ "filter",
164
+ "flatten",
165
+ "flip",
166
+ "floodfill",
167
+ "flop",
168
+ "font",
169
+ "foreground",
170
+ "format",
171
+ "frame",
172
+ "function",
173
+ "fuzz",
174
+ "fx",
175
+ "gamma",
176
+ "gaussian_blur",
177
+ "geometry",
178
+ "gravity",
179
+ "grayscale",
180
+ "green_primary",
181
+ "hald_clut",
182
+ "highlight_color",
183
+ "hough_lines",
184
+ "iconGeometry",
185
+ "iconic",
186
+ "identify",
187
+ "ift",
188
+ "illuminant",
189
+ "immutable",
190
+ "implode",
191
+ "insert",
192
+ "intensity",
193
+ "intent",
194
+ "interlace",
195
+ "interline_spacing",
196
+ "interpolate",
197
+ "interpolative_resize",
198
+ "interword_spacing",
199
+ "kerning",
200
+ "kmeans",
201
+ "kuwahara",
202
+ "label",
203
+ "lat",
204
+ "layers",
205
+ "level",
206
+ "level_colors",
207
+ "limit",
208
+ "limits",
209
+ "linear_stretch",
210
+ "linewidth",
211
+ "liquid_rescale",
212
+ "list",
213
+ "loader",
214
+ "log",
215
+ "loop",
216
+ "lowlight_color",
217
+ "magnify",
218
+ "map",
219
+ "mattecolor",
220
+ "median",
221
+ "mean_shift",
222
+ "metric",
223
+ "mode",
224
+ "modulate",
225
+ "moments",
226
+ "monitor",
227
+ "monochrome",
228
+ "morph",
229
+ "morphology",
230
+ "mosaic",
231
+ "motion_blur",
232
+ "name",
233
+ "negate",
234
+ "noise",
235
+ "normalize",
236
+ "opaque",
237
+ "ordered_dither",
238
+ "orient",
239
+ "page",
240
+ "paint",
241
+ "pause",
242
+ "perceptible",
243
+ "ping",
244
+ "pointsize",
245
+ "polaroid",
246
+ "poly",
247
+ "posterize",
248
+ "precision",
249
+ "preview",
250
+ "process",
251
+ "quality",
252
+ "quantize",
253
+ "quiet",
254
+ "radial_blur",
255
+ "raise",
256
+ "random_threshold",
257
+ "range_threshold",
258
+ "red_primary",
259
+ "regard_warnings",
260
+ "region",
261
+ "remote",
262
+ "render",
263
+ "repage",
264
+ "resample",
265
+ "resize",
266
+ "resize_to_fill",
267
+ "resize_to_fit",
268
+ "resize_to_limit",
269
+ "resize_and_pad",
270
+ "respect_parentheses",
271
+ "reverse",
272
+ "roll",
273
+ "rotate",
274
+ "sample",
275
+ "sampling_factor",
276
+ "saver",
277
+ "scale",
278
+ "scene",
279
+ "screen",
280
+ "seed",
281
+ "segment",
282
+ "selective_blur",
283
+ "separate",
284
+ "sepia_tone",
285
+ "shade",
286
+ "shadow",
287
+ "shared_memory",
288
+ "sharpen",
289
+ "shave",
290
+ "shear",
291
+ "sigmoidal_contrast",
292
+ "silent",
293
+ "similarity_threshold",
294
+ "size",
295
+ "sketch",
296
+ "smush",
297
+ "snaps",
298
+ "solarize",
299
+ "sort_pixels",
300
+ "sparse_color",
301
+ "splice",
302
+ "spread",
303
+ "statistic",
304
+ "stegano",
305
+ "stereo",
306
+ "storage_type",
307
+ "stretch",
308
+ "strip",
309
+ "stroke",
310
+ "strokewidth",
311
+ "style",
312
+ "subimage_search",
313
+ "swap",
314
+ "swirl",
315
+ "synchronize",
316
+ "taint",
317
+ "text_font",
318
+ "threshold",
319
+ "thumbnail",
320
+ "tile_offset",
321
+ "tint",
322
+ "title",
323
+ "transform",
324
+ "transparent",
325
+ "transparent_color",
326
+ "transpose",
327
+ "transverse",
328
+ "treedepth",
329
+ "trim",
330
+ "type",
331
+ "undercolor",
332
+ "unique_colors",
333
+ "units",
334
+ "unsharp",
335
+ "update",
336
+ "valid_image",
337
+ "view",
338
+ "vignette",
339
+ "virtual_pixel",
340
+ "visual",
341
+ "watermark",
342
+ "wave",
343
+ "wavelet_denoise",
344
+ "weight",
345
+ "white_balance",
346
+ "white_point",
347
+ "white_threshold",
348
+ "window",
349
+ "window_group"
350
+ ]
351
+ mattr_accessor :unsupported_image_processing_arguments
352
+
62
353
  mattr_accessor :service_urls_expire_in, default: 5.minutes
63
354
  mattr_accessor :urls_expire_in
64
355
 
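Review bot: `mattr_accessor :unsupported_image_processing_arguments` is declared without a default while `supported_image_processing_methods` gets one, so until the engine initializer assigns the deny-list — and for anyone driving `ImageProcessingTransformer` without the Rails engine — it is `nil` and the transformer's `.any?` call fails with NoMethodError instead of rejecting anything. Declaring the default here, `mattr_accessor :unsupported_image_processing_arguments, default: %w(-debug -display -distribute-cache -help -path -print -set -verbose -version -write -write-mask)`, keeps both lists defined in one place and lets the engine merely override it. Freezing both default arrays would also stop a stray `<<` from mutating the shared allow-list at runtime.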
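--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: activestorage
  version: !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-02-11 00:00:00.000000000 Z
+ date: 2022-05-09 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,56 +16,56 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  - !ruby/object:Gem::Dependency
  name: actionpack
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  - !ruby/object:Gem::Dependency
  name: activejob
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  - !ruby/object:Gem::Dependency
  name: activerecord
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.3
  - !ruby/object:Gem::Dependency
  name: marcel
  requirement: !ruby/object:Gem::Requirement
@@ -198,10 +198,10 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v7.0.2.2/activestorage/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.2.2/
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.3/activestorage/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.3/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.2.2/activestorage
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.3/activestorage
  rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: []
@@ -218,7 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.2.22
+ rubygems_version: 3.3.7
  signing_key:
  specification_version: 4
  summary: Local and cloud file storage framework.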