activestorage 7.1.3.4 → 7.1.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 10c31beefd192ae50216812e96dd7326c6d301f84f3a9ac4c42cf41369bfbd68
-  data.tar.gz: b744929e6b8cab0e2c2d2f834b453d538fad962a42b6b52f62ed74cf67fd000b
+  metadata.gz: 3e2fdc79c02f31ae87546d38d509d76e6745aa1613b53d3242036eaede2df98c
+  data.tar.gz: db43b46d975c7794b7dcc9948899b4c1cdd1f4d8002266e6bd9078fee560732f
 SHA512:
-  metadata.gz: 93dcf40c82c8a7ecb7308c9e90c42a22816876cfe31c42304369a3979b4a6153a6296a8509d60a9e28bccdd0789f299ef3a734cb0b1b46ca1bd1cbd3c5f411ea
-  data.tar.gz: 56d0c210295b80a5bd0fa4145901652ddb3d1baede6a22993a294ae4031a378e99c45775e73caefa8890cf6a5bdafb224c215fc12ca33c20491a0cdf1b201b17
+  metadata.gz: 93ff6753974b1f2ce12bb81c867c5ae0432de55dcb90db8e768c9911152651f48594c312f321c5e8e5971be826556f8338e20b80a07fd736a54884b0af2f790c
+  data.tar.gz: fa516053c9d81e0c6ac8003e5aeaee1be1e62c16e32c9ae0ec2fbcae41ebb255c3e49e780c5b1b58ca57049ee3ed421ecc08eb822d42ba58fb30e86d6c1ebdaf

data/CHANGELOG.md

@@ -1,3 +1,38 @@
+## Rails 7.1.5.2 (August 13, 2025) ##
+
+    Remove dangerous transformations
+
+    [CVE-2025-24293]
+
+    *Zack Deveau*
+
+## Rails 7.1.5.1 (December 10, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.1.5 (October 30, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.1.4.2 (October 23, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.1.4.1 (October 15, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.1.4 (August 22, 2024) ##
+
+*   Fixes race condition for multiple preprocessed video variants.
+
+    *Justin Searls*
+
+
 ## Rails 7.1.3.4 (June 04, 2024) ##
 
 *   No changes.

data/app/jobs/active_storage/preview_image_job.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class ActiveStorage::PreviewImageJob < ActiveStorage::BaseJob
+  queue_as { ActiveStorage.queues[:preview_image] }
+
+  discard_on ActiveRecord::RecordNotFound, ActiveStorage::UnrepresentableError
+  retry_on ActiveStorage::IntegrityError, attempts: 10, wait: :polynomially_longer
+
+  def perform(blob, variations)
+    blob.preview({}).processed
+
+    variations.each do |transformations|
+      blob.preprocessed(transformations)
+    end
+  end
+end

data/app/models/active_storage/attachment.rb

@@ -132,8 +132,18 @@ class ActiveStorage::Attachment < ActiveStorage::Record
     end
 
     def transform_variants_later
-      named_variants.each do |_name, named_variant|
-        blob.preprocessed(named_variant.transformations) if named_variant.preprocessed?(record)
+      preprocessed_variations = named_variants.filter_map { |_name, named_variant|
+        if named_variant.preprocessed?(record)
+          named_variant.transformations
+        end
+      }
+
+      if blob.preview_image_needed_before_processing_variants?
+        blob.create_preview_image_later(preprocessed_variations)
+      else
+        preprocessed_variations.each do |transformations|
+          blob.preprocessed(transformations)
+        end
       end
     end
 

data/app/models/active_storage/blob/representable.rb

@@ -98,6 +98,14 @@ module ActiveStorage::Blob::Representable
     variable? || previewable?
   end
 
+  def preview_image_needed_before_processing_variants? # :nodoc:
+    previewable? && !preview_image.attached?
+  end
+
+  def create_preview_image_later(variations) # :nodoc:
+    ActiveStorage::PreviewImageJob.perform_later(self, variations) if representable?
+  end
+
   def preprocessed(transformations) # :nodoc:
     ActiveStorage::TransformJob.perform_later(self, transformations) if representable?
   end

data/lib/active_storage/attached/model.rb

@@ -74,8 +74,10 @@ module ActiveStorage
       # The system has been designed to having you go through the ActiveStorage::Attached::One
       # proxy that provides the dynamic proxy to the associations and factory methods, like +attach+.
       #
-      # If the +:dependent+ option isn't set, the attachment will be purged
-      # (i.e. destroyed) whenever the record is destroyed.
+      # The +:dependent+ option defaults to +:purge_later+. This means the attachment will be
+      # purged (i.e. destroyed) in the background whenever the record is destroyed.
+      # If an ActiveJob::Backend queue adapter is not set in the application set it to
+      # +purge+ instead.
       #
       # If you need the attachment to use a service which differs from the globally configured one,
       # pass the +:service+ option. For instance:
@@ -162,8 +164,10 @@ module ActiveStorage
       # The system has been designed to having you go through the ActiveStorage::Attached::Many
       # proxy that provides the dynamic proxy to the associations and factory methods, like +#attach+.
       #
-      # If the +:dependent+ option isn't set, all the attachments will be purged
-      # (i.e. destroyed) whenever the record is destroyed.
+      # The +:dependent+ option defaults to +:purge_later+. This means the attachments will be
+      # purged (i.e. destroyed) in the background whenever the record is destroyed.
+      # If an ActiveJob::Backend queue adapter is not set in the application set it to
+      # +purge+ instead.
       #
       # If you need the attachment to use a service which differs from the globally configured one,
       # pass the +:service+ option. For instance:

data/lib/active_storage/gem_version.rb

@@ -9,8 +9,8 @@ module ActiveStorage
   module VERSION
     MAJOR = 7
     MINOR = 1
-    TINY  = 3
-    PRE   = "4"
+    TINY  = 5
+    PRE   = "2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage.rb

@@ -35,7 +35,7 @@ require "active_storage/errors"
 require "marcel"
 
 # :markup: markdown
-# :include: activestorage/README.md
+# :include: ../README.md
 module ActiveStorage
   extend ActiveSupport::Autoload
 
@@ -72,7 +72,6 @@ module ActiveStorage
     "annotate",
     "antialias",
     "append",
-    "apply",
     "attenuate",
     "authenticate",
     "auto_gamma",
@@ -213,7 +212,6 @@ module ActiveStorage
     "linewidth",
     "liquid_rescale",
     "list",
-    "loader",
     "log",
     "loop",
     "lowlight_color",
@@ -276,7 +274,6 @@ module ActiveStorage
     "rotate",
     "sample",
     "sampling_factor",
-    "saver",
     "scale",
     "scene",
     "screen",

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 7.1.3.4
+  version: 7.1.5.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-04 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,56 +15,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.5.2
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.5.2
 - !ruby/object:Gem::Dependency
   name: activejob
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.5.2
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.5.2
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -116,6 +115,7 @@ files:
 - app/jobs/active_storage/analyze_job.rb
 - app/jobs/active_storage/base_job.rb
 - app/jobs/active_storage/mirror_job.rb
+- app/jobs/active_storage/preview_image_job.rb
 - app/jobs/active_storage/purge_job.rb
 - app/jobs/active_storage/transform_job.rb
 - app/models/active_storage/attachment.rb
@@ -189,12 +189,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.3.4/activestorage/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.3.4/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.5.2/activestorage/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.5.2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.3.4/activestorage
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.5.2/activestorage
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -209,8 +208,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.27
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Local and cloud file storage framework.
 test_files: []