activestorage 5.2.6.2 → 5.2.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77a86d36739462dae9f19160381a10a393b6ac4332a142c6621ee182c0576fc6
-  data.tar.gz: 0e8c581ab7e4dc77d752a399ff5106aa376633068bf27c0c9ca0908d74542f69
+  metadata.gz: 13b52cd35b6dc01b7589a2c6a666628f0dd9022a7003be3b4ccb461854aa8f54
+  data.tar.gz: c5b000e97cc5c5da0800bb963892f20857841d1a6c1d1d41224c7053b340aaaa
 SHA512:
-  metadata.gz: 82568e892f764f230bba24910a979c264788c4e33c70633936f9bde67321d3a30c0a9cdf065d26ebf92b1c46dcaeb3a84f45d050efb6a6428cfb2a4d17ddc291
-  data.tar.gz: 7c734a0f2f8e585e245b368b4f83a5c629fa5d15bf39d5fa4721aca0a6747680af6e9458691af58d4ff439e45bddfa9c8bd8070671ddd1b3c83038e8c02f3fb8
+  metadata.gz: 81552bc85fb46cac27886e71abd1434d0e184e8eb6f679642e6cc2589c6c8e1f72aea689ab169407a6467bc03d2a846ed77d36c6ea4ee55102d451fc9be1ade8
+  data.tar.gz: 907cc0d61bf68b93edecfd2caabc06656a5a31b7a64931c98342005ddf8976a0c33d412e376da464f1453a738156efa8769449ffd554f14c08d20bd853329cd6

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## Rails 5.2.6.3 (March 08, 2022) ##
+
+*   Added image transformation validation via configurable allow-list.
+    
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+    
+    [CVE-2022-21831]
+
+
 ## Rails 5.2.6.2 (February 11, 2022) ##
 
 *   No changes.

data/app/models/active_storage/variation.rb

@@ -20,6 +20,301 @@
 class ActiveStorage::Variation
   attr_reader :transformations
 
+  class UnsupportedImageProcessingMethod < StandardError; end
+  class UnsupportedImageProcessingArgument < StandardError; end
+
+  SUPPORTED_IMAGE_PROCESSING_METHODS = [
+   "adaptive_blur",
+   "adaptive_resize",
+   "adaptive_sharpen",
+   "adjoin",
+   "affine",
+   "alpha",
+   "annotate",
+   "antialias",
+   "append",
+   "apply",
+   "attenuate",
+   "authenticate",
+   "auto_gamma",
+   "auto_level",
+   "auto_orient",
+   "auto_threshold",
+   "backdrop",
+   "background",
+   "bench",
+   "bias",
+   "bilateral_blur",
+   "black_point_compensation",
+   "black_threshold",
+   "blend",
+   "blue_primary",
+   "blue_shift",
+   "blur",
+   "border",
+   "bordercolor",
+   "borderwidth",
+   "brightness_contrast",
+   "cache",
+   "canny",
+   "caption",
+   "channel",
+   "channel_fx",
+   "charcoal",
+   "chop",
+   "clahe",
+   "clamp",
+   "clip",
+   "clip_path",
+   "clone",
+   "clut",
+   "coalesce",
+   "colorize",
+   "colormap",
+   "color_matrix",
+   "colors",
+   "colorspace",
+   "colourspace",
+   "color_threshold",
+   "combine",
+   "combine_options",
+   "comment",
+   "compare",
+   "complex",
+   "compose",
+   "composite",
+   "compress",
+   "connected_components",
+   "contrast",
+   "contrast_stretch",
+   "convert",
+   "convolve",
+   "copy",
+   "crop",
+   "cycle",
+   "deconstruct",
+   "define",
+   "delay",
+   "delete",
+   "density",
+   "depth",
+   "descend",
+   "deskew",
+   "despeckle",
+   "direction",
+   "displace",
+   "dispose",
+   "dissimilarity_threshold",
+   "dissolve",
+   "distort",
+   "dither",
+   "draw",
+   "duplicate",
+   "edge",
+   "emboss",
+   "encoding",
+   "endian",
+   "enhance",
+   "equalize",
+   "evaluate",
+   "evaluate_sequence",
+   "extent",
+   "extract",
+   "family",
+   "features",
+   "fft",
+   "fill",
+   "filter",
+   "flatten",
+   "flip",
+   "floodfill",
+   "flop",
+   "font",
+   "foreground",
+   "format",
+   "frame",
+   "function",
+   "fuzz",
+   "fx",
+   "gamma",
+   "gaussian_blur",
+   "geometry",
+   "gravity",
+   "grayscale",
+   "green_primary",
+   "hald_clut",
+   "highlight_color",
+   "hough_lines",
+   "iconGeometry",
+   "iconic",
+   "identify",
+   "ift",
+   "illuminant",
+   "immutable",
+   "implode",
+   "insert",
+   "intensity",
+   "intent",
+   "interlace",
+   "interline_spacing",
+   "interpolate",
+   "interpolative_resize",
+   "interword_spacing",
+   "kerning",
+   "kmeans",
+   "kuwahara",
+   "label",
+   "lat",
+   "layers",
+   "level",
+   "level_colors",
+   "limit",
+   "limits",
+   "linear_stretch",
+   "linewidth",
+   "liquid_rescale",
+   "list",
+   "loader",
+   "log",
+   "loop",
+   "lowlight_color",
+   "magnify",
+   "map",
+   "mattecolor",
+   "median",
+   "mean_shift",
+   "metric",
+   "mode",
+   "modulate",
+   "moments",
+   "monitor",
+   "monochrome",
+   "morph",
+   "morphology",
+   "mosaic",
+   "motion_blur",
+   "name",
+   "negate",
+   "noise",
+   "normalize",
+   "opaque",
+   "ordered_dither",
+   "orient",
+   "page",
+   "paint",
+   "pause",
+   "perceptible",
+   "ping",
+   "pointsize",
+   "polaroid",
+   "poly",
+   "posterize",
+   "precision",
+   "preview",
+   "process",
+   "quality",
+   "quantize",
+   "quiet",
+   "radial_blur",
+   "raise",
+   "random_threshold",
+   "range_threshold",
+   "red_primary",
+   "regard_warnings",
+   "region",
+   "remote",
+   "render",
+   "repage",
+   "resample",
+   "resize",
+   "resize_to_fill",
+   "resize_to_fit",
+   "resize_to_limit",
+   "resize_and_pad",
+   "respect_parentheses",
+   "reverse",
+   "roll",
+   "rotate",
+   "sample",
+   "sampling_factor",
+   "saver",
+   "scale",
+   "scene",
+   "screen",
+   "seed",
+   "segment",
+   "selective_blur",
+   "separate",
+   "sepia_tone",
+   "shade",
+   "shadow",
+   "shared_memory",
+   "sharpen",
+   "shave",
+   "shear",
+   "sigmoidal_contrast",
+   "silent",
+   "similarity_threshold",
+   "size",
+   "sketch",
+   "smush",
+   "snaps",
+   "solarize",
+   "sort_pixels",
+   "sparse_color",
+   "splice",
+   "spread",
+   "statistic",
+   "stegano",
+   "stereo",
+   "storage_type",
+   "stretch",
+   "strip",
+   "stroke",
+   "strokewidth",
+   "style",
+   "subimage_search",
+   "swap",
+   "swirl",
+   "synchronize",
+   "taint",
+   "text_font",
+   "threshold",
+   "thumbnail",
+   "tile_offset",
+   "tint",
+   "title",
+   "transform",
+   "transparent",
+   "transparent_color",
+   "transpose",
+   "transverse",
+   "treedepth",
+   "trim",
+   "type",
+   "undercolor",
+   "unique_colors",
+   "units",
+   "unsharp",
+   "update",
+   "valid_image",
+   "view",
+   "vignette",
+   "virtual_pixel",
+   "visual",
+   "watermark",
+   "wave",
+   "wavelet_denoise",
+   "weight",
+   "white_balance",
+   "white_point",
+   "white_threshold",
+   "window",
+   "window_group",
+  ].concat(ActiveStorage.supported_image_processing_methods)
+
+  UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
+
   class << self
     # Returns a Variation instance based on the given variator. If the variator is a Variation, it is
     # returned unmodified. If it is a String, it is passed to ActiveStorage::Variation.decode. Otherwise,
@@ -56,12 +351,15 @@ class ActiveStorage::Variation
   def transform(image)
     ActiveSupport::Notifications.instrument("transform.active_storage") do
       transformations.each do |name, argument_or_subtransformations|
+        validate_transformation(name, argument_or_subtransformations)
         image.mogrify do |command|
           if name.to_s == "combine_options"
             argument_or_subtransformations.each do |subtransformation_name, subtransformation_argument|
+              validate_transformation(subtransformation_name, subtransformation_argument)
               pass_transform_argument(command, subtransformation_name, subtransformation_argument)
             end
           else
+            validate_transformation(name, argument_or_subtransformations)
             pass_transform_argument(command, name, argument_or_subtransformations)
           end
         end
@@ -86,4 +384,58 @@ class ActiveStorage::Variation
     def eligible_argument?(argument)
       argument.present? && argument != true
     end
+
+    def validate_transformation(name, argument)
+      method_name = name.to_s.gsub("-","_")
+
+      unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
+        raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+          One or more of the provided transformation methods is not supported.
+        ERROR
+      end
+
+      if argument.present?
+        if argument.is_a?(String) || argument.is_a?(Symbol)
+          validate_arg_string(argument)
+        elsif argument.is_a?(Array)
+          validate_arg_array(argument)
+        elsif argument.is_a?(Hash)
+          validate_arg_hash(argument)
+        end
+      end
+    end
+
+    def validate_arg_string(argument)
+      if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+    end
+
+    def validate_arg_array(argument)
+      argument.each do |arg|
+        if arg.is_a?(Integer) || arg.is_a?(Float)
+          next
+        elsif arg.is_a?(String) || arg.is_a?(Symbol)
+          validate_arg_string(arg)
+        elsif arg.is_a?(Array)
+          validate_arg_array(arg)
+        elsif arg.is_a?(Hash)
+          validate_arg_hash(arg)
+        end
+      end
+    end
+
+    def validate_arg_hash(argument)
+      argument.each do |key, value|
+        validate_arg_string(key)
+
+        if value.is_a?(Integer) || value.is_a?(Float)
+          next
+        elsif value.is_a?(String) || value.is_a?(Symbol)
+          validate_arg_string(value)
+        elsif value.is_a?(Array)
+          validate_arg_array(value)
+        elsif value.is_a?(Hash)
+          validate_arg_hash(value)
+        end
+      end
+    end
 end

data/lib/active_storage/engine.rb

@@ -51,6 +51,20 @@ module ActiveStorage
       application/pdf
     )
 
+    default_unsupported_image_processing_arguments = %w(
+      -debug
+      -display
+      -distribute-cache
+      -help
+      -path
+      -print
+      -set
+      -verbose
+      -version
+      -write
+      -write-mask
+    )
+
     config.eager_load_namespaces << ActiveStorage
 
     initializer "active_storage.configs" do
@@ -61,6 +75,8 @@ module ActiveStorage
         ActiveStorage.analyzers  = app.config.active_storage.analyzers || []
         ActiveStorage.paths      = app.config.active_storage.paths || {}
 
+        ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
+        ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
         ActiveStorage.content_types_allowed_inline = app.config.active_storage.content_types_allowed_inline || []

data/lib/active_storage/gem_version.rb

@@ -10,7 +10,7 @@ module ActiveStorage
     MAJOR = 5
     MINOR = 2
     TINY  = 6
-    PRE   = "2"
+    PRE   = "3"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage.rb

@@ -50,4 +50,6 @@ module ActiveStorage
   mattr_accessor :content_types_to_serve_as_binary, default: []
   mattr_accessor :content_types_allowed_inline, default: []
   mattr_accessor :binary_content_type, default: "application/octet-stream"
+  mattr_accessor :supported_image_processing_methods, default: []
+  mattr_accessor :unsupported_image_processing_arguments
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 5.2.6.2
+  version: 5.2.6.3
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.6.2
+        version: 5.2.6.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.6.2
+        version: 5.2.6.3
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.6.2
+        version: 5.2.6.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.6.2
+        version: 5.2.6.3
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -124,8 +124,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.6.2/activestorage
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.6.2/activestorage/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.6.3/activestorage
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.6.3/activestorage/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths: