activestorage 6.0.4.6 → 6.0.4.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd478b94709d7df9dbb70008f89cb1b5bf7e6984e025f3cadea8e1f7c27d0383
-  data.tar.gz: 4ccf47891c900e624d8d93935460ad0951198cf5a096177fab0ffa46f4b89179
+  metadata.gz: b8abd4646a5f7b15789f20d256008fcd705b0ebefa2c253bd303badc8f80c947
+  data.tar.gz: 2cb4987c87f06cab5c713476aa1f47857402ded737c4b7bd27ebecf26517578e
 SHA512:
-  metadata.gz: bbca4133f93dbc6a64151d30f4023f8da2e1e8fa6fb37c43e6e312ff090cd5c498e54f5abf0858ccab79d4a68b7631f4d98157dcc7a65bbda4d04ac9ec605840
-  data.tar.gz: 49b603b52623d68bc21295a65337aad7025a822c02e1d90ef8e7eb7977aa03cab78b2100bebf77f15ab229483e6bd0d830a1d0d46cc7343a5f5dfdea2e9c4378
+  metadata.gz: 66125107a143936b03c67031ec099610a38d3c4fe1866bee350c3731df963d436873d898c81383953ca68a72eb6ca0954de5028e76dec4b9fc0fc84727b35bea
+  data.tar.gz: 14d18de480bc99e5f080eaab1f1f5aaf9c05b237cf12977cb2038fe031f24ebc0542df509243d3cf664204a26ec8099909468130f9d865c080bb78e069348523

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## Rails 6.0.4.7 (March 08, 2022) ##
+
+*   Added image transformation validation via configurable allow-list.
+    
+    Variant now offers a configurable allow-list for
+    transformation methods in addition to a configurable deny-list for arguments.
+    
+    [CVE-2022-21831]
+
+
 ## Rails 6.0.4.6 (February 11, 2022) ##
 
 *   No changes.

data/lib/active_storage/engine.rb

@@ -63,6 +63,20 @@ module ActiveStorage
       application/pdf
     )
 
+    default_unsupported_image_processing_arguments = %w(
+      -debug
+      -display
+      -distribute-cache
+      -help
+      -path
+      -print
+      -set
+      -verbose
+      -version
+      -write
+      -write-mask
+    )
+
     config.eager_load_namespaces << ActiveStorage
 
     initializer "active_storage.configs" do
@@ -74,6 +88,8 @@ module ActiveStorage
         ActiveStorage.paths             = app.config.active_storage.paths || {}
         ActiveStorage.routes_prefix     = app.config.active_storage.routes_prefix || "/rails/active_storage"
 
+        ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
+        ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
         ActiveStorage.service_urls_expire_in = app.config.active_storage.service_urls_expire_in || 5.minutes

data/lib/active_storage/gem_version.rb

@@ -10,7 +10,7 @@ module ActiveStorage
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "6"
+    PRE   = "7"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/transformers/image_processing_transformer.rb

@@ -6,6 +6,300 @@ module ActiveStorage
   module Transformers
     class ImageProcessingTransformer < Transformer
       private
+        class UnsupportedImageProcessingMethod < StandardError; end
+        class UnsupportedImageProcessingArgument < StandardError; end
+        SUPPORTED_IMAGE_PROCESSING_METHODS = [
+          "adaptive_blur",
+          "adaptive_resize",
+          "adaptive_sharpen",
+          "adjoin",
+          "affine",
+          "alpha",
+          "annotate",
+          "antialias",
+          "append",
+          "apply",
+          "attenuate",
+          "authenticate",
+          "auto_gamma",
+          "auto_level",
+          "auto_orient",
+          "auto_threshold",
+          "backdrop",
+          "background",
+          "bench",
+          "bias",
+          "bilateral_blur",
+          "black_point_compensation",
+          "black_threshold",
+          "blend",
+          "blue_primary",
+          "blue_shift",
+          "blur",
+          "border",
+          "bordercolor",
+          "borderwidth",
+          "brightness_contrast",
+          "cache",
+          "canny",
+          "caption",
+          "channel",
+          "channel_fx",
+          "charcoal",
+          "chop",
+          "clahe",
+          "clamp",
+          "clip",
+          "clip_path",
+          "clone",
+          "clut",
+          "coalesce",
+          "colorize",
+          "colormap",
+          "color_matrix",
+          "colors",
+          "colorspace",
+          "colourspace",
+          "color_threshold",
+          "combine",
+          "combine_options",
+          "comment",
+          "compare",
+          "complex",
+          "compose",
+          "composite",
+          "compress",
+          "connected_components",
+          "contrast",
+          "contrast_stretch",
+          "convert",
+          "convolve",
+          "copy",
+          "crop",
+          "cycle",
+          "deconstruct",
+          "define",
+          "delay",
+          "delete",
+          "density",
+          "depth",
+          "descend",
+          "deskew",
+          "despeckle",
+          "direction",
+          "displace",
+          "dispose",
+          "dissimilarity_threshold",
+          "dissolve",
+          "distort",
+          "dither",
+          "draw",
+          "duplicate",
+          "edge",
+          "emboss",
+          "encoding",
+          "endian",
+          "enhance",
+          "equalize",
+          "evaluate",
+          "evaluate_sequence",
+          "extent",
+          "extract",
+          "family",
+          "features",
+          "fft",
+          "fill",
+          "filter",
+          "flatten",
+          "flip",
+          "floodfill",
+          "flop",
+          "font",
+          "foreground",
+          "format",
+          "frame",
+          "function",
+          "fuzz",
+          "fx",
+          "gamma",
+          "gaussian_blur",
+          "geometry",
+          "gravity",
+          "grayscale",
+          "green_primary",
+          "hald_clut",
+          "highlight_color",
+          "hough_lines",
+          "iconGeometry",
+          "iconic",
+          "identify",
+          "ift",
+          "illuminant",
+          "immutable",
+          "implode",
+          "insert",
+          "intensity",
+          "intent",
+          "interlace",
+          "interline_spacing",
+          "interpolate",
+          "interpolative_resize",
+          "interword_spacing",
+          "kerning",
+          "kmeans",
+          "kuwahara",
+          "label",
+          "lat",
+          "layers",
+          "level",
+          "level_colors",
+          "limit",
+          "limits",
+          "linear_stretch",
+          "linewidth",
+          "liquid_rescale",
+          "list",
+          "loader",
+          "log",
+          "loop",
+          "lowlight_color",
+          "magnify",
+          "map",
+          "mattecolor",
+          "median",
+          "mean_shift",
+          "metric",
+          "mode",
+          "modulate",
+          "moments",
+          "monitor",
+          "monochrome",
+          "morph",
+          "morphology",
+          "mosaic",
+          "motion_blur",
+          "name",
+          "negate",
+          "noise",
+          "normalize",
+          "opaque",
+          "ordered_dither",
+          "orient",
+          "page",
+          "paint",
+          "pause",
+          "perceptible",
+          "ping",
+          "pointsize",
+          "polaroid",
+          "poly",
+          "posterize",
+          "precision",
+          "preview",
+          "process",
+          "quality",
+          "quantize",
+          "quiet",
+          "radial_blur",
+          "raise",
+          "random_threshold",
+          "range_threshold",
+          "red_primary",
+          "regard_warnings",
+          "region",
+          "remote",
+          "render",
+          "repage",
+          "resample",
+          "resize",
+          "resize_to_fill",
+          "resize_to_fit",
+          "resize_to_limit",
+          "resize_and_pad",
+          "respect_parentheses",
+          "reverse",
+          "roll",
+          "rotate",
+          "sample",
+          "sampling_factor",
+          "saver",
+          "scale",
+          "scene",
+          "screen",
+          "seed",
+          "segment",
+          "selective_blur",
+          "separate",
+          "sepia_tone",
+          "shade",
+          "shadow",
+          "shared_memory",
+          "sharpen",
+          "shave",
+          "shear",
+          "sigmoidal_contrast",
+          "silent",
+          "similarity_threshold",
+          "size",
+          "sketch",
+          "smush",
+          "snaps",
+          "solarize",
+          "sort_pixels",
+          "sparse_color",
+          "splice",
+          "spread",
+          "statistic",
+          "stegano",
+          "stereo",
+          "storage_type",
+          "stretch",
+          "strip",
+          "stroke",
+          "strokewidth",
+          "style",
+          "subimage_search",
+          "swap",
+          "swirl",
+          "synchronize",
+          "taint",
+          "text_font",
+          "threshold",
+          "thumbnail",
+          "tile_offset",
+          "tint",
+          "title",
+          "transform",
+          "transparent",
+          "transparent_color",
+          "transpose",
+          "transverse",
+          "treedepth",
+          "trim",
+          "type",
+          "undercolor",
+          "unique_colors",
+          "units",
+          "unsharp",
+          "update",
+          "valid_image",
+          "view",
+          "vignette",
+          "virtual_pixel",
+          "visual",
+          "watermark",
+          "wave",
+          "wavelet_denoise",
+          "weight",
+          "white_balance",
+          "white_point",
+          "white_threshold",
+          "window",
+          "window_group"
+        ].concat(ActiveStorage.supported_image_processing_methods)
+
+        UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
+
         def process(file, format:)
           processor.
             source(file).
@@ -21,6 +315,16 @@ module ActiveStorage
 
         def operations
           transformations.each_with_object([]) do |(name, argument), list|
+            if ActiveStorage.variant_processor == :mini_magick
+              if name.to_s == "combine_options"
+                argument.each do |subtransformation_name, subtransformation_argument|
+                  validate_transformation(subtransformation_name, subtransformation_argument)
+                end
+              else
+                validate_transformation(name, argument)
+              end
+            end
+
             if name.to_s == "combine_options"
               ActiveSupport::Deprecation.warn <<~WARNING.squish
                 Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -34,6 +338,60 @@ module ActiveStorage
             end
           end
         end
+
+        def validate_transformation(name, argument)
+          method_name = name.to_s.gsub("-","_")
+
+          unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
+            raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+              One or more of the provided transformation methods is not supported.
+            ERROR
+          end
+
+          if argument.present?
+            if argument.is_a?(String) || argument.is_a?(Symbol)
+              validate_arg_string(argument)
+            elsif argument.is_a?(Array)
+              validate_arg_array(argument)
+            elsif argument.is_a?(Hash)
+              validate_arg_hash(argument)
+            end
+          end
+        end
+
+        def validate_arg_string(argument)
+          if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+        end
+
+        def validate_arg_array(argument)
+          argument.each do |arg|
+            if arg.is_a?(Integer) || arg.is_a?(Float)
+              next
+            elsif arg.is_a?(String) || arg.is_a?(Symbol)
+              validate_arg_string(arg)
+            elsif arg.is_a?(Array)
+              validate_arg_array(arg)
+            elsif arg.is_a?(Hash)
+              validate_arg_hash(arg)
+            end
+          end
+        end
+
+        def validate_arg_hash(argument)
+          argument.each do |key, value|
+            validate_arg_string(key)
+
+            if value.is_a?(Integer) || value.is_a?(Float)
+              next
+            elsif value.is_a?(String) || value.is_a?(Symbol)
+              validate_arg_string(value)
+            elsif value.is_a?(Array)
+              validate_arg_array(value)
+            elsif value.is_a?(Hash)
+              validate_arg_hash(value)
+            end
+          end
+        end
     end
   end
 end

data/lib/active_storage.rb

@@ -52,10 +52,12 @@ module ActiveStorage
 
   mattr_accessor :paths, default: {}
 
-  mattr_accessor :variable_content_types,           default: []
-  mattr_accessor :binary_content_type,              default: "application/octet-stream"
-  mattr_accessor :content_types_to_serve_as_binary, default: []
-  mattr_accessor :content_types_allowed_inline,     default: []
+  mattr_accessor :variable_content_types,             default: []
+  mattr_accessor :binary_content_type,                default: "application/octet-stream"
+  mattr_accessor :content_types_to_serve_as_binary,   default: []
+  mattr_accessor :content_types_allowed_inline,       default: []
+  mattr_accessor :supported_image_processing_methods, default: []
+  mattr_accessor :unsupported_image_processing_arguments
 
   mattr_accessor :service_urls_expire_in, default: 5.minutes
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 6.0.4.6
+  version: 6.0.4.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,42 +16,42 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4.6
+        version: 6.0.4.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4.6
+        version: 6.0.4.7
 - !ruby/object:Gem::Dependency
   name: activejob
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4.6
+        version: 6.0.4.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4.6
+        version: 6.0.4.7
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4.6
+        version: 6.0.4.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.4.6
+        version: 6.0.4.7
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -151,10 +151,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.0.4.6/activestorage/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.4.6/
+  changelog_uri: https://github.com/rails/rails/blob/v6.0.4.7/activestorage/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.4.7/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.4.6/activestorage
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.4.7/activestorage
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -170,7 +170,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Local and cloud file storage framework.