activestorage 6.1.4.6 → 6.1.4.7



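--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
- metadata.gz: 4f78821f730cf6d374a408a0b130b92437182d3026404916ca79618e7c8b2ffd
- data.tar.gz: 613fab9e9ce486a0897f55c0cf654e0edd98549cdc963813367289651f1bb03e
+ metadata.gz: 78649b7f2ca40b322750c583e72493acf680a1b7f32bb2c8a1e20eb69ebd1df8
+ data.tar.gz: fe790afaf918cb57fedbfac741cb3f6baeed0e62a6cbb3854568ab1b8a1ab126
 SHA512:
- metadata.gz: bf9329ba6d4500c9f31b0390fabd11854354d3ad6b131280e148912487deb119168dfe35a4fb92db4ee55708c665065b76845f815c96b26557405eb0e13a71a3
- data.tar.gz: 88cbbc25f7b4d8cbeb5eb57805d79f4d7df2288391835a9abe3aace1680a265edb369bf284dfc99713be94e74998323474f87bb70cb89b7ba7a01273ced37b3d
+ metadata.gz: 2e94e94a8f3b462d223a930446344d9f315de7881be67b841f45cecafb4ae11895308dea426a4b073dd8d9495ed6eda7ad53b9051d8c2ba1a24ec40319069ab3
+ data.tar.gz: 527abfc288dfa20d5e24224bc50580f0f2b65f2e5273be729b914976a5cb649dadfab7428bc0a6eac0aa76e331bd6a10b6002f7d0e1a17a60f1741e259749904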
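--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,13 @@
+## Rails 6.1.4.7 (March 08, 2022) ##
+
+* Added image transformation validation via configurable allow-list.
+
+Variant now offers a configurable allow-list for
+transformation methods in addition to a configurable deny-list for arguments.
+
+[CVE-2022-21831]
+
+
 ## Rails 6.1.4.6 (February 11, 2022) ##
 
 * No changes.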
@@ -73,6 +73,20 @@ module ActiveStorage
73
73
  application/pdf
74
74
  )
75
75
 
76
+ default_unsupported_image_processing_arguments = %w(
77
+ -debug
78
+ -display
79
+ -distribute-cache
80
+ -help
81
+ -path
82
+ -print
83
+ -set
84
+ -verbose
85
+ -version
86
+ -write
87
+ -write-mask
88
+ )
89
+
76
90
  config.eager_load_namespaces << ActiveStorage
77
91
 
78
92
  initializer "active_storage.configs" do
@@ -86,6 +100,9 @@ module ActiveStorage
86
100
  ActiveStorage.draw_routes = app.config.active_storage.draw_routes != false
87
101
  ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
88
102
 
103
+ ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
104
+ ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
105
+
89
106
  ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
90
107
  ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
91
108
  ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
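Review bot: The two new assignments in the `active_storage.configs` initializer (new lines 103–104) treat the configured values asymmetrically and nothing in the hunk says so: `supported_image_processing_methods` is appended to the transformer's built-in allow-list via `concat` in the transformer hunk on this page, whereas a configured `unsupported_image_processing_arguments` replaces `default_unsupported_image_processing_arguments` wholesale, so an application that sets it to its own short list silently drops `-write`, `-set` and the rest of the built-in deny-list. A comment above that assignment would prevent the surprise: `# Replaces (does not extend) the built-in deny-list; include the defaults when overriding.` The `%w( … )` default in the first hunk is also a plain mutable Array handed out through the module accessor, so closing it with `).freeze` would stop it from being modified in place after boot. The enclosing Engine class body and the initializer block both begin before these hunks.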
@@ -10,7 +10,7 @@ module ActiveStorage
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
12
  TINY = 4
13
- PRE = "6"
13
+ PRE = "7"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -13,6 +13,300 @@ module ActiveStorage
13
13
  module Transformers
14
14
  class ImageProcessingTransformer < Transformer
15
15
  private
16
+ class UnsupportedImageProcessingMethod < StandardError; end
17
+ class UnsupportedImageProcessingArgument < StandardError; end
18
+ SUPPORTED_IMAGE_PROCESSING_METHODS = [
19
+ "adaptive_blur",
20
+ "adaptive_resize",
21
+ "adaptive_sharpen",
22
+ "adjoin",
23
+ "affine",
24
+ "alpha",
25
+ "annotate",
26
+ "antialias",
27
+ "append",
28
+ "apply",
29
+ "attenuate",
30
+ "authenticate",
31
+ "auto_gamma",
32
+ "auto_level",
33
+ "auto_orient",
34
+ "auto_threshold",
35
+ "backdrop",
36
+ "background",
37
+ "bench",
38
+ "bias",
39
+ "bilateral_blur",
40
+ "black_point_compensation",
41
+ "black_threshold",
42
+ "blend",
43
+ "blue_primary",
44
+ "blue_shift",
45
+ "blur",
46
+ "border",
47
+ "bordercolor",
48
+ "borderwidth",
49
+ "brightness_contrast",
50
+ "cache",
51
+ "canny",
52
+ "caption",
53
+ "channel",
54
+ "channel_fx",
55
+ "charcoal",
56
+ "chop",
57
+ "clahe",
58
+ "clamp",
59
+ "clip",
60
+ "clip_path",
61
+ "clone",
62
+ "clut",
63
+ "coalesce",
64
+ "colorize",
65
+ "colormap",
66
+ "color_matrix",
67
+ "colors",
68
+ "colorspace",
69
+ "colourspace",
70
+ "color_threshold",
71
+ "combine",
72
+ "combine_options",
73
+ "comment",
74
+ "compare",
75
+ "complex",
76
+ "compose",
77
+ "composite",
78
+ "compress",
79
+ "connected_components",
80
+ "contrast",
81
+ "contrast_stretch",
82
+ "convert",
83
+ "convolve",
84
+ "copy",
85
+ "crop",
86
+ "cycle",
87
+ "deconstruct",
88
+ "define",
89
+ "delay",
90
+ "delete",
91
+ "density",
92
+ "depth",
93
+ "descend",
94
+ "deskew",
95
+ "despeckle",
96
+ "direction",
97
+ "displace",
98
+ "dispose",
99
+ "dissimilarity_threshold",
100
+ "dissolve",
101
+ "distort",
102
+ "dither",
103
+ "draw",
104
+ "duplicate",
105
+ "edge",
106
+ "emboss",
107
+ "encoding",
108
+ "endian",
109
+ "enhance",
110
+ "equalize",
111
+ "evaluate",
112
+ "evaluate_sequence",
113
+ "extent",
114
+ "extract",
115
+ "family",
116
+ "features",
117
+ "fft",
118
+ "fill",
119
+ "filter",
120
+ "flatten",
121
+ "flip",
122
+ "floodfill",
123
+ "flop",
124
+ "font",
125
+ "foreground",
126
+ "format",
127
+ "frame",
128
+ "function",
129
+ "fuzz",
130
+ "fx",
131
+ "gamma",
132
+ "gaussian_blur",
133
+ "geometry",
134
+ "gravity",
135
+ "grayscale",
136
+ "green_primary",
137
+ "hald_clut",
138
+ "highlight_color",
139
+ "hough_lines",
140
+ "iconGeometry",
141
+ "iconic",
142
+ "identify",
143
+ "ift",
144
+ "illuminant",
145
+ "immutable",
146
+ "implode",
147
+ "insert",
148
+ "intensity",
149
+ "intent",
150
+ "interlace",
151
+ "interline_spacing",
152
+ "interpolate",
153
+ "interpolative_resize",
154
+ "interword_spacing",
155
+ "kerning",
156
+ "kmeans",
157
+ "kuwahara",
158
+ "label",
159
+ "lat",
160
+ "layers",
161
+ "level",
162
+ "level_colors",
163
+ "limit",
164
+ "limits",
165
+ "linear_stretch",
166
+ "linewidth",
167
+ "liquid_rescale",
168
+ "list",
169
+ "loader",
170
+ "log",
171
+ "loop",
172
+ "lowlight_color",
173
+ "magnify",
174
+ "map",
175
+ "mattecolor",
176
+ "median",
177
+ "mean_shift",
178
+ "metric",
179
+ "mode",
180
+ "modulate",
181
+ "moments",
182
+ "monitor",
183
+ "monochrome",
184
+ "morph",
185
+ "morphology",
186
+ "mosaic",
187
+ "motion_blur",
188
+ "name",
189
+ "negate",
190
+ "noise",
191
+ "normalize",
192
+ "opaque",
193
+ "ordered_dither",
194
+ "orient",
195
+ "page",
196
+ "paint",
197
+ "pause",
198
+ "perceptible",
199
+ "ping",
200
+ "pointsize",
201
+ "polaroid",
202
+ "poly",
203
+ "posterize",
204
+ "precision",
205
+ "preview",
206
+ "process",
207
+ "quality",
208
+ "quantize",
209
+ "quiet",
210
+ "radial_blur",
211
+ "raise",
212
+ "random_threshold",
213
+ "range_threshold",
214
+ "red_primary",
215
+ "regard_warnings",
216
+ "region",
217
+ "remote",
218
+ "render",
219
+ "repage",
220
+ "resample",
221
+ "resize",
222
+ "resize_to_fill",
223
+ "resize_to_fit",
224
+ "resize_to_limit",
225
+ "resize_and_pad",
226
+ "respect_parentheses",
227
+ "reverse",
228
+ "roll",
229
+ "rotate",
230
+ "sample",
231
+ "sampling_factor",
232
+ "saver",
233
+ "scale",
234
+ "scene",
235
+ "screen",
236
+ "seed",
237
+ "segment",
238
+ "selective_blur",
239
+ "separate",
240
+ "sepia_tone",
241
+ "shade",
242
+ "shadow",
243
+ "shared_memory",
244
+ "sharpen",
245
+ "shave",
246
+ "shear",
247
+ "sigmoidal_contrast",
248
+ "silent",
249
+ "similarity_threshold",
250
+ "size",
251
+ "sketch",
252
+ "smush",
253
+ "snaps",
254
+ "solarize",
255
+ "sort_pixels",
256
+ "sparse_color",
257
+ "splice",
258
+ "spread",
259
+ "statistic",
260
+ "stegano",
261
+ "stereo",
262
+ "storage_type",
263
+ "stretch",
264
+ "strip",
265
+ "stroke",
266
+ "strokewidth",
267
+ "style",
268
+ "subimage_search",
269
+ "swap",
270
+ "swirl",
271
+ "synchronize",
272
+ "taint",
273
+ "text_font",
274
+ "threshold",
275
+ "thumbnail",
276
+ "tile_offset",
277
+ "tint",
278
+ "title",
279
+ "transform",
280
+ "transparent",
281
+ "transparent_color",
282
+ "transpose",
283
+ "transverse",
284
+ "treedepth",
285
+ "trim",
286
+ "type",
287
+ "undercolor",
288
+ "unique_colors",
289
+ "units",
290
+ "unsharp",
291
+ "update",
292
+ "valid_image",
293
+ "view",
294
+ "vignette",
295
+ "virtual_pixel",
296
+ "visual",
297
+ "watermark",
298
+ "wave",
299
+ "wavelet_denoise",
300
+ "weight",
301
+ "white_balance",
302
+ "white_point",
303
+ "white_threshold",
304
+ "window",
305
+ "window_group"
306
+ ].concat(ActiveStorage.supported_image_processing_methods)
307
+
308
+ UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
309
+
16
310
  def process(file, format:)
17
311
  processor.
18
312
  source(file).
@@ -28,6 +322,10 @@ module ActiveStorage
28
322
 
29
323
  def operations
30
324
  transformations.each_with_object([]) do |(name, argument), list|
325
+ if ActiveStorage.variant_processor == :mini_magick
326
+ validate_transformation(name, argument)
327
+ end
328
+
31
329
  if name.to_s == "combine_options"
32
330
  raise ArgumentError, <<~ERROR.squish
33
331
  Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -40,6 +338,60 @@ module ActiveStorage
40
338
  end
41
339
  end
42
340
  end
341
+
342
+ def validate_transformation(name, argument)
343
+ method_name = name.to_s.gsub("-","_")
344
+
345
+ unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
346
+ raise UnsupportedImageProcessingMethod, <<~ERROR.squish
347
+ One or more of the provided transformation methods is not supported.
348
+ ERROR
349
+ end
350
+
351
+ if argument.present?
352
+ if argument.is_a?(String) || argument.is_a?(Symbol)
353
+ validate_arg_string(argument)
354
+ elsif argument.is_a?(Array)
355
+ validate_arg_array(argument)
356
+ elsif argument.is_a?(Hash)
357
+ validate_arg_hash(argument)
358
+ end
359
+ end
360
+ end
361
+
362
+ def validate_arg_string(argument)
363
+ if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
364
+ end
365
+
366
+ def validate_arg_array(argument)
367
+ argument.each do |arg|
368
+ if arg.is_a?(Integer) || arg.is_a?(Float)
369
+ next
370
+ elsif arg.is_a?(String) || arg.is_a?(Symbol)
371
+ validate_arg_string(arg)
372
+ elsif arg.is_a?(Array)
373
+ validate_arg_array(arg)
374
+ elsif arg.is_a?(Hash)
375
+ validate_arg_hash(arg)
376
+ end
377
+ end
378
+ end
379
+
380
+ def validate_arg_hash(argument)
381
+ argument.each do |key, value|
382
+ validate_arg_string(key)
383
+
384
+ if value.is_a?(Integer) || value.is_a?(Float)
385
+ next
386
+ elsif value.is_a?(String) || value.is_a?(Symbol)
387
+ validate_arg_string(value)
388
+ elsif value.is_a?(Array)
389
+ validate_arg_array(value)
390
+ elsif value.is_a?(Hash)
391
+ validate_arg_hash(value)
392
+ end
393
+ end
394
+ end
43
395
  end
44
396
  end
45
397
  end
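Review bot: `UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments` (new line 308) and the `.concat(ActiveStorage.supported_image_processing_methods)` on line 306 snapshot the configuration at the moment the class body is evaluated, and the mattr_accessor hunk on this page gives `unsupported_image_processing_arguments` no default, so if this class is loaded before the `active_storage.configs` initializer has run the constant holds nil and `validate_arg_string` fails with NoMethodError on `.any?` instead of applying the deny-list, while a list configured later is never seen. Reading the setting when the check runs removes the ordering dependency, e.g. in `validate_arg_string`: `raise UnsupportedImageProcessingArgument if Array(ActiveStorage.unsupported_image_processing_arguments).any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }`, with the built-in default moved onto the accessor so it is never nil. That line also replaces the `if …; raise … end` one-liner with the modifier form, and `SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }` in `validate_transformation` reads more directly as `SUPPORTED_IMAGE_PROCESSING_METHODS.include?(method_name)`. I cannot see from this page when the transformer is autoloaded relative to the initializer, so the nil case is inferred from the load-time evaluation rather than observed.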
@@ -58,6 +58,9 @@ module ActiveStorage
58
58
  mattr_accessor :content_types_to_serve_as_binary, default: []
59
59
  mattr_accessor :content_types_allowed_inline, default: []
60
60
 
61
+ mattr_accessor :supported_image_processing_methods, default: []
62
+ mattr_accessor :unsupported_image_processing_arguments
63
+
61
64
  mattr_accessor :service_urls_expire_in, default: 5.minutes
62
65
 
63
66
  mattr_accessor :routes_prefix, default: "/rails/active_storage"
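Review bot: `mattr_accessor :unsupported_image_processing_arguments` (new line 62) has no `default:`, unlike the `supported_image_processing_methods` accessor directly above it, so the module-level deny-list is nil until the engine's `active_storage.configs` initializer assigns it, and any reader that runs earlier gets nil rather than an empty or built-in list. Giving it a default keeps the two settings consistent and closes that window: `mattr_accessor :unsupported_image_processing_arguments, default: []`. Whether the built-in deny-list should live here instead of as a local in the engine initializer is a design choice, but a one-line comment pointing readers to where the real default comes from would help: `# Built-in deny-list is assigned by the active_storage.configs initializer in the engine.` The enclosing module begins before this hunk.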
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: activestorage
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.4.6
4
+ version: 6.1.4.7
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-02-11 00:00:00.000000000 Z
11
+ date: 2022-03-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,56 +16,56 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.1.4.6
19
+ version: 6.1.4.7
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.1.4.6
26
+ version: 6.1.4.7
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: actionpack
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 6.1.4.6
33
+ version: 6.1.4.7
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 6.1.4.6
40
+ version: 6.1.4.7
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: activejob
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
45
  - - '='
46
46
  - !ruby/object:Gem::Version
47
- version: 6.1.4.6
47
+ version: 6.1.4.7
48
48
  type: :runtime
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
52
  - - '='
53
53
  - !ruby/object:Gem::Version
54
- version: 6.1.4.6
54
+ version: 6.1.4.7
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: activerecord
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
59
  - - '='
60
60
  - !ruby/object:Gem::Version
61
- version: 6.1.4.6
61
+ version: 6.1.4.7
62
62
  type: :runtime
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - '='
67
67
  - !ruby/object:Gem::Version
68
- version: 6.1.4.6
68
+ version: 6.1.4.7
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: marcel
71
71
  requirement: !ruby/object:Gem::Requirement
@@ -188,10 +188,10 @@ licenses:
188
188
  - MIT
189
189
  metadata:
190
190
  bug_tracker_uri: https://github.com/rails/rails/issues
191
- changelog_uri: https://github.com/rails/rails/blob/v6.1.4.6/activestorage/CHANGELOG.md
192
- documentation_uri: https://api.rubyonrails.org/v6.1.4.6/
191
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.4.7/activestorage/CHANGELOG.md
192
+ documentation_uri: https://api.rubyonrails.org/v6.1.4.7/
193
193
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
194
- source_code_uri: https://github.com/rails/rails/tree/v6.1.4.6/activestorage
194
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.4.7/activestorage
195
195
  post_install_message:
196
196
  rdoc_options: []
197
197
  require_paths:
@@ -207,7 +207,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
207
207
  - !ruby/object:Gem::Version
208
208
  version: '0'
209
209
  requirements: []
210
- rubygems_version: 3.2.22
210
+ rubygems_version: 3.1.6
211
211
  signing_key:
212
212
  specification_version: 4
213
213
  summary: Local and cloud file storage framework.