activestorage 7.0.2.2 → 7.0.2.3





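--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 797efdf2ca8b6bb58815e2352e430b2cca2b6defaf37fc4e524c2a2150695f4a
- data.tar.gz: 11490b758f9b6e9c2a9eda88757e5a454ca92e587624ce85cb6235dfa9f10fbd
+ metadata.gz: d9f273d0dd11c90236869d27f0d5cd33cb87ba465ba2b87ad48eed3729b4027d
+ data.tar.gz: 1896af35ab20bf919a5445847312e1d0ff8bc122f2536f9d14f4b5c5164f2546
  SHA512:
- metadata.gz: 02a012dd3e41df712e0b4f64576db45634659b369d5e09245c6cc87e1bbb38d31bebd2e110d5782f97477ba2798717f9770167325c68b3b3b8c12d3409c492c5
- data.tar.gz: b89aa21d7d77e5c4ed766c507b06c7c81b34cf79db5fd01f8f1aaa171476e88cf90cabb0e576ebfba698065ab1daee2021cb34b6a9ba2da7054a21907fcd0218
+ metadata.gz: 5f92489340c81f8a4ba4607356173410ce280edb3c05524e2a0e40fcd1f50f8c5cf419fe4f8106abe361baa6e10df862d4fb900e346f216abff56a3431998fdf
+ data.tar.gz: 1044f1e3ecccfc2188904b3cc07f81bce2d6947e6040a481ead533450d939da464d25fe15378a026d18f5727d143103f1738942a97a85174e5e721e8207ee07a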
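--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,13 @@
+ ## Rails 7.0.2.3 (March 08, 2022) ##
+
+ * Added image transformation validation via configurable allow-list.
+
+ Variant now offers a configurable allow-list for
+ transformation methods in addition to a configurable deny-list for arguments.
+
+ [CVE-2022-21831]
+
+
  ## Rails 7.0.2.2 (February 11, 2022) ##
 
  * No changes.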
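--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -80,6 +80,20 @@ module ActiveStorage
  application/pdf
  )
 
+ default_unsupported_image_processing_arguments = %w(
+ -debug
+ -display
+ -distribute-cache
+ -help
+ -path
+ -print
+ -set
+ -verbose
+ -version
+ -write
+ -write-mask
+ )
+
  config.eager_load_namespaces << ActiveStorage
 
  initializer "active_storage.configs" do
@@ -93,6 +107,9 @@ module ActiveStorage
  ActiveStorage.draw_routes = app.config.active_storage.draw_routes != false
  ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
 
+ ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
+ ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
+
  ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
  ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
  ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []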
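Review bot: `ActiveStorage.unsupported_image_processing_arguments` only receives its default inside the `active_storage.configs` initializer (second hunk), while the accessor it fills is declared without a `default:` in the `lib/active_storage` section below and `ImageProcessingTransformer` copies the value into the constant `UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS` when its class body loads. If that class is loaded before this initializer has run — the load order cannot be confirmed from the page — the constant captures nil and `validate_arg_string` fails with NoMethodError on `nil.any?`; and any value assigned after the class has loaded is never seen by the transformer, so the deny-list silently stays at whatever was captured. Having the transformer read the accessor at call time, `ActiveStorage.unsupported_image_processing_arguments.any? { … }`, and giving the accessor the default list directly removes the ordering dependency; the same snapshot concern applies to `supported_image_processing_methods`, which the transformer `concat`s into its allow-list constant at load. The `%w(...)` list is also the shared default for every variant and should not be mutable, so close it with `).freeze`.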
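--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -10,7 +10,7 @@ module ActiveStorage
  MAJOR = 7
  MINOR = 0
  TINY = 2
- PRE = "2"
+ PRE = "3"
 
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
  end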
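--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -13,6 +13,300 @@ module ActiveStorage
  module Transformers
  class ImageProcessingTransformer < Transformer
  private
+ class UnsupportedImageProcessingMethod < StandardError; end
+ class UnsupportedImageProcessingArgument < StandardError; end
+ SUPPORTED_IMAGE_PROCESSING_METHODS = [
+ "adaptive_blur",
+ "adaptive_resize",
+ "adaptive_sharpen",
+ "adjoin",
+ "affine",
+ "alpha",
+ "annotate",
+ "antialias",
+ "append",
+ "apply",
+ "attenuate",
+ "authenticate",
+ "auto_gamma",
+ "auto_level",
+ "auto_orient",
+ "auto_threshold",
+ "backdrop",
+ "background",
+ "bench",
+ "bias",
+ "bilateral_blur",
+ "black_point_compensation",
+ "black_threshold",
+ "blend",
+ "blue_primary",
+ "blue_shift",
+ "blur",
+ "border",
+ "bordercolor",
+ "borderwidth",
+ "brightness_contrast",
+ "cache",
+ "canny",
+ "caption",
+ "channel",
+ "channel_fx",
+ "charcoal",
+ "chop",
+ "clahe",
+ "clamp",
+ "clip",
+ "clip_path",
+ "clone",
+ "clut",
+ "coalesce",
+ "colorize",
+ "colormap",
+ "color_matrix",
+ "colors",
+ "colorspace",
+ "colourspace",
+ "color_threshold",
+ "combine",
+ "combine_options",
+ "comment",
+ "compare",
+ "complex",
+ "compose",
+ "composite",
+ "compress",
+ "connected_components",
+ "contrast",
+ "contrast_stretch",
+ "convert",
+ "convolve",
+ "copy",
+ "crop",
+ "cycle",
+ "deconstruct",
+ "define",
+ "delay",
+ "delete",
+ "density",
+ "depth",
+ "descend",
+ "deskew",
+ "despeckle",
+ "direction",
+ "displace",
+ "dispose",
+ "dissimilarity_threshold",
+ "dissolve",
+ "distort",
+ "dither",
+ "draw",
+ "duplicate",
+ "edge",
+ "emboss",
+ "encoding",
+ "endian",
+ "enhance",
+ "equalize",
+ "evaluate",
+ "evaluate_sequence",
+ "extent",
+ "extract",
+ "family",
+ "features",
+ "fft",
+ "fill",
+ "filter",
+ "flatten",
+ "flip",
+ "floodfill",
+ "flop",
+ "font",
+ "foreground",
+ "format",
+ "frame",
+ "function",
+ "fuzz",
+ "fx",
+ "gamma",
+ "gaussian_blur",
+ "geometry",
+ "gravity",
+ "grayscale",
+ "green_primary",
+ "hald_clut",
+ "highlight_color",
+ "hough_lines",
+ "iconGeometry",
+ "iconic",
+ "identify",
+ "ift",
+ "illuminant",
+ "immutable",
+ "implode",
+ "insert",
+ "intensity",
+ "intent",
+ "interlace",
+ "interline_spacing",
+ "interpolate",
+ "interpolative_resize",
+ "interword_spacing",
+ "kerning",
+ "kmeans",
+ "kuwahara",
+ "label",
+ "lat",
+ "layers",
+ "level",
+ "level_colors",
+ "limit",
+ "limits",
+ "linear_stretch",
+ "linewidth",
+ "liquid_rescale",
+ "list",
+ "loader",
+ "log",
+ "loop",
+ "lowlight_color",
+ "magnify",
+ "map",
+ "mattecolor",
+ "median",
+ "mean_shift",
+ "metric",
+ "mode",
+ "modulate",
+ "moments",
+ "monitor",
+ "monochrome",
+ "morph",
+ "morphology",
+ "mosaic",
+ "motion_blur",
+ "name",
+ "negate",
+ "noise",
+ "normalize",
+ "opaque",
+ "ordered_dither",
+ "orient",
+ "page",
+ "paint",
+ "pause",
+ "perceptible",
+ "ping",
+ "pointsize",
+ "polaroid",
+ "poly",
+ "posterize",
+ "precision",
+ "preview",
+ "process",
+ "quality",
+ "quantize",
+ "quiet",
+ "radial_blur",
+ "raise",
+ "random_threshold",
+ "range_threshold",
+ "red_primary",
+ "regard_warnings",
+ "region",
+ "remote",
+ "render",
+ "repage",
+ "resample",
+ "resize",
+ "resize_to_fill",
+ "resize_to_fit",
+ "resize_to_limit",
+ "resize_and_pad",
+ "respect_parentheses",
+ "reverse",
+ "roll",
+ "rotate",
+ "sample",
+ "sampling_factor",
+ "saver",
+ "scale",
+ "scene",
+ "screen",
+ "seed",
+ "segment",
+ "selective_blur",
+ "separate",
+ "sepia_tone",
+ "shade",
+ "shadow",
+ "shared_memory",
+ "sharpen",
+ "shave",
+ "shear",
+ "sigmoidal_contrast",
+ "silent",
+ "similarity_threshold",
+ "size",
+ "sketch",
+ "smush",
+ "snaps",
+ "solarize",
+ "sort_pixels",
+ "sparse_color",
+ "splice",
+ "spread",
+ "statistic",
+ "stegano",
+ "stereo",
+ "storage_type",
+ "stretch",
+ "strip",
+ "stroke",
+ "strokewidth",
+ "style",
+ "subimage_search",
+ "swap",
+ "swirl",
+ "synchronize",
+ "taint",
+ "text_font",
+ "threshold",
+ "thumbnail",
+ "tile_offset",
+ "tint",
+ "title",
+ "transform",
+ "transparent",
+ "transparent_color",
+ "transpose",
+ "transverse",
+ "treedepth",
+ "trim",
+ "type",
+ "undercolor",
+ "unique_colors",
+ "units",
+ "unsharp",
+ "update",
+ "valid_image",
+ "view",
+ "vignette",
+ "virtual_pixel",
+ "visual",
+ "watermark",
+ "wave",
+ "wavelet_denoise",
+ "weight",
+ "white_balance",
+ "white_point",
+ "white_threshold",
+ "window",
+ "window_group"
+ ].concat(ActiveStorage.supported_image_processing_methods)
+
+ UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments
+
  def process(file, format:)
  processor.
  source(file).
@@ -28,6 +322,10 @@ module ActiveStorage
 
  def operations
  transformations.each_with_object([]) do |(name, argument), list|
+ if ActiveStorage.variant_processor == :mini_magick
+ validate_transformation(name, argument)
+ end
+
  if name.to_s == "combine_options"
  raise ArgumentError, <<~ERROR.squish
  Active Storage's ImageProcessing transformer doesn't support :combine_options,
@@ -40,6 +338,60 @@ module ActiveStorage
  end
  end
  end
+
+ def validate_transformation(name, argument)
+ method_name = name.to_s.gsub("-","_")
+
+ unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
+ raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+ One or more of the provided transformation methods is not supported.
+ ERROR
+ end
+
+ if argument.present?
+ if argument.is_a?(String) || argument.is_a?(Symbol)
+ validate_arg_string(argument)
+ elsif argument.is_a?(Array)
+ validate_arg_array(argument)
+ elsif argument.is_a?(Hash)
+ validate_arg_hash(argument)
+ end
+ end
+ end
+
+ def validate_arg_string(argument)
+ if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+ end
+
+ def validate_arg_array(argument)
+ argument.each do |arg|
+ if arg.is_a?(Integer) || arg.is_a?(Float)
+ next
+ elsif arg.is_a?(String) || arg.is_a?(Symbol)
+ validate_arg_string(arg)
+ elsif arg.is_a?(Array)
+ validate_arg_array(arg)
+ elsif arg.is_a?(Hash)
+ validate_arg_hash(arg)
+ end
+ end
+ end
+
+ def validate_arg_hash(argument)
+ argument.each do |key, value|
+ validate_arg_string(key)
+
+ if value.is_a?(Integer) || value.is_a?(Float)
+ next
+ elsif value.is_a?(String) || value.is_a?(Symbol)
+ validate_arg_string(value)
+ elsif value.is_a?(Array)
+ validate_arg_array(value)
+ elsif value.is_a?(Hash)
+ validate_arg_hash(value)
+ end
+ end
+ end
  end
  end
  end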
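Review bot: `validate_arg_string` (third hunk) rejects an argument whenever its downcased text contains any deny-list entry as a substring, so an entry such as `-set` may also match a longer free-text value passed to an allowed method like `caption` or `label`, while a deny-list entry configured with upper-case letters can never match because only the argument side is downcased; comparing against `bad_arg.downcase` and stating the substring semantics in a comment would make the intended contract explicit. The check is also only reached when `ActiveStorage.variant_processor == :mini_magick` (second hunk), so other processors receive no method or argument validation — a one-line comment on `operations` saying that this is deliberate would stop a later reader from treating it as an omission. On style, the one-line `if …; raise … end` in `validate_arg_string`, `gsub("-","_")` where `tr("-", "_")` suffices, and the identical type dispatch duplicated across `validate_arg_array` and `validate_arg_hash` read better folded into one `validate_arg` helper, as below. The enclosing class continues outside the hunk.

```ruby
# … unchanged: validate_transformation …

# Raises when the argument text contains any configured deny-list entry.
# The comparison is case-insensitive on both sides and is a substring match,
# so a deny-list token also rejects longer values that merely contain it.
def validate_arg_string(argument)
  candidate = argument.to_s.downcase
  if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| candidate.include?(bad_arg.downcase) }
    raise UnsupportedImageProcessingArgument
  end
end

def validate_arg_array(argument)
  argument.each { |arg| validate_arg(arg) }
end

def validate_arg_hash(argument)
  argument.each do |key, value|
    validate_arg_string(key)
    validate_arg(value)
  end
end

# Routes one argument (or nested container) to the matching validator.
# Integers and Floats carry no option text and are accepted as-is, as before.
def validate_arg(arg)
  case arg
  when String, Symbol then validate_arg_string(arg)
  when Array then validate_arg_array(arg)
  when Hash then validate_arg_hash(arg)
  end
end
```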
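--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -59,6 +59,9 @@ module ActiveStorage
  mattr_accessor :content_types_to_serve_as_binary, default: []
  mattr_accessor :content_types_allowed_inline, default: []
 
+ mattr_accessor :supported_image_processing_methods, default: []
+ mattr_accessor :unsupported_image_processing_arguments
+
  mattr_accessor :service_urls_expire_in, default: 5.minutes
  mattr_accessor :urls_expire_in
 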
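Review bot: The two new accessors are undocumented and their semantics differ in a way that matters for configuration: `supported_image_processing_methods` (default `[]`) is appended to the transformer's built-in allow-list via `concat`, whereas `unsupported_image_processing_arguments` has no default here and, when an application sets it, replaces the engine's default deny-list outright instead of extending it. A comment on each would prevent a setting that unintentionally shortens the deny-list: `# Extra MiniMagick method names accepted in addition to the transformer's built-in allow-list.` and `# Substrings that cause a transformation argument to be rejected; setting this replaces the engine's default list entirely.`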
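--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: activestorage
  version: !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-02-11 00:00:00.000000000 Z
+ date: 2022-03-08 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,56 +16,56 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  - !ruby/object:Gem::Dependency
  name: actionpack
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  - !ruby/object:Gem::Dependency
  name: activejob
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  - !ruby/object:Gem::Dependency
  name: activerecord
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
  - !ruby/object:Gem::Dependency
  name: marcel
  requirement: !ruby/object:Gem::Requirement
@@ -198,10 +198,10 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v7.0.2.2/activestorage/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.2.2/
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.2.3/activestorage/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.2.3/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.2.2/activestorage
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/activestorage
  rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: []
@@ -218,7 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.2.22
+ rubygems_version: 3.1.6
  signing_key:
  specification_version: 4
  summary: Local and cloud file storage framework.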