activestorage 7.2.3.1 → 8.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 07e918ed2ad2733425a8c83bcd4a17b0de42f1b4e4692f0ac60f37886a2b1982
-  data.tar.gz: 8ec0faa694ef8191678280d2f5ed44b8a3d623788e2239013a43a33c25e0f754
+  metadata.gz: 90eb90580cb0faea4b29eef5ddf0dbc99dd1087158980f968561fe45c2dcb4d4
+  data.tar.gz: bdd0ced8684956539dee4f32ea7eacd16744c72e318aebc0bd815adfa72ffe73
 SHA512:
-  metadata.gz: 71e330a9f27d46bdd58c56f7bf4ead818b549c899e5aca043f895b4377b0478b25499c05ec39392e4fcbf5c3eaa8e85f5ada5000d3f2c01ae84badeed4591326
-  data.tar.gz: bb8ce35c75e8a43bdc135ddac20b94928bdbc1365b3351e7570f72c566001906506ecd32a98cde9fd3e47a1b8726058d235ce413afeac31a6d874ff9687d8096
+  metadata.gz: 46465038ab95d65913a9f359af9b21fcb5b3ee9a37877b32eeabd7943de6373625d7ae51a9383099a89bd7d949ee6b5db37c5518656313121d8991b4e52e7667
+  data.tar.gz: 4f7590242bb707d2ed0c9b22871f2e00d28f683224341387c739b9771a85ab18e8655e1a913b2bdabb724bb694cb6b997f4b1c2771fa52a2b96ac1882593471a

data/CHANGELOG.md

@@ -1,182 +1,23 @@
-## Rails 7.2.3.1 (March 23, 2026) ##
+## Rails 8.0.0.beta1 (September 26, 2024) ##
 
-*   Filter user supplied metadata in DirectUploadController
+*   Deprecate `ActiveStorage::Service::AzureStorageService`.
 
-    [CVE-2026-33173]
+    *zzak*
 
-    *Jean Boussier*
+*   Improve `ActiveStorage::Filename#sanitized` method to handle special characters more effectively.
+    Replace the characters `"*?<>` with `-` if they exist in the Filename to match the Filename convention of Win OS.
 
-*   Configurable maxmimum streaming chunk size
+    *Luong Viet Dung(Martin)*
 
-    Makes sure that byte ranges for blobs don't exceed 100mb by default.
-    Content ranges that are too big can result in denial of service.
+*   Improve InvariableError, UnpreviewableError and UnrepresentableError message.
 
-    [CVE-2026-33174]
+    Include Blob ID and content_type in the messages.
 
-    *Gannon McGibbon*
+    *Petrik de Heus*
 
-*   Limit range requests to a single range
+*   Mark proxied files as `immutable` in their Cache-Control header
 
-    [CVE-2026-33658]
+    *Nate Matykiewicz*
 
-    *Jean Boussier*
 
-*   Prevent path traversal in `DiskService`.
-
-    `DiskService#path_for` now raises an `InvalidKeyError` when passed keys with dot segments (".",
-    ".."), or if the resolved path is outside the storage root directory.
-
-    `#path_for` also now consistently raises `InvalidKeyError` if the key is invalid in any way, for
-    example containing null bytes or having an incompatible encoding. Previously, the exception
-    raised may have been `ArgumentError` or `Encoding::CompatibilityError`.
-
-    `DiskController` now explicitly rescues `InvalidKeyError` with appropriate HTTP status codes.
-
-    [CVE-2026-33195]
-
-    *Mike Dalessio*
-
-*   Prevent glob injection in `DiskService#delete_prefixed`.
-
-    Escape glob metacharacters in the resolved path before passing to `Dir.glob`.
-
-    Note that this change breaks any existing code that is relying on `delete_prefixed` to expand
-    glob metacharacters. This change presumes that is unintended behavior (as other storage services
-    do not respect these metacharacters).
-
-    [CVE-2026-33202]
-
-    *Mike Dalessio*
-
-
-## Rails 7.2.3 (October 28, 2025) ##
-
-*   Fix `config.active_storage.touch_attachment_records` to work with eager loading.
-
-    *fatkodima*
-
-*   A Blob will no longer autosave associated Attachment.
-
-    This fixes an issue where a record with an attachment would have
-    its dirty attributes reset, preventing your `after commit` callbacks
-    on that record to behave as expected.
-
-    Note that this change doesn't require any changes on your application
-    and is supposed to be internal. Active Storage Attachment will continue
-    to be autosaved (through a different relation).
-
-    *Edouard-chin*
-
-
-## Rails 7.2.2.2 (August 13, 2025) ##
-
-*   Remove dangerous transformations
-
-    [CVE-2025-24293]
-
-    *Zack Deveau*
-
-
-## Rails 7.2.2.1 (December 10, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.2.2 (October 30, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.2.1.2 (October 23, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.2.1.1 (October 15, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.2.1 (August 22, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.2.0 (August 09, 2024) ##
-
-*   Remove deprecated `config.active_storage.silence_invalid_content_types_warning`.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated `config.active_storage.replace_on_assign_to_many`.
-
-    *Rafael Mendonça França*
-
-*   Add support for custom `key` in `ActiveStorage::Blob#compose`.
-
-    *Elvin Efendiev*
-
-*   Add `image/webp` to `config.active_storage.web_image_content_types` when `load_defaults "7.2"`
-    is set.
-
-    *Lewis Buckley*
-
-*   Fix JSON-encoding of `ActiveStorage::Filename` instances.
-
-    *Jonathan del Strother*
-
-*   Fix N+1 query when fetching preview images for non-image assets.
-
-    *Aaron Patterson & Justin Searls*
-
-*   Fix all Active Storage database related models to respect
-    `ActiveRecord::Base.table_name_prefix` configuration.
-
-    *Chedli Bourguiba*
-
-*   Fix `ActiveStorage::Representations::ProxyController` not returning the proper
-    preview image variant for previewable files.
-
-    *Chedli Bourguiba*
-
-*   Fix `ActiveStorage::Representations::ProxyController` to proxy untracked
-    variants.
-
-    *Chedli Bourguiba*
-
-*   When using the `preprocessed: true` option, avoid enqueuing transform jobs
-    for blobs that are not representable.
-
-    *Chedli Bourguiba*
-
-*   Prevent `ActiveStorage::Blob#preview` to generate a variant if an empty variation is passed.
-
-    Calls to `#url`, `#key` or `#download` will now use the original preview
-    image instead of generating a variant with the exact same dimensions.
-
-    *Chedli Bourguiba*
-
-*   Process preview image variant when calling `ActiveStorage::Preview#processed`.
-
-    For example, `attached_pdf.preview(:thumb).processed` will now immediately
-    generate the full-sized preview image and the `:thumb` variant of it.
-    Previously, the `:thumb` variant would not be generated until a further call
-    to e.g. `processed.url`.
-
-    *Chedli Bourguiba* and *Jonathan Hefner*
-
-*   Prevent `ActiveRecord::StrictLoadingViolationError` when strict loading is
-    enabled and the variant of an Active Storage preview has already been
-    processed (for example, by calling `ActiveStorage::Preview#url`).
-
-    *Jonathan Hefner*
-
-*   Fix `preprocessed: true` option for named variants of previewable files.
-
-    *Nico Wenterodt*
-
-*   Allow accepting `service` as a proc as well in `has_one_attached` and `has_many_attached`.
-
-    *Yogesh Khater*
-
-Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/activestorage/CHANGELOG.md) for previous changes.
+Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/activestorage/CHANGELOG.md) for previous changes.

data/README.md

@@ -73,7 +73,7 @@ end
 ```erb
 <%= form_with model: @message, local: true do |form| %>
   <%= form.text_field :title, placeholder: "Title" %><br>
-  <%= form.text_area :content %><br><br>
+  <%= form.textarea :content %><br><br>
 
   <%= form.file_field :images, multiple: true %><br>
   <%= form.submit %>
@@ -88,7 +88,7 @@ class MessagesController < ApplicationController
   end
 
   def create
-    message = Message.create! params.require(:message).permit(:title, :content, images: [])
+    message = Message.create! params.expect(message: [ :title, :content, images: [] ])
     redirect_to message
   end
 
@@ -203,6 +203,6 @@ Bug reports for the Ruby on \Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
-Feature requests should be discussed on the rubyonrails-core forum here:
+Feature requests should be discussed on the rails-core mailing list here:
 
 * https://discuss.rubyonrails.org/c/rubyonrails-core

data/app/assets/javascripts/activestorage.esm.js

@@ -845,4 +845,4 @@ function autostart() {
 
 setTimeout(autostart, 1);
 
-export { DirectUpload, DirectUploadController, DirectUploadsController, start };
+export { DirectUpload, DirectUploadController, DirectUploadsController, dispatchEvent, start };

data/app/assets/javascripts/activestorage.js

@@ -822,6 +822,7 @@
   exports.DirectUpload = DirectUpload;
   exports.DirectUploadController = DirectUploadController;
   exports.DirectUploadsController = DirectUploadsController;
+  exports.dispatchEvent = dispatchEvent;
   exports.start = start;
   Object.defineProperty(exports, "__esModule", {
     value: true

data/app/controllers/active_storage/direct_uploads_controller.rb

@@ -11,7 +11,7 @@ class ActiveStorage::DirectUploadsController < ActiveStorage::BaseController
 
   private
     def blob_args
-      params.require(:blob).permit(:filename, :byte_size, :checksum, :content_type, metadata: {}).to_h.symbolize_keys
+      params.expect(blob: [:filename, :byte_size, :checksum, :content_type, metadata: {}]).to_h.symbolize_keys
     end
 
     def direct_upload_json(blob)

data/app/controllers/active_storage/disk_controller.rb

@@ -17,8 +17,6 @@ class ActiveStorage::DiskController < ActiveStorage::BaseController
     end
   rescue Errno::ENOENT
     head :not_found
-  rescue ActiveStorage::InvalidKeyError
-    head :not_found
   end
 
   def update
@@ -27,15 +25,13 @@ class ActiveStorage::DiskController < ActiveStorage::BaseController
         named_disk_service(token[:service_name]).upload token[:key], request.body, checksum: token[:checksum]
         head :no_content
       else
-        head ActionDispatch::Constants::UNPROCESSABLE_CONTENT
+        head :unprocessable_entity
       end
     else
       head :not_found
     end
   rescue ActiveStorage::IntegrityError
-    head ActionDispatch::Constants::UNPROCESSABLE_CONTENT
-  rescue ActiveStorage::InvalidKeyError
-    head ActionDispatch::Constants::UNPROCESSABLE_CONTENT
+    head :unprocessable_entity
   end
 
   private

data/app/controllers/concerns/active_storage/streaming.rb

@@ -14,8 +14,7 @@ module ActiveStorage::Streaming
     def send_blob_byte_range_data(blob, range_header, disposition: nil)
       ranges = Rack::Utils.get_byte_ranges(range_header, blob.byte_size)
 
-      return head(:range_not_satisfiable) unless ranges_valid?(ranges)
-      return head(:range_not_satisfiable) if ranges.length > ActiveStorage.streaming_max_ranges
+      return head(:range_not_satisfiable) if ranges.blank? || ranges.all?(&:blank?)
 
       if ranges.length == 1
         range = ranges.first
@@ -52,12 +51,6 @@ module ActiveStorage::Streaming
       )
     end
 
-    def ranges_valid?(ranges)
-      return false if ranges.blank? || ranges.all?(&:blank?)
-
-      ranges.sum { |range| range.end - range.begin } < ActiveStorage.streaming_chunk_max_size
-    end
-
     # Stream the blob from storage directly to the response. The disposition can be controlled by setting +disposition+.
     # The content type and filename is set directly from the +blob+.
     def send_blob_stream(blob, disposition: nil) # :doc:
@@ -68,6 +61,15 @@ module ActiveStorage::Streaming
         blob.download do |chunk|
           stream.write chunk
         end
+      rescue ActiveStorage::FileNotFoundError
+        expires_now
+        head :not_found
+      rescue
+        # Status and caching headers are already set, but not commited.
+        # Change the status to 500 manually.
+        expires_now
+        head :internal_server_error
+        raise
       end
     end
 end

data/app/javascript/activestorage/index.js

@@ -2,7 +2,8 @@ import { start } from "./ujs"
 import { DirectUpload } from "./direct_upload"
 import { DirectUploadController } from "./direct_upload_controller"
 import { DirectUploadsController } from "./direct_uploads_controller"
-export { start, DirectUpload, DirectUploadController, DirectUploadsController }
+import { dispatchEvent } from "./helpers"
+export { start, DirectUpload, DirectUploadController, DirectUploadsController, dispatchEvent }
 
 function autostart() {
   if (window.ActiveStorage) {

data/app/models/active_storage/blob/representable.rb

@@ -31,77 +31,11 @@ module ActiveStorage::Blob::Representable
   # Raises ActiveStorage::InvariableError if the variant processor cannot
   # transform the blob. To determine whether a blob is variable, call
   # ActiveStorage::Blob#variable?.
-  #
-  # ==== Options
-  #
-  # Options are defined by the {image_processing gem}[https://github.com/janko/image_processing],
-  # and depend on which variant processor you are using:
-  # {Vips}[https://github.com/janko/image_processing/blob/master/doc/vips.md] or
-  # {MiniMagick}[https://github.com/janko/image_processing/blob/master/doc/minimagick.md].
-  # However, both variant processors support the following options:
-  #
-  # [+:resize_to_limit+]
-  #   Downsizes the image to fit within the specified dimensions while retaining
-  #   the original aspect ratio. Will only resize the image if it's larger than
-  #   the specified dimensions.
-  #
-  #       user.avatar.variant(resize_to_limit: [100, 100])
-  #
-  # [+:resize_to_fit+]
-  #   Resizes the image to fit within the specified dimensions while retaining
-  #   the original aspect ratio. Will downsize the image if it's larger than the
-  #   specified dimensions or upsize if it's smaller.
-  #
-  #       user.avatar.variant(resize_to_fit: [100, 100])
-  #
-  # [+:resize_to_fill+]
-  #   Resizes the image to fill the specified dimensions while retaining the
-  #   original aspect ratio. If necessary, will crop the image in the larger
-  #   dimension.
-  #
-  #       user.avatar.variant(resize_to_fill: [100, 100])
-  #
-  # [+:resize_and_pad+]
-  #   Resizes the image to fit within the specified dimensions while retaining
-  #   the original aspect ratio. If necessary, will pad the remaining area with
-  #   transparent color if source image has alpha channel, black otherwise.
-  #
-  #       user.avatar.variant(resize_and_pad: [100, 100])
-  #
-  # [+:crop+]
-  #   Extracts an area from an image. The first two arguments are the left and
-  #   top edges of area to extract, while the last two arguments are the width
-  #   and height of the area to extract.
-  #
-  #       user.avatar.variant(crop: [20, 50, 300, 300])
-  #
-  # [+:rotate+]
-  #   Rotates the image by the specified angle.
-  #
-  #       user.avatar.variant(rotate: 90)
-  #
-  # Some options, including those listed above, can accept additional
-  # processor-specific values which can be passed as a trailing hash:
-  #
-  #     <!-- Vips supports configuring `crop` for many of its transformations -->
-  #     <%= image_tag user.avatar.variant(resize_to_fill: [100, 100, { crop: :centre }]) %>
-  #
-  # If migrating an existing application between MiniMagick and Vips, you will
-  # need to update processor-specific options:
-  #
-  #     <!-- MiniMagick -->
-  #     <%= image_tag user.avatar.variant(resize_to_limit: [100, 100], format: :jpeg,
-  #           sampling_factor: "4:2:0", strip: true, interlace: "JPEG", colorspace: "sRGB", quality: 80) %>
-  #
-  #     <!-- Vips -->
-  #     <%= image_tag user.avatar.variant(resize_to_limit: [100, 100], format: :jpeg,
-  #           saver: { subsample_mode: "on", strip: true, interlace: true, quality: 80 }) %>
-  #
   def variant(transformations)
     if variable?
       variant_class.new(self, ActiveStorage::Variation.wrap(transformations).default_to(default_variant_transformations))
     else
-      raise ActiveStorage::InvariableError
+      raise ActiveStorage::InvariableError, "Can't transform blob with ID=#{id} and content_type=#{content_type}"
     end
   end
 
@@ -130,7 +64,7 @@ module ActiveStorage::Blob::Representable
     if previewable?
       ActiveStorage::Preview.new(self, transformations)
     else
-      raise ActiveStorage::UnpreviewableError
+      raise ActiveStorage::UnpreviewableError, "No previewer found for blob with ID=#{id} and content_type=#{content_type}"
     end
   end
 
@@ -155,7 +89,7 @@ module ActiveStorage::Blob::Representable
     when variable?
       variant transformations
     else
-      raise ActiveStorage::UnrepresentableError
+      raise ActiveStorage::UnrepresentableError, "No previewer found and can't transform blob with ID=#{id} and content_type=#{content_type}"
     end
   end
 

data/app/models/active_storage/blob.rb

@@ -16,18 +16,10 @@
 # Blobs are intended to be immutable in as-so-far as their reference to a specific file goes. You're allowed to
 # update a blob's metadata on a subsequent pass, but you should not update the key or change the uploaded file.
 # If you need to create a derivative or otherwise change the blob, simply create a new blob and purge the old one.
-#
-# When using a custom +key+, the value is treated as trusted. Using untrusted user input
-# as the key may result in unexpected behavior.
 class ActiveStorage::Blob < ActiveStorage::Record
   MINIMUM_TOKEN_LENGTH = 28
 
   has_secure_token :key, length: MINIMUM_TOKEN_LENGTH
-
-  # FIXME: these property should never have been stored in the metadata.
-  # The blob table should be migrated to have dedicated columns for theses.
-  PROTECTED_METADATA = %w(analyzed identified composed)
-  private_constant :PROTECTED_METADATA
   store :metadata, accessors: [ :analyzed, :identified, :composed ], coder: ActiveRecord::Coders::JSON
 
   class_attribute :services, default: {}
@@ -37,7 +29,7 @@ class ActiveStorage::Blob < ActiveStorage::Record
   # :method:
   #
   # Returns the associated ActiveStorage::Attachment instances.
-  has_many :attachments, autosave: false
+  has_many :attachments
 
   ##
   # :singleton-method:
@@ -79,9 +71,8 @@ class ActiveStorage::Blob < ActiveStorage::Record
     end
 
     # Works like +find_signed+, but will raise an +ActiveSupport::MessageVerifier::InvalidSignature+
-    # exception if the +signed_id+ has either expired, has a purpose mismatch, is for another record,
-    # or has been tampered with. It will also raise an +ActiveRecord::RecordNotFound+ exception if
-    # the valid signed id can't find a record.
+    # exception if the +signed_id+ has either expired, has a purpose mismatch, or has been tampered with.
+    # It will also raise an +ActiveRecord::RecordNotFound+ exception if the valid signed id can't find a record.
     def find_signed!(id, record: nil, purpose: :blob_id)
       super(id, purpose: purpose)
     end
@@ -101,9 +92,6 @@ class ActiveStorage::Blob < ActiveStorage::Record
     # be saved before the upload begins to prevent the upload clobbering another due to key collisions.
     # When providing a content type, pass <tt>identify: false</tt> to bypass
     # automatic content type inference.
-    #
-    # The optional +key+ parameter is treated as trusted. Using untrusted user input
-    # as the key may result in unexpected behavior.
     def create_and_upload!(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil)
       create_after_unfurling!(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify).tap do |blob|
         blob.upload_without_unfurling(io)
@@ -116,7 +104,6 @@ class ActiveStorage::Blob < ActiveStorage::Record
     # Once the form using the direct upload is submitted, the blob can be associated with the right record using
     # the signed ID.
     def create_before_direct_upload!(key: nil, filename:, byte_size:, checksum:, content_type: nil, metadata: nil, service_name: nil, record: nil)
-      metadata = filter_metadata(metadata)
       create! key: key, filename: filename, byte_size: byte_size, checksum: checksum, content_type: content_type, metadata: metadata, service_name: service_name
     end
 
@@ -165,14 +152,21 @@ class ActiveStorage::Blob < ActiveStorage::Record
       end
     end
 
-    private
-      def filter_metadata(metadata)
-        if metadata.is_a?(Hash)
-          metadata.without(*PROTECTED_METADATA)
-        else
-          metadata
+    def validate_service_configuration(service_name, model_class, association_name) # :nodoc:
+      if service_name
+        services.fetch(service_name) do
+          raise ArgumentError, "Cannot configure service #{service_name.inspect} for #{model_class}##{association_name}"
         end
+      else
+        validate_global_service_configuration
       end
+    end
+
+    def validate_global_service_configuration # :nodoc:
+      if connected? && table_exists? && Rails.configuration.active_storage.service.nil?
+        raise RuntimeError, "Missing Active Storage service name. Specify Active Storage service name for config.active_storage.service in config/environments/#{Rails.env}.rb"
+      end
+    end
   end
 
   include Analyzable

data/app/models/active_storage/filename.rb

@@ -57,7 +57,7 @@ class ActiveStorage::Filename
   #
   # Characters considered unsafe for storage (e.g. \, $, and the RTL override character) are replaced with a dash.
   def sanitized
-    @filename.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-")
+    @filename.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/<>?*\"\t\r\n\\", "-")
   end
 
   # Returns the sanitized version of the filename.

data/lib/active_storage/attached/changes/create_one.rb

@@ -121,7 +121,7 @@ module ActiveStorage
         service_name = record.attachment_reflections[name].options[:service_name]
         if service_name.is_a?(Proc)
           service_name = service_name.call(record)
-          Attached::Model.validate_service_configuration(service_name, record.class, name)
+          ActiveStorage::Blob.validate_service_configuration(service_name, record.class, name)
         end
         service_name
       end

data/lib/active_storage/attached/model.rb

@@ -61,18 +61,16 @@ module ActiveStorage
       # There is no column defined on the model side, Active Storage takes
       # care of the mapping between your records and the attachment.
       #
-      # To avoid N+1 queries, you can include the attached blobs in your query like so:
-      #
-      #   User.with_attached_avatar
-      #
       # Under the covers, this relationship is implemented as a +has_one+ association to a
       # ActiveStorage::Attachment record and a +has_one-through+ association to a
       # ActiveStorage::Blob record. These associations are available as +avatar_attachment+
       # and +avatar_blob+. But you shouldn't need to work with these associations directly in
       # most circumstances.
       #
-      # The system has been designed to having you go through the ActiveStorage::Attached::One
-      # proxy that provides the dynamic proxy to the associations and factory methods, like +attach+.
+      # Instead, +has_one_attached+ generates an ActiveStorage::Attached::One proxy to
+      # provide access to the associations and factory methods, like +attach+:
+      #
+      #   user.avatar.attach(uploaded_file)
       #
       # The +:dependent+ option defaults to +:purge_later+. This means the attachment will be
       # purged (i.e. destroyed) in the background whenever the record is destroyed.
@@ -92,6 +90,10 @@ module ActiveStorage
       #     has_one_attached :avatar, service: ->(user) { user.in_europe_region? ? :s3_europe : :s3_usa }
       #   end
       #
+      # To avoid N+1 queries, you can include the attached blobs in your query like so:
+      #
+      #   User.with_attached_avatar
+      #
       # If you need to enable +strict_loading+ to prevent lazy loading of attachment,
       # pass the +:strict_loading+ option. You can do:
       #
@@ -104,7 +106,7 @@ module ActiveStorage
       # <tt>active_storage_attachments.record_type</tt> polymorphic type column of
       # the corresponding rows.
       def has_one_attached(name, dependent: :purge_later, service: nil, strict_loading: false)
-        Attached::Model.validate_service_configuration(service, self, name) unless service.is_a?(Proc)
+        ActiveStorage::Blob.validate_service_configuration(service, self, name) unless service.is_a?(Proc)
 
         generated_association_methods.class_eval <<-CODE, __FILE__, __LINE__ + 1
           # frozen_string_literal: true
@@ -161,18 +163,16 @@ module ActiveStorage
       # There are no columns defined on the model side, Active Storage takes
       # care of the mapping between your records and the attachments.
       #
-      # To avoid N+1 queries, you can include the attached blobs in your query like so:
-      #
-      #   Gallery.where(user: Current.user).with_attached_photos
-      #
       # Under the covers, this relationship is implemented as a +has_many+ association to a
       # ActiveStorage::Attachment record and a +has_many-through+ association to a
       # ActiveStorage::Blob record. These associations are available as +photos_attachments+
       # and +photos_blobs+. But you shouldn't need to work with these associations directly in
       # most circumstances.
       #
-      # The system has been designed to having you go through the ActiveStorage::Attached::Many
-      # proxy that provides the dynamic proxy to the associations and factory methods, like +#attach+.
+      # Instead, +has_many_attached+ generates an ActiveStorage::Attached::Many proxy to
+      # provide access to the associations and factory methods, like +attach+:
+      #
+      #   user.photos.attach(uploaded_file)
       #
       # The +:dependent+ option defaults to +:purge_later+. This means the attachments will be
       # purged (i.e. destroyed) in the background whenever the record is destroyed.
@@ -192,6 +192,10 @@ module ActiveStorage
       #     has_many_attached :photos, service: ->(gallery) { gallery.personal? ? :personal_s3 : :s3 }
       #   end
       #
+      # To avoid N+1 queries, you can include the attached blobs in your query like so:
+      #
+      #   Gallery.where(user: Current.user).with_attached_photos
+      #
       # If you need to enable +strict_loading+ to prevent lazy loading of attachments,
       # pass the +:strict_loading+ option. You can do:
       #
@@ -204,7 +208,7 @@ module ActiveStorage
       # <tt>active_storage_attachments.record_type</tt> polymorphic type column of
       # the corresponding rows.
       def has_many_attached(name, dependent: :purge_later, service: nil, strict_loading: false)
-        Attached::Model.validate_service_configuration(service, self, name) unless service.is_a?(Proc)
+        ActiveStorage::Blob.validate_service_configuration(service, self, name) unless service.is_a?(Proc)
 
         generated_association_methods.class_eval <<-CODE, __FILE__, __LINE__ + 1
           # frozen_string_literal: true
@@ -255,25 +259,6 @@ module ActiveStorage
       end
     end
 
-    class << self
-      def validate_service_configuration(service_name, model_class, association_name) # :nodoc:
-        if service_name
-          ActiveStorage::Blob.services.fetch(service_name) do
-            raise ArgumentError, "Cannot configure service #{service_name.inspect} for #{model_class}##{association_name}"
-          end
-        else
-          validate_global_service_configuration(model_class)
-        end
-      end
-
-      private
-        def validate_global_service_configuration(model_class)
-          if model_class.connected? && ActiveStorage::Blob.table_exists? && Rails.configuration.active_storage.service.nil?
-            raise RuntimeError, "Missing Active Storage service name. Specify Active Storage service name for config.active_storage.service in config/environments/#{Rails.env}.rb"
-          end
-        end
-    end
-
     def attachment_changes # :nodoc:
       @attachment_changes ||= {}
     end

data/lib/active_storage/engine.rb

@@ -84,10 +84,6 @@ module ActiveStorage
     end
 
     initializer "active_storage.configs" do
-      config.before_initialize do |app|
-        ActiveStorage.touch_attachment_records = app.config.active_storage.touch_attachment_records != false
-      end
-
       config.after_initialize do |app|
         ActiveStorage.logger            = app.config.active_storage.logger || Rails.logger
         ActiveStorage.variant_processor = app.config.active_storage.variant_processor || :mini_magick
@@ -116,13 +112,13 @@ module ActiveStorage
         ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
         ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
         ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
+        ActiveStorage.touch_attachment_records = app.config.active_storage.touch_attachment_records != false
         ActiveStorage.service_urls_expire_in = app.config.active_storage.service_urls_expire_in || 5.minutes
         ActiveStorage.urls_expire_in = app.config.active_storage.urls_expire_in
         ActiveStorage.content_types_allowed_inline = app.config.active_storage.content_types_allowed_inline || []
         ActiveStorage.binary_content_type = app.config.active_storage.binary_content_type || "application/octet-stream"
         ActiveStorage.video_preview_arguments = app.config.active_storage.video_preview_arguments || "-y -vframes 1 -f image2"
         ActiveStorage.track_variants = app.config.active_storage.track_variants || false
-        ActiveStorage.streaming_chunk_max_size = app.config.active_storage.streaming_chunk_max_size || 100.megabytes
       end
     end
 

data/lib/active_storage/errors.rb

@@ -26,8 +26,4 @@ module ActiveStorage
 
   # Raised when a Previewer is unable to generate a preview image.
   class PreviewError < Error; end
-
-  # Raised when a storage key resolves to a path outside the service's root
-  # directory, indicating a potential path traversal attack.
-  class InvalidKeyError < Error; end
 end

data/lib/active_storage/fixture_set.rb

@@ -50,7 +50,7 @@ module ActiveStorage
     # by ActiveSupport::Testing::FileFixtures.file_fixture, and upload
     # the file to the Service
     #
-    # ==== Examples
+    # === Examples
     #
     #   # tests/fixtures/active_storage/blobs.yml
     #   second_thumbnail_blob: <%= ActiveStorage::FixtureSet.blob(

data/lib/active_storage/gem_version.rb

@@ -7,10 +7,10 @@ module ActiveStorage
   end
 
   module VERSION
-    MAJOR = 7
-    MINOR = 2
-    TINY  = 3
-    PRE   = "1"
+    MAJOR = 8
+    MINOR = 0
+    TINY  = 0
+    PRE   = "beta1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/service/azure_storage_service.rb

@@ -15,6 +15,13 @@ module ActiveStorage
     attr_reader :client, :container, :signer
 
     def initialize(storage_account_name:, storage_access_key:, container:, public: false, **options)
+      ActiveStorage.deprecator.warn <<~MSG.squish
+        `ActiveStorage::Service::AzureStorageService` is deprecated and will be
+        removed in Rails 8.1.
+        Please try the `azure-blob` gem instead.
+        This gem is not maintained by the Rails team, so please test your applications before deploying to production.
+      MSG
+
       @client = Azure::Storage::Blob::BlobService.create(storage_account_name: storage_account_name, storage_access_key: storage_access_key, **options)
       @signer = Azure::Storage::Common::Core::Auth::SharedAccessSignature.new(storage_account_name, storage_access_key)
       @container = container

data/lib/active_storage/service/disk_service.rb

@@ -60,16 +60,7 @@ module ActiveStorage
 
     def delete_prefixed(prefix)
       instrument :delete_prefixed, prefix: prefix do
-        prefix_path = path_for(prefix)
-
-        # File.expand_path (called within path_for) strips trailing slashes.
-        # Restore trailing separator if the original prefix had one, so that
-        # the glob "prefix/*" matches files inside the directory, not siblings
-        # whose names start with the prefix string.
-        prefix_path += "/" if prefix.end_with?("/")
-
-        escaped = escape_glob_metacharacters(prefix_path)
-        Dir.glob("#{escaped}*").each do |path|
+        Dir.glob(path_for("#{prefix}*")).each do |path|
           FileUtils.rm_rf(path)
         end
       end
@@ -107,39 +98,8 @@ module ActiveStorage
       { "Content-Type" => content_type }
     end
 
-    # Every filesystem operation in DiskService resolves paths through this method (or through
-    # make_path_for, which delegates here). This is the primary filesystem security check: all
-    # path-traversal protection is enforced here. New methods that touch the filesystem MUST use
-    # path_for or make_path_for -- never construct paths from +root+ directly.
     def path_for(key) # :nodoc:
-      if key.blank?
-        raise ActiveStorage::InvalidKeyError, "key is blank"
-      end
-
-      # Reject keys with dot segments as defense in depth. This prevents path traversal both outside
-      # and within the storage root. The root containment check below is a more fundamental check on
-      # path traversal outside of the disk service root.
-      begin
-        if key.split("/").intersect?(%w[. ..])
-          raise ActiveStorage::InvalidKeyError, "key has path traversal segments"
-        end
-      rescue Encoding::CompatibilityError
-        raise ActiveStorage::InvalidKeyError, "key has incompatible encoding"
-      end
-
-      begin
-        path = File.expand_path(File.join(root, folder_for(key), key))
-      rescue ArgumentError
-        # ArgumentError catches null bytes
-        raise ActiveStorage::InvalidKeyError, "key is an invalid string"
-      end
-
-      # The resolved path must be inside the root directory.
-      unless path.start_with?(File.expand_path(root) + "/")
-        raise ActiveStorage::InvalidKeyError, "key is outside of disk service root"
-      end
-
-      path
+      File.join root, folder_for(key), key
     end
 
     def compose(source_keys, destination_key, **)
@@ -196,10 +156,6 @@ module ActiveStorage
         [ key[0..1], key[2..3] ].join("/")
       end
 
-      def escape_glob_metacharacters(path)
-        path.gsub(/[\[\]*?{}\\]/) { |c| "\\#{c}" }
-      end
-
       def make_path_for(key)
         path_for(key).tap { |path| FileUtils.mkdir_p File.dirname(path) }
       end

data/lib/active_storage/service/mirror_service.rb

@@ -30,6 +30,13 @@ module ActiveStorage
 
     def initialize(primary:, mirrors:)
       @primary, @mirrors = primary, mirrors
+      @executor = Concurrent::ThreadPoolExecutor.new(
+        min_threads: 1,
+        max_threads: mirrors.size,
+        max_queue: 0,
+        fallback_policy: :caller_runs,
+        idle_time: 60
+      )
     end
 
     # Upload the +io+ to the +key+ specified to all services. The upload to the primary service is done synchronously
@@ -75,10 +82,12 @@ module ActiveStorage
       end
 
       def perform_across_services(method, *args)
-        # FIXME: Convert to be threaded
-        each_service.collect do |service|
-          service.public_send method, *args
+        tasks = each_service.collect do |service|
+          Concurrent::Promise.execute(executor: @executor) do
+            service.public_send method, *args
+          end
         end
+        tasks.each(&:value!)
       end
   end
 end

data/lib/active_storage/service/s3_service.rb

@@ -16,7 +16,6 @@ module ActiveStorage
 
     def initialize(bucket:, upload: {}, public: false, **options)
       @client = Aws::S3::Resource.new(**options)
-      @transfer_manager = Aws::S3::TransferManager.new(client: @client.client) if defined?(Aws::S3::TransferManager)
       @bucket = @client.bucket(bucket)
 
       @multipart_upload_threshold = upload.delete(:multipart_threshold) || 100.megabytes
@@ -101,8 +100,7 @@ module ActiveStorage
     def compose(source_keys, destination_key, filename: nil, content_type: nil, disposition: nil, custom_metadata: {})
       content_disposition = content_disposition_with(type: disposition, filename: filename) if disposition && filename
 
-      upload_stream(
-        key: destination_key,
+      object_for(destination_key).upload_stream(
         content_type: content_type,
         content_disposition: content_disposition,
         part_size: MINIMUM_UPLOAD_PART_SIZE,
@@ -118,14 +116,6 @@ module ActiveStorage
     end
 
     private
-      def upload_stream(key:, **options, &block)
-        if @transfer_manager
-          @transfer_manager.upload_stream(key: key, bucket: bucket.name, **options, &block)
-        else
-          object_for(key).upload_stream(**options, &block)
-        end
-      end
-
       def private_url(key, expires_in:, filename:, disposition:, content_type:, **client_opts)
         object_for(key).presigned_url :get, expires_in: expires_in.to_i,
           response_content_disposition: content_disposition_with(type: disposition, filename: filename),
@@ -136,6 +126,7 @@ module ActiveStorage
         object_for(key).public_url(**client_opts)
       end
 
+
       MAXIMUM_UPLOAD_PARTS_COUNT = 10000
       MINIMUM_UPLOAD_PART_SIZE   = 5.megabytes
 
@@ -148,18 +139,12 @@ module ActiveStorage
       def upload_with_multipart(key, io, content_type: nil, content_disposition: nil, custom_metadata: {})
         part_size = [ io.size.fdiv(MAXIMUM_UPLOAD_PARTS_COUNT).ceil, MINIMUM_UPLOAD_PART_SIZE ].max
 
-        upload_stream(
-          key: key,
-          content_type: content_type,
-          content_disposition: content_disposition,
-          part_size: part_size,
-          metadata: custom_metadata,
-          **upload_options
-        ) do |out|
+        object_for(key).upload_stream(content_type: content_type, content_disposition: content_disposition, part_size: part_size, metadata: custom_metadata, **upload_options) do |out|
           IO.copy_stream(io, out)
         end
       end
 
+
       def object_for(key)
         bucket.object(key)
       end

data/lib/active_storage.rb

@@ -27,7 +27,6 @@ require "active_record"
 require "active_support"
 require "active_support/rails"
 require "active_support/core_ext/numeric/time"
-require "active_support/core_ext/numeric/bytes"
 
 require "active_storage/version"
 require "active_storage/deprecator"
@@ -73,6 +72,7 @@ module ActiveStorage
     "annotate",
     "antialias",
     "append",
+    "apply",
     "attenuate",
     "authenticate",
     "auto_gamma",
@@ -213,6 +213,7 @@ module ActiveStorage
     "linewidth",
     "liquid_rescale",
     "list",
+    "loader",
     "log",
     "loop",
     "lowlight_color",
@@ -275,6 +276,7 @@ module ActiveStorage
     "rotate",
     "sample",
     "sampling_factor",
+    "saver",
     "scale",
     "scene",
     "screen",
@@ -351,7 +353,6 @@ module ActiveStorage
   ]
   mattr_accessor :unsupported_image_processing_arguments
 
-  mattr_accessor :streaming_chunk_max_size, default: 100.megabytes
   mattr_accessor :service_urls_expire_in, default: 5.minutes
   mattr_accessor :touch_attachment_records, default: true
   mattr_accessor :urls_expire_in
@@ -362,18 +363,6 @@ module ActiveStorage
 
   mattr_accessor :track_variants, default: false
 
-  singleton_class.attr_accessor :checksum_implementation
-  @checksum_implementation = OpenSSL::Digest::MD5
-  begin
-    @checksum_implementation.hexdigest("test")
-  rescue # OpenSSL may have MD5 disabled
-    require "digest/md5"
-    @checksum_implementation = Digest::MD5
-  end
-
-  singleton_class.attr_accessor :streaming_max_ranges
-  @streaming_max_ranges = 1
-
   mattr_accessor :video_preview_arguments, default: "-y -vframes 1 -f image2"
 
   module Transformers

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 7.2.3.1
+  version: 8.0.0.beta1
 platform: ruby
 authors:
 - David Heinemeier Hansson
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2024-09-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -15,56 +16,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.3.1
+        version: 8.0.0.beta1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.3.1
+        version: 8.0.0.beta1
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.3.1
+        version: 8.0.0.beta1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.3.1
+        version: 8.0.0.beta1
 - !ruby/object:Gem::Dependency
   name: activejob
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.3.1
+        version: 8.0.0.beta1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.3.1
+        version: 8.0.0.beta1
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.3.1
+        version: 8.0.0.beta1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.3.1
+        version: 8.0.0.beta1
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -189,11 +190,12 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.2.3.1/activestorage/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.2.3.1/
+  changelog_uri: https://github.com/rails/rails/blob/v8.0.0.beta1/activestorage/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v8.0.0.beta1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.2.3.1/activestorage
+  source_code_uri: https://github.com/rails/rails/tree/v8.0.0.beta1/activestorage
   rubygems_mfa_required: 'true'
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -201,14 +203,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.1.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 3.5.16
+signing_key: 
 specification_version: 4
 summary: Local and cloud file storage framework.
 test_files: []