activestorage 8.1.2 → 8.1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b700aaa6ff149a5ce6ff88794c94141d8d7e0895c6561578756727ecf5a3128b
-  data.tar.gz: 2eecb99972e95b8495aafbf2458d775bae6a7bcabf4abbc1fc0dd2286b1b140e
+  metadata.gz: 95a8a27a89ab0f4be63e4f466fcf5a7eedf15ed806d7b061257ab56aafadc1a6
+  data.tar.gz: 4f7046ccc16df5fb3bd06080e914fb54c0ad2009d5dbcb1080dcab7bf945f1e3
 SHA512:
-  metadata.gz: ddb19a88f6c95a4be6d198a7342e830a53d03a24c2f62e63ae2b41d1a94cb863dde34079d168a90e7c661736974691395605f991987ade4ff5164e187ad860e4
-  data.tar.gz: 3499297b88322fa207ace2e9f140a53f678f88c7fbe06646d2924c2b29c17e1d8fd8723058382310d307960ba3813733fb5848f232f17c868f09c2d75be6b373
+  metadata.gz: f187b18f73b712921f1dc2252fe5a645ce83b84dad1dc97d6b24be9f136a634e2b0da3290d2a8f9284ae6134bfc8b62fc8e7a7b9f4974b9f3dee6a6ed0af17aa
+  data.tar.gz: 24b2da33d24f7f2d34623482b2a2c818e3d87d7dfa8a165e1ff6091134548e37b8dc9eb3908a69231d3e8e9fa3320f75db1a0dabcb54b048e4e543319ec2f555

data/CHANGELOG.md

@@ -1,3 +1,55 @@
+## Rails 8.1.2.1 (March 23, 2026) ##
+
+*   Filter user supplied metadata in DirectUploadController
+
+    [CVE-2026-33173]
+
+    *Jean Boussier*
+
+*   Configurable maxmimum streaming chunk size
+
+    Makes sure that byte ranges for blobs don't exceed 100mb by default.
+    Content ranges that are too big can result in denial of service.
+
+    [CVE-2026-33174]
+
+    *Gannon McGibbon*
+
+*   Limit range requests to a single range
+
+    [CVE-2026-33658]
+
+    *Jean Boussier*
+
+
+*   Prevent path traversal in `DiskService`.
+
+    `DiskService#path_for` now raises an `InvalidKeyError` when passed keys with dot segments (".",
+    ".."), or if the resolved path is outside the storage root directory.
+
+    `#path_for` also now consistently raises `InvalidKeyError` if the key is invalid in any way, for
+    example containing null bytes or having an incompatible encoding. Previously, the exception
+    raised may have been `ArgumentError` or `Encoding::CompatibilityError`.
+
+    `DiskController` now explicitly rescues `InvalidKeyError` with appropriate HTTP status codes.
+
+    [CVE-2026-33195]
+
+    *Mike Dalessio*
+
+*   Prevent glob injection in `DiskService#delete_prefixed`.
+
+    Escape glob metacharacters in the resolved path before passing to `Dir.glob`.
+
+    Note that this change breaks any existing code that is relying on `delete_prefixed` to expand
+    glob metacharacters. This change presumes that is unintended behavior (as other storage services
+    do not respect these metacharacters).
+
+    [CVE-2026-33202]
+
+    *Mike Dalessio*
+
+
 ## Rails 8.1.2 (January 08, 2026) ##
 
 *   Restore ADC when signing URLs with IAM for GCS

data/app/controllers/active_storage/disk_controller.rb

@@ -17,6 +17,8 @@ class ActiveStorage::DiskController < ActiveStorage::BaseController
     end
   rescue Errno::ENOENT
     head :not_found
+  rescue ActiveStorage::InvalidKeyError
+    head :not_found
   end
 
   def update
@@ -32,6 +34,8 @@ class ActiveStorage::DiskController < ActiveStorage::BaseController
     end
   rescue ActiveStorage::IntegrityError
     head ActionDispatch::Constants::UNPROCESSABLE_CONTENT
+  rescue ActiveStorage::InvalidKeyError
+    head ActionDispatch::Constants::UNPROCESSABLE_CONTENT
   end
 
   private

data/app/controllers/concerns/active_storage/streaming.rb

@@ -14,7 +14,8 @@ module ActiveStorage::Streaming
     def send_blob_byte_range_data(blob, range_header, disposition: nil)
       ranges = Rack::Utils.get_byte_ranges(range_header, blob.byte_size)
 
-      return head(:range_not_satisfiable) if ranges.blank? || ranges.all?(&:blank?)
+      return head(:range_not_satisfiable) unless ranges_valid?(ranges)
+      return head(:range_not_satisfiable) if ranges.length > ActiveStorage.streaming_max_ranges
 
       if ranges.length == 1
         range = ranges.first
@@ -51,6 +52,12 @@ module ActiveStorage::Streaming
       )
     end
 
+    def ranges_valid?(ranges)
+      return false if ranges.blank? || ranges.all?(&:blank?)
+
+      ranges.sum { |range| range.end - range.begin } < ActiveStorage.streaming_chunk_max_size
+    end
+
     # Stream the blob from storage directly to the response. The disposition can be controlled by setting +disposition+.
     # The content type and filename is set directly from the +blob+.
     def send_blob_stream(blob, disposition: nil) # :doc:

data/app/models/active_storage/blob.rb

@@ -16,10 +16,18 @@
 # Blobs are intended to be immutable in as-so-far as their reference to a specific file goes. You're allowed to
 # update a blob's metadata on a subsequent pass, but you should not update the key or change the uploaded file.
 # If you need to create a derivative or otherwise change the blob, simply create a new blob and purge the old one.
+#
+# When using a custom +key+, the value is treated as trusted. Using untrusted user input
+# as the key may result in unexpected behavior.
 class ActiveStorage::Blob < ActiveStorage::Record
   MINIMUM_TOKEN_LENGTH = 28
 
   has_secure_token :key, length: MINIMUM_TOKEN_LENGTH
+
+  # FIXME: these property should never have been stored in the metadata.
+  # The blob table should be migrated to have dedicated columns for theses.
+  PROTECTED_METADATA = %w(analyzed identified composed)
+  private_constant :PROTECTED_METADATA
   store :metadata, accessors: [ :analyzed, :identified, :composed ], coder: ActiveRecord::Coders::JSON
 
   class_attribute :services, default: {}
@@ -92,6 +100,9 @@ class ActiveStorage::Blob < ActiveStorage::Record
     # be saved before the upload begins to prevent the upload clobbering another due to key collisions.
     # When providing a content type, pass <tt>identify: false</tt> to bypass
     # automatic content type inference.
+    #
+    # The optional +key+ parameter is treated as trusted. Using untrusted user input
+    # as the key may result in unexpected behavior.
     def create_and_upload!(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil)
       create_after_unfurling!(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify).tap do |blob|
         blob.upload_without_unfurling(io)
@@ -104,6 +115,7 @@ class ActiveStorage::Blob < ActiveStorage::Record
     # Once the form using the direct upload is submitted, the blob can be associated with the right record using
     # the signed ID.
     def create_before_direct_upload!(key: nil, filename:, byte_size:, checksum:, content_type: nil, metadata: nil, service_name: nil, record: nil)
+      metadata = filter_metadata(metadata)
       create! key: key, filename: filename, byte_size: byte_size, checksum: checksum, content_type: content_type, metadata: metadata, service_name: service_name
     end
 
@@ -151,6 +163,15 @@ class ActiveStorage::Blob < ActiveStorage::Record
         combined_blob.save!
       end
     end
+
+    private
+      def filter_metadata(metadata)
+        if metadata.is_a?(Hash)
+          metadata.without(*PROTECTED_METADATA)
+        else
+          metadata
+        end
+      end
   end
 
   include Analyzable

data/lib/active_storage/engine.rb

@@ -149,6 +149,7 @@ module ActiveStorage
         ActiveStorage.binary_content_type = app.config.active_storage.binary_content_type || "application/octet-stream"
         ActiveStorage.video_preview_arguments = app.config.active_storage.video_preview_arguments || "-y -vframes 1 -f image2"
         ActiveStorage.track_variants = app.config.active_storage.track_variants || false
+        ActiveStorage.streaming_chunk_max_size = app.config.active_storage.streaming_chunk_max_size || 100.megabytes
       end
     end
 

data/lib/active_storage/errors.rb

@@ -26,4 +26,8 @@ module ActiveStorage
 
   # Raised when a Previewer is unable to generate a preview image.
   class PreviewError < Error; end
+
+  # Raised when a storage key resolves to a path outside the service's root
+  # directory, indicating a potential path traversal attack.
+  class InvalidKeyError < Error; end
 end

data/lib/active_storage/gem_version.rb

@@ -10,7 +10,7 @@ module ActiveStorage
     MAJOR = 8
     MINOR = 1
     TINY  = 2
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/active_storage/service/disk_service.rb

@@ -60,7 +60,16 @@ module ActiveStorage
 
     def delete_prefixed(prefix)
       instrument :delete_prefixed, prefix: prefix do
-        Dir.glob(path_for("#{prefix}*")).each do |path|
+        prefix_path = path_for(prefix)
+
+        # File.expand_path (called within path_for) strips trailing slashes.
+        # Restore trailing separator if the original prefix had one, so that
+        # the glob "prefix/*" matches files inside the directory, not siblings
+        # whose names start with the prefix string.
+        prefix_path += "/" if prefix.end_with?("/")
+
+        escaped = escape_glob_metacharacters(prefix_path)
+        Dir.glob("#{escaped}*").each do |path|
           FileUtils.rm_rf(path)
         end
       end
@@ -98,8 +107,39 @@ module ActiveStorage
       { "Content-Type" => content_type }
     end
 
+    # Every filesystem operation in DiskService resolves paths through this method (or through
+    # make_path_for, which delegates here). This is the primary filesystem security check: all
+    # path-traversal protection is enforced here. New methods that touch the filesystem MUST use
+    # path_for or make_path_for -- never construct paths from +root+ directly.
     def path_for(key) # :nodoc:
-      File.join root, folder_for(key), key
+      if key.blank?
+        raise ActiveStorage::InvalidKeyError, "key is blank"
+      end
+
+      # Reject keys with dot segments as defense in depth. This prevents path traversal both outside
+      # and within the storage root. The root containment check below is a more fundamental check on
+      # path traversal outside of the disk service root.
+      begin
+        if key.split("/").intersect?(%w[. ..])
+          raise ActiveStorage::InvalidKeyError, "key has path traversal segments"
+        end
+      rescue Encoding::CompatibilityError
+        raise ActiveStorage::InvalidKeyError, "key has incompatible encoding"
+      end
+
+      begin
+        path = File.expand_path(File.join(root, folder_for(key), key))
+      rescue ArgumentError
+        # ArgumentError catches null bytes
+        raise ActiveStorage::InvalidKeyError, "key is an invalid string"
+      end
+
+      # The resolved path must be inside the root directory.
+      unless path.start_with?(File.expand_path(root) + "/")
+        raise ActiveStorage::InvalidKeyError, "key is outside of disk service root"
+      end
+
+      path
     end
 
     def compose(source_keys, destination_key, **)
@@ -156,6 +196,10 @@ module ActiveStorage
         [ key[0..1], key[2..3] ].join("/")
       end
 
+      def escape_glob_metacharacters(path)
+        path.gsub(/[\[\]*?{}\\]/) { |c| "\\#{c}" }
+      end
+
       def make_path_for(key)
         path_for(key).tap { |path| FileUtils.mkdir_p File.dirname(path) }
       end

data/lib/active_storage.rb

@@ -27,6 +27,7 @@ require "active_record"
 require "active_support"
 require "active_support/rails"
 require "active_support/core_ext/numeric/time"
+require "active_support/core_ext/numeric/bytes"
 
 require "active_storage/version"
 require "active_storage/deprecator"
@@ -352,6 +353,7 @@ module ActiveStorage
   ]
   mattr_accessor :unsupported_image_processing_arguments
 
+  mattr_accessor :streaming_chunk_max_size, default: 100.megabytes
   mattr_accessor :service_urls_expire_in, default: 5.minutes
   mattr_accessor :touch_attachment_records, default: true
   mattr_accessor :urls_expire_in
@@ -362,6 +364,18 @@ module ActiveStorage
 
   mattr_accessor :track_variants, default: false
 
+  singleton_class.attr_accessor :checksum_implementation
+  @checksum_implementation = OpenSSL::Digest::MD5
+  begin
+    @checksum_implementation.hexdigest("test")
+  rescue # OpenSSL may have MD5 disabled
+    require "digest/md5"
+    @checksum_implementation = Digest::MD5
+  end
+
+  singleton_class.attr_accessor :streaming_max_ranges
+  @streaming_max_ranges = 1
+
   mattr_accessor :video_preview_arguments, default: "-y -vframes 1 -f image2"
 
   module Transformers

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: activestorage
 version: !ruby/object:Gem::Version
-  version: 8.1.2
+  version: 8.1.2.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
@@ -15,56 +15,56 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.1.2
+        version: 8.1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.1.2
+        version: 8.1.2.1
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.1.2
+        version: 8.1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.1.2
+        version: 8.1.2.1
 - !ruby/object:Gem::Dependency
   name: activejob
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.1.2
+        version: 8.1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.1.2
+        version: 8.1.2.1
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.1.2
+        version: 8.1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.1.2
+        version: 8.1.2.1
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -192,10 +192,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v8.1.2/activestorage/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v8.1.2/
+  changelog_uri: https://github.com/rails/rails/blob/v8.1.2.1/activestorage/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v8.1.2.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v8.1.2/activestorage
+  source_code_uri: https://github.com/rails/rails/tree/v8.1.2.1/activestorage
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
@@ -211,7 +211,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: Local and cloud file storage framework.
 test_files: []