camaleon_cms 2.7.5 → 2.8.1

data/app/controllers/camaleon_cms/admin/media_controller.rb

@@ -30,6 +30,8 @@ module CamaleonCms
 
         file = cama_uploader.fetch_file("private/#{params[:file]}")
 
+        return render plain: helpers.sanitize(file[:error]) if file.is_a?(Hash) && file[:error].present?
+
         send_file file, disposition: 'inline'
       end
 
@@ -51,16 +53,15 @@ module CamaleonCms
       def actions
         authorize! :manage, :media if params[:media_action] != 'crop_url'
         params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
+
         case params[:media_action]
         when 'new_folder'
           params[:folder] = slugify_folder(params[:folder])
-          render partial: 'render_file_item', locals: { files: [cama_uploader.add_folder(params[:folder])] }
+          return render partial: 'render_file_item', locals: { files: [cama_uploader.add_folder(params[:folder])] }
         when 'del_folder'
-          cama_uploader.delete_folder(params[:folder])
-          render plain: ''
+          r = cama_uploader.delete_folder(params[:folder])
         when 'del_file'
-          cama_uploader.delete_file(params[:folder].gsub('//', '/'))
-          render plain: ''
+          r = cama_uploader.delete_file(params[:folder].gsub('//', '/'))
         when 'crop_url'
           user_url = params[:url].to_s
           user_url = "#{current_site.the_url(locale: nil)}#{user_url}" unless user_url.start_with?('data:', 'http')
@@ -70,16 +71,18 @@ module CamaleonCms
               else
                 cama_tmp_upload(user_url, formats: params[:formats], name: params[:name])
               end
-          if r[:error].present?
-            render plain: helpers.sanitize(r[:error])
-          else
+          if r[:error].blank?
             params[:file_upload] = r[:file_path]
             sett = { remove_source: true }
             sett[:same_name] = true if params[:same_name].present?
             sett[:name] = params[:name] if params[:name].present?
-            upload(sett)
+            return upload(sett)
           end
         end
+
+        return render plain: helpers.sanitize(r[:error]) if r[:error].present?
+
+        render plain: ''
       end
 
       # upload files from media uploader

data/app/controllers/camaleon_cms/admin/settings_controller.rb

@@ -26,7 +26,7 @@ module CamaleonCms
           flash[:notice] = t('camaleon_cms.admin.settings.message.site_updated')
           args = { action: :site }
           args[:host], args[:port] = @site.get_domain.to_s.split(':') if cache_slug != @site.slug
-          redirect_to(args)
+          redirect_to(args, allow_other_host: true)
         else
           render 'site'
         end

data/app/controllers/camaleon_cms/camaleon_controller.rb

@@ -51,7 +51,7 @@ module CamaleonCms
     # generate captcha image
     def captcha
       image = cama_captcha_build(params[:len])
-      send_data image.to_blob, type: image.mime_type, disposition: 'inline'
+      send_data image.to_blob, type: MiniMime.lookup_by_extension(image.type).content_type, disposition: 'inline'
     end
 
     private
@@ -103,7 +103,13 @@ module CamaleonCms
     def cama_site_check_existence
       if !current_site.present?
         if Cama::Site.main_site.present?
-          redirect_to Cama::Site.main_site.decorate.the_url
+          url = Cama::Site.main_site.decorate.the_url
+          # TODO: Remove this condition when Rails 6.x won't be supported
+          if Rails.gem_version >= Gem::Version.new('7.0.0')
+            redirect_to url, allow_other_host: true
+          else
+            redirect_to url
+          end
         else
           redirect_to cama_admin_installers_path
         end

data/app/decorators/camaleon_cms/application_decorator.rb

@@ -4,6 +4,14 @@ module CamaleonCms
     @_deco_locale = nil
     include CamaleonCms::MetasDecoratorMethods
 
+    def marshal_dump
+      @object
+    end
+
+    def marshal_load(obj)
+      @object = obj
+    end
+
     # return the keywords for this model
     def the_keywords
       k = object.get_option('keywords', '')

data/app/decorators/camaleon_cms/category_decorator.rb

@@ -21,7 +21,7 @@ module CamaleonCms
 
     # return all children categories for the current category (active_record) filtered by permissions + hidden posts + roles + etc...
     # in return object, you can add custom where's or pagination like here:
-    # http://edgeguides.rubyonrails.org/active_record_querying.html
+    # https://edgeguides.rubyonrails.org/active_record_querying.html
     def the_categories
       object.children
     end

data/app/decorators/camaleon_cms/post_decorator.rb

@@ -41,8 +41,8 @@ module CamaleonCms
       if th.present?
         th
       else
-        (default || object.post_type.get_option('default_thumb',
-                                                nil) || h.asset_url('camaleon_cms/image-not-found.png'))
+        default || object.post_type.get_option('default_thumb',
+                                               nil) || h.asset_url('camaleon_cms/image-not-found.png')
       end
     end
     alias the_image_url the_thumb_url
@@ -61,12 +61,12 @@ module CamaleonCms
     end
 
     # return front url for this post
-    # sample: http://localhost.com/my-page.html
+    # sample: https://localhost.com/my-page.html
     # args:
     #   locale: language (default current language)
     #   as_path: return the path instead of full url, sample: /my-page.html
     #   Also, you can pass extra attributes as params for the url, sample: page.the_url(my_param: 'value', other: "asd")
-    #     => http://localhost.com/my-page.html?my_param=value&other=asd
+    #     => https://localhost.com/my-page.html?my_param=value&other=asd
     # Return String URL
     def the_url(*args)
       args = args.extract_options!
@@ -127,7 +127,7 @@ module CamaleonCms
     end
 
     # return a hash of frontend urls for this post
-    # sample: {es: 'http://mydomain.com/es/articulo-3.html', en: 'http://mydomain.com/en/post-3.html'}
+    # sample: {es: 'https://mydomain.com/es/articulo-3.html', en: 'https://mydomain.com/en/post-3.html'}
     def the_urls(*args)
       args = args.extract_options!
       res = {}

data/app/decorators/camaleon_cms/post_type_decorator.rb

@@ -55,14 +55,14 @@ module CamaleonCms
 
     # return main categories (first level) for the post_type (active_record) filtered by permissions
     # in return object, you can add custom where's or pagination like here:
-    # http://edgeguides.rubyonrails.org/active_record_querying.html
+    # https://edgeguides.rubyonrails.org/active_record_querying.html
     def the_categories
       object.categories
     end
 
     # return full categories (all levels) for the post_type (active_record) filtered by permissions
     # in return object, you can add custom where's or pagination like here:
-    # http://edgeguides.rubyonrails.org/active_record_querying.html
+    # https://edgeguides.rubyonrails.org/active_record_querying.html
     def the_full_categories
       object.full_categories
     end
@@ -76,7 +76,7 @@ module CamaleonCms
 
     # return all post_tags for the post_type (active_record) filtered by permissions + hidden posts + roles + etc...
     # in return object, you can add custom where's or pagination like here:
-    # http://edgeguides.rubyonrails.org/active_record_querying.html
+    # https://edgeguides.rubyonrails.org/active_record_querying.html
     def the_post_tags
       object.post_tags
     end

data/app/decorators/camaleon_cms/term_taxonomy_decorator.rb

@@ -48,7 +48,7 @@ module CamaleonCms
     # ---------------------- filters
     # return all posts for this model (active_record) filtered by permissions + hidden posts + roles + etc...
     # in return object, you can add custom where's or pagination like here:
-    # http://edgeguides.rubyonrails.org/active_record_querying.html
+    # https://edgeguides.rubyonrails.org/active_record_querying.html
     def the_posts
       h.verify_front_visibility(object.posts)
     end

data/app/helpers/camaleon_cms/admin/category_helper.rb

@@ -17,7 +17,7 @@ module CamaleonCms
           options << [('—' * level) + category.the_title, category.id]
           children = attrs[:max_level] < level ? [] : category.children
           children = [] if attrs[:until_cats].include?(category.id)
-          options += cama_category_get_options_html(children, level + 1, attrs) if children.size.positive?
+          options += cama_category_get_options_html(children, level + 1, attrs) unless children.empty?
         end
         options
       end

data/app/helpers/camaleon_cms/frontend/nav_menu_helper.rb

@@ -23,7 +23,7 @@ module CamaleonCms
           item_class_parent: 'dropdown', # class for all menu items that contain sub items
           sub_container: 'ul', # type of container for sub items
           sub_class: 'dropdown-menu', # class for sub container
-          callback_item: ->(args) {},
+          callback_item: ->(args) {}, # rubocop:disable Lint/ShadowingOuterLocalVariable
           # callback executed for each item (args = { menu_item, link, level, settings, has_children, link_attrs = "", index}).
           #     menu_item: (Object) Menu object
           #     link: (Hash) link data: {link: '', name: ''}
@@ -48,10 +48,11 @@ module CamaleonCms
           container_append: '' # content append for menu container
         }
 
-        args = args_def.merge(args)
+        args = args_def.merge!(args)
         nav_menu = current_site.nav_menus.find_by_slug(args[:menu_slug])
-        nav_menu = current_site.nav_menus.first unless nav_menu.present?
-        html = "<#{args[:container]} class='#{args[:container_class]}' id='#{args[:container_id]}'>#{args[:container_prepend]}{__}#{args[:container_append]}</#{args[:container]}>"
+        nav_menu ||= current_site.nav_menus.first
+        html = "<#{args[:container]} class='#{args[:container_class]}' "\
+          "id='#{args[:container_id]}'>#{args[:container_prepend]}{__}#{args[:container_append]}</#{args[:container]}>"
         if nav_menu.present?
           html.sub('{__}', cama_menu_draw_items(args, nav_menu.children.reorder(:term_order)))
         else
@@ -69,10 +70,10 @@ module CamaleonCms
           data_nav_item = cama_parse_menu_item(nav_menu_item)
           next if data_nav_item == false
 
-          _is_current = data_nav_item[:current] || site_current_path == data_nav_item[:link] || site_current_path == data_nav_item[:link].sub(
-            '.html', ''
-          )
-          has_children = nav_menu_item.have_children? && (args[:levels] == -1 || (args[:levels] != -1 && level <= args[:levels]))
+          _is_current = data_nav_item[:current] || site_current_path == data_nav_item[:link] ||
+                        site_current_path == data_nav_item[:link].sub('.html', '')
+          has_children = nav_menu_item.have_children? && (args[:levels] == -1 ||
+                         (args[:levels] != -1 && level <= args[:levels]))
           r = {
             menu_item: nav_menu_item.decorate,
             link: data_nav_item,
@@ -116,7 +117,7 @@ module CamaleonCms
           index += 1
         end
 
-        if level.zero?
+        if level == 0
           html
         else
           html = "<#{args[:sub_container]} class='#{args[:sub_class]} #{if parent_current
@@ -142,7 +143,7 @@ module CamaleonCms
             '.html', ''
           )
           has_children = nav_menu_item.have_children?
-          has_children = false if max_levels.positive? && max_levels == internal_level
+          has_children = false if max_levels > 0 && max_levels == internal_level
           data_nav_item[:label] = data_nav_item[:name]
           data_nav_item[:url] = data_nav_item[:link]
           r = {
@@ -169,7 +170,7 @@ module CamaleonCms
           res << r
         end
 
-        if internal_level.zero?
+        if internal_level == 0
           res
         else
           [res, is_current_parent, levels.max]

data/app/helpers/camaleon_cms/html_helper.rb

@@ -72,14 +72,14 @@ module CamaleonCms
     def cama_draw_custom_assets
       cama_html_helpers_init unless @_assets_libraries.present?
       libs = []
-      @_assets_libraries.each do |_key, assets|
+      @_assets_libraries.each_value do |assets|
         libs += assets[:css] if assets[:css].present?
       end
       stylesheets = libs.uniq
       css = stylesheet_link_tag(*stylesheets, media: 'all')
 
       libs = []
-      @_assets_libraries.each do |_key, assets|
+      @_assets_libraries.each_value do |assets|
         libs += assets[:js] if assets[:js].present?
       end
       javascripts = libs.uniq
@@ -98,7 +98,7 @@ module CamaleonCms
       terms.all.each do |term|
         options << [('—' * level) + term.name, term.id] unless @term.id == term.id
         children = term.children
-        options += cama_get_options_html_from_items(children, level + 1) if children.size.positive?
+        options += cama_get_options_html_from_items(children, level + 1) unless children.empty?
       end
       options
     end
@@ -117,22 +117,22 @@ module CamaleonCms
 
       libs = {}
       libs[:colorpicker] =
-        { js: ['camaleon_cms/admin/bootstrap-colorpicker'], css: ['camaleon_cms/admin/colorpicker.css'] }
+        { js: ['camaleon_cms/admin/bootstrap-colorpicker'], css: ['camaleon_cms/admin/colorpicker'] }
       libs[:datepicker] = { js: [] }
       libs[:datetimepicker] = { js: [], css: [] }
       libs[:tinymce] =
-        { js: ['camaleon_cms/admin/tinymce/tinymce.min', 'camaleon_cms/admin/tinymce/plugins/filemanager/plugin.min'],
+        { js: %w[camaleon_cms/admin/tinymce/tinymce.min camaleon_cms/admin/tinymce/plugins/filemanager/plugin.min],
           css: ['camaleon_cms/admin/tinymce/skins/lightgray/content.min'] }
       libs[:form_ajax] = { js: ['camaleon_cms/admin/form/jquery.form'] }
       libs[:cropper] = {} # loaded by default
       libs[:post] =
-        { js: ['camaleon_cms/admin/jquery.tagsinput.min', 'camaleon_cms/admin/post'],
+        { js: %w[camaleon_cms/admin/jquery.tagsinput.min camaleon_cms/admin/post],
           css: ['camaleon_cms/admin/jquery.tagsinput'] }
       libs[:multiselect] = { js: ['camaleon_cms/admin/bootstrap-select.js'] }
       libs[:validate] = { js: ['camaleon_cms/admin/jquery.validate'] }
       libs[:nav_menu] =
         { css: ['camaleon_cms/admin/nestable/jquery.nestable'],
-          js: ['camaleon_cms/admin/jquery.nestable', 'camaleon_cms/admin/nav_menu'] }
+          js: %w[camaleon_cms/admin/jquery.nestable camaleon_cms/admin/nav_menu] }
       libs[:admin_intro] =
         { js: ['camaleon_cms/admin/introjs/intro.min'], css: ['camaleon_cms/admin/introjs/introjs.min'] }
       @_cama_assets_libraries = libs

data/app/helpers/camaleon_cms/plugins_helper.rb

@@ -127,7 +127,7 @@ module CamaleonCms
     # asset: (String) asset name
     # plugin_key: (optional) plugin name, default (current plugin caller to this function)
     # sample:
-    #   plugin_asset_url("css/main.css") => return: http://myhost.com/assets/plugins/my_plugin/assets/css/main-54505620f.css
+    #   plugin_asset_url("css/main.css") => return: https://myhost.com/assets/plugins/my_plugin/assets/css/main-54505620f.css
     def plugin_asset_url(asset, plugin_key = nil)
       key = plugin_key || self_plugin_key(1)
       p = PluginRoutes.plugin_info(key)['gem_mode'] ? "plugins/#{key}/#{asset}" : "plugins/#{key}/assets/#{asset}"

data/app/helpers/camaleon_cms/session_helper.rb

@@ -6,7 +6,7 @@ module CamaleonCms
     # redirect_url (default nil): after initialized the session, this will be redirected to
     #   "redirect_url" if defined
     #   it doesn't redirect if redirect_url === false
-    #   return to previous page if defined the cookie['return_to'] or login url received extra param: return_to=http://mysite.com
+    #   return to previous page if defined the cookie['return_to'] or login url received extra param: return_to=https://mysite.com
     def login_user(user, remember_me = false, redirect_url = nil)
       c = { value: [user.auth_token, request.user_agent, request.ip], expires: 24.hours.from_now }
       c[:domain] = :all if PluginRoutes.system_info['users_share_sites'].present? && CamaleonCms::Site.count > 1

data/app/helpers/camaleon_cms/short_code_helper.rb

@@ -15,7 +15,7 @@ module CamaleonCms
                       return args[:shortcode] unless attrs.present?
 
                       cama_load_libraries(*attrs['data'].to_s.split(','))
-                      return ''
+                      ''
                     },
                     "Permit to load libraries on demand, sample: [load_libraries data='datepicker,tinymce']")
 

data/app/helpers/camaleon_cms/site_helper.rb

@@ -32,7 +32,7 @@ module CamaleonCms
         nil
       end
       unless r[:site].present?
-        Rails.logger.error 'Camaleon CMS - Please define your current site: $current_site = CamaleonCms::Site.first.decorate or map your domains: http://camaleon.tuzitio.com/documentation/category/139779-examples/how.html'.cama_log_style(:red)
+        Rails.logger.error 'Camaleon CMS - Please define your current site: $current_site = CamaleonCms::Site.first.decorate or map your domains: https://camaleon.website/documentation/category/139779-examples/how.html'.cama_log_style(:red)
       end
       @current_site = r[:site]
     end

data/app/helpers/camaleon_cms/theme_helper.rb

@@ -26,7 +26,7 @@ module CamaleonCms
     # asset: (String) asset name
     # theme_name: (optional) theme name, default (current theme caller to this function)
     # sample:
-    #   theme_asset_url("css/main.css") => return: http://myhost.com/assets/themes/my_theme/assets/css/main-54505620f.css
+    #   theme_asset_url("css/main.css") => return: https://myhost.com/assets/themes/my_theme/assets/css/main-54505620f.css
     def theme_asset_url(asset, theme_name = nil)
       p = theme_asset_path(asset, theme_name)
       begin

data/app/helpers/camaleon_cms/uploader_helper.rb

@@ -1,7 +1,21 @@
+# frozen_string_literal: true
+
 module CamaleonCms
   module UploaderHelper
+    SUSPICIOUS_PATTERNS = [
+      /<script[\s>]/i,  # Script tags
+      /on\w{3,}\s*=/i,  # Inline event handlers like oncut, onload, onclick, etc.
+      /javascript:/i,   # JavaScript in href/src attributes
+      /<iframe[\s>]/i,  # Iframes
+      /<object[\s>]/i,  # Object tags
+      /<embed[\s>]/i,   # Embed tags
+      /<base[\s>]/i,    # Base tags (can be used to manipulate URLs)
+      /data:/i          # data: URLs (which can include scripts)
+    ].freeze
+
     include ActionView::Helpers::NumberHelper
     include CamaleonCms::CamaleonHelper
+
     # upload a file into server
     # settings:
     #   folder: Directory where the file will be saved (default: "")
@@ -12,11 +26,12 @@ module CamaleonCms
     #   formats: extensions permitted, sample: jpg,png,... or generic: images | videos | audios | documents (default *)
     #   remove_source: Boolean (delete source file after saved if this is true, default false)
     #   same_name: Boolean (save the file with the same name if defined true, else search for a non used name)
-    #   versions: (String) Create addtional multiple versions of the image uploaded, sample: '300x300,505x350' ==> Will create two extra images with these dimensions
-    #       sample "test.png", versions: '200x200,450x450' will generate: thumb/test-png_200x200.png, test-png_450x450.png
+    #   versions: (String) Create additional multiple versions of the image uploaded,
+    #     sample: '300x300,505x350' ==> Will create two extra images with these dimensions
+    #     sample "test.png", versions: '200x200,450x450' will generate: thumb/test-png_200x200.png, test-png_450x450.png
     #   thumb_size: String (redefine the dimensions of the thumbnail, sample: '100x100' ==> only for images)
     #   temporal_time: if great than 0 seconds, then this file will expire (removed) in that time (default: 0)
-    #     To manage jobs, please check http://edgeguides.rubyonrails.org/active_job_basics.html
+    #     To manage jobs, please check https://edgeguides.rubyonrails.org/active_job_basics.html
     #     Note: if you are using temporal_time, you will need to copy the file to another directory later
     # sample: upload_file(params[:my_file], {formats: "images", folder: "temporal"})
     # sample: upload_file(params[:my_file], {formats: "jpg,png,gif,mp3,mp4", temporal_time: 10.minutes, maximum: 10.megabytes})
@@ -36,6 +51,8 @@ module CamaleonCms
         uploaded_io = File.open(cama_resize_upload(uploaded_io.path, settings[:dimension]))
       end
 
+      return { error: 'Potentially malicious content found!' } if file_content_unsafe?(uploaded_io)
+
       settings = settings.to_sym
       settings[:uploaded_io] = uploaded_io
       settings = {
@@ -45,7 +62,7 @@ module CamaleonCms
         generate_thumb: true,
         temporal_time: 0,
         filename: begin
-          (cached_name || uploaded_io.original_filename)
+          cached_name || uploaded_io.original_filename
         rescue StandardError
           uploaded_io.path.split('/').last
         end.cama_fix_filename,
@@ -54,10 +71,13 @@ module CamaleonCms
         same_name: false,
         versions: '',
         thumb_size: nil
-      }.merge(settings)
+      }.merge!(settings)
       hooks_run('before_upload', settings)
       res = { error: nil }
 
+      # guard against path traversal
+      return { error: 'Invalid file path' } unless cama_uploader.class.valid_folder_path?(settings[:folder])
+
       # formats validations
       return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
         uploaded_io.path, settings[:formats]
@@ -72,7 +92,6 @@ module CamaleonCms
       # save file
       key = File.join(settings[:folder], settings[:filename]).to_s.cama_fix_slash
       res = cama_uploader.add_file(settings[:uploaded_io], key, { same_name: settings[:same_name] })
-      {} if (settings[:temporal_time]).positive?
 
       # generate image versions
       if res['file_type'] == 'image'
@@ -92,6 +111,12 @@ module CamaleonCms
       FileUtils.rm_f(uploaded_io.path) if settings[:remove_source] && File.exist?(uploaded_io.path)
 
       hooks_run('after_upload', settings)
+
+      # temporal file upload (always put as local for temporal files)
+      if settings[:temporal_time] > 0
+        CamaleonCmsUploader.delete_block.call(settings, cama_uploader, key)
+      end
+
       res
     end
 
@@ -189,7 +214,7 @@ module CamaleonCms
     # Return: (String) file path where saved this cropped
     # sample: cama_resize_and_crop(my_file, 200, 200, {gravity: :north_east, overwrite: false})
     def cama_resize_and_crop(file, w, h, settings = {})
-      settings = { gravity: :north_east, overwrite: true, output_name: '' }.merge(settings)
+      settings = { gravity: :north_east, overwrite: true, output_name: +'' }.merge!(settings)
       img = MiniMagick::Image.open(file)
       if file.end_with? '.svg'
         img.format 'jpg'
@@ -237,7 +262,7 @@ module CamaleonCms
     # upload tmp file
     # support for url and local path
     # sample:
-    # cama_tmp_upload('http://camaleon.tuzitio.com/media/132/logo2.png')  ==> /var/rails/my_project/public/tmp/1/logo2.png
+    # cama_tmp_upload('https://camaleon.website/media/132/logo2.png')  ==> /var/rails/my_project/public/tmp/1/logo2.png
     # cama_tmp_upload('/var/www/media/132/logo 2.png')  ==> /var/rails/my_project/public/tmp/1/logo-2.png
     # accept args:
     #   name: to indicate the name to use, sample: cama_tmp_upload('/var/www/media/132/logo 2.png', {name: 'owen.png', formats: 'images'})
@@ -295,10 +320,11 @@ module CamaleonCms
 
     # resize image if the format is correct
     # return resized file path
-    def cama_resize_upload(image_path, dimesion, args = {})
-      if cama_uploader.class.validate_file_format(image_path, 'image') && dimesion.present?
-        r = { file: image_path, w: dimesion.split('x')[0], h: dimesion.split('x')[1], w_offset: 0, h_offset: 0,
-              resize: !dimesion.split('x')[2] || dimesion.split('x')[2] == 'resize', replace: true, gravity: :north_east }.merge(args)
+    def cama_resize_upload(image_path, dimension, args = {})
+      if cama_uploader.class.validate_file_format(image_path, 'image') && dimension.present?
+        r = { file: image_path, w: dimension.split('x')[0], h: dimension.split('x')[1], w_offset: 0, h_offset: 0,
+              resize: !dimension.split('x')[2] || dimension.split('x')[2] == 'resize',
+              replace: true, gravity: :north_east }.merge!(args)
         hooks_run('on_uploader_resize', r)
         image_path = if r[:w].present? && r[:h].present?
                        cama_resize_and_crop(r[:file], r[:w], r[:h], { overwrite: r[:replace], gravity: r[:gravity] })
@@ -324,12 +350,12 @@ module CamaleonCms
             cloud_front: current_site.get_option('filesystem_s3_cloudfront'),
             aws_file_upload_settings: lambda { |settings|
                                         settings
-                                      }, # permit to add your custom attributes for file_upload http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#upload_file-instance_method
+                                      }, # permit to add your custom attributes for file_upload https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#upload_file-instance_method
             aws_file_read_settings: lambda { |data, _s3_file|
                                       data
                                     } # permit to read custom attributes from aws file and add to file parsed object
           },
-          custom_uploader: nil # posibility to use custom file uploader
+          custom_uploader: nil # possibility to use custom file uploader
         }
         hooks_run('on_uploader', args)
         return args[:custom_uploader] if args[:custom_uploader].present?
@@ -350,13 +376,30 @@ module CamaleonCms
     end
 
     def slugify_folder(val)
-      splitted_folder = val.split('/')
-      splitted_folder[-1] = slugify(splitted_folder.last)
-      splitted_folder.join('/')
+      split_folder = val.split('/')
+      split_folder[-1] = slugify(split_folder.last)
+      split_folder.join('/')
     end
 
     private
 
+    def file_content_unsafe?(uploaded_io)
+      file = uploaded_io.is_a?(ActionDispatch::Http::UploadedFile) ? uploaded_io.tempfile : uploaded_io
+      file_content_unsafe = nil
+
+      file.set_encoding(Encoding::BINARY) if file.respond_to?(:binmode) && file.respond_to?(:set_encoding)
+
+      file_content = file.read
+      SUSPICIOUS_PATTERNS.each do |pattern|
+        if file_content =~ pattern
+          Rails.logger.info { "Potentially malicious content found: #{pattern.inspect}" }
+          break file_content_unsafe = pattern.inspect
+        end
+      end
+
+      file_content_unsafe
+    end
+
     # helper for resize and crop method
     def cama_crop_offsets_by_gravity(gravity, original_dimensions, cropped_dimensions)
       original_width, original_height = original_dimensions

data/app/models/camaleon_cms/ability.rb

@@ -105,7 +105,7 @@ module CamaleonCms
         end
 
         # support for custom abilities for each posttype
-        # sample: http://camaleon.tuzitio.com/documentation/category/40756-uncategorized/custom-models.html
+        # sample: https://camaleon.website/documentation/category/40756-uncategorized/custom-models.html
         @roles_post_type.each do |k, v|
           next if %w[edit edit_other edit_publish publish manage_categories].include?(k.to_s)
 

data/app/models/camaleon_cms/custom_field_group.rb

@@ -5,8 +5,8 @@ module CamaleonCms
     alias_attribute :site_id, :parent_id
 
     default_scope do
-      where.not(object_class: '_fields')
-           .reorder("#{CamaleonCms::CustomField.table_name}.field_order ASC")
+      where("object_class != '_fields'")
+        .reorder("#{CamaleonCms::CustomField.table_name}.field_order ASC")
     end
 
     has_many :metas, -> { where(object_class: 'CustomFieldGroup') }, foreign_key: :objectid, dependent: :destroy
@@ -24,12 +24,9 @@ module CamaleonCms
     # -  options (textbox sample):  {"field_key":"text_box","multiple":"1","required":"1",
     #     "translate":"1"}
     #   * field_key (string) | translate (boolean) | default_value (unique value) |
-    #      default_values (array - multiple values for this field) | label_eval (boolean) |
-    #      multiple_options (array)
+    #      default_values (array - multiple values for this field) | multiple_options (array)
     #   * multiple_options (used for select, radio and checkboxes ): [{"title"=>"Option Title",
     #      "value"=>"2", "default"=>"1"}, {"title"=>"abcde", "value"=>"3"}]
-    #   * label_eval: (Boolean, default false), true => will evaluate the label and description of
-    #       current field using (eval('my_label')) to have translatable|dynamic labels
     # ****** check all options for each case in Admin::CustomFieldsHelper ****
     # SAMPLE: my_model.add_field({"name"=>"Sub Title", "slug"=>"subtitle"}, {"field_key"=>"text_box",
     #   "translate"=>true, default_value: "Get in Touch"})

data/app/models/camaleon_cms/nav_menu.rb

@@ -10,7 +10,7 @@ module CamaleonCms
     # add menu item for current menu
     # value: (Hash) is a hash object that contains label, type, link
     #   options for type: post | category | post_type | post_tag | external
-    # sample: {label: "my label", type: "external", link: "http://camaleon.tuzitio.com", target: '_blank'}
+    # sample: {label: "my label", type: "external", link: "https://camaleon.website", target: '_blank'}
     # sample: {label: "my label", type: "post", link: 10}
     # sample: {label: "my label", type: "category", link: 12}
     # return item created

data/app/models/camaleon_cms/post.rb

@@ -42,7 +42,7 @@ module CamaleonCms
     validates_with CamaleonCms::PostUniqValidator
     attr_accessor :show_title_with_parent
 
-    before_create :fix_post_order, if: ->(p) { !p.post_order.present? || p.post_order.zero? }
+    before_create :fix_post_order, if: ->(p) { !p.post_order.present? || p.post_order == 0 }
 
     # return all parents for current page hierarchy ordered bottom to top
     def parents

data/app/models/camaleon_cms/post_default.rb

@@ -42,7 +42,7 @@ module CamaleonCms
       res = where("#{CamaleonCms::Post.table_name}.slug = ? OR #{CamaleonCms::Post.table_name}.slug LIKE ? ", slug,
                   "%-->#{slug}<!--%")
       # end
-      res.reorder('').first
+      res.take
     end
 
     # return the parent of a post (support for sub contents or tree of posts)