carrierwave-bombshelter 0.1.1.6 → 0.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: ddc7a42dec427229cd79adddd0c03ad8bf33e41c
- data.tar.gz: 9693a53421f74da194e5462723a8ccedb9bec55f
+ metadata.gz: f7c3a39b71c781524915e471ed4e30b5bd2537b7
+ data.tar.gz: 7a5da68b7018a758449334c576c774c404b61c41
  SHA512:
- metadata.gz: c5f9d4ac7e4746b93da1b9468d7af7d96d69abced9dbb2c75ebf6e28e9636f28dce9cdff020f8601191c0a382b0cf2a90a12a6d17ac1206f0db5dd6afea5e52d
- data.tar.gz: 2352d890f35459d9e952a364ea38952a54ffb3d84ced7d71c1420d6b1e7f775a46e991f9c0a79119f65305829cf2901e8019d6afa1289159ecc58d3825536f7b
+ metadata.gz: bd06151492894cc3b0a32220e6cba3004563a60b0183b54d720f7d0a1965e921fd1f0b16b7d3fefb35e58bc45161fd7275a38ec8a4ee4859a33b1cc25cf4d9f8
+ data.tar.gz: 4154b8f5264f7fad9830b61ed9c814baf767bd76a256ed2c660a17f904225e967976b84a37b70d487a5aaecffc2059835567783a5a6bb8d90b71fe30a166903a
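Review bot: these SHA1/SHA512 digests are the only integrity data this release ships, because the metadata hunk further down still has `cert_chain: []`, meaning the gem is unsigned. They describe the two inner archives and live inside the same package they describe, so they are a consistency check on the archive contents, not provenance; a consumer who cares who built 0.2 still has to compare the downloaded .gem against a digest obtained out of band.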
data/README.md CHANGED
@@ -2,7 +2,7 @@
 
  [![Build Status](https://travis-ci.org/DarthSim/carrierwave-bombshelter.svg)](https://travis-ci.org/DarthSim/carrierwave-bombshelter)
 
- BombShelter is a module which protects your uploaders from [image bombs](https://www.bamsoftware.com/hacks/deflate.html). It checks pixel dimensions of uploaded image before ImageMagick touches it.
+ BombShelter is a module which protects your uploaders from image bombs like [https://www.bamsoftware.com/hacks/deflate.html]() and [http://www.openwall.com/lists/oss-security/2016/05/03/18](). It checks type and pixel dimensions of uploaded image before ImageMagick touches it.
 
  <a href="https://evilmartians.com/">
  <img src="https://evilmartians.com/badges/sponsored-by-evil-martians.svg" alt="Sponsored by Evil Martians" width="236" height="54">
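Review bot: the two links in the `+` line use `[url]()` with an empty target, which Markdown renders as a link to the current page rather than to the URL shown; write them as `<https://www.bamsoftware.com/hacks/deflate.html>` and `<http://www.openwall.com/lists/oss-security/2016/05/03/18>`, or as `[text](url)`. The second reference is an oss-security thread rather than an image-bomb write-up like the first, and this release adds both a type check and a warning about `svg` and `mvg` further down the README; if that thread is the reason for those additions, a few words saying so would let readers connect the two.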
@@ -10,7 +10,7 @@ BombShelter is a module which protects your uploaders from [image bombs](https:/
 
  ## How it works
 
- BombShelter uses [fastimage](https://github.com/sdsykes/fastimage) gem, which reads just a header of an image to get info about it. BombShelter compares pixel dimensions of the uploaded image with maximum allowed ones and raises integrity error if image is too big. Works perfectly with ActiveRecord validators.
+ BombShelter uses [fastimage](https://github.com/sdsykes/fastimage) gem, which reads just a header of an image to get info about it. BombShelter compares type and pixel dimensions of the uploaded image with allowed ones and raises integrity error if image is too big or have unsupported type. Works perfectly with ActiveRecord validators.
 
  ## Installation
 
@@ -38,7 +38,23 @@ class YourUploader < CarrierWave::Uploader::Base
  end
  ```
 
- By default BombShelter sets maximum allowed dimensions to 4096x4096, but you can set your own ones by defining `max_pixel_dimensions` method:
+ You can change allowed image types by defining `image_type_whitelist` method (default are `[:jpeg, :png, :gif]`):
+
+ ```ruby
+ class YourUploader < CarrierWave::Uploader::Base
+ include CarrierWave::BombShelter
+
+ def image_type_whitelist
+ %i(bmp jpeg png gif)
+ end
+ end
+ ```
+
+ **Note:** Whitelisted file types should be supported by [fastimage](https://github.com/sdsykes/fastimage).
+
+ **Warning:** Allowing `svg` and `mvg` is totally insecure.
+
+ You can change maximum allowed dimensions by defining `max_pixel_dimensions` method (default is 4096x4096):
 
  ```ruby
  class YourUploader < CarrierWave::Uploader::Base
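Review bot: the whitelist is matched with `include?` against the symbol fastimage returns, so an override written with strings, or with `:jpg` instead of `:jpeg`, silently rejects every upload; the **Note** should say the values must be the exact symbols fastimage reports (as in the default `[:jpeg, :png, :gif]`), not merely "supported by fastimage". The **Warning** would carry more weight with its reason: `svg` and `mvg` are not bitmaps but instructions that ImageMagick interprets, so passing a dimension check says nothing about what such a file does once it is processed.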
@@ -54,6 +70,10 @@ end
 
  Bug reports and pull requests are welcome on GitHub at https://github.com/DarthSim/carrierwave-bombshelter. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org/) code of conduct.
 
+ #### Locales
+
+ Please don't create PRs that add locales. I can't maintain locales of languages that I don't know, and I can't poke you every time when I need to add a new string.
+
  ## License
 
  The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
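Review bot: `#### Locales` skips a heading level relative to the `##` sections used elsewhere in this README; `###` would fit. Since this release also removes the fr, tr and zh-TW files, the section should tell users of other languages what to do instead: define `errors.messages.pixel_dimensions_error` (with the `%{x_size}` and `%{y_size}` placeholders) and `errors.messages.unsupported_image_type` in their own application locale files, which is where `I18n.translate` will look for them.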
@@ -26,6 +26,10 @@ module CarrierWave
  [4096, 4096]
  end
 
+ def image_type_whitelist
+ %i(jpeg png gif)
+ end
+
  private
 
  def protect_from_image_bomb!(new_file)
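Review bot: `image_type_whitelist` is a public override point placed consistently next to `max_pixel_dimensions`, but it returns a mutable array built on every call; `%i(jpeg png gif).freeze` (or a frozen constant) would make the default read-only and cheaper. A one-line comment saying the symbols must be the ones fastimage returns would also save a subclass from a silently failing override, since the check below uses `include?` and gives no hint when nothing matches.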
@@ -35,9 +39,9 @@ module CarrierWave
  end
 
  def check_image_type!(image)
- return if image.type
+ return if image.type && image_type_whitelist.include?(image.type)
  raise CarrierWave::IntegrityError,
- I18n.translate(:'errors.messages.not_image')
+ I18n.translate(:'errors.messages.unsupported_image_type')
  end
 
  def check_pixel_dimensions!(image)
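Review bot: the new condition folds two different failures into one message. `image.type` is nil when fastimage cannot recognise the file at all, which was the `not_image` case in 0.1.1.6, and that now raises `unsupported_image_type` exactly as a recognised-but-unlisted type such as bmp does. Keeping the old message for the nil branch, e.g. `raise CarrierWave::IntegrityError, I18n.translate(:'errors.messages.not_image') unless image.type` before the whitelist check, preserves a distinction that matters to both users and anyone reading logs of rejected uploads.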
@@ -1,5 +1,5 @@
  module CarrierWave
  module BombShelter
- VERSION = '0.1.1.6'.freeze
+ VERSION = '0.2'.freeze
  end
  end
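Review bot: bumping to 0.2 is the right signal for a behaviour change, but this diff carries no CHANGELOG entry for it. Two things users need to know: uploads of any type outside `[:jpeg, :png, :gif]` that 0.1.1.6 accepted are now rejected unless the application overrides `image_type_whitelist`, and the `not_image` locale key no longer exists, so applications that customised it lose that text. Both belong in release notes.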
data/lib/locale/en.yml CHANGED
@@ -2,4 +2,4 @@ en:
  errors:
  messages:
  pixel_dimensions_error: "Image size should be less than or equal to %{x_size}x%{y_size}"
- not_image: "File is not an image"
+ unsupported_image_type: "Image has an unsupported type"
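Review bot: the new string tells the user nothing about which types are accepted, unlike `pixel_dimensions_error`, which reports the limits; `"Image has an unsupported type (allowed: %{types})"` would, with `check_image_type!` passing `types: image_type_whitelist.join(', ')` to `I18n.translate`. Deleting `not_image` rather than leaving it beside the new key also breaks applications that customised it; if it is not kept, the removal should at least be called out in the release notes.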
data/lib/locale/ru.yml CHANGED
@@ -2,4 +2,4 @@ ru:
  errors:
  messages:
  pixel_dimensions_error: "Изображение не должно превышать размера %{x_size}x%{y_size}"
- not_image: "Файл не является изображением"
+ unsupported_image_type: "Изображение имеет неподдерживаемый тип"
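Review bot: the Russian strings read, in English, "The image must not exceed the size %{x_size}x%{y_size}" and "The image has an unsupported type", so this file stays in step with en.yml. If the English message gains an allowed-types list, this one needs the same `%{types}` placeholder, otherwise the two shipped locales drift and Russian users get less information than English ones.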
metadata CHANGED
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: carrierwave-bombshelter
  version: !ruby/object:Gem::Version
- version: 0.1.1.6
+ version: '0.2'
  platform: ruby
  authors:
  - DarthSim
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2016-04-12 00:00:00.000000000 Z
+ date: 2016-05-04 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bundler
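Review bot: `cert_chain: []` is unchanged, so 0.2, like 0.1.1.6, is an unsigned gem, and the checksums.yaml digests at the top of this diff are the only integrity data that ships with it. For a library whose whole job is to stand in front of an image-processing pipeline, signing releases, or at least publishing the digests somewhere other than inside the archive they describe, would let consumers verify what they install. The change from `0.1.1.6` to `'0.2'` is only quoting: YAML would otherwise read `0.2` as a float.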
@@ -126,10 +126,7 @@ files:
  - lib/carrierwave/bombshelter.rb
  - lib/carrierwave/bombshelter/version.rb
  - lib/locale/en.yml
- - lib/locale/fr.yml
  - lib/locale/ru.yml
- - lib/locale/tr.yml
- - lib/locale/zh-TW.yml
  homepage: https://github.com/DarthSim/carrierwave-bombshelter
  licenses:
  - MIT
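Review bot: the `files:` list now matches the tree, with fr.yml, tr.yml and zh-TW.yml gone and en.yml and ru.yml kept. The consequence worth recording is that applications running in those three locales, which previously got the gem's own messages, will now see I18n's missing-translation text for both keys unless they supply translations themselves.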
@@ -155,3 +152,4 @@ signing_key:
  specification_version: 4
  summary: Protect your carrierwave from image bombs
  test_files: []
+ has_rdoc:
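Review bot: `has_rdoc:` with an empty value is a deprecated Gem::Specification attribute, and its appearance here most likely means 0.2 was packaged with a different RubyGems version than 0.1.1.6. It is harmless, but building releases from a pinned toolchain keeps the spec diff limited to intended changes and makes unexpected metadata easier to notice.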
data/lib/locale/fr.yml DELETED
@@ -1,5 +0,0 @@
- fr:
- errors:
- messages:
- pixel_dimensions_error: "La taille de l'image doit être inférieure ou égale à %{x_size}x%{y_size}"
- not_image: "Ce fichier n'est pas une image"
data/lib/locale/tr.yml DELETED
@@ -1,5 +0,0 @@
- tr:
- errors:
- messages:
- pixel_dimensions_error: "Görüntü boyutu %{x_size}x%{y_size} ölçüsüne eşit ya da daha küçük olmalıdır"
- not_image: "Bir görüntü dosyası değil"
data/lib/locale/zh-TW.yml DELETED
@@ -1,5 +0,0 @@
- zh-TW:
- errors:
- messages:
- pixel_dimensions_error: "圖片大小必須小於等於%{x_size}x%{y_size}"
- not_image: "檔案不是圖片"
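Review bot: all three deleted files still translate `not_image`, which this release replaces with `unsupported_image_type`, so they would have been stale without an update the README now says the maintainer will not accept; removing them is consistent with that policy. For the record, they read in English as: fr, "The image size must be less than or equal to %{x_size}x%{y_size}" and "This file is not an image"; tr, "The image size must be less than or equal to %{x_size}x%{y_size}" and "Not an image file"; zh-TW, "Image size must be less than or equal to %{x_size}x%{y_size}" and "The file is not an image". Applications in these locales now need to define both keys themselves.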