carrierwave 0.10.0 → 2.1.1

data/lib/carrierwave/compatibility/paperclip.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 module CarrierWave
   module Compatibility
 

data/lib/carrierwave/downloader/base.rb

@@ -0,0 +1,83 @@
+require 'open-uri'
+require 'ssrf_filter'
+require 'addressable'
+require 'carrierwave/downloader/remote_file'
+
+module CarrierWave
+  module Downloader
+    class Base
+      attr_reader :uploader
+
+      def initialize(uploader)
+        @uploader = uploader
+      end
+
+      ##
+      # Downloads a file from given URL and returns a RemoteFile.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      # [remote_headers (Hash)] Request headers
+      #
+      def download(url, remote_headers = {})
+        headers = remote_headers.
+          reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        uri = process_uri(url.to_s)
+        begin
+          if skip_ssrf_protection?(uri)
+            response = OpenURI.open_uri(process_uri(url.to_s), headers)
+          else
+            request = nil
+            response = SsrfFilter.get(uri, headers: headers) do |req|
+              request = req
+            end
+            response.uri = request.uri
+            response.value
+          end
+        rescue StandardError => e
+          raise CarrierWave::DownloadError, "could not download file: #{e.message}"
+        end
+        CarrierWave::Downloader::RemoteFile.new(response)
+      end
+
+      ##
+      # Processes the given URL by parsing and escaping it. Public to allow overriding.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      #
+      def process_uri(uri)
+        uri_parts = uri.split('?')
+        encoded_uri = Addressable::URI.parse(uri_parts.shift).normalize.to_s
+        encoded_uri << '?' << Addressable::URI.encode(uri_parts.join('?')).gsub('%5B', '[').gsub('%5D', ']') if uri_parts.any?
+        URI.parse(encoded_uri)
+      rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
+        raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
+      end
+
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
+    end
+  end
+end

data/lib/carrierwave/downloader/remote_file.rb

@@ -0,0 +1,65 @@
+module CarrierWave
+  module Downloader
+    class RemoteFile
+      attr_reader :file, :uri
+
+      def initialize(file)
+        case file
+        when String
+          @file = StringIO.new(file)
+        when Net::HTTPResponse
+          @file = StringIO.new(file.body)
+          @content_type = file.content_type
+          @headers = file
+          @uri = file.uri
+        else
+          @file = file
+          @content_type = file.content_type
+          @headers = file.meta
+          @uri = file.base_uri
+        end
+      end
+
+      def content_type
+        @content_type || 'application/octet-stream'
+      end
+
+      def headers
+        @headers || {}
+      end
+
+      def original_filename
+        filename = filename_from_header || filename_from_uri
+        mime_type = MiniMime.lookup_by_content_type(content_type)
+        unless File.extname(filename).present? || mime_type.blank?
+          filename = "#{filename}.#{mime_type.extension}"
+        end
+        filename
+      end
+
+      def respond_to?(*args)
+        super || file.respond_to?(*args)
+      end
+
+      private
+
+      def filename_from_header
+        return nil unless headers['content-disposition']
+
+        match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+        return nil unless match
+
+        match[1].presence || match[2].presence
+      end
+
+      def filename_from_uri
+        CGI.unescape(File.basename(uri.path))
+      end
+
+      def method_missing(*args, &block)
+        file.send(*args, &block)
+      end
+    end
+  end
+end
+

data/lib/carrierwave/error.rb

@@ -4,4 +4,5 @@ module CarrierWave
   class InvalidParameter < UploadError; end
   class ProcessingError < UploadError; end
   class DownloadError < UploadError; end
+  class UnknownStorageError < StandardError; end
 end

data/lib/carrierwave/locale/en.yml

@@ -4,8 +4,11 @@ en:
       carrierwave_processing_error: failed to be processed
       carrierwave_integrity_error: is not of an allowed file type
       carrierwave_download_error: could not be downloaded
-      extension_white_list_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
-      extension_black_list_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-      rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image? Original Error: %{e}"
-      mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type? Original Error: %{e}"
+      extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
+      extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
+      content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
+      content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
+      rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
       mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"
+      min_size_error: "File size should be greater than %{min_size}"
+      max_size_error: "File size should be less than %{max_size}"

data/lib/carrierwave/mount.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 module CarrierWave
 
   ##
@@ -62,7 +60,7 @@ module CarrierWave
     # will create an anonymous uploader class.
     #
     # Passing a block makes it possible to customize the uploader. This can be
-    # convenient for brevity, but if there is any significatnt logic in the
+    # convenient for brevity, but if there is any significant logic in the
     # uploader, you should do the right thing and have it in its own file.
     #
     # === Added instance methods
@@ -92,7 +90,6 @@ module CarrierWave
     # [image_processing_error]  Returns an error object if the last file to be assigned caused a processing error
     # [image_download_error]    Returns an error object if the last file to be remotely assigned caused a download error
     #
-    # [write_image_identifier]  Uses the write_uploader method to set the identifier.
     # [image_identifier]        Reads out the identifier of the file
     #
     # === Parameters
@@ -135,131 +132,298 @@ module CarrierWave
     #     end
     #
     def mount_uploader(column, uploader=nil, options={}, &block)
-      include CarrierWave::Mount::Extension
-
-      uploader = build_uploader(uploader, &block)
-      uploaders[column.to_sym] = uploader
-      uploader_options[column.to_sym] = options
-
-      # Make sure to write over accessors directly defined on the class.
-      # Simply super to the included module below.
-      class_eval <<-RUBY, __FILE__, __LINE__+1
-        def #{column}; super; end
-        def #{column}=(new_file); super; end
-      RUBY
+      mount_base(column, uploader, options, &block)
 
-      # Mixing this in as a Module instead of class_evaling directly, so we
-      # can maintain the ability to super to any of these methods from within
-      # the class.
       mod = Module.new
       include mod
       mod.class_eval <<-RUBY, __FILE__, __LINE__+1
 
         def #{column}
-          _mounter(:#{column}).uploader
+          _mounter(:#{column}).uploaders[0] ||= _mounter(:#{column}).blank_uploader
         end
 
         def #{column}=(new_file)
-          _mounter(:#{column}).cache(new_file)
-        end
-
-        def #{column}?
-          _mounter(:#{column}).present?
+          _mounter(:#{column}).cache([new_file])
         end
 
         def #{column}_url(*args)
-          _mounter(:#{column}).url(*args)
+          #{column}.url(*args)
         end
 
         def #{column}_cache
-          _mounter(:#{column}).cache_name
+          _mounter(:#{column}).cache_names[0]
         end
 
         def #{column}_cache=(cache_name)
-          _mounter(:#{column}).cache_name = cache_name
+          _mounter(:#{column}).cache_names = [cache_name]
         end
 
         def remote_#{column}_url
-          _mounter(:#{column}).remote_url
+          [_mounter(:#{column}).remote_urls].flatten[0]
         end
 
         def remote_#{column}_url=(url)
-          _mounter(:#{column}).remote_url = url
+          _mounter(:#{column}).remote_urls = [url]
         end
 
-        def remove_#{column}
-          _mounter(:#{column}).remove
+        def remote_#{column}_request_header=(header)
+          _mounter(:#{column}).remote_request_headers = [header]
         end
 
-        def remove_#{column}!
-          _mounter(:#{column}).remove!
-        end
-
-        def remove_#{column}=(value)
-          _mounter(:#{column}).remove = value
-        end
+        def write_#{column}_identifier
+          return if frozen?
+          mounter = _mounter(:#{column})
 
-        def remove_#{column}?
-          _mounter(:#{column}).remove?
+          mounter.clear! if mounter.remove?
+          write_uploader(mounter.serialization_column, mounter.identifiers.first)
         end
 
-        def store_#{column}!
-          _mounter(:#{column}).store!
+        def #{column}_identifier
+          _mounter(:#{column}).read_identifiers[0]
         end
 
         def #{column}_integrity_error
-          _mounter(:#{column}).integrity_error
+          #{column}_integrity_errors.last
         end
 
         def #{column}_processing_error
-          _mounter(:#{column}).processing_error
+          #{column}_processing_errors.last
         end
 
         def #{column}_download_error
-          _mounter(:#{column}).download_error
+          #{column}_download_errors.last
         end
 
-        def write_#{column}_identifier
-          _mounter(:#{column}).write_identifier
+        def store_previous_changes_for_#{column}
+          attribute_changes = ::ActiveRecord.version.to_s.to_f >= 5.1 ? saved_changes : changes
+          @_previous_changes_for_#{column} = attribute_changes[_mounter(:#{column}).serialization_column]
         end
 
-        def #{column}_identifier
-          _mounter(:#{column}).identifier
+        def remove_previously_stored_#{column}
+          before, after = @_previous_changes_for_#{column}
+          _mounter(:#{column}).remove_previous([before], [after])
+        end
+      RUBY
+    end
+
+    ##
+    # Mounts the given uploader on the given array column. This means that
+    # assigning and reading from the array column will upload and retrieve
+    # multiple files. Supposing that a User class has an uploader mounted on
+    # images, and that images can store an array, for example it could be a
+    # PostgreSQL JSON column. You can assign and retrieve files like this:
+    #
+    #     @user.images # => []
+    #     @user.images = [some_file_object]
+    #     @user.images # => [<Uploader>]
+    #
+    #     @user.images[0].url # => '/some_url.png'
+    #
+    # It is also possible (but not recommended) to omit the uploader, which
+    # will create an anonymous uploader class.
+    #
+    # Passing a block makes it possible to customize the uploader. This can be
+    # convenient for brevity, but if there is any significant logic in the
+    # uploader, you should do the right thing and have it in its own file.
+    #
+    # === Added instance methods
+    #
+    # Supposing a class has used +mount_uploaders+ to mount an uploader on a column
+    # named +images+, in that case the following methods will be added to the class:
+    #
+    # [images]                  Returns an array of uploaders for each uploaded file
+    # [images=]                 Caches the given files
+    #
+    # [images_urls]             Returns the urls to the uploaded files
+    #
+    # [images_cache]            Returns a string that identifies the cache location of the files
+    # [images_cache=]           Retrieves the files from the cache based on the given cache name
+    #
+    # [remote_image_urls]       Returns previously cached remote urls
+    # [remote_image_urls=]      Retrieve files from the given remote urls
+    #
+    # [remove_images]           An attribute reader that can be used with a checkbox to mark the files for removal
+    # [remove_images=]          An attribute writer that can be used with a checkbox to mark the files for removal
+    # [remove_images?]          Whether the files should be removed when store_image! is called.
+    #
+    # [store_images!]           Stores all files that have been assigned with +images=+
+    # [remove_images!]          Removes the uploaded file from the filesystem.
+    #
+    # [image_integrity_errors]   Returns error objects of files which failed to pass integrity check
+    # [image_processing_errors]  Returns error objects of files which failed to be processed
+    # [image_download_errors]    Returns error objects of files which failed to be downloaded
+    #
+    # [image_identifiers]       Reads out the identifiers of the files
+    #
+    # === Parameters
+    #
+    # [column (Symbol)]                   the attribute to mount this uploader on
+    # [uploader (CarrierWave::Uploader)]  the uploader class to mount
+    # [options (Hash{Symbol => Object})]  a set of options
+    # [&block (Proc)]                     customize anonymous uploaders
+    #
+    # === Options
+    #
+    # [:mount_on => Symbol] if the name of the column to be serialized to differs you can override it using this option
+    # [:ignore_integrity_errors => Boolean] if set to true, integrity errors will result in caching failing silently
+    # [:ignore_processing_errors => Boolean] if set to true, processing errors will result in caching failing silently
+    #
+    # === Examples
+    #
+    # Mounting uploaders on different columns.
+    #
+    #     class Song
+    #       mount_uploaders :lyrics, LyricsUploader
+    #       mount_uploaders :alternative_lyrics, LyricsUploader
+    #       mount_uploaders :files, SongUploader
+    #     end
+    #
+    # This will add an anonymous uploader with only the default settings:
+    #
+    #     class Data
+    #       mount_uploaders :csv_files
+    #     end
+    #
+    # this will add an anonymous uploader overriding the store_dir:
+    #
+    #     class Product
+    #       mount_uploaders :blueprints do
+    #         def store_dir
+    #           'blueprints'
+    #         end
+    #       end
+    #     end
+    #
+    def mount_uploaders(column, uploader=nil, options={}, &block)
+      mount_base(column, uploader, options, &block)
+
+      mod = Module.new
+      include mod
+      mod.class_eval <<-RUBY, __FILE__, __LINE__+1
+
+        def #{column}
+          _mounter(:#{column}).uploaders
         end
 
-        def store_previous_model_for_#{column}
-          serialization_column = _mounter(:#{column}).serialization_column
+        def #{column}=(new_files)
+          _mounter(:#{column}).cache(new_files)
+        end
 
-          if #{column}.remove_previously_stored_files_after_update && send(:"\#{serialization_column}_changed?")
-            @previous_model_for_#{column} ||= self.find_previous_model_for_#{column}
-          end
+        def #{column}_urls(*args)
+          _mounter(:#{column}).urls(*args)
         end
 
-        def find_previous_model_for_#{column}
-          self.class.find(to_key.first)
+        def #{column}_cache
+          names = _mounter(:#{column}).cache_names
+          names.to_json if names.present?
         end
 
-        def remove_previously_stored_#{column}
-          if @previous_model_for_#{column} && @previous_model_for_#{column}.#{column}.path != #{column}.path
-            @previous_model_for_#{column}.#{column}.remove!
-            @previous_model_for_#{column} = nil
-          end
+        def #{column}_cache=(cache_name)
+          _mounter(:#{column}).cache_names = JSON.parse(cache_name) if cache_name.present?
         end
 
-        def mark_remove_#{column}_false
-          _mounter(:#{column}).remove = false
+        def remote_#{column}_urls
+          _mounter(:#{column}).remote_urls
+        end
+
+        def remote_#{column}_urls=(urls)
+          _mounter(:#{column}).remote_urls = urls
         end
 
+        def remote_#{column}_request_headers=(headers)
+          _mounter(:#{column}).remote_request_headers = headers
+        end
+
+        def write_#{column}_identifier
+          return if frozen?
+          mounter = _mounter(:#{column})
+
+          mounter.clear! if mounter.remove?
+          write_uploader(mounter.serialization_column, mounter.identifiers.presence)
+        end
+
+        def #{column}_identifiers
+          _mounter(:#{column}).read_identifiers
+        end
+
+        def store_previous_changes_for_#{column}
+          attribute_changes = ::ActiveRecord.version.to_s.to_f >= 5.1 ? saved_changes : changes
+          @_previous_changes_for_#{column} = attribute_changes[_mounter(:#{column}).serialization_column]
+        end
+
+        def remove_previously_stored_#{column}
+          _mounter(:#{column}).remove_previous(*@_previous_changes_for_#{column})
+        end
       RUBY
     end
 
     private
 
+    def mount_base(column, uploader=nil, options={}, &block)
+      include CarrierWave::Mount::Extension
+
+      uploader = build_uploader(uploader, &block)
+      uploaders[column.to_sym] = uploader
+      uploader_options[column.to_sym] = options
+
+      # Make sure to write over accessors directly defined on the class.
+      # Simply super to the included module below.
+      class_eval <<-RUBY, __FILE__, __LINE__+1
+        def #{column}; super; end
+        def #{column}=(new_file); super; end
+      RUBY
+
+      mod = Module.new
+      include mod
+      mod.class_eval <<-RUBY, __FILE__, __LINE__+1
+
+        def #{column}?
+          _mounter(:#{column}).present?
+        end
+
+        def remove_#{column}
+          _mounter(:#{column}).remove
+        end
+
+        def remove_#{column}!
+          _mounter(:#{column}).remove!
+        end
+
+        def remove_#{column}=(value)
+          _mounter(:#{column}).remove = value
+        end
+
+        def remove_#{column}?
+          _mounter(:#{column}).remove?
+        end
+
+        def store_#{column}!
+          _mounter(:#{column}).store!
+        end
+
+        def #{column}_integrity_errors
+          _mounter(:#{column}).integrity_errors
+        end
+
+        def #{column}_processing_errors
+          _mounter(:#{column}).processing_errors
+        end
+
+        def #{column}_download_errors
+          _mounter(:#{column}).download_errors
+        end
+
+        def mark_remove_#{column}_false
+          _mounter(:#{column}).remove = false
+        end
+      RUBY
+    end
+
     def build_uploader(uploader, &block)
       return uploader if uploader && !block_given?
 
       uploader = Class.new(uploader || CarrierWave::Uploader::Base)
-      const_set("Uploader#{uploader.object_id}".gsub('-', '_'), uploader)
+      const_set("Uploader#{uploader.object_id}".tr('-', '_'), uploader)
 
       if block_given?
         uploader.class_eval(&block)
@@ -292,120 +456,5 @@ module CarrierWave
 
     end # Extension
 
-    # this is an internal class, used by CarrierWave::Mount so that
-    # we don't pollute the model with a lot of methods.
-    class Mounter #:nodoc:
-      attr_reader :column, :record, :remote_url, :integrity_error, :processing_error, :download_error
-      attr_accessor :remove
-
-      def initialize(record, column, options={})
-        @record = record
-        @column = column
-        @options = record.class.uploader_options[column]
-      end
-
-      def write_identifier
-        return if record.frozen?
-
-        if remove?
-          record.write_uploader(serialization_column, nil)
-        elsif uploader.identifier.present?
-          record.write_uploader(serialization_column, uploader.identifier)
-        end
-      end
-
-      def identifier
-        record.read_uploader(serialization_column)
-      end
-
-      def uploader
-        @uploader ||= record.class.uploaders[column].new(record, column)
-        @uploader.retrieve_from_store!(identifier) if @uploader.blank? && identifier.present?
-
-        @uploader
-      end
-
-      def cache(new_file)
-        uploader.cache!(new_file)
-        @integrity_error = nil
-        @processing_error = nil
-      rescue CarrierWave::IntegrityError => e
-        @integrity_error = e
-        raise e unless option(:ignore_integrity_errors)
-      rescue CarrierWave::ProcessingError => e
-        @processing_error = e
-        raise e unless option(:ignore_processing_errors)
-      end
-
-      def cache_name
-        uploader.cache_name
-      end
-
-      def cache_name=(cache_name)
-        uploader.retrieve_from_cache!(cache_name) unless uploader.cached?
-      rescue CarrierWave::InvalidParameter
-      end
-
-      def remote_url=(url)
-        return if url.blank?
-
-        @remote_url = url
-        @download_error = nil
-        @integrity_error = nil
-
-        uploader.download!(url)
-
-      rescue CarrierWave::DownloadError => e
-        @download_error = e
-        raise e unless option(:ignore_download_errors)
-      rescue CarrierWave::ProcessingError => e
-        @processing_error = e
-        raise e unless option(:ignore_processing_errors)
-      rescue CarrierWave::IntegrityError => e
-        @integrity_error = e
-        raise e unless option(:ignore_integrity_errors)
-      end
-
-      def store!
-        return if uploader.blank?
-
-        if remove?
-          uploader.remove!
-        else
-          uploader.store!
-        end
-      end
-
-      def url(*args)
-        uploader.url(*args)
-      end
-
-      def blank?
-        uploader.blank?
-      end
-
-      def remove?
-        remove.present? && remove !~ /\A0|false$\z/
-      end
-
-      def remove!
-        uploader.remove!
-      end
-
-      def serialization_column
-        option(:mount_on) || column
-      end
-
-      attr_accessor :uploader_options
-
-    private
-
-      def option(name)
-        self.uploader_options ||= {}
-        self.uploader_options[name] ||= record.class.uploader_option(column, name)
-      end
-
-    end # Mounter
-
   end # Mount
 end # CarrierWave