RubyGems - carrierwave - Versions diffs - 0.11.2 → 3.0.3 - Mend

carrierwave 0.11.2 → 3.0.3

Potentially problematic release.

This version of carrierwave might be problematic. Click here for more details.

Files changed (69) hide show

checksums.yaml +5 -5
data/README.md +452 -178
data/lib/carrierwave/compatibility/paperclip.rb +4 -4
data/lib/carrierwave/downloader/base.rb +101 -0
data/lib/carrierwave/downloader/remote_file.rb +68 -0
data/lib/carrierwave/error.rb +1 -0
data/lib/carrierwave/locale/en.yml +11 -5
data/lib/carrierwave/mount.rb +212 -182
data/lib/carrierwave/mounter.rb +255 -0
data/lib/carrierwave/orm/activerecord.rb +22 -33
data/lib/carrierwave/processing/mini_magick.rb +140 -84
data/lib/carrierwave/processing/rmagick.rb +72 -21
data/lib/carrierwave/processing/vips.rb +284 -0
data/lib/carrierwave/processing.rb +1 -1
data/lib/carrierwave/sanitized_file.rb +83 -84
data/lib/carrierwave/storage/abstract.rb +16 -3
data/lib/carrierwave/storage/file.rb +71 -3
data/lib/carrierwave/storage/fog.rb +215 -57
data/lib/carrierwave/storage.rb +1 -9
data/lib/carrierwave/test/matchers.rb +88 -19
data/lib/carrierwave/uploader/cache.rb +75 -45
data/lib/carrierwave/uploader/callbacks.rb +1 -3
data/lib/carrierwave/uploader/configuration.rb +80 -16
data/lib/carrierwave/uploader/content_type_allowlist.rb +62 -0
data/lib/carrierwave/uploader/content_type_denylist.rb +62 -0
data/lib/carrierwave/uploader/default_url.rb +3 -5
data/lib/carrierwave/uploader/dimension.rb +66 -0
data/lib/carrierwave/uploader/download.rb +4 -74
data/lib/carrierwave/uploader/extension_allowlist.rb +63 -0
data/lib/carrierwave/uploader/extension_denylist.rb +64 -0
data/lib/carrierwave/uploader/file_size.rb +43 -0
data/lib/carrierwave/uploader/mountable.rb +13 -8
data/lib/carrierwave/uploader/processing.rb +48 -13
data/lib/carrierwave/uploader/proxy.rb +20 -9
data/lib/carrierwave/uploader/remove.rb +0 -2
data/lib/carrierwave/uploader/serialization.rb +2 -4
data/lib/carrierwave/uploader/store.rb +59 -28
data/lib/carrierwave/uploader/url.rb +8 -7
data/lib/carrierwave/uploader/versions.rb +170 -122
data/lib/carrierwave/uploader.rb +12 -10
data/lib/carrierwave/utilities/file_name.rb +47 -0
data/lib/carrierwave/utilities/uri.rb +14 -12
data/lib/carrierwave/utilities.rb +1 -3
data/lib/carrierwave/validations/active_model.rb +7 -11
data/lib/carrierwave/version.rb +1 -1
data/lib/carrierwave.rb +39 -21
data/lib/generators/templates/{uploader.rb → uploader.rb.erb} +5 -9
data/lib/generators/uploader_generator.rb +3 -3
metadata +132 -80
data/lib/carrierwave/locale/cs.yml +0 -11
data/lib/carrierwave/locale/de.yml +0 -11
data/lib/carrierwave/locale/el.yml +0 -11
data/lib/carrierwave/locale/es.yml +0 -11
data/lib/carrierwave/locale/fr.yml +0 -11
data/lib/carrierwave/locale/ja.yml +0 -11
data/lib/carrierwave/locale/nb.yml +0 -11
data/lib/carrierwave/locale/nl.yml +0 -11
data/lib/carrierwave/locale/pl.yml +0 -11
data/lib/carrierwave/locale/pt-BR.yml +0 -11
data/lib/carrierwave/locale/pt-PT.yml +0 -11
data/lib/carrierwave/locale/ru.yml +0 -11
data/lib/carrierwave/locale/sk.yml +0 -11
data/lib/carrierwave/locale/tr.yml +0 -11
data/lib/carrierwave/processing/mime_types.rb +0 -74
data/lib/carrierwave/uploader/content_type_blacklist.rb +0 -48
data/lib/carrierwave/uploader/content_type_whitelist.rb +0 -48
data/lib/carrierwave/uploader/extension_blacklist.rb +0 -47
data/lib/carrierwave/uploader/extension_whitelist.rb +0 -49
data/lib/carrierwave/utilities/deprecation.rb +0 -18

data/lib/carrierwave/compatibility/paperclip.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module CarrierWave
   module Compatibility
@@ -58,10 +56,11 @@ module CarrierWave
         :basename     => lambda{|u, f| u.filename.gsub(/#{File.extname(u.filename)}$/, "") },
         :extension    => lambda{|u, d| File.extname(u.filename).gsub(/^\.+/, "")},
         :class        => lambda{|u, f| u.model.class.name.underscore.pluralize}
-      }
+      }.freeze
       included do
         attr_accessor :filename
         class_attribute :mappings
         self.mappings ||= DEFAULT_MAPPINGS.dup
       end
@@ -94,7 +93,8 @@ module CarrierWave
         end
       end
-      private
+    private
       def interpolate_paperclip_path(path)
         mappings.each_pair.inject(path) do |agg, pair|
           agg.gsub(":#{pair[0]}") { pair[1].call(self, self.paperclip_style).to_s }

data/lib/carrierwave/downloader/base.rb ADDED Viewed

@@ -0,0 +1,101 @@
+require 'open-uri'
+require 'ssrf_filter'
+require 'addressable'
+require 'carrierwave/downloader/remote_file'
+module CarrierWave
+  module Downloader
+    class Base
+      include CarrierWave::Utilities::Uri
+      attr_reader :uploader
+      def initialize(uploader)
+        @uploader = uploader
+      end
+      ##
+      # Downloads a file from given URL and returns a RemoteFile.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      # [remote_headers (Hash)] Request headers
+      #
+      def download(url, remote_headers = {})
+        @current_download_retry_count = 0
+        headers = remote_headers.
+          reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        uri = process_uri(url.to_s)
+        begin
+          if skip_ssrf_protection?(uri)
+            response = OpenURI.open_uri(process_uri(url.to_s), headers)
+          else
+            request = nil
+            if ::SsrfFilter::VERSION.to_f < 1.1
+              response = SsrfFilter.get(uri, headers: headers) do |req|
+                request = req
+              end
+            else
+              response = SsrfFilter.get(uri, headers: headers, request_proc: ->(req) { request = req }) do |res|
+                res.body # ensure to read body
+              end
+            end
+            response.uri = request.uri
+            response.value
+          end
+        rescue StandardError => e
+          if @current_download_retry_count < @uploader.download_retry_count
+            @current_download_retry_count += 1
+            sleep @uploader.download_retry_wait_time
+            retry
+          else
+            raise CarrierWave::DownloadError, "could not download file: #{e.message}"
+          end
+        end
+        CarrierWave::Downloader::RemoteFile.new(response)
+      end
+      ##
+      # Processes the given URL by parsing it, and escaping if necessary. Public to allow overriding.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      #
+      def process_uri(source)
+        uri = Addressable::URI.parse(source)
+        uri.host = uri.normalized_host
+        # Perform decode first, as the path is likely to be already encoded
+        uri.path = encode_path(decode_uri(uri.path)) if uri.path =~ CarrierWave::Utilities::Uri::PATH_UNSAFE
+        uri.query = encode_non_ascii(uri.query) if uri.query
+        uri.fragment = encode_non_ascii(uri.fragment) if uri.fragment
+        URI.parse(uri.to_s)
+      rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
+        raise CarrierWave::DownloadError, "couldn't parse URL: #{source}"
+      end
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
+    end
+  end
+end

data/lib/carrierwave/downloader/remote_file.rb ADDED Viewed

@@ -0,0 +1,68 @@
+module CarrierWave
+  module Downloader
+    class RemoteFile
+      attr_reader :file, :uri
+      def initialize(file)
+        case file
+        when String
+          @file = StringIO.new(file)
+        when Net::HTTPResponse
+          body = file.body
+          raise CarrierWave::DownloadError, 'could not download file: No Content' if body.nil?
+          @file = StringIO.new(body)
+          @content_type = file.content_type
+          @headers = file
+          @uri = file.uri
+        else
+          @file = file
+          @content_type = file.content_type
+          @headers = file.meta
+          @uri = file.base_uri
+        end
+      end
+      def content_type
+        @content_type || 'application/octet-stream'
+      end
+      def headers
+        @headers || {}
+      end
+      def original_filename
+        filename = filename_from_header || filename_from_uri
+        mime_type = Marcel::TYPES[content_type]
+        unless File.extname(filename).present? || mime_type.blank?
+          extension = mime_type[0].first
+          filename = "#{filename}.#{extension}"
+        end
+        filename
+      end
+    private
+      def filename_from_header
+        return nil unless headers['content-disposition']
+        match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+        return nil unless match
+        match[1].presence || match[2].presence
+      end
+      def filename_from_uri
+        CGI.unescape(File.basename(uri.path))
+      end
+      def method_missing(*args, &block)
+        file.send(*args, &block)
+      end
+      def respond_to_missing?(*args)
+        super || file.respond_to?(*args)
+      end
+    end
+  end
+end

data/lib/carrierwave/error.rb CHANGED Viewed

@@ -4,4 +4,5 @@ module CarrierWave
   class InvalidParameter < UploadError; end
   class ProcessingError < UploadError; end
   class DownloadError < UploadError; end
+  class UnknownStorageError < StandardError; end
 end

data/lib/carrierwave/locale/en.yml CHANGED Viewed

@@ -4,8 +4,14 @@ en:
       carrierwave_processing_error: failed to be processed
       carrierwave_integrity_error: is not of an allowed file type
       carrierwave_download_error: could not be downloaded
-      extension_white_list_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
-      extension_black_list_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-      rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image? Original Error: %{e}"
-      mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type? Original Error: %{e}"
-      mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"
+      extension_allowlist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
+      extension_denylist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
+      content_type_allowlist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
+      content_type_denylist_error: "You are not allowed to upload %{content_type} files"
+      processing_error: "Failed to manipulate, maybe it is not an image?"
+      min_size_error: "File size should be greater than %{min_size}"
+      max_size_error: "File size should be less than %{max_size}"
+      min_width_error: "Image width should be greater than %{min_width}px"
+      max_width_error: "Image width should be less than %{max_width}px"
+      min_height_error: "Image height should be greater than %{min_height}px"
+      max_height_error: "Image height should be less than %{max_height}px"