carrierwave 0.11.2 → 3.0.7

data/lib/carrierwave/uploader/content_type_allowlist.rb

@@ -0,0 +1,62 @@
+module CarrierWave
+  module Uploader
+    module ContentTypeAllowlist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_content_type_allowlist!
+      end
+
+      ##
+      # Override this method in your uploader to provide an allowlist of files content types
+      # which are allowed to be uploaded.
+      # Not only strings but Regexp are allowed as well.
+      #
+      # === Returns
+      #
+      # [NilClass, String, Regexp, Array[String, Regexp]] an allowlist of content types which are allowed to be uploaded
+      #
+      # === Examples
+      #
+      #     def content_type_allowlist
+      #       %w(text/json application/json)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def content_type_allowlist
+      #       [/(text|application)\/json/]
+      #     end
+      #
+      def content_type_allowlist
+      end
+
+    private
+
+      def check_content_type_allowlist!(new_file)
+        allowlist = content_type_allowlist
+        if !allowlist && respond_to?(:content_type_whitelist) && content_type_whitelist
+          ActiveSupport::Deprecation.warn "#content_type_whitelist is deprecated, use #content_type_allowlist instead." unless instance_variable_defined?(:@content_type_whitelist_warned)
+          @content_type_whitelist_warned = true
+          allowlist = content_type_whitelist
+        end
+
+        return unless allowlist
+
+        content_type = new_file.content_type
+        if !allowlisted_content_type?(allowlist, content_type)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.content_type_allowlist_error", content_type: content_type,
+                                                            allowed_types: Array(allowlist).join(", "), default: :"errors.messages.content_type_whitelist_error")
+        end
+      end
+
+      def allowlisted_content_type?(allowlist, content_type)
+        Array(allowlist).any? do |item|
+          item = Regexp.quote(item) if item.class != Regexp
+          content_type =~ /\A#{item}/
+        end
+      end
+
+    end # ContentTypeAllowlist
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader/content_type_denylist.rb

@@ -0,0 +1,62 @@
+module CarrierWave
+  module Uploader
+    module ContentTypeDenylist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_content_type_denylist!
+      end
+
+      ##
+      # Override this method in your uploader to provide a denylist of files content types
+      # which are not allowed to be uploaded.
+      # Not only strings but Regexp are allowed as well.
+      #
+      # === Returns
+      #
+      # [NilClass, String, Regexp, Array[String, Regexp]] a denylist of content types which are not allowed to be uploaded
+      #
+      # === Examples
+      #
+      #     def content_type_denylist
+      #       %w(text/json application/json)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def content_type_denylist
+      #       [/(text|application)\/json/]
+      #     end
+      #
+      def content_type_denylist
+      end
+
+    private
+
+      def check_content_type_denylist!(new_file)
+        denylist = content_type_denylist
+        if !denylist && respond_to?(:content_type_blacklist) && content_type_blacklist
+          ActiveSupport::Deprecation.warn "#content_type_blacklist is deprecated, use #content_type_denylist instead." unless instance_variable_defined?(:@content_type_blacklist_warned)
+          @content_type_blacklist_warned = true
+          denylist = content_type_blacklist
+        end
+
+        return unless denylist
+
+        ActiveSupport::Deprecation.warn "Use of #content_type_denylist is deprecated for the security reason, use #content_type_allowlist instead to explicitly state what are safe to accept" unless instance_variable_defined?(:@content_type_denylist_warned)
+        @content_type_denylist_warned = true
+
+        content_type = new_file.content_type
+        if denylisted_content_type?(denylist, content_type)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.content_type_denylist_error",
+                                                            content_type: content_type, default: :"errors.messages.content_type_blacklist_error")
+        end
+      end
+
+      def denylisted_content_type?(denylist, content_type)
+        Array(denylist).any? { |item| content_type =~ /#{item}/ }
+      end
+
+    end # ContentTypeDenylist
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader/default_url.rb

@@ -1,19 +1,17 @@
-# encoding: utf-8
-
 module CarrierWave
   module Uploader
     module DefaultUrl
 
       def url(*args)
-        super || default_url
+        super || default_url(*args)
       end
 
       ##
       # Override this method in your uploader to provide a default url
       # in case no file has been cached/stored yet.
       #
-      def default_url; end
+      def default_url(*args); end
 
     end # DefaultPath
   end # Uploader
-end # CarrierWave
+end # CarrierWave

data/lib/carrierwave/uploader/dimension.rb

@@ -0,0 +1,66 @@
+require 'active_support'
+
+module CarrierWave
+  module Uploader
+    module Dimension
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_dimensions!
+      end
+
+      ##
+      # Override this method in your uploader to provide a Range of width which
+      # are allowed to be uploaded.
+      # === Returns
+      #
+      # [NilClass, Range] a width range which are permitted to be uploaded
+      #
+      # === Examples
+      #
+      #     def width_range
+      #       1000..2000
+      #     end
+      #
+      def width_range; end
+
+      ##
+      # Override this method in your uploader to provide a Range of height which
+      # are allowed to be uploaded.
+      # === Returns
+      #
+      # [NilClass, Range] a height range which are permitted to be uploaded
+      #
+      # === Examples
+      #
+      #     def height_range
+      #       1000..
+      #     end
+      #
+      def height_range; end
+
+    private
+
+      def check_dimensions!(new_file)
+        # NOTE: Skip the check for resized images
+        return if version_name.present?
+        return unless width_range || height_range
+
+        unless respond_to?(:width) || respond_to?(:height)
+          raise 'You need to include one of CarrierWave::MiniMagick, CarrierWave::RMagick, or CarrierWave::Vips to perform image dimension validation'
+        end
+
+        if width_range&.begin && width < width_range.begin
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.min_width_error", :min_width => ActiveSupport::NumberHelper.number_to_delimited(width_range.begin))
+        elsif width_range&.end && width > width_range.end
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.max_width_error", :max_width => ActiveSupport::NumberHelper.number_to_delimited(width_range.end))
+        elsif height_range&.begin && height < height_range.begin
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.min_height_error", :min_height => ActiveSupport::NumberHelper.number_to_delimited(height_range.begin))
+        elsif height_range&.end && height > height_range.end
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.max_height_error", :max_height => ActiveSupport::NumberHelper.number_to_delimited(height_range.end))
+        end
+      end
+
+    end # Dimension
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader/download.rb

@@ -1,7 +1,3 @@
-# encoding: utf-8
-
-require 'open-uri'
-
 module CarrierWave
   module Uploader
     module Download
@@ -11,84 +7,18 @@ module CarrierWave
       include CarrierWave::Uploader::Configuration
       include CarrierWave::Uploader::Cache
 
-      class RemoteFile
-        def initialize(uri)
-          @uri = uri
-        end
-
-        def original_filename
-          filename = filename_from_header || File.basename(file.base_uri.path)
-          mime_type = MIME::Types[file.content_type].first
-          unless File.extname(filename).present? || mime_type.blank?
-            filename = "#{filename}.#{mime_type.extensions.first}"
-          end
-          filename
-        end
-
-        def respond_to?(*args)
-          super or file.respond_to?(*args)
-        end
-
-        def http?
-          @uri.scheme =~ /^https?$/
-        end
-
-      private
-
-        def file
-          if @file.blank?
-            @file = Kernel.open(@uri.to_s)
-            @file = @file.is_a?(String) ? StringIO.new(@file) : @file
-          end
-          @file
-
-        rescue Exception => e
-          raise CarrierWave::DownloadError, "could not download file: #{e.message}"
-        end
-
-        def filename_from_header
-          if file.meta.include? 'content-disposition'
-            match = file.meta['content-disposition'].match(/filename="?([^"]+)/)
-            return match[1] unless match.nil? || match[1].empty?
-          end
-        end
-
-        def method_missing(*args, &block)
-          file.send(*args, &block)
-        end
-      end
-
       ##
-      # Caches the file by downloading it from the given URL.
+      # Caches the file by downloading it from the given URL, using downloader.
       #
       # === Parameters
       #
       # [url (String)] The URL where the remote file is stored
+      # [remote_headers (Hash)] Request headers
       #
-      def download!(uri)
-        processed_uri = process_uri(uri)
-        file = RemoteFile.new(processed_uri)
-        raise CarrierWave::DownloadError, "trying to download a file which is not served over HTTP" unless file.http?
+      def download!(uri, remote_headers = {})
+        file = downloader.new(self).download(uri, remote_headers)
         cache!(file)
       end
-
-      ##
-      # Processes the given URL by parsing and escaping it. Public to allow overriding.
-      #
-      # === Parameters
-      #
-      # [url (String)] The URL where the remote file is stored
-      #
-      def process_uri(uri)
-        URI.parse(uri)
-      rescue URI::InvalidURIError
-        uri_parts = uri.split('?')
-        # regexp from Ruby's URI::Parser#regexp[:UNSAFE], with [] specifically removed
-        encoded_uri = URI.encode(uri_parts.shift, /[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,]/)
-        encoded_uri << '?' << URI.encode(uri_parts.join('?')) if uri_parts.any?
-        URI.parse(encoded_uri) rescue raise CarrierWave::DownloadError, "couldn't parse URL"
-      end
-
     end # Download
   end # Uploader
 end # CarrierWave

data/lib/carrierwave/uploader/extension_allowlist.rb

@@ -0,0 +1,63 @@
+module CarrierWave
+  module Uploader
+    module ExtensionAllowlist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_extension_allowlist!
+      end
+
+      ##
+      # Override this method in your uploader to provide an allowlist of extensions which
+      # are allowed to be uploaded. Compares the file's extension case insensitive.
+      # Furthermore, not only strings but Regexp are allowed as well.
+      #
+      # When using a Regexp in the allowlist, `\A` and `\z` are automatically added to
+      # the Regexp expression, also case insensitive.
+      #
+      # === Returns
+      #
+      # [NilClass, String, Regexp, Array[String, Regexp]] an allowlist of extensions which are allowed to be uploaded
+      #
+      # === Examples
+      #
+      #     def extension_allowlist
+      #       %w(jpg jpeg gif png)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def extension_allowlist
+      #       [/jpe?g/, 'gif', 'png']
+      #     end
+      #
+      def extension_allowlist
+      end
+
+    private
+
+      def check_extension_allowlist!(new_file)
+        allowlist = extension_allowlist
+        if !allowlist && respond_to?(:extension_whitelist) && extension_whitelist
+          ActiveSupport::Deprecation.warn "#extension_whitelist is deprecated, use #extension_allowlist instead." unless instance_variable_defined?(:@extension_whitelist_warned)
+          @extension_whitelist_warned = true
+          allowlist = extension_whitelist
+        end
+
+        return unless allowlist
+
+        extension = new_file.extension.to_s
+        if !allowlisted_extension?(allowlist, extension)
+          # Look for whitelist first, then fallback to allowlist
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.extension_allowlist_error", extension: new_file.extension.inspect,
+                                                            allowed_types: Array(allowlist).join(", "), default: :"errors.messages.extension_whitelist_error")
+        end
+      end
+
+      def allowlisted_extension?(allowlist, extension)
+        downcase_extension = extension.downcase
+        Array(allowlist).any? { |item| downcase_extension =~ /\A#{item}\z/i }
+      end
+    end # ExtensionAllowlist
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader/extension_denylist.rb

@@ -0,0 +1,64 @@
+module CarrierWave
+  module Uploader
+    module ExtensionDenylist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_extension_denylist!
+      end
+
+      ##
+      # Override this method in your uploader to provide a denylist of extensions which
+      # are prohibited to be uploaded. Compares the file's extension case insensitive.
+      # Furthermore, not only strings but Regexp are allowed as well.
+      #
+      # When using a Regexp in the denylist, `\A` and `\z` are automatically added to
+      # the Regexp expression, also case insensitive.
+      #
+      # === Returns
+
+      # [NilClass, String, Regexp, Array[String, Regexp]] a deny list of extensions which are prohibited to be uploaded
+      #
+      # === Examples
+      #
+      #     def extension_denylist
+      #       %w(swf tiff)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def extension_denylist
+      #       [/swf/, 'tiff']
+      #     end
+      #
+      def extension_denylist
+      end
+
+    private
+
+      def check_extension_denylist!(new_file)
+        denylist = extension_denylist
+        if !denylist && respond_to?(:extension_blacklist) && extension_blacklist
+          ActiveSupport::Deprecation.warn "#extension_blacklist is deprecated, use #extension_denylist instead." unless instance_variable_defined?(:@extension_blacklist_warned)
+          @extension_blacklist_warned = true
+          denylist = extension_blacklist
+        end
+
+        return unless denylist
+
+        ActiveSupport::Deprecation.warn "Use of #extension_denylist is deprecated for the security reason, use #extension_allowlist instead to explicitly state what are safe to accept" unless instance_variable_defined?(:@extension_denylist_warned)
+        @extension_denylist_warned = true
+
+        extension = new_file.extension.to_s
+        if denylisted_extension?(denylist, extension)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.extension_denylist_error", extension: new_file.extension.inspect,
+                                                            prohibited_types: Array(extension_denylist).join(", "), default: :"errors.messages.extension_blacklist_error")
+        end
+      end
+
+      def denylisted_extension?(denylist, extension)
+        Array(denylist).any? { |item| extension =~ /\A#{item}\z/i }
+      end
+    end
+  end
+end

data/lib/carrierwave/uploader/file_size.rb

@@ -0,0 +1,43 @@
+require 'active_support'
+
+module CarrierWave
+  module Uploader
+    module FileSize
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_size!
+      end
+
+      ##
+      # Override this method in your uploader to provide a Range of Size which
+      # are allowed to be uploaded.
+      # === Returns
+      #
+      # [NilClass, Range] a size range (in bytes) which are permitted to be uploaded
+      #
+      # === Examples
+      #
+      #     def size_range
+      #       3256...5748
+      #     end
+      #
+      def size_range; end
+
+    private
+
+      def check_size!(new_file)
+        size = new_file.size
+        expected_size_range = size_range
+        if expected_size_range.is_a?(::Range)
+          if size < expected_size_range.min
+            raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.min_size_error", :min_size => ActiveSupport::NumberHelper.number_to_human_size(expected_size_range.min))
+          elsif size > expected_size_range.max
+            raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.max_size_error", :max_size => ActiveSupport::NumberHelper.number_to_human_size(expected_size_range.max))
+          end
+        end
+      end
+
+    end # FileSize
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader/mountable.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 module CarrierWave
   module Uploader
     module Mountable
@@ -7,13 +5,14 @@ module CarrierWave
       attr_reader :model, :mounted_as
 
       ##
-      # If a model is given as the first parameter, it will be stored in the uploader, and
-      # available throught +#model+. Likewise, mounted_as stores the name of the column
-      # where this instance of the uploader is mounted. These values can then be used inside
-      # your uploader.
+      # If a model is given as the first parameter, it will be stored in the
+      # uploader, and available through +#model+. Likewise, mounted_as stores
+      # the name of the column where this instance of the uploader is mounted.
+      # These values can then be used inside your uploader.
       #
-      # If you do not wish to mount your uploaders with the ORM extensions in -more then you
-      # can override this method inside your uploader. Just be sure to call +super+
+      # If you do not wish to mount your uploaders with the ORM extensions in
+      # -more then you can override this method inside your uploader. Just be
+      # sure to call +super+
       #
       # === Parameters
       #
@@ -34,6 +33,12 @@ module CarrierWave
         @mounted_as = mounted_as
       end
 
+      ##
+      # Returns array index of given uploader within currently mounted uploaders
+      #
+      def index
+        model.__send__(:_mounter, mounted_as).uploaders.index(self)
+      end
     end # Mountable
   end # Uploader
 end # CarrierWave

data/lib/carrierwave/uploader/processing.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 module CarrierWave
   module Uploader
     module Processing
@@ -11,7 +9,7 @@ module CarrierWave
         class_attribute :processors, :instance_writer => false
         self.processors = []
 
-        after :cache, :process!
+        before :cache, :process!
       end
 
       module ClassMethods
@@ -20,7 +18,7 @@ module CarrierWave
         # Adds a processor callback which applies operations as a file is uploaded.
         # The argument may be the name of any method of the uploader, expressed as a symbol,
         # or a list of such methods, or a hash where the key is a method and the value is
-        # an array of arguments to call the method with
+        # an array of arguments to call the method with. Also accepts an :if or :unless condition
         #
         # === Parameters
         #
@@ -33,6 +31,7 @@ module CarrierWave
         #       process :sepiatone, :vignette
         #       process :scale => [200, 200]
         #       process :scale => [200, 200], :if => :image?
+        #       process :scale => [200, 200], :unless => :disallowed_image_type?
         #       process :sepiatone, :if => :image?
         #
         #       def sepiatone
@@ -51,6 +50,10 @@ module CarrierWave
         #         ...
         #       end
         #
+        #       def disallowed_image_type?
+        #         ...
+        #       end
+        #
         #     end
         #
         def process(*args)
@@ -59,12 +62,17 @@ module CarrierWave
             hash.merge!(arg)
           end
 
-          condition = new_processors.delete(:if)
+          condition_type = new_processors.keys.detect { |key| [:if, :unless].include?(key) }
+          condition = new_processors.delete(:if) || new_processors.delete(:unless)
           new_processors.each do |processor, processor_args|
-            self.processors += [[processor, processor_args, condition]]
+            self.processors += [[processor, processor_args, condition, condition_type]]
+
+            if processor == :convert
+              # Treat :convert specially, since it should trigger the file extension change
+              force_extension processor_args
+            end
           end
         end
-
       end # ClassMethods
 
       ##
@@ -73,18 +81,45 @@ module CarrierWave
       def process!(new_file=nil)
         return unless enable_processing
 
-        self.class.processors.each do |method, args, condition|
-          if(condition)
-            if condition.respond_to?(:call)
-              next unless condition.call(self, :args => args, :method => method, :file => new_file)
+        with_callbacks(:process, new_file) do
+          self.class.processors.each do |method, args, condition, condition_type|
+            if condition && condition_type == :if
+              if condition.respond_to?(:call)
+                next unless condition.call(self, :args => args, :method => method, :file => new_file)
+              else
+                next unless self.send(condition, new_file)
+              end
+            elsif condition && condition_type == :unless
+              if condition.respond_to?(:call)
+                next if condition.call(self, :args => args, :method => method, :file => new_file)
+              elsif self.send(condition, new_file)
+                next
+              end
+            end
+
+            if args.is_a? Array
+              kwargs, args = args.partition { |arg| arg.is_a? Hash }
+            end
+
+            if kwargs.present?
+              kwargs = kwargs.reduce(:merge)
+              self.send(method, *args, **kwargs)
             else
-              next unless self.send(condition, new_file)
+              self.send(method, *args)
             end
           end
-          self.send(method, *args)
         end
       end
 
+    private
+
+      def forcing_extension(filename)
+        if force_extension && filename
+          Pathname.new(filename).sub_ext(".#{force_extension.to_s.delete_prefix('.')}").to_s
+        else
+          filename
+        end
+      end
     end # Processing
   end # Uploader
 end # CarrierWave