RubyGems - carrierwave - Versions diffs - 0.9.0 → 2.1.1 - Mend

carrierwave 0.9.0 → 2.1.1

Potentially problematic release.

This version of carrierwave might be problematic. Click here for more details.

Files changed (51) hide show

checksums.yaml +7 -0
data/README.md +362 -116
data/lib/carrierwave/compatibility/paperclip.rb +29 -21
data/lib/carrierwave/downloader/base.rb +83 -0
data/lib/carrierwave/downloader/remote_file.rb +65 -0
data/lib/carrierwave/error.rb +1 -0
data/lib/carrierwave/locale/en.yml +7 -4
data/lib/carrierwave/mount.rb +238 -186
data/lib/carrierwave/mounter.rb +188 -0
data/lib/carrierwave/orm/activerecord.rb +60 -24
data/lib/carrierwave/processing/mini_magick.rb +139 -78
data/lib/carrierwave/processing/rmagick.rb +68 -23
data/lib/carrierwave/processing.rb +0 -1
data/lib/carrierwave/sanitized_file.rb +67 -27
data/lib/carrierwave/storage/abstract.rb +15 -2
data/lib/carrierwave/storage/file.rb +69 -2
data/lib/carrierwave/storage/fog.rb +180 -41
data/lib/carrierwave/storage.rb +1 -7
data/lib/carrierwave/test/matchers.rb +77 -12
data/lib/carrierwave/uploader/cache.rb +74 -38
data/lib/carrierwave/uploader/callbacks.rb +0 -2
data/lib/carrierwave/uploader/configuration.rb +72 -6
data/lib/carrierwave/uploader/content_type_blacklist.rb +48 -0
data/lib/carrierwave/uploader/content_type_whitelist.rb +48 -0
data/lib/carrierwave/uploader/default_url.rb +3 -5
data/lib/carrierwave/uploader/download.rb +5 -69
data/lib/carrierwave/uploader/extension_blacklist.rb +14 -10
data/lib/carrierwave/uploader/extension_whitelist.rb +13 -10
data/lib/carrierwave/uploader/file_size.rb +43 -0
data/lib/carrierwave/uploader/mountable.rb +13 -8
data/lib/carrierwave/uploader/processing.rb +15 -17
data/lib/carrierwave/uploader/proxy.rb +16 -7
data/lib/carrierwave/uploader/remove.rb +0 -2
data/lib/carrierwave/uploader/serialization.rb +3 -5
data/lib/carrierwave/uploader/store.rb +17 -24
data/lib/carrierwave/uploader/url.rb +3 -5
data/lib/carrierwave/uploader/versions.rb +117 -86
data/lib/carrierwave/uploader.rb +6 -2
data/lib/carrierwave/utilities/uri.rb +5 -6
data/lib/carrierwave/utilities.rb +1 -3
data/lib/carrierwave/validations/active_model.rb +3 -7
data/lib/carrierwave/version.rb +1 -1
data/lib/carrierwave.rb +36 -3
data/lib/generators/templates/uploader.rb +4 -8
data/lib/generators/uploader_generator.rb +1 -1
metadata +195 -94
data/lib/carrierwave/locale/cs.yml +0 -11
data/lib/carrierwave/locale/de.yml +0 -11
data/lib/carrierwave/locale/nl.yml +0 -11
data/lib/carrierwave/locale/sk.yml +0 -11
data/lib/carrierwave/processing/mime_types.rb +0 -73

data/lib/carrierwave/compatibility/paperclip.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module CarrierWave
   module Compatibility
@@ -46,11 +44,31 @@ module CarrierWave
     # THE SOFTWARE.
     #
     module Paperclip
+      extend ActiveSupport::Concern
+      DEFAULT_MAPPINGS = {
+        :rails_root   => lambda{|u, f| Rails.root.to_s },
+        :rails_env    => lambda{|u, f| Rails.env },
+        :id_partition => lambda{|u, f| ("%09d" % u.model.id).scan(/\d{3}/).join("/")},
+        :id           => lambda{|u, f| u.model.id },
+        :attachment   => lambda{|u, f| u.mounted_as.to_s.downcase.pluralize },
+        :style        => lambda{|u, f| u.paperclip_style },
+        :basename     => lambda{|u, f| u.filename.gsub(/#{File.extname(u.filename)}$/, "") },
+        :extension    => lambda{|u, d| File.extname(u.filename).gsub(/^\.+/, "")},
+        :class        => lambda{|u, f| u.model.class.name.underscore.pluralize}
+      }
+      included do
+        attr_accessor :filename
+        class_attribute :mappings
+        self.mappings ||= DEFAULT_MAPPINGS.dup
+      end
       def store_path(for_file=filename)
         path = paperclip_path
+        self.filename = for_file
         path ||= File.join(*[store_dir, paperclip_style.to_s, for_file].compact)
-        interpolate_paperclip_path(path, for_file)
+        interpolate_paperclip_path(path)
       end
       def store_dir
@@ -68,28 +86,18 @@ module CarrierWave
         version_name || paperclip_default_style
       end
-    private
-      def interpolate_paperclip_path(path, filename)
-        mappings.inject(path) do |agg, pair|
-          agg.gsub(":#{pair[0]}") { pair[1].call(self, filename).to_s }
+      module ClassMethods
+        def interpolate(sym, &block)
+          mappings[sym] = block
         end
       end
-      def mappings
-        [
-          [:rails_root   , lambda{|u, f| Rails.root }],
-          [:rails_env    , lambda{|u, f| Rails.env }],
-          [:class        , lambda{|u, f| u.model.class.name.underscore.pluralize}],
-          [:id_partition , lambda{|u, f| ("%09d" % u.model.id).scan(/\d{3}/).join("/")}],
-          [:id           , lambda{|u, f| u.model.id }],
-          [:attachment   , lambda{|u, f| u.mounted_as.to_s.downcase.pluralize }],
-          [:style        , lambda{|u, f| u.paperclip_style }],
-          [:basename     , lambda{|u, f| f.gsub(/#{File.extname(f)}$/, "") }],
-          [:extension    , lambda{|u, f| File.extname(f).gsub(/^\.+/, "")}]
-        ]
+      private
+      def interpolate_paperclip_path(path)
+        mappings.each_pair.inject(path) do |agg, pair|
+          agg.gsub(":#{pair[0]}") { pair[1].call(self, self.paperclip_style).to_s }
+        end
       end
     end # Paperclip
   end # Compatibility
 end # CarrierWave

data/lib/carrierwave/downloader/base.rb ADDED Viewed

@@ -0,0 +1,83 @@
+require 'open-uri'
+require 'ssrf_filter'
+require 'addressable'
+require 'carrierwave/downloader/remote_file'
+module CarrierWave
+  module Downloader
+    class Base
+      attr_reader :uploader
+      def initialize(uploader)
+        @uploader = uploader
+      end
+      ##
+      # Downloads a file from given URL and returns a RemoteFile.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      # [remote_headers (Hash)] Request headers
+      #
+      def download(url, remote_headers = {})
+        headers = remote_headers.
+          reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        uri = process_uri(url.to_s)
+        begin
+          if skip_ssrf_protection?(uri)
+            response = OpenURI.open_uri(process_uri(url.to_s), headers)
+          else
+            request = nil
+            response = SsrfFilter.get(uri, headers: headers) do |req|
+              request = req
+            end
+            response.uri = request.uri
+            response.value
+          end
+        rescue StandardError => e
+          raise CarrierWave::DownloadError, "could not download file: #{e.message}"
+        end
+        CarrierWave::Downloader::RemoteFile.new(response)
+      end
+      ##
+      # Processes the given URL by parsing and escaping it. Public to allow overriding.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      #
+      def process_uri(uri)
+        uri_parts = uri.split('?')
+        encoded_uri = Addressable::URI.parse(uri_parts.shift).normalize.to_s
+        encoded_uri << '?' << Addressable::URI.encode(uri_parts.join('?')).gsub('%5B', '[').gsub('%5D', ']') if uri_parts.any?
+        URI.parse(encoded_uri)
+      rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
+        raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
+      end
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
+    end
+  end
+end

data/lib/carrierwave/downloader/remote_file.rb ADDED Viewed

@@ -0,0 +1,65 @@
+module CarrierWave
+  module Downloader
+    class RemoteFile
+      attr_reader :file, :uri
+      def initialize(file)
+        case file
+        when String
+          @file = StringIO.new(file)
+        when Net::HTTPResponse
+          @file = StringIO.new(file.body)
+          @content_type = file.content_type
+          @headers = file
+          @uri = file.uri
+        else
+          @file = file
+          @content_type = file.content_type
+          @headers = file.meta
+          @uri = file.base_uri
+        end
+      end
+      def content_type
+        @content_type || 'application/octet-stream'
+      end
+      def headers
+        @headers || {}
+      end
+      def original_filename
+        filename = filename_from_header || filename_from_uri
+        mime_type = MiniMime.lookup_by_content_type(content_type)
+        unless File.extname(filename).present? || mime_type.blank?
+          filename = "#{filename}.#{mime_type.extension}"
+        end
+        filename
+      end
+      def respond_to?(*args)
+        super || file.respond_to?(*args)
+      end
+      private
+      def filename_from_header
+        return nil unless headers['content-disposition']
+        match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+        return nil unless match
+        match[1].presence || match[2].presence
+      end
+      def filename_from_uri
+        CGI.unescape(File.basename(uri.path))
+      end
+      def method_missing(*args, &block)
+        file.send(*args, &block)
+      end
+    end
+  end
+end

data/lib/carrierwave/error.rb CHANGED Viewed

@@ -4,4 +4,5 @@ module CarrierWave
   class InvalidParameter < UploadError; end
   class ProcessingError < UploadError; end
   class DownloadError < UploadError; end
+  class UnknownStorageError < StandardError; end
 end

data/lib/carrierwave/locale/en.yml CHANGED Viewed

@@ -4,8 +4,11 @@ en:
       carrierwave_processing_error: failed to be processed
       carrierwave_integrity_error: is not of an allowed file type
       carrierwave_download_error: could not be downloaded
-      extension_white_list_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
-      extension_black_list_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-      rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image? Original Error: %{e}"
-      mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type? Original Error: %{e}"
+      extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
+      extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
+      content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
+      content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
+      rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
       mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"
+      min_size_error: "File size should be greater than %{min_size}"
+      max_size_error: "File size should be less than %{max_size}"