RubyGems - carrierwave - Versions diffs - 0.9.0 → 3.0.2 - Mend

carrierwave 0.9.0 → 3.0.2

Potentially problematic release.

This version of carrierwave might be problematic. Click here for more details.

Files changed (56) hide show

checksums.yaml +7 -0
data/README.md +508 -158
data/lib/carrierwave/compatibility/paperclip.rb +31 -21
data/lib/carrierwave/downloader/base.rb +101 -0
data/lib/carrierwave/downloader/remote_file.rb +68 -0
data/lib/carrierwave/error.rb +1 -0
data/lib/carrierwave/locale/en.yml +11 -5
data/lib/carrierwave/mount.rb +220 -187
data/lib/carrierwave/mounter.rb +255 -0
data/lib/carrierwave/orm/activerecord.rb +24 -34
data/lib/carrierwave/processing/mini_magick.rb +142 -79
data/lib/carrierwave/processing/rmagick.rb +76 -35
data/lib/carrierwave/processing/vips.rb +284 -0
data/lib/carrierwave/processing.rb +1 -1
data/lib/carrierwave/sanitized_file.rb +89 -70
data/lib/carrierwave/storage/abstract.rb +16 -3
data/lib/carrierwave/storage/file.rb +71 -3
data/lib/carrierwave/storage/fog.rb +215 -58
data/lib/carrierwave/storage.rb +1 -7
data/lib/carrierwave/test/matchers.rb +88 -19
data/lib/carrierwave/uploader/cache.rb +88 -44
data/lib/carrierwave/uploader/callbacks.rb +1 -3
data/lib/carrierwave/uploader/configuration.rb +81 -9
data/lib/carrierwave/uploader/content_type_allowlist.rb +62 -0
data/lib/carrierwave/uploader/content_type_denylist.rb +62 -0
data/lib/carrierwave/uploader/default_url.rb +3 -5
data/lib/carrierwave/uploader/dimension.rb +66 -0
data/lib/carrierwave/uploader/download.rb +5 -69
data/lib/carrierwave/uploader/extension_allowlist.rb +63 -0
data/lib/carrierwave/uploader/extension_denylist.rb +64 -0
data/lib/carrierwave/uploader/file_size.rb +43 -0
data/lib/carrierwave/uploader/mountable.rb +13 -8
data/lib/carrierwave/uploader/processing.rb +54 -21
data/lib/carrierwave/uploader/proxy.rb +30 -8
data/lib/carrierwave/uploader/remove.rb +0 -2
data/lib/carrierwave/uploader/serialization.rb +3 -5
data/lib/carrierwave/uploader/store.rb +59 -28
data/lib/carrierwave/uploader/url.rb +8 -7
data/lib/carrierwave/uploader/versions.rb +173 -124
data/lib/carrierwave/uploader.rb +12 -6
data/lib/carrierwave/utilities/file_name.rb +47 -0
data/lib/carrierwave/utilities/uri.rb +14 -12
data/lib/carrierwave/utilities.rb +2 -3
data/lib/carrierwave/validations/active_model.rb +7 -13
data/lib/carrierwave/version.rb +1 -1
data/lib/carrierwave.rb +41 -16
data/lib/generators/templates/{uploader.rb → uploader.rb.erb} +5 -9
data/lib/generators/uploader_generator.rb +3 -3
metadata +224 -100
data/lib/carrierwave/locale/cs.yml +0 -11
data/lib/carrierwave/locale/de.yml +0 -11
data/lib/carrierwave/locale/nl.yml +0 -11
data/lib/carrierwave/locale/sk.yml +0 -11
data/lib/carrierwave/processing/mime_types.rb +0 -73
data/lib/carrierwave/uploader/extension_blacklist.rb +0 -47
data/lib/carrierwave/uploader/extension_whitelist.rb +0 -49

data/lib/carrierwave/compatibility/paperclip.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module CarrierWave
   module Compatibility
@@ -46,11 +44,32 @@ module CarrierWave
     # THE SOFTWARE.
     #
     module Paperclip
+      extend ActiveSupport::Concern
+      DEFAULT_MAPPINGS = {
+        :rails_root   => lambda{|u, f| Rails.root.to_s },
+        :rails_env    => lambda{|u, f| Rails.env },
+        :id_partition => lambda{|u, f| ("%09d" % u.model.id).scan(/\d{3}/).join("/")},
+        :id           => lambda{|u, f| u.model.id },
+        :attachment   => lambda{|u, f| u.mounted_as.to_s.downcase.pluralize },
+        :style        => lambda{|u, f| u.paperclip_style },
+        :basename     => lambda{|u, f| u.filename.gsub(/#{File.extname(u.filename)}$/, "") },
+        :extension    => lambda{|u, d| File.extname(u.filename).gsub(/^\.+/, "")},
+        :class        => lambda{|u, f| u.model.class.name.underscore.pluralize}
+      }.freeze
+      included do
+        attr_accessor :filename
+        class_attribute :mappings
+        self.mappings ||= DEFAULT_MAPPINGS.dup
+      end
       def store_path(for_file=filename)
         path = paperclip_path
+        self.filename = for_file
         path ||= File.join(*[store_dir, paperclip_style.to_s, for_file].compact)
-        interpolate_paperclip_path(path, for_file)
+        interpolate_paperclip_path(path)
       end
       def store_dir
@@ -68,28 +87,19 @@ module CarrierWave
         version_name || paperclip_default_style
       end
-    private
-      def interpolate_paperclip_path(path, filename)
-        mappings.inject(path) do |agg, pair|
-          agg.gsub(":#{pair[0]}") { pair[1].call(self, filename).to_s }
+      module ClassMethods
+        def interpolate(sym, &block)
+          mappings[sym] = block
         end
       end
-      def mappings
-        [
-          [:rails_root   , lambda{|u, f| Rails.root }],
-          [:rails_env    , lambda{|u, f| Rails.env }],
-          [:class        , lambda{|u, f| u.model.class.name.underscore.pluralize}],
-          [:id_partition , lambda{|u, f| ("%09d" % u.model.id).scan(/\d{3}/).join("/")}],
-          [:id           , lambda{|u, f| u.model.id }],
-          [:attachment   , lambda{|u, f| u.mounted_as.to_s.downcase.pluralize }],
-          [:style        , lambda{|u, f| u.paperclip_style }],
-          [:basename     , lambda{|u, f| f.gsub(/#{File.extname(f)}$/, "") }],
-          [:extension    , lambda{|u, f| File.extname(f).gsub(/^\.+/, "")}]
-        ]
-      end
+    private
+      def interpolate_paperclip_path(path)
+        mappings.each_pair.inject(path) do |agg, pair|
+          agg.gsub(":#{pair[0]}") { pair[1].call(self, self.paperclip_style).to_s }
+        end
+      end
     end # Paperclip
   end # Compatibility
 end # CarrierWave

data/lib/carrierwave/downloader/base.rb ADDED Viewed

@@ -0,0 +1,101 @@
+require 'open-uri'
+require 'ssrf_filter'
+require 'addressable'
+require 'carrierwave/downloader/remote_file'
+module CarrierWave
+  module Downloader
+    class Base
+      include CarrierWave::Utilities::Uri
+      attr_reader :uploader
+      def initialize(uploader)
+        @uploader = uploader
+      end
+      ##
+      # Downloads a file from given URL and returns a RemoteFile.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      # [remote_headers (Hash)] Request headers
+      #
+      def download(url, remote_headers = {})
+        @current_download_retry_count = 0
+        headers = remote_headers.
+          reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        uri = process_uri(url.to_s)
+        begin
+          if skip_ssrf_protection?(uri)
+            response = OpenURI.open_uri(process_uri(url.to_s), headers)
+          else
+            request = nil
+            if ::SsrfFilter::VERSION.to_f < 1.1
+              response = SsrfFilter.get(uri, headers: headers) do |req|
+                request = req
+              end
+            else
+              response = SsrfFilter.get(uri, headers: headers, request_proc: ->(req) { request = req }) do |res|
+                res.body # ensure to read body
+              end
+            end
+            response.uri = request.uri
+            response.value
+          end
+        rescue StandardError => e
+          if @current_download_retry_count < @uploader.download_retry_count
+            @current_download_retry_count += 1
+            sleep @uploader.download_retry_wait_time
+            retry
+          else
+            raise CarrierWave::DownloadError, "could not download file: #{e.message}"
+          end
+        end
+        CarrierWave::Downloader::RemoteFile.new(response)
+      end
+      ##
+      # Processes the given URL by parsing it, and escaping if necessary. Public to allow overriding.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      #
+      def process_uri(source)
+        uri = Addressable::URI.parse(source)
+        uri.host = uri.normalized_host
+        # Perform decode first, as the path is likely to be already encoded
+        uri.path = encode_path(decode_uri(uri.path)) if uri.path =~ CarrierWave::Utilities::Uri::PATH_UNSAFE
+        uri.query = encode_non_ascii(uri.query) if uri.query
+        uri.fragment = encode_non_ascii(uri.fragment) if uri.fragment
+        URI.parse(uri.to_s)
+      rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
+        raise CarrierWave::DownloadError, "couldn't parse URL: #{source}"
+      end
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
+    end
+  end
+end

data/lib/carrierwave/downloader/remote_file.rb ADDED Viewed

@@ -0,0 +1,68 @@
+module CarrierWave
+  module Downloader
+    class RemoteFile
+      attr_reader :file, :uri
+      def initialize(file)
+        case file
+        when String
+          @file = StringIO.new(file)
+        when Net::HTTPResponse
+          body = file.body
+          raise CarrierWave::DownloadError, 'could not download file: No Content' if body.nil?
+          @file = StringIO.new(body)
+          @content_type = file.content_type
+          @headers = file
+          @uri = file.uri
+        else
+          @file = file
+          @content_type = file.content_type
+          @headers = file.meta
+          @uri = file.base_uri
+        end
+      end
+      def content_type
+        @content_type || 'application/octet-stream'
+      end
+      def headers
+        @headers || {}
+      end
+      def original_filename
+        filename = filename_from_header || filename_from_uri
+        mime_type = Marcel::TYPES[content_type]
+        unless File.extname(filename).present? || mime_type.blank?
+          extension = mime_type[0].first
+          filename = "#{filename}.#{extension}"
+        end
+        filename
+      end
+    private
+      def filename_from_header
+        return nil unless headers['content-disposition']
+        match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+        return nil unless match
+        match[1].presence || match[2].presence
+      end
+      def filename_from_uri
+        CGI.unescape(File.basename(uri.path))
+      end
+      def method_missing(*args, &block)
+        file.send(*args, &block)
+      end
+      def respond_to_missing?(*args)
+        super || file.respond_to?(*args)
+      end
+    end
+  end
+end

data/lib/carrierwave/error.rb CHANGED Viewed

@@ -4,4 +4,5 @@ module CarrierWave
   class InvalidParameter < UploadError; end
   class ProcessingError < UploadError; end
   class DownloadError < UploadError; end
+  class UnknownStorageError < StandardError; end
 end

data/lib/carrierwave/locale/en.yml CHANGED Viewed

@@ -4,8 +4,14 @@ en:
       carrierwave_processing_error: failed to be processed
       carrierwave_integrity_error: is not of an allowed file type
       carrierwave_download_error: could not be downloaded
-      extension_white_list_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
-      extension_black_list_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-      rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image? Original Error: %{e}"
-      mime_types_processing_error: "Failed to process file with MIME::Types, maybe not valid content-type? Original Error: %{e}"
-      mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"
+      extension_allowlist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
+      extension_denylist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
+      content_type_allowlist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
+      content_type_denylist_error: "You are not allowed to upload %{content_type} files"
+      processing_error: "Failed to manipulate, maybe it is not an image?"
+      min_size_error: "File size should be greater than %{min_size}"
+      max_size_error: "File size should be less than %{max_size}"
+      min_width_error: "Image width should be greater than %{min_width}px"
+      max_width_error: "Image width should be less than %{max_width}px"
+      min_height_error: "Image height should be greater than %{min_height}px"
+      max_height_error: "Image height should be less than %{max_height}px"