carrierwave 1.3.2 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5e6d1dd656203f5e14c43b75b807e793d623126006ddf8c5a4f9f4706faa750
-  data.tar.gz: 82281b939837f54716f580a1deb6397d87cc9bb867dc6a6938a4322d795500b1
+  metadata.gz: b815c0a48b4df1ed7a3c3ea6f0d3cf4748b9197d5507b7b99ba262bcf703f8de
+  data.tar.gz: b162ccab7c487c367702310819a3e14a05f014abed916a79112520550877a477
 SHA512:
-  metadata.gz: 8eca3a53204f520d0cabf6e2384e6670cb634159e4b6c1e8d3915b6bab8473f21fb116047129b142a986588ea27401131d095186657770d7c31b03d6c929a1c9
-  data.tar.gz: 316797cffad6d2568e50929862cd80ba3e56c05d557f70f8631b66fc60ffd65fe5862afe4121a1e5e775e55a5f6c9a6c14414bce6a57deab2d12a8a127ed5b0d
+  metadata.gz: a6341493e822abeaa770f1c202e3ca62c43b54a2dcf1768e7d485208f825a546354d66b9c45d1169c2636d32a39b36312a8029729009504b87ab2ff6b8500187
+  data.tar.gz: 9a8f6b9f5c2ba84f500a051f1ad9f7da603af42a746422f5a727fe79c02eb1cd9063c5b082fd7a051f263b52918d76a1abeb16ee4bb2dd8ecaea73d4a9f732fe

data/README.md

@@ -3,7 +3,7 @@
 This gem provides a simple and extremely flexible way to upload files from Ruby applications.
 It works well with Rack based web applications, such as Ruby on Rails.
 
-[![Build Status](https://travis-ci.org/carrierwaveuploader/carrierwave.svg?branch=master)](http://travis-ci.org/carrierwaveuploader/carrierwave)
+[![Build Status](https://github.com/carrierwaveuploader/carrierwave/workflows/Test/badge.svg)](https://github.com/carrierwaveuploader/carrierwave/actions)
 [![Code Climate](https://codeclimate.com/github/carrierwaveuploader/carrierwave.svg)](https://codeclimate.com/github/carrierwaveuploader/carrierwave)
 [![SemVer](https://api.dependabot.com/badges/compatibility_score?dependency-name=carrierwave&package-manager=bundler&version-scheme=semver)](https://dependabot.com/compatibility-score.html?dependency-name=carrierwave&package-manager=bundler&version-scheme=semver)
 
@@ -30,13 +30,13 @@ $ gem install carrierwave
 In Rails, add it to your Gemfile:
 
 ```ruby
-gem 'carrierwave', '~> 1.0'
+gem 'carrierwave', '~> 2.0'
 ```
 
 Finally, restart the server to apply the changes.
 
-As of version 1.0, CarrierWave requires Rails 4.0 or higher and Ruby 2.0
-or higher. If you're on Rails 3, you should use v0.11.0.
+As of version 2.0, CarrierWave requires Rails 5.0 or higher and Ruby 2.2
+or higher. If you're on Rails 4, you should use 1.x.
 
 ## Getting Started
 
@@ -94,7 +94,7 @@ a migration:
 Open your model file and mount the uploader:
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   mount_uploader :avatar, AvatarUploader
 end
 ```
@@ -157,7 +157,7 @@ Open your model file and mount the uploader:
 
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   mount_uploaders :avatars, AvatarUploader
   serialize :avatars, JSON # If you use SQLite, add this line.
 end
@@ -190,6 +190,17 @@ u.avatars[0].current_path # => 'path/to/file.png'
 u.avatars[0].identifier # => 'file.png'
 ```
 
+If you want to preserve existing files on uploading new one, you can go like:
+
+```erb
+<% user.avatars.each do |avatar| %>
+  <%= hidden_field :user, :avatars, multiple: true, value: avatar.identifier %>
+<% end %>
+<%= form.file_field :avatars, multiple: true %>
+```
+
+Sorting avatars is supported as well by reordering `hidden_field`, an example using jQuery UI Sortable is available [here](https://github.com/carrierwaveuploader/carrierwave/wiki/How-to%3A-Add%2C-remove-and-reorder-images-using-multiple-file-upload).
+
 ## Changing the storage directory
 
 In order to change where uploaded files are put, just override the `store_dir`
@@ -219,7 +230,7 @@ end
 ## Securing uploads
 
 Certain files might be dangerous if uploaded to the wrong location, such as PHP
-files or other script files. CarrierWave allows you to specify a whitelist of
+files or other script files. CarrierWave allows you to specify an allowlist of
 allowed extensions or content types.
 
 If you're mounting the uploader, uploading a file with the wrong extension will
@@ -227,7 +238,7 @@ make the record invalid instead. Otherwise, an error is raised.
 
 ```ruby
 class MyUploader < CarrierWave::Uploader::Base
-  def extension_whitelist
+  def extension_allowlist
     %w(jpg jpeg gif png)
   end
 end
@@ -238,29 +249,45 @@ Let's say we need an uploader that accepts only images. This can be done like th
 
 ```ruby
 class MyUploader < CarrierWave::Uploader::Base
-  def content_type_whitelist
+  def content_type_allowlist
     /image\//
   end
 end
 ```
 
-You can use a blacklist to reject content types.
+You can use a denylist to reject content types.
 Let's say we need an uploader that reject JSON files. This can be done like this
 
 ```ruby
 class NoJsonUploader < CarrierWave::Uploader::Base
-  def content_type_blacklist
+  def content_type_denylist
     ['application/text', 'application/json']
   end
 end
 ```
 
+### CVE-2016-3714 (ImageTragick)
+This version of CarrierWave has the ability to mitigate CVE-2016-3714. However, you **MUST** set a content_type_allowlist in your uploaders for this protection to be effective, and you **MUST** either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
+
+
+A valid allowlist that will restrict your uploader to images only, and mitigate the CVE is:
+
+```ruby
+class MyUploader < CarrierWave::Uploader::Base
+  def content_type_allowlist
+    [/image\//]
+  end
+end
+```
+
+**WARNING**: A `content_type_allowlist` is the only form of allowlist or denylist supported by CarrierWave that can effectively mitigate against CVE-2016-3714. Use of `extension_allowlist` will not inspect the file headers, and thus still leaves your application open to the vulnerability.
+
 ### Filenames and unicode chars
 
 Another security issue you should care for is the file names (see
 [Ruby On Rails Security Guide](http://guides.rubyonrails.org/security.html#file-uploads)).
 By default, CarrierWave provides only English letters, arabic numerals and some symbols as
-white-listed characters in the file name. If you want to support local scripts (Cyrillic letters, letters with diacritics and so on), you
+allowlisted characters in the file name. If you want to support local scripts (Cyrillic letters, letters with diacritics and so on), you
 have to override `sanitize_regexp` method. It should return regular expression which would match
 all *non*-allowed symbols.
 
@@ -280,7 +307,7 @@ You no longer need to do this manually.
 
 Often you'll want to add different versions of the same file. The classic example is image thumbnails. There is built in support for this*:
 
-*Note:* You must have Imagemagick and MiniMagick installed to do image resizing. MiniMagick is a Ruby interface for Imagemagick which is a C program. This is why MiniMagick fails on 'bundle install' without Imagemagick installed.
+*Note:* You must have Imagemagick installed to do image resizing.
 
 Some documentation refers to RMagick instead of MiniMagick but MiniMagick is recommended.
 
@@ -305,15 +332,13 @@ end
 
 When this uploader is used, an uploaded image would be scaled to be no larger
 than 800 by 800 pixels. The original aspect ratio will be kept.
-A version called thumb is then created, which is scaled
-to exactly 200 by 200 pixels.
 
-If you would like to crop images to a specific height and width you
-can use the alternative option of '''resize_to_fill'''. It will make sure
+A version called `:thumb` is then created, which is scaled
+to exactly 200 by 200 pixels. The thumbnail uses `resize_to_fill` which makes sure
 that the width and height specified are filled, only cropping
 if the aspect ratio requires it.
 
-The uploader could be used like this:
+The above uploader could be used like this:
 
 ```ruby
 uploader = AvatarUploader.new
@@ -326,6 +351,34 @@ uploader.thumb.url # => '/url/to/thumb_my_file.png'   # size: 200x200
 One important thing to remember is that process is called *before* versions are
 created. This can cut down on processing cost.
 
+### Processing Methods: mini_magick
+
+- `convert` - Changes the image encoding format to the given format, eg. jpg
+- `resize_to_limit` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. Will only resize the image if it is larger than the specified dimensions. The resulting image may be shorter or narrower than specified in the smaller dimension but will not be larger than the specified values.
+- `resize_to_fit` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. The image may be shorter or narrower than specified in the smaller dimension but will not be larger than the specified values.
+- `resize_to_fill` - Resize the image to fit within the specified dimensions while retaining the aspect ratio of the original image. If necessary, crop the image in the larger dimension. Optionally, a "gravity" may be specified, for example "Center", or "NorthEast".
+- `resize_and_pad` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. If necessary, will pad the remaining area with the given color, which defaults to transparent (for gif and png, white for jpeg). Optionally, a "gravity" may be specified, as above.
+
+See `carrierwave/processing/mini_magick.rb` for details.
+
+### conditional process
+
+If you want to use conditional process, you can only use `if` statement.
+
+See `carrierwave/uploader/processing.rb` for details.
+
+```ruby
+class MyUploader < CarrierWave::Uploader::Base
+  process :scale => [200, 200], :if => :image?
+  
+  def image?(carrier_wave_sanitized_file)
+    true
+  end
+end
+```
+
+### Nested versions
+
 It is possible to nest versions within versions:
 
 ```ruby
@@ -362,7 +415,7 @@ private
   end
 
   def is_landscape? picture
-    image = MiniMagick::Image.open(picture.path)
+    image = MiniMagick::Image.new(picture.path)
     image[:width] > image[:height]
   end
 
@@ -651,7 +704,6 @@ If you want to use fog you must add in your CarrierWave initializer the
 following lines
 
 ```ruby
-config.fog_provider = 'fog' # 'fog/aws' etc. Defaults to 'fog'
 config.fog_credentials = { ... } # Provider specific credentials
 ```
 
@@ -669,7 +721,6 @@ You can also pass in additional options, as documented fully in lib/carrierwave/
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = 'fog/aws'                        # required
   config.fog_credentials = {
     provider:              'AWS',                        # required
     aws_access_key_id:     'xxx',                        # required unless using use_iam_profile
@@ -682,6 +733,9 @@ CarrierWave.configure do |config|
   config.fog_directory  = 'name_of_bucket'                                      # required
   config.fog_public     = false                                                 # optional, defaults to true
   config.fog_attributes = { cache_control: "public, max-age=#{365.days.to_i}" } # optional, defaults to {}
+  # For an application which utilizes multiple servers but does not need caches persisted across requests,
+  # uncomment the line :file instead of the default :storage.  Otherwise, it will use AWS as the temp cache store.
+  # config.cache_storage = :file
 end
 ```
 
@@ -695,6 +749,14 @@ end
 
 That's it! You can still use the `CarrierWave::Uploader#url` method to return the url to the file on Amazon S3.
 
+**Note**: for Carrierwave to work properly it needs credentials with the following permissions:
+
+* `s3:ListBucket`
+* `s3:PutObject`
+* `s3:GetObject`
+* `s3:DeleteObject`
+* `s3:PutObjectAcl`
+
 ## Using Rackspace Cloud Files
 
 [Fog](http://github.com/fog/fog) is used to support Rackspace Cloud Files. Ensure you have it in your Gemfile:
@@ -710,7 +772,6 @@ Using a US-based account:
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = "fog/rackspace/storage"   # optional, defaults to "fog"
   config.fog_credentials = {
     provider:           'Rackspace',
     rackspace_username: 'xxxxxx',
@@ -725,7 +786,6 @@ Using a UK-based account:
 
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = "fog/rackspace/storage"   # optional, defaults to "fog"
   config.fog_credentials = {
     provider:           'Rackspace',
     rackspace_username: 'xxxxxx',
@@ -756,31 +816,43 @@ end
 That's it! You can still use the `CarrierWave::Uploader#url` method to return
 the url to the file on Rackspace Cloud Files.
 
-## Using Google Storage for Developers
+## Using Google Cloud Storage
 
-[Fog](http://github.com/fog/fog-google) is used to support Google Storage for Developers. Ensure you have it in your Gemfile:
+[Fog](http://github.com/fog/fog-google) is used to support Google Cloud Storage. Ensure you have it in your Gemfile:
 
 ```ruby
 gem "fog-google"
-gem "google-api-client", "> 0.8.5", "< 0.9"
-gem "mime-types"
 ```
 
-You'll need to configure a directory (also known as a bucket), access key id and secret access key in the initializer.
+You'll need to configure a directory (also known as a bucket) and the credentials in the initializer.
 For the sake of performance it is assumed that the directory already exists, so please create it if need be.
 
 Please read the [fog-google README](https://github.com/fog/fog-google/blob/master/README.md) on how to get credentials.
 
+For Google Storage JSON API (recommended):
+```ruby
+CarrierWave.configure do |config|
+    config.fog_provider = 'fog/google'
+    config.fog_credentials = {
+        provider:               'Google',
+        google_project:         'my-project',
+        google_json_key_string: 'xxxxxx'
+        # or use google_json_key_location if using an actual file
+    }
+    config.fog_directory = 'google_cloud_storage_bucket_name'
+end
+```
 
+For Google Storage XML API:
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_provider = 'fog/google'                        # required
-  config.fog_credentials = {
-    provider:                         'Google',
-    google_storage_access_key_id:     'xxxxxx',
-    google_storage_secret_access_key: 'yyyyyy'
-  }
-  config.fog_directory = 'name_of_directory'
+    config.fog_provider = 'fog/google'
+    config.fog_credentials = {
+        provider:                         'Google',
+        google_storage_access_key_id:     'xxxxxx',
+        google_storage_secret_access_key: 'yyyyyy'
+    }
+    config.fog_directory = 'google_cloud_storage_bucket_name'
 end
 ```
 
@@ -871,8 +943,8 @@ manipulation methods.
 
 ## Using MiniMagick
 
-MiniMagick is similar to RMagick but performs all the operations using the 'mogrify'
-command which is part of the standard ImageMagick kit. This allows you to have the power
+MiniMagick is similar to RMagick but performs all the operations using the 'convert'
+CLI which is part of the standard ImageMagick kit. This allows you to have the power
 of ImageMagick without having to worry about installing all the RMagick libraries.
 
 See the MiniMagick site for more details:
@@ -924,10 +996,10 @@ errors:
     carrierwave_processing_error: failed to be processed
     carrierwave_integrity_error: is not of an allowed file type
     carrierwave_download_error: could not be downloaded
-    extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
-    extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-    content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
-    content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
+    extension_allowlist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
+    extension_denylist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
+    content_type_allowlist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
+    content_type_denylist_error: "You are not allowed to upload %{content_type} files"
     rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
     mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"
     min_size_error: "File size should be greater than %{min_size}"
@@ -975,12 +1047,12 @@ end
 Will add these callbacks:
 
 ```ruby
-after_save :store_avatar!
 before_save :write_avatar_identifier
+after_save :store_previous_changes_for_avatar
 after_commit :remove_avatar!, on: :destroy
 after_commit :mark_remove_avatar_false, on: :update
-after_save :store_previous_changes_for_avatar
 after_commit :remove_previously_stored_avatar, on: :update
+after_commit :store_avatar!, on: [:create, :update]
 ```
 
 If you want to skip any of these callbacks (eg. you want to keep the existing
@@ -1000,6 +1072,8 @@ See [CONTRIBUTING.md](https://github.com/carrierwaveuploader/carrierwave/blob/ma
 
 ## License
 
+The MIT License (MIT)
+
 Copyright (c) 2008-2015 Jonas Nicklas
 
 Permission is hereby granted, free of charge, to any person obtaining

data/lib/carrierwave.rb

@@ -72,6 +72,10 @@ elsif defined?(Rails)
           require 'carrierwave/orm/activerecord'
         end
       end
+
+      config.before_eager_load do
+        CarrierWave::Storage::Fog.eager_load
+      end
     end
   end
 

data/lib/carrierwave/downloader/base.rb

@@ -0,0 +1,87 @@
+require 'open-uri'
+require 'ssrf_filter'
+require 'addressable'
+require 'carrierwave/downloader/remote_file'
+
+module CarrierWave
+  module Downloader
+    class Base
+      attr_reader :uploader
+
+      def initialize(uploader)
+        @uploader = uploader
+      end
+
+      ##
+      # Downloads a file from given URL and returns a RemoteFile.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      # [remote_headers (Hash)] Request headers
+      #
+      def download(url, remote_headers = {})
+        headers = remote_headers.
+          reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        uri = process_uri(url.to_s)
+        begin
+          if skip_ssrf_protection?(uri)
+            response = OpenURI.open_uri(process_uri(url.to_s), headers)
+          else
+            request = nil
+            response = SsrfFilter.get(uri, headers: headers) do |req|
+              request = req
+            end
+            response.uri = request.uri
+            response.value
+          end
+        rescue StandardError => e
+          raise CarrierWave::DownloadError, "could not download file: #{e.message}"
+        end
+        CarrierWave::Downloader::RemoteFile.new(response)
+      end
+
+      ##
+      # Processes the given URL by parsing it, and escaping if necessary. Public to allow overriding.
+      #
+      # === Parameters
+      #
+      # [url (String)] The URL where the remote file is stored
+      #
+      def process_uri(uri)
+        uri_parts = uri.split('?')
+        encoded_uri = Addressable::URI.parse(uri_parts.shift).normalize.to_s
+        query = uri_parts.any? ? "?#{uri_parts.join('?')}" : ''
+        begin
+          URI.parse("#{encoded_uri}#{query}")
+        rescue URI::InvalidURIError
+          URI.parse("#{encoded_uri}#{URI::DEFAULT_PARSER.escape(query)}")
+        end
+      rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
+        raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
+      end
+
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
+    end
+  end
+end