carrierwave 1.3.2 → 3.0.7

data/lib/carrierwave/uploader/extension_allowlist.rb

@@ -0,0 +1,63 @@
+module CarrierWave
+  module Uploader
+    module ExtensionAllowlist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_extension_allowlist!
+      end
+
+      ##
+      # Override this method in your uploader to provide an allowlist of extensions which
+      # are allowed to be uploaded. Compares the file's extension case insensitive.
+      # Furthermore, not only strings but Regexp are allowed as well.
+      #
+      # When using a Regexp in the allowlist, `\A` and `\z` are automatically added to
+      # the Regexp expression, also case insensitive.
+      #
+      # === Returns
+      #
+      # [NilClass, String, Regexp, Array[String, Regexp]] an allowlist of extensions which are allowed to be uploaded
+      #
+      # === Examples
+      #
+      #     def extension_allowlist
+      #       %w(jpg jpeg gif png)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def extension_allowlist
+      #       [/jpe?g/, 'gif', 'png']
+      #     end
+      #
+      def extension_allowlist
+      end
+
+    private
+
+      def check_extension_allowlist!(new_file)
+        allowlist = extension_allowlist
+        if !allowlist && respond_to?(:extension_whitelist) && extension_whitelist
+          ActiveSupport::Deprecation.warn "#extension_whitelist is deprecated, use #extension_allowlist instead." unless instance_variable_defined?(:@extension_whitelist_warned)
+          @extension_whitelist_warned = true
+          allowlist = extension_whitelist
+        end
+
+        return unless allowlist
+
+        extension = new_file.extension.to_s
+        if !allowlisted_extension?(allowlist, extension)
+          # Look for whitelist first, then fallback to allowlist
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.extension_allowlist_error", extension: new_file.extension.inspect,
+                                                            allowed_types: Array(allowlist).join(", "), default: :"errors.messages.extension_whitelist_error")
+        end
+      end
+
+      def allowlisted_extension?(allowlist, extension)
+        downcase_extension = extension.downcase
+        Array(allowlist).any? { |item| downcase_extension =~ /\A#{item}\z/i }
+      end
+    end # ExtensionAllowlist
+  end # Uploader
+end # CarrierWave

data/lib/carrierwave/uploader/extension_denylist.rb

@@ -0,0 +1,64 @@
+module CarrierWave
+  module Uploader
+    module ExtensionDenylist
+      extend ActiveSupport::Concern
+
+      included do
+        before :cache, :check_extension_denylist!
+      end
+
+      ##
+      # Override this method in your uploader to provide a denylist of extensions which
+      # are prohibited to be uploaded. Compares the file's extension case insensitive.
+      # Furthermore, not only strings but Regexp are allowed as well.
+      #
+      # When using a Regexp in the denylist, `\A` and `\z` are automatically added to
+      # the Regexp expression, also case insensitive.
+      #
+      # === Returns
+
+      # [NilClass, String, Regexp, Array[String, Regexp]] a deny list of extensions which are prohibited to be uploaded
+      #
+      # === Examples
+      #
+      #     def extension_denylist
+      #       %w(swf tiff)
+      #     end
+      #
+      # Basically the same, but using a Regexp:
+      #
+      #     def extension_denylist
+      #       [/swf/, 'tiff']
+      #     end
+      #
+      def extension_denylist
+      end
+
+    private
+
+      def check_extension_denylist!(new_file)
+        denylist = extension_denylist
+        if !denylist && respond_to?(:extension_blacklist) && extension_blacklist
+          ActiveSupport::Deprecation.warn "#extension_blacklist is deprecated, use #extension_denylist instead." unless instance_variable_defined?(:@extension_blacklist_warned)
+          @extension_blacklist_warned = true
+          denylist = extension_blacklist
+        end
+
+        return unless denylist
+
+        ActiveSupport::Deprecation.warn "Use of #extension_denylist is deprecated for the security reason, use #extension_allowlist instead to explicitly state what are safe to accept" unless instance_variable_defined?(:@extension_denylist_warned)
+        @extension_denylist_warned = true
+
+        extension = new_file.extension.to_s
+        if denylisted_extension?(denylist, extension)
+          raise CarrierWave::IntegrityError, I18n.translate(:"errors.messages.extension_denylist_error", extension: new_file.extension.inspect,
+                                                            prohibited_types: Array(extension_denylist).join(", "), default: :"errors.messages.extension_blacklist_error")
+        end
+      end
+
+      def denylisted_extension?(denylist, extension)
+        Array(denylist).any? { |item| extension =~ /\A#{item}\z/i }
+      end
+    end
+  end
+end

data/lib/carrierwave/uploader/file_size.rb

@@ -14,7 +14,7 @@ module CarrierWave
       # are allowed to be uploaded.
       # === Returns
       #
-      # [NilClass, Range] a size range which are permitted to be uploaded
+      # [NilClass, Range] a size range (in bytes) which are permitted to be uploaded
       #
       # === Examples
       #
@@ -24,7 +24,7 @@ module CarrierWave
       #
       def size_range; end
 
-      private
+    private
 
       def check_size!(new_file)
         size = new_file.size

data/lib/carrierwave/uploader/mountable.rb

@@ -33,6 +33,12 @@ module CarrierWave
         @mounted_as = mounted_as
       end
 
+      ##
+      # Returns array index of given uploader within currently mounted uploaders
+      #
+      def index
+        model.__send__(:_mounter, mounted_as).uploaders.index(self)
+      end
     end # Mountable
   end # Uploader
 end # CarrierWave

data/lib/carrierwave/uploader/processing.rb

@@ -18,7 +18,7 @@ module CarrierWave
         # Adds a processor callback which applies operations as a file is uploaded.
         # The argument may be the name of any method of the uploader, expressed as a symbol,
         # or a list of such methods, or a hash where the key is a method and the value is
-        # an array of arguments to call the method with
+        # an array of arguments to call the method with. Also accepts an :if or :unless condition
         #
         # === Parameters
         #
@@ -31,6 +31,7 @@ module CarrierWave
         #       process :sepiatone, :vignette
         #       process :scale => [200, 200]
         #       process :scale => [200, 200], :if => :image?
+        #       process :scale => [200, 200], :unless => :disallowed_image_type?
         #       process :sepiatone, :if => :image?
         #
         #       def sepiatone
@@ -49,6 +50,10 @@ module CarrierWave
         #         ...
         #       end
         #
+        #       def disallowed_image_type?
+        #         ...
+        #       end
+        #
         #     end
         #
         def process(*args)
@@ -57,12 +62,17 @@ module CarrierWave
             hash.merge!(arg)
           end
 
-          condition = new_processors.delete(:if)
+          condition_type = new_processors.keys.detect { |key| [:if, :unless].include?(key) }
+          condition = new_processors.delete(:if) || new_processors.delete(:unless)
           new_processors.each do |processor, processor_args|
-            self.processors += [[processor, processor_args, condition]]
+            self.processors += [[processor, processor_args, condition, condition_type]]
+
+            if processor == :convert
+              # Treat :convert specially, since it should trigger the file extension change
+              force_extension processor_args
+            end
           end
         end
-
       end # ClassMethods
 
       ##
@@ -72,19 +82,44 @@ module CarrierWave
         return unless enable_processing
 
         with_callbacks(:process, new_file) do
-          self.class.processors.each do |method, args, condition|
-            if(condition)
+          self.class.processors.each do |method, args, condition, condition_type|
+            if condition && condition_type == :if
               if condition.respond_to?(:call)
                 next unless condition.call(self, :args => args, :method => method, :file => new_file)
               else
                 next unless self.send(condition, new_file)
               end
+            elsif condition && condition_type == :unless
+              if condition.respond_to?(:call)
+                next if condition.call(self, :args => args, :method => method, :file => new_file)
+              elsif self.send(condition, new_file)
+                next
+              end
+            end
+
+            if args.is_a? Array
+              kwargs, args = args.partition { |arg| arg.is_a? Hash }
+            end
+
+            if kwargs.present?
+              kwargs = kwargs.reduce(:merge)
+              self.send(method, *args, **kwargs)
+            else
+              self.send(method, *args)
             end
-            self.send(method, *args)
           end
         end
       end
 
+    private
+
+      def forcing_extension(filename)
+        if force_extension && filename
+          Pathname.new(filename).sub_ext(".#{force_extension.to_s.delete_prefix('.')}").to_s
+        else
+          filename
+        end
+      end
     end # Processing
   end # Uploader
 end # CarrierWave

data/lib/carrierwave/uploader/proxy.rb

@@ -23,14 +23,27 @@ module CarrierWave
       alias_method :path, :current_path
 
       ##
-      # Returns a string that uniquely identifies the last stored file
+      # Returns a string that uniquely identifies the retrieved or last stored file
       #
       # === Returns
       #
       # [String] uniquely identifies a file
       #
       def identifier
-        storage.try(:identifier)
+        @identifier || (file && storage.try(:identifier))
+      end
+
+      ##
+      # Returns a String which is to be used as a temporary value which gets assigned to the column.
+      # The purpose is to mark the column that it will be updated. Finally before the save it will be
+      # overwritten by the #identifier value, which is usually #filename.
+      #
+      # === Returns
+      #
+      # [String] a temporary_identifier, by default the value of #cache_name is used
+      #
+      def temporary_identifier
+        cache_name || @identifier
       end
 
       ##
@@ -40,8 +53,8 @@ module CarrierWave
       #
       # [String] contents of the file
       #
-      def read
-        file.try(:read)
+      def read(*args)
+        file.try(:read, *args)
       end
 
       ##

data/lib/carrierwave/uploader/serialization.rb

@@ -7,7 +7,7 @@ module CarrierWave
       extend ActiveSupport::Concern
 
       def serializable_hash(options = nil)
-        {"url" => url}.merge Hash[versions.map { |name, version| [name, { "url" => version.url }] }]
+        {"url" => url}.merge Hash[versions.map { |name, version| [name.to_s, { "url" => version.url }] }]
       end
 
       def as_json(options=nil)

data/lib/carrierwave/uploader/store.rb

@@ -11,7 +11,7 @@ module CarrierWave
         prepend Module.new {
           def initialize(*)
             super
-            @file, @filename, @cache_id = nil
+            @file, @filename, @cache_id, @identifier, @deduplication_index = nil
           end
         }
       end
@@ -34,9 +34,26 @@ module CarrierWave
         @filename
       end
 
+      ##
+      # Returns a filename which doesn't conflict with already-stored files.
+      #
+      # === Returns
+      #
+      # [String] the filename with suffix added for deduplication
+      #
+      def deduplicated_filename
+        return unless filename
+        return filename unless @deduplication_index
+
+        parts = filename.split('.')
+        basename = parts.shift
+        basename.sub!(/ ?\(\d+\)\z/, '')
+        ([basename.to_s + (@deduplication_index > 1 ? "(#{@deduplication_index})" : '')] + parts).join('.')
+      end
+
       ##
       # Calculates the path where the file should be stored. If +for_file+ is given, it will be
-      # used as the filename, otherwise +CarrierWave::Uploader#filename+ is assumed.
+      # used as the identifier, otherwise +CarrierWave::Uploader#identifier+ is assumed.
       #
       # === Parameters
       #
@@ -46,7 +63,7 @@ module CarrierWave
       #
       # [String] the store path
       #
-      def store_path(for_file=filename)
+      def store_path(for_file=identifier)
         File.join([store_dir, full_filename(for_file)].compact)
       end
 
@@ -60,8 +77,8 @@ module CarrierWave
       # [new_file (File, IOString, Tempfile)] any kind of file object
       #
       def store!(new_file=nil)
-        cache!(new_file) if new_file && ((@cache_id != parent_cache_id) || @cache_id.nil?)
-        if !cache_only and @file and @cache_id
+        cache!(new_file) if new_file && !cached?
+        if !cache_only && @file && @cache_id
           with_callbacks(:store, new_file) do
             new_file = storage.store!(@file)
             if delete_tmp_file_after_storage
@@ -69,7 +86,9 @@ module CarrierWave
               cache_storage.delete_dir!(cache_path(nil))
             end
             @file = new_file
-            @cache_id = nil
+            @identifier = storage.identifier
+            @original_filename = @cache_id = @deduplication_index = nil
+            @staged = false
           end
         end
       end
@@ -84,13 +103,34 @@ module CarrierWave
       def retrieve_from_store!(identifier)
         with_callbacks(:retrieve_from_store, identifier) do
           @file = storage.retrieve!(identifier)
+          @identifier = identifier
+        end
+      end
+
+      ##
+      # Look for an identifier which doesn't collide with the given already-stored identifiers.
+      # It is done by adding a index number as the suffix.
+      # For example, if there's 'image.jpg' and the @deduplication_index is set to 2,
+      # The stored file will be named as 'image(2).jpg'.
+      #
+      # === Parameters
+      #
+      # [current_identifiers (Array[String])] List of identifiers for already-stored files
+      #
+      def deduplicate(current_identifiers)
+        @deduplication_index = nil
+        return unless current_identifiers.include?(identifier)
+
+        (1..current_identifiers.size + 1).each do |i|
+          @deduplication_index = i
+          break unless current_identifiers.include?(identifier)
         end
       end
 
     private
 
       def full_filename(for_file)
-        for_file
+        forcing_extension(for_file)
       end
 
       def storage

data/lib/carrierwave/uploader/url.rb

@@ -15,12 +15,15 @@ module CarrierWave
       # [String] the location where this file is accessible via a url
       #
       def url(options = {})
-        if file.respond_to?(:url) and not (tmp_url = file.url).blank?
-          file.method(:url).arity == 0 ? tmp_url : file.url(options)
-        elsif file.respond_to?(:path)
+        if file.respond_to?(:url)
+          tmp_url = file.method(:url).arity.zero? ? file.url : file.url(options)
+          return tmp_url if tmp_url.present?
+        end
+
+        if file.respond_to?(:path)
           path = encode_path(file.path.sub(File.expand_path(root), ''))
 
-          if host = asset_host
+          if (host = asset_host)
             if host.respond_to? :call
               "#{host.call(file)}#{path}"
             else