carrierwave 2.0.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 85a5c93a317b317dcf6bf2a6f6ae520ddc9a6788df8552aa7339b85e2e86f8ba
-  data.tar.gz: d8eae4edcbbbabda5ad0ae70d5e36a425677a34dc2e1b014ca4f3641ba2914c4
+  metadata.gz: a6e511db9d3eebc43bd42613884cf42ba2ad5f236a438a609cccc67c6ce3d192
+  data.tar.gz: 20cef424394b5a40d27e73e8677161870c6d35f60734fd05cf2d0666f461b834
 SHA512:
-  metadata.gz: 0f6a3f1bbbc1aa7137383756b45d2d337254253932b70f2f1cf68440c7bcb37e2607650e58d38174d6487f31f1d7a0ddce1736971396e6107101193d5e84049a
-  data.tar.gz: b2b6bc7e114fcc5f2194cbff2e03048ea669e9cfea1631f36bcf196566f70580da8d2fcc82c4a92b8497b1841073ae19629a61f8635573ceb32bb0430586bab8
+  metadata.gz: 28aeace46926db2716ac4600a67cb3a318c553f8f04f533fcf19afaddbafc46489bc3df5d523bc878f5b77164d4110c69ddfe346944caeb46b0dd83df39d7ac9
+  data.tar.gz: dc271f6fdfd5a515295185265a53b0b894ecef7e1d72bdcaa062357dacd5c7e9bca54a818ffcd344a95b341628451f5b6e579b62587845148075f9db9de949f7

data/README.md

@@ -3,7 +3,7 @@
 This gem provides a simple and extremely flexible way to upload files from Ruby applications.
 It works well with Rack based web applications, such as Ruby on Rails.
 
-[![Build Status](https://travis-ci.org/carrierwaveuploader/carrierwave.svg?branch=master)](http://travis-ci.org/carrierwaveuploader/carrierwave)
+[![Build Status](https://github.com/carrierwaveuploader/carrierwave/workflows/Test/badge.svg)](https://github.com/carrierwaveuploader/carrierwave/actions)
 [![Code Climate](https://codeclimate.com/github/carrierwaveuploader/carrierwave.svg)](https://codeclimate.com/github/carrierwaveuploader/carrierwave)
 [![SemVer](https://api.dependabot.com/badges/compatibility_score?dependency-name=carrierwave&package-manager=bundler&version-scheme=semver)](https://dependabot.com/compatibility-score.html?dependency-name=carrierwave&package-manager=bundler&version-scheme=semver)
 
@@ -94,7 +94,7 @@ a migration:
 Open your model file and mount the uploader:
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   mount_uploader :avatar, AvatarUploader
 end
 ```
@@ -157,7 +157,7 @@ Open your model file and mount the uploader:
 
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   mount_uploaders :avatars, AvatarUploader
   serialize :avatars, JSON # If you use SQLite, add this line.
 end
@@ -230,7 +230,7 @@ end
 ## Securing uploads
 
 Certain files might be dangerous if uploaded to the wrong location, such as PHP
-files or other script files. CarrierWave allows you to specify a whitelist of
+files or other script files. CarrierWave allows you to specify an allowlist of
 allowed extensions or content types.
 
 If you're mounting the uploader, uploading a file with the wrong extension will
@@ -238,7 +238,7 @@ make the record invalid instead. Otherwise, an error is raised.
 
 ```ruby
 class MyUploader < CarrierWave::Uploader::Base
-  def extension_whitelist
+  def extension_allowlist
     %w(jpg jpeg gif png)
   end
 end
@@ -249,45 +249,45 @@ Let's say we need an uploader that accepts only images. This can be done like th
 
 ```ruby
 class MyUploader < CarrierWave::Uploader::Base
-  def content_type_whitelist
+  def content_type_allowlist
     /image\//
   end
 end
 ```
 
-You can use a blacklist to reject content types.
+You can use a denylist to reject content types.
 Let's say we need an uploader that reject JSON files. This can be done like this
 
 ```ruby
 class NoJsonUploader < CarrierWave::Uploader::Base
-  def content_type_blacklist
+  def content_type_denylist
     ['application/text', 'application/json']
   end
 end
 ```
 
 ### CVE-2016-3714 (ImageTragick)
-This version of CarrierWave has the ability to mitigate CVE-2016-3714. However, you **MUST** set a content_type_whitelist in your uploaders for this protection to be effective, and you **MUST** either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
+This version of CarrierWave has the ability to mitigate CVE-2016-3714. However, you **MUST** set a content_type_allowlist in your uploaders for this protection to be effective, and you **MUST** either disable ImageMagick's default SVG delegate or use the RSVG delegate for SVG processing.
 
 
-A valid whitelist that will restrict your uploader to images only, and mitigate the CVE is:
+A valid allowlist that will restrict your uploader to images only, and mitigate the CVE is:
 
 ```ruby
 class MyUploader < CarrierWave::Uploader::Base
-  def content_type_whitelist
+  def content_type_allowlist
     [/image\//]
   end
 end
 ```
 
-**WARNING**: A `content_type_whitelist` is the only form of whitelist or blacklist supported by CarrierWave that can effectively mitigate against CVE-2016-3714. Use of `extension_whitelist` will not inspect the file headers, and thus still leaves your application open to the vulnerability.
+**WARNING**: A `content_type_allowlist` is the only form of allowlist or denylist supported by CarrierWave that can effectively mitigate against CVE-2016-3714. Use of `extension_allowlist` will not inspect the file headers, and thus still leaves your application open to the vulnerability.
 
 ### Filenames and unicode chars
 
 Another security issue you should care for is the file names (see
 [Ruby On Rails Security Guide](http://guides.rubyonrails.org/security.html#file-uploads)).
 By default, CarrierWave provides only English letters, arabic numerals and some symbols as
-white-listed characters in the file name. If you want to support local scripts (Cyrillic letters, letters with diacritics and so on), you
+allowlisted characters in the file name. If you want to support local scripts (Cyrillic letters, letters with diacritics and so on), you
 have to override `sanitize_regexp` method. It should return regular expression which would match
 all *non*-allowed symbols.
 
@@ -332,15 +332,13 @@ end
 
 When this uploader is used, an uploaded image would be scaled to be no larger
 than 800 by 800 pixels. The original aspect ratio will be kept.
-A version called thumb is then created, which is scaled
-to exactly 200 by 200 pixels.
 
-If you would like to crop images to a specific height and width you
-can use the alternative option of '''resize_to_fill'''. It will make sure
+A version called `:thumb` is then created, which is scaled
+to exactly 200 by 200 pixels. The thumbnail uses `resize_to_fill` which makes sure
 that the width and height specified are filled, only cropping
 if the aspect ratio requires it.
 
-The uploader could be used like this:
+The above uploader could be used like this:
 
 ```ruby
 uploader = AvatarUploader.new
@@ -353,6 +351,18 @@ uploader.thumb.url # => '/url/to/thumb_my_file.png'   # size: 200x200
 One important thing to remember is that process is called *before* versions are
 created. This can cut down on processing cost.
 
+### Processing Methods: mini_magick
+
+- `convert` - Changes the image encoding format to the given format, eg. jpg
+- `resize_to_limit` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. Will only resize the image if it is larger than the specified dimensions. The resulting image may be shorter or narrower than specified in the smaller dimension but will not be larger than the specified values.
+- `resize_to_fit` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. The image may be shorter or narrower than specified in the smaller dimension but will not be larger than the specified values.
+- `resize_to_fill` - Resize the image to fit within the specified dimensions while retaining the aspect ratio of the original image. If necessary, crop the image in the larger dimension. Optionally, a "gravity" may be specified, for example "Center", or "NorthEast".
+- `resize_and_pad` - Resize the image to fit within the specified dimensions while retaining the original aspect ratio. If necessary, will pad the remaining area with the given color, which defaults to transparent (for gif and png, white for jpeg). Optionally, a "gravity" may be specified, as above.
+
+See `carrierwave/processing/mini_magick.rb` for details.
+
+### Nested versions
+
 It is possible to nest versions within versions:
 
 ```ruby
@@ -707,6 +717,9 @@ CarrierWave.configure do |config|
   config.fog_directory  = 'name_of_bucket'                                      # required
   config.fog_public     = false                                                 # optional, defaults to true
   config.fog_attributes = { cache_control: "public, max-age=#{365.days.to_i}" } # optional, defaults to {}
+  # For an application which utilizes multiple servers but does not need caches persisted across requests,
+  # uncomment the line :file instead of the default :storage.  Otherwise, it will use AWS as the temp cache store.
+  # config.cache_storage = :file
 end
 ```
 
@@ -787,30 +800,43 @@ end
 That's it! You can still use the `CarrierWave::Uploader#url` method to return
 the url to the file on Rackspace Cloud Files.
 
-## Using Google Storage for Developers
+## Using Google Cloud Storage
 
-[Fog](http://github.com/fog/fog-google) is used to support Google Storage for Developers. Ensure you have it in your Gemfile:
+[Fog](http://github.com/fog/fog-google) is used to support Google Cloud Storage. Ensure you have it in your Gemfile:
 
 ```ruby
 gem "fog-google"
-gem "google-api-client", "> 0.8.5", "< 0.9"
-gem "mime-types"
 ```
 
-You'll need to configure a directory (also known as a bucket), access key id and secret access key in the initializer.
+You'll need to configure a directory (also known as a bucket) and the credentials in the initializer.
 For the sake of performance it is assumed that the directory already exists, so please create it if need be.
 
 Please read the [fog-google README](https://github.com/fog/fog-google/blob/master/README.md) on how to get credentials.
 
+For Google Storage JSON API (recommended):
+```ruby
+CarrierWave.configure do |config|
+    config.fog_provider = 'fog/google'
+    config.fog_credentials = {
+        provider:               'Google',
+        google_project:         'my-project',
+        google_json_key_string: 'xxxxxx'
+        # or use google_json_key_location if using an actual file
+    }
+    config.fog_directory = 'google_cloud_storage_bucket_name'
+end
+```
 
+For Google Storage XML API:
 ```ruby
 CarrierWave.configure do |config|
-  config.fog_credentials = {
-    provider:                         'Google',
-    google_storage_access_key_id:     'xxxxxx',
-    google_storage_secret_access_key: 'yyyyyy'
-  }
-  config.fog_directory = 'name_of_directory'
+    config.fog_provider = 'fog/google'
+    config.fog_credentials = {
+        provider:                         'Google',
+        google_storage_access_key_id:     'xxxxxx',
+        google_storage_secret_access_key: 'yyyyyy'
+    }
+    config.fog_directory = 'google_cloud_storage_bucket_name'
 end
 ```
 
@@ -954,10 +980,10 @@ errors:
     carrierwave_processing_error: failed to be processed
     carrierwave_integrity_error: is not of an allowed file type
     carrierwave_download_error: could not be downloaded
-    extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
-    extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-    content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
-    content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
+    extension_allowlist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
+    extension_denylist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
+    content_type_allowlist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
+    content_type_denylist_error: "You are not allowed to upload %{content_type} files"
     rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
     mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"
     min_size_error: "File size should be greater than %{min_size}"
@@ -1005,12 +1031,12 @@ end
 Will add these callbacks:
 
 ```ruby
-after_save :store_avatar!
 before_save :write_avatar_identifier
+after_save :store_previous_changes_for_avatar
 after_commit :remove_avatar!, on: :destroy
 after_commit :mark_remove_avatar_false, on: :update
-after_save :store_previous_changes_for_avatar
 after_commit :remove_previously_stored_avatar, on: :update
+after_commit :store_avatar!, on: [:create, :update]
 ```
 
 If you want to skip any of these callbacks (eg. you want to keep the existing

data/lib/carrierwave/downloader/base.rb

@@ -1,4 +1,5 @@
 require 'open-uri'
+require 'ssrf_filter'
 require 'addressable'
 require 'carrierwave/downloader/remote_file'
 
@@ -22,16 +23,26 @@ module CarrierWave
       def download(url, remote_headers = {})
         headers = remote_headers.
           reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+        uri = process_uri(url.to_s)
         begin
-          file = OpenURI.open_uri(process_uri(url.to_s), headers)
+          if skip_ssrf_protection?(uri)
+            response = OpenURI.open_uri(process_uri(url.to_s), headers)
+          else
+            request = nil
+            response = SsrfFilter.get(uri, headers: headers) do |req|
+              request = req
+            end
+            response.uri = request.uri
+            response.value
+          end
         rescue StandardError => e
           raise CarrierWave::DownloadError, "could not download file: #{e.message}"
         end
-        CarrierWave::Downloader::RemoteFile.new(file)
+        CarrierWave::Downloader::RemoteFile.new(response)
       end
 
       ##
-      # Processes the given URL by parsing and escaping it. Public to allow overriding.
+      # Processes the given URL by parsing it, and escaping if necessary. Public to allow overriding.
       #
       # === Parameters
       #
@@ -40,11 +51,37 @@ module CarrierWave
       def process_uri(uri)
         uri_parts = uri.split('?')
         encoded_uri = Addressable::URI.parse(uri_parts.shift).normalize.to_s
-        encoded_uri << '?' << URI.encode(uri_parts.join('?')) if uri_parts.any?
-        URI.parse(encoded_uri)
+        query = uri_parts.any? ? "?#{uri_parts.join('?')}" : ''
+        begin
+          URI.parse("#{encoded_uri}#{query}")
+        rescue URI::InvalidURIError
+          URI.parse("#{encoded_uri}#{URI::DEFAULT_PARSER.escape(query)}")
+        end
       rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
         raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
       end
+
+      ##
+      # If this returns true, SSRF protection will be bypassed.
+      # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+      #
+      # === Parameters
+      #
+      # [uri (URI)] The URI where the remote file is stored
+      #
+      # === Examples
+      #
+      #     class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+      #       def skip_ssrf_protection?(uri)
+      #         uri.hostname == 'localhost' && uri.port == 80
+      #       end
+      #     end
+      #
+      #     my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+      #
+      def skip_ssrf_protection?(uri)
+        false
+      end
     end
   end
 end

data/lib/carrierwave/downloader/remote_file.rb

@@ -1,15 +1,36 @@
 module CarrierWave
   module Downloader
     class RemoteFile
-      attr_reader :file
+      attr_reader :file, :uri
 
       def initialize(file)
-        @file = file.is_a?(String) ? StringIO.new(file) : file
+        case file
+        when String
+          @file = StringIO.new(file)
+        when Net::HTTPResponse
+          @file = StringIO.new(file.body)
+          @content_type = file.content_type
+          @headers = file
+          @uri = file.uri
+        else
+          @file = file
+          @content_type = file.content_type
+          @headers = file.meta
+          @uri = file.base_uri
+        end
+      end
+
+      def content_type
+        @content_type || 'application/octet-stream'
+      end
+
+      def headers
+        @headers || {}
       end
 
       def original_filename
         filename = filename_from_header || filename_from_uri
-        mime_type = MiniMime.lookup_by_content_type(file.content_type)
+        mime_type = MiniMime.lookup_by_content_type(content_type)
         unless File.extname(filename).present? || mime_type.blank?
           filename = "#{filename}.#{mime_type.extension}"
         end
@@ -23,14 +44,16 @@ module CarrierWave
       private
 
       def filename_from_header
-        if file.meta.include? 'content-disposition'
-          match = file.meta['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
-          match[1].presence || match[2].presence
-        end
+        return nil unless headers['content-disposition']
+
+        match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+        return nil unless match
+
+        match[1].presence || match[2].presence
       end
 
       def filename_from_uri
-        CGI.unescape(File.basename(file.base_uri.path))
+        CGI.unescape(File.basename(uri.path))
       end
 
       def method_missing(*args, &block)

data/lib/carrierwave/locale/en.yml

@@ -4,11 +4,12 @@ en:
       carrierwave_processing_error: failed to be processed
       carrierwave_integrity_error: is not of an allowed file type
       carrierwave_download_error: could not be downloaded
-      extension_whitelist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
-      extension_blacklist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
-      content_type_whitelist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
-      content_type_blacklist_error: "You are not allowed to upload %{content_type} files"
+      extension_allowlist_error: "You are not allowed to upload %{extension} files, allowed types: %{allowed_types}"
+      extension_denylist_error: "You are not allowed to upload %{extension} files, prohibited types: %{prohibited_types}"
+      content_type_allowlist_error: "You are not allowed to upload %{content_type} files, allowed types: %{allowed_types}"
+      content_type_denylist_error: "You are not allowed to upload %{content_type} files"
       rmagick_processing_error: "Failed to manipulate with rmagick, maybe it is not an image?"
       mini_magick_processing_error: "Failed to manipulate with MiniMagick, maybe it is not an image? Original Error: %{e}"
+      vips_processing_error: "Failed to manipulate with vips, maybe it is not an image? Original Error: %{e}"
       min_size_error: "File size should be greater than %{min_size}"
       max_size_error: "File size should be less than %{max_size}"

data/lib/carrierwave/mounter.rb

@@ -72,9 +72,10 @@ module CarrierWave
     end
 
     def cache_names=(cache_names)
+      cache_names = cache_names.reject(&:blank?)
       return if cache_names.blank?
       clear_unstaged
-      cache_names.map do |cache_name|
+      cache_names.each do |cache_name|
         begin
           uploader = blank_uploader
           uploader.retrieve_from_cache!(cache_name)
@@ -91,7 +92,7 @@ module CarrierWave
       @remote_urls = urls
 
       clear_unstaged
-      urls.zip(remote_request_headers || []).map do |url, header|
+      urls.zip(remote_request_headers || []).each do |url, header|
         handle_error do
           uploader = blank_uploader
           uploader.download!(url, header || {})
@@ -113,7 +114,7 @@ module CarrierWave
     end
 
     def remove?
-      remove.present? && remove !~ /\A0|false$\z/
+      remove.present? && (remove == true || remove !~ /\A0|false$\z/)
     end
 
     def remove!

data/lib/carrierwave/processing.rb

@@ -1,2 +1,3 @@
 require "carrierwave/processing/rmagick"
 require "carrierwave/processing/mini_magick"
+require "carrierwave/processing/vips"

data/lib/carrierwave/processing/mini_magick.rb

@@ -297,7 +297,7 @@ module CarrierWave
 
       # backwards compatibility (we want to eventually move away from MiniMagick::Image)
       if block
-        image  = MiniMagick::Image.new(result.path, result)
+        image  = ::MiniMagick::Image.new(result.path, result)
         image  = block.call(image)
         result = image.instance_variable_get(:@tempfile)
       end

data/lib/carrierwave/processing/rmagick.rb

@@ -228,7 +228,7 @@ module CarrierWave
       height = dimension_from height
       manipulate! do |img|
         img.resize_to_fit!(width, height)
-        new_img = ::Magick::Image.new(width, height) { self.background_color = background == :transparent ? 'rgba(255,255,255,0)' : background.to_s }
+        new_img = ::Magick::Image.new(width, height) { |img| img.background_color = background == :transparent ? 'rgba(255,255,255,0)' : background.to_s }
         if background == :transparent
           filled = new_img.matte_floodfill(1, 1)
         else
@@ -378,9 +378,15 @@ module CarrierWave
 
     def create_info_block(options)
       return nil unless options
-      assignments = options.map { |k, v| "self.#{k} = #{v}" }
-      code = "lambda { |img| " + assignments.join(";") + "}"
-      eval code
+      proc do |img|
+        options.each do |k, v|
+          if v.is_a?(String) && (matches = v.match(/^["'](.+)["']/))
+            ActiveSupport::Deprecation.warn "Passing quoted strings like #{v} to #manipulate! is deprecated, pass them without quoting."
+            v = matches[1]
+          end
+          img.public_send(:"#{k}=", v)
+        end
+      end
     end
 
     def destroy_image(image)