carrierwave 2.1.0 → 2.1.1

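--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 00606ed46f8982064ac5a4c9a4c84ec913d2844cb27ef3701ab8eef9f3379810
-data.tar.gz: 66d28e5ffdb2c7d8c87f408847fa0a845e19fbe85559b01103e211d43e384e2d
+metadata.gz: 84145959d912145a2915ab7adb9ccbd6bf7a971ab00cef83fb7f5092c349c9c5
+data.tar.gz: 9ba122388fb8ff36563001ea9144e4a1d523b7be78433fed2a971a82588de5c8
 SHA512:
-metadata.gz: f1a4033c04815846930764b92e49a1d9c15c3d54acbe8ab2caafc605d7b04dabf9409f97fa66efa9f533ac341ed6062b821997114408d7b963b022fbc1602bdf
-data.tar.gz: 281fc8198bef5940ca8638a04888e44c2216688fee3e805da985f00dac7588830e8b50dd570484c5b0bf8a121e526c3aaa32981fcff4fd99b71a9b5bc2a72754
+metadata.gz: 70f718887e9f4223405d8f273cafaf429395725eead688918d454499a50063fdc748cc519440d2010f783cfa1ec3ba19f54b5e07dc644d195cbe6d59f1c5b6b2
+data.tar.gz: 50907c92735e096c691a1ee7d440a2b83de736de3016b78c11796d0c558c283774236e5acf18abb552212816a38905986a6ec3ad0d956736f88c79ae99cd9aa6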
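--- a/path-not-on-page-1
+++ b/path-not-on-page-1
@@ -1,4 +1,5 @@
 require 'open-uri'
+require 'ssrf_filter'
 require 'addressable'
 require 'carrierwave/downloader/remote_file'
 
@@ -22,12 +23,22 @@ module CarrierWave
 def download(url, remote_headers = {})
 headers = remote_headers.
 reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
+uri = process_uri(url.to_s)
 begin
-file = OpenURI.open_uri(process_uri(url.to_s), headers)
+if skip_ssrf_protection?(uri)
+response = OpenURI.open_uri(process_uri(url.to_s), headers)
+else
+request = nil
+response = SsrfFilter.get(uri, headers: headers) do |req|
+request = req
+end
+response.uri = request.uri
+response.value
+end
 rescue StandardError => e
 raise CarrierWave::DownloadError, "could not download file: #{e.message}"
 end
-CarrierWave::Downloader::RemoteFile.new(file)
+CarrierWave::Downloader::RemoteFile.new(response)
 end
 
 ##
@@ -45,6 +56,28 @@ module CarrierWave
 rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
 raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
 end
+
+##
+# If this returns true, SSRF protection will be bypassed.
+# You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
+#
+# === Parameters
+#
+# [uri (URI)] The URI where the remote file is stored
+#
+# === Examples
+#
+# class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
+# def skip_ssrf_protection?(uri)
+# uri.hostname == 'localhost' && uri.port == 80
+# end
+# end
+#
+# my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
+#
+def skip_ssrf_protection?(uri)
+false
+end
 end
 end
 end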
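Review bot: In the bypass branch of `download` the URL is parsed a second time with `process_uri(url.to_s)` although `uri` was computed on the line above; `response = OpenURI.open_uri(uri, headers)` keeps a single parse and a single place to audit what is fetched. The predicate added in the third hunk is consulted only for that initial URI: open-uri follows redirects on its own, so an override that returns true for, say, a localhost URI also accepts whatever host that URI redirects to, whereas the SsrfFilter path appears to validate each hop (the block that records `request` runs per request). That is worth stating in the `skip_ssrf_protection?` rdoc, e.g. `# Note: evaluated once on the initial URI; redirects are then followed by open-uri without re-checking, so only bypass for hosts you control.` A smaller point: if the block never runs, `request.uri` raises NoMethodError, which the rescue turns into a DownloadError with an unhelpful message; `raise CarrierWave::DownloadError, "no request was made for #{uri}" unless request` would name the condition.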
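--- a/path-not-on-page-2
+++ b/path-not-on-page-2
@@ -1,15 +1,36 @@
 module CarrierWave
 module Downloader
 class RemoteFile
-attr_reader :file
+attr_reader :file, :uri
 
 def initialize(file)
-@file = file.is_a?(String) ? StringIO.new(file) : file
+case file
+when String
+@file = StringIO.new(file)
+when Net::HTTPResponse
+@file = StringIO.new(file.body)
+@content_type = file.content_type
+@headers = file
+@uri = file.uri
+else
+@file = file
+@content_type = file.content_type
+@headers = file.meta
+@uri = file.base_uri
+end
+end
+
+def content_type
+@content_type || 'application/octet-stream'
+end
+
+def headers
+@headers || {}
 end
 
 def original_filename
 filename = filename_from_header || filename_from_uri
-mime_type = MiniMime.lookup_by_content_type(file.content_type)
+mime_type = MiniMime.lookup_by_content_type(content_type)
 unless File.extname(filename).present? || mime_type.blank?
 filename = "#(unknown).#{mime_type.extension}"
 end
@@ -23,16 +44,16 @@ module CarrierWave
 private
 
 def filename_from_header
-return nil unless file.meta.include? 'content-disposition'
+return nil unless headers['content-disposition']
 
-match = file.meta['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
+match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
 return nil unless match
 
 match[1].presence || match[2].presence
 end
 
 def filename_from_uri
-CGI.unescape(File.basename(file.base_uri.path))
+CGI.unescape(File.basename(uri.path))
 end
 
 def method_missing(*args, &block)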
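Review bot: In `initialize`, the `Net::HTTPResponse` branch wraps `file.body` in a StringIO, so the entire download is held in memory as one String, while the `else` branch keeps whatever object open-uri produced (which, as far as I recall, spills to a Tempfile above a size threshold); the two paths therefore behave differently for large remote files, and a size limit or a comment is warranted on that line, e.g. `# Net::HTTP has already read the whole body into memory; unlike open-uri there is no tempfile spill.` The `String` branch leaves `@uri` nil, so `filename_from_uri` in the second hunk raises NoMethodError on `uri.path` for string-constructed instances; this is not new (`file.base_uri` on a StringIO failed before), but a comment such as `# @uri stays nil for String input; original_filename needs a URI-backed instance` would make the constraint visible. The `headers` reader returns either a Hash (open-uri meta) or the response object itself, so callers should rely only on `[]`, which both support.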
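--- a/path-not-on-page-3
+++ b/path-not-on-page-3
@@ -378,9 +378,15 @@ module CarrierWave
 
 def create_info_block(options)
 return nil unless options
-assignments = options.map { |k, v| "self.#{k} = #{v}" }
-code = "lambda { |img| " + assignments.join(";") + "}"
-eval code
+proc do |img|
+options.each do |k, v|
+if v.is_a?(String) && (matches = v.match(/^["'](.+)["']/))
+ActiveSupport::Deprecation.warn "Passing quoted strings like #{v} to #manipulate! is deprecated, pass them without quoting."
+v = matches[1]
+end
+img.public_send(:"#{k}=", v)
+end
+end
 end
 
 def destroy_image(image)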
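Review bot: The deprecation check `v.match(/^["'](.+)["']/)` is anchored only at line start and has no end anchor, so a value like `"foo" bar` (constructed example) matches and is silently shortened to `foo`, and `^` also matches after an embedded newline; `/\A["'](.+)["']\z/` restricts the unquoting to values that are entirely quoted, which is what the warning text describes. With string-built `eval` gone, the option key still selects which public setter `public_send(:"#{k}=", v)` invokes, so the trust assumption deserves a comment on that line, e.g. `# keys are setter names chosen by the uploader's own code, not by request input`, if that is indeed how `manipulate!` is called. The method is fully visible in the hunk.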
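--- a/path-not-on-page-4
+++ b/path-not-on-page-4
@@ -1,3 +1,3 @@
 module CarrierWave
-VERSION = "2.1.0"
+VERSION = "2.1.1"
 end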
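--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: carrierwave
 version: !ruby/object:Gem::Version
-version: 2.1.0
+version: 2.1.1
 platform: ruby
 authors:
 - Jonas Nicklas
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-16 00:00:00.000000000 Z
+date: 2021-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -94,6 +94,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '2.6'
+- !ruby/object:Gem::Dependency
+name: ssrf_filter
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 - !ruby/object:Gem::Dependency
 name: pg
 requirement: !ruby/object:Gem::Requirement
@@ -347,7 +361,7 @@ homepage: https://github.com/carrierwaveuploader/carrierwave
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options:
 - "--main"
 require_paths:
@@ -363,8 +377,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Ruby file upload library
 test_files: []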