carrierwave 2.1.0 → 2.1.1



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 00606ed46f8982064ac5a4c9a4c84ec913d2844cb27ef3701ab8eef9f3379810
4
- data.tar.gz: 66d28e5ffdb2c7d8c87f408847fa0a845e19fbe85559b01103e211d43e384e2d
3
+ metadata.gz: 84145959d912145a2915ab7adb9ccbd6bf7a971ab00cef83fb7f5092c349c9c5
4
+ data.tar.gz: 9ba122388fb8ff36563001ea9144e4a1d523b7be78433fed2a971a82588de5c8
5
5
  SHA512:
6
- metadata.gz: f1a4033c04815846930764b92e49a1d9c15c3d54acbe8ab2caafc605d7b04dabf9409f97fa66efa9f533ac341ed6062b821997114408d7b963b022fbc1602bdf
7
- data.tar.gz: 281fc8198bef5940ca8638a04888e44c2216688fee3e805da985f00dac7588830e8b50dd570484c5b0bf8a121e526c3aaa32981fcff4fd99b71a9b5bc2a72754
6
+ metadata.gz: 70f718887e9f4223405d8f273cafaf429395725eead688918d454499a50063fdc748cc519440d2010f783cfa1ec3ba19f54b5e07dc644d195cbe6d59f1c5b6b2
7
+ data.tar.gz: 50907c92735e096c691a1ee7d440a2b83de736de3016b78c11796d0c558c283774236e5acf18abb552212816a38905986a6ec3ad0d956736f88c79ae99cd9aa6
@@ -1,4 +1,5 @@
1
1
  require 'open-uri'
2
+ require 'ssrf_filter'
2
3
  require 'addressable'
3
4
  require 'carrierwave/downloader/remote_file'
4
5
 
@@ -22,12 +23,22 @@ module CarrierWave
22
23
  def download(url, remote_headers = {})
23
24
  headers = remote_headers.
24
25
  reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")
26
+ uri = process_uri(url.to_s)
25
27
  begin
26
- file = OpenURI.open_uri(process_uri(url.to_s), headers)
28
+ if skip_ssrf_protection?(uri)
29
+ response = OpenURI.open_uri(process_uri(url.to_s), headers)
30
+ else
31
+ request = nil
32
+ response = SsrfFilter.get(uri, headers: headers) do |req|
33
+ request = req
34
+ end
35
+ response.uri = request.uri
36
+ response.value
37
+ end
27
38
  rescue StandardError => e
28
39
  raise CarrierWave::DownloadError, "could not download file: #{e.message}"
29
40
  end
30
- CarrierWave::Downloader::RemoteFile.new(file)
41
+ CarrierWave::Downloader::RemoteFile.new(response)
31
42
  end
32
43
 
33
44
  ##
@@ -45,6 +56,28 @@ module CarrierWave
45
56
  rescue URI::InvalidURIError, Addressable::URI::InvalidURIError
46
57
  raise CarrierWave::DownloadError, "couldn't parse URL: #{uri}"
47
58
  end
59
+
60
+ ##
61
+ # If this returns true, SSRF protection will be bypassed.
62
+ # You can override this if you want to allow accessing specific local URIs that are not SSRF exploitable.
63
+ #
64
+ # === Parameters
65
+ #
66
+ # [uri (URI)] The URI where the remote file is stored
67
+ #
68
+ # === Examples
69
+ #
70
+ # class CarrierWave::Downloader::CustomDownloader < CarrierWave::Downloader::Base
71
+ # def skip_ssrf_protection?(uri)
72
+ # uri.hostname == 'localhost' && uri.port == 80
73
+ # end
74
+ # end
75
+ #
76
+ # my_uploader.downloader = CarrierWave::Downloader::CustomDownloader
77
+ #
78
+ def skip_ssrf_protection?(uri)
79
+ false
80
+ end
48
81
  end
49
82
  end
50
83
  end
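Review bot: The RDoc added for `skip_ssrf_protection?` does not say what the bypass actually does: in the `download` hunk above, a skipped URI is fetched with `OpenURI.open_uri`, which follows HTTP redirects on its own, so a host an override allows can redirect the fetch to an address SsrfFilter would have rejected. I would extend that comment with `# A skipped URI is fetched with open-uri, which follows redirects without any SSRF check, so only skip hosts whose responses you trust.` In the same bypass branch, `process_uri(url.to_s)` is parsed a second time although `uri` already holds that value two lines above; `response = OpenURI.open_uri(uri, headers)` keeps the old behaviour. On the filtered path, `response.value` is what raises for a non-2xx status and turns it into the DownloadError below, which deserves a short trailing comment such as `# raises Net::HTTPError on non-2xx; rescued below`. The enclosing class of both methods starts outside the hunk.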
@@ -1,15 +1,36 @@
1
1
  module CarrierWave
2
2
  module Downloader
3
3
  class RemoteFile
4
- attr_reader :file
4
+ attr_reader :file, :uri
5
5
 
6
6
  def initialize(file)
7
- @file = file.is_a?(String) ? StringIO.new(file) : file
7
+ case file
8
+ when String
9
+ @file = StringIO.new(file)
10
+ when Net::HTTPResponse
11
+ @file = StringIO.new(file.body)
12
+ @content_type = file.content_type
13
+ @headers = file
14
+ @uri = file.uri
15
+ else
16
+ @file = file
17
+ @content_type = file.content_type
18
+ @headers = file.meta
19
+ @uri = file.base_uri
20
+ end
21
+ end
22
+
23
+ def content_type
24
+ @content_type || 'application/octet-stream'
25
+ end
26
+
27
+ def headers
28
+ @headers || {}
8
29
  end
9
30
 
10
31
  def original_filename
11
32
  filename = filename_from_header || filename_from_uri
12
- mime_type = MiniMime.lookup_by_content_type(file.content_type)
33
+ mime_type = MiniMime.lookup_by_content_type(content_type)
13
34
  unless File.extname(filename).present? || mime_type.blank?
14
35
  filename = "#(unknown).#{mime_type.extension}"
15
36
  end
@@ -23,16 +44,16 @@ module CarrierWave
23
44
  private
24
45
 
25
46
  def filename_from_header
26
- return nil unless file.meta.include? 'content-disposition'
47
+ return nil unless headers['content-disposition']
27
48
 
28
- match = file.meta['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
49
+ match = headers['content-disposition'].match(/filename=(?:"([^"]+)"|([^";]+))/)
29
50
  return nil unless match
30
51
 
31
52
  match[1].presence || match[2].presence
32
53
  end
33
54
 
34
55
  def filename_from_uri
35
- CGI.unescape(File.basename(file.base_uri.path))
56
+ CGI.unescape(File.basename(uri.path))
36
57
  end
37
58
 
38
59
  def method_missing(*args, &block)
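Review bot: The new `else` branch of `initialize` calls `content_type`, `meta` and `base_uri` eagerly, whereas the removed lines only touched `file.content_type`, `file.meta` and `file.base_uri` lazily inside `original_filename` and its helpers; a caller that wraps a plain IO object now fails with NoMethodError at construction rather than only when a filename is requested, which the `'application/octet-stream'` and `{}` fallbacks added in the same hunk suggest was not intended. Guarding the three assignments keeps those fallbacks meaningful: `@content_type = file.content_type if file.respond_to?(:content_type)`, `@headers = file.meta if file.respond_to?(:meta)`, `@uri = file.base_uri if file.respond_to?(:base_uri)`. Relatedly, `filename_from_uri` now does `uri.path`, and `@uri` is whatever `response.uri` or `base_uri` returned, so if that is nil `original_filename` raises NoMethodError; the `uri` reader should either be documented as possibly nil or `filename_from_uri` should handle that case explicitly (note that `File.extname(filename)` in `original_filename` does not tolerate a nil filename either). The `method_missing` definition on the last line continues outside the hunk.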
@@ -378,9 +378,15 @@ module CarrierWave
378
378
 
379
379
  def create_info_block(options)
380
380
  return nil unless options
381
- assignments = options.map { |k, v| "self.#{k} = #{v}" }
382
- code = "lambda { |img| " + assignments.join(";") + "}"
383
- eval code
381
+ proc do |img|
382
+ options.each do |k, v|
383
+ if v.is_a?(String) && (matches = v.match(/^["'](.+)["']/))
384
+ ActiveSupport::Deprecation.warn "Passing quoted strings like #{v} to #manipulate! is deprecated, pass them without quoting."
385
+ v = matches[1]
386
+ end
387
+ img.public_send(:"#{k}=", v)
388
+ end
389
+ end
384
390
  end
385
391
 
386
392
  def destroy_image(image)
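Review bot: The deprecation check in `create_info_block` anchors only with `^`, which in Ruby matches at the start of any line, so a multi-line value whose later line happens to be quoted is rewritten to that line's content; `\A` is the whole-string anchor: `if v.is_a?(String) && (matches = v.match(/\A["'](.+)["']/))`. The reassignment `v = matches[1]` overwrites the block parameter, which reads like a shadowing mistake at first glance; a separate local — `value = v` before the `if`, `value = matches[1]` inside it, and `img.public_send(:"#{k}=", value)` — says the same thing more plainly. A one-line comment above the `proc`, e.g. `# Assign each option through its public setter; option values are data, never code.`, would keep the next maintainer from reintroducing source-string building here. The enclosing class continues outside the hunk.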
@@ -1,3 +1,3 @@
1
1
  module CarrierWave
2
- VERSION = "2.1.0"
2
+ VERSION = "2.1.1"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: carrierwave
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.0
4
+ version: 2.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jonas Nicklas
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-02-16 00:00:00.000000000 Z
11
+ date: 2021-02-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -94,6 +94,20 @@ dependencies:
94
94
  - - "~>"
95
95
  - !ruby/object:Gem::Version
96
96
  version: '2.6'
97
+ - !ruby/object:Gem::Dependency
98
+ name: ssrf_filter
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - "~>"
102
+ - !ruby/object:Gem::Version
103
+ version: '1.0'
104
+ type: :runtime
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - "~>"
109
+ - !ruby/object:Gem::Version
110
+ version: '1.0'
97
111
  - !ruby/object:Gem::Dependency
98
112
  name: pg
99
113
  requirement: !ruby/object:Gem::Requirement
@@ -347,7 +361,7 @@ homepage: https://github.com/carrierwaveuploader/carrierwave
347
361
  licenses:
348
362
  - MIT
349
363
  metadata: {}
350
- post_install_message:
364
+ post_install_message:
351
365
  rdoc_options:
352
366
  - "--main"
353
367
  require_paths:
@@ -363,8 +377,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
363
377
  - !ruby/object:Gem::Version
364
378
  version: '0'
365
379
  requirements: []
366
- rubygems_version: 3.0.3
367
- signing_key:
380
+ rubygems_version: 3.1.2
381
+ signing_key:
368
382
  specification_version: 4
369
383
  summary: Ruby file upload library
370
384
  test_files: []