dragonfly 1.3.0 → 1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5385c46218c68349adc9f33a89600ed52901b483fc4b8b7ad3bab0ea1e3aa579
-  data.tar.gz: bd4341674548d3526d786be990912b527745000b6d887148e91bfe88e7a9618c
+  metadata.gz: 53b6c0b281a6030e69614429aa17a2f7e86e0037bffa2b7346e37c950444c563
+  data.tar.gz: 101cc564359bef667df565eec4ee6a8e4d00aad2f2f792c8cf0313e939ebfa67
 SHA512:
-  metadata.gz: 28b284e2ca3d15914787357c2035f900a2c0c61c5fdc0b36302b2bcd24b01683b073774b70a9583ef446ba764dbb7019e3e92eab8cd83b042d428236498ccaf4
-  data.tar.gz: 2fc17f0f4587fe85ccf6af91798a0a89aa58086a9518445d2684abcffd16ab9d53c10fdea2e7f0a5cb2f07a24774b3865b80e7ddd293f5a53bfea4f04b0b24bd
+  metadata.gz: 1afbcdd97912f2ec6bf7ba49261f885e0ddf0c4df16b1fd8b76824d6a87e1dca3be024fe666f7eb961269017f5af841aaaebe4bb7c21396f0f15db76fc7791ed
+  data.tar.gz: f26309d103bc2101287cf5e9c5cf9915defe5072275ea36b9b3cc1fa579a34c84723b48244c3ede6d49dbad71915b2267840077401a67bb8a1b585e1cc8edb66

data/.travis.yml

@@ -6,6 +6,7 @@ rvm:
   - "2.5"
   - "2.6"
   - "2.7"
+  - "3.0"
   - "jruby"
 
 env:

data/History.md

@@ -1,3 +1,19 @@
+# 1.4.1 (2025-01-03)
+
+## Fixes
+
+- Added ostruct dependency as Ruby 3.5 will remove it from stdlib
+
+# 1.4.0 (2021-05-19)
+
+## Changes
+
+- Removed `convert` processor and generator (which were quite insecure), in favour of utility commands in `Dragonfly::ImageMagick::Commands`
+
+## Fixes
+
+- Better security for all job steps with parameter validations - addresses CVE-2021-33564
+
 # 1.3.0 (2021-01-09)
 
 ## Changes

data/README.md

@@ -47,7 +47,7 @@ Installation
 
 or in your Gemfile
 ```ruby
-gem 'dragonfly', '~> 1.2.2'
+gem 'dragonfly', '~> 1.4.0'
 ```
 
 Require with
@@ -72,6 +72,10 @@ See [the Add-ons wiki](http://github.com/markevans/dragonfly/wiki/Dragonfly-add-
 
 Please feel free to contribute!!
 
+Security notice!
+=================
+If you have set `verify_urls` to `false` (which is **not** recommended) then you should upgrade to version `1.4.x` for a security fix ([CVE-2021-33564](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564)).
+
 Issues
 ======
 Please use the <a href="http://github.com/markevans/dragonfly/issues">github issue tracker</a> if you have any issues.

data/dev/test.ru

@@ -24,7 +24,7 @@ class App
     end
     [
       200,
-      {'Content-Type' => 'text/html'},
+      {'content-type' => 'text/html'},
       [%(
         <style>
           form, input {

data/dragonfly.gemspec

@@ -25,9 +25,10 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency("rack", ">= 1.3")
   spec.add_runtime_dependency("multi_json", "~> 1.0")
   spec.add_runtime_dependency("addressable", "~> 2.3")
+  spec.add_runtime_dependency("ostruct", "~> 0.6.1")
 
   # Development dependencies
-  spec.add_development_dependency("rspec", "~> 2.5")
+  spec.add_development_dependency("rspec", "~> 3.0")
   spec.add_development_dependency("webmock")
   spec.add_development_dependency("activemodel")
   if RUBY_PLATFORM == "java"

data/lib/dragonfly/content.rb

@@ -1,8 +1,8 @@
-require 'base64'
-require 'forwardable'
-require 'dragonfly/has_filename'
-require 'dragonfly/temp_object'
-require 'dragonfly/utils'
+require "base64"
+require "forwardable"
+require "dragonfly/has_filename"
+require "dragonfly/temp_object"
+require "dragonfly/utils"
 
 module Dragonfly
 
@@ -16,11 +16,10 @@ module Dragonfly
   # It is acted upon in generator, processor, analyser and datastore methods and provides a standard interface for updating content,
   # no matter how that content first got there (whether in the form of a String/Pathname/File/etc.)
   class Content
-
     include HasFilename
     extend Forwardable
 
-    def initialize(app, obj="", meta=nil)
+    def initialize(app, obj = "", meta = nil)
       @app = app
       @meta = {}
       @previous_temp_objects = []
@@ -79,7 +78,7 @@ module Dragonfly
     # @example "image/jpeg"
     # @return [String]
     def mime_type
-      meta['mime_type'] || app.mime_type_for(ext)
+      meta["mime_type"] || app.mime_type_for(ext)
     end
 
     # Set the content using a pre-registered generator
@@ -93,7 +92,7 @@ module Dragonfly
 
     # Update the content using a pre-registered processor
     # @example
-    #   content.process!(:convert, "-resize 300x300")
+    #   content.process!(:thumb, "300x300")
     # @return [Content] self
     def process!(name, *args)
       app.get_processor(name).call(self, *args)
@@ -111,10 +110,10 @@ module Dragonfly
     # @param obj [String, Pathname, Tempfile, File, Content, TempObject] can be any of these types
     # @param meta [Hash] - should be json-like, i.e. contain no types other than String, Number, Boolean
     # @return [Content] self
-    def update(obj, meta=nil)
+    def update(obj, meta = nil)
       meta ||= {}
-      self.temp_object = TempObject.new(obj, meta['name'])
-      self.meta['name'] ||= temp_object.name if temp_object.name
+      self.temp_object = TempObject.new(obj, meta["name"])
+      self.meta["name"] ||= temp_object.name if temp_object.name
       clear_analyser_cache
       add_meta(obj.meta) if obj.respond_to?(:meta)
       add_meta(meta)
@@ -135,7 +134,7 @@ module Dragonfly
     #     "file --mime-type #{path}"
     #   end
     #   # ===> "beach.jpg: image/jpeg"
-    def shell_eval(opts={})
+    def shell_eval(opts = {})
       should_escape = opts[:escape] != false
       command = yield(should_escape ? shell.escape(path) : path)
       run command, :escape => should_escape
@@ -148,7 +147,7 @@ module Dragonfly
     #     "/usr/local/bin/generate_text gumfry -o #{path}"
     #   end
     # @return [Content] self
-    def shell_generate(opts={})
+    def shell_generate(opts = {})
       ext = opts[:ext] || self.ext
       should_escape = opts[:escape] != false
       tempfile = Utils.new_tempfile(ext)
@@ -165,7 +164,7 @@ module Dragonfly
     #     "convert -resize 20x10 #{old_path} #{new_path}"
     #   end
     # @return [Content] self
-    def shell_update(opts={})
+    def shell_update(opts = {})
       ext = opts[:ext] || self.ext
       should_escape = opts[:escape] != false
       tempfile = Utils.new_tempfile(ext)
@@ -176,7 +175,7 @@ module Dragonfly
       update(tempfile)
     end
 
-    def store(opts={})
+    def store(opts = {})
       datastore.write(self, opts)
     end
 
@@ -188,7 +187,7 @@ module Dragonfly
     end
 
     def close
-      previous_temp_objects.each{|temp_object| temp_object.close }
+      previous_temp_objects.each { |temp_object| temp_object.close }
       temp_object.close
     end
 
@@ -199,6 +198,7 @@ module Dragonfly
     private
 
     attr_reader :previous_temp_objects
+
     def temp_object=(temp_object)
       previous_temp_objects.push(@temp_object) if @temp_object
       @temp_object = temp_object
@@ -215,6 +215,5 @@ module Dragonfly
     def run(command, opts)
       shell.run(command, opts)
     end
-
   end
 end

data/lib/dragonfly/image_magick/commands.rb

@@ -0,0 +1,35 @@
+module Dragonfly
+  module ImageMagick
+    module Commands
+      module_function
+
+      def convert(content, args = "", opts = {})
+        convert_command = content.env[:convert_command] || "convert"
+        format = opts["format"]
+
+        input_args = opts["input_args"] if opts["input_args"]
+        delegate_string = "#{opts["delegate"]}:" if opts["delegate"]
+        frame_string = "[#{opts["frame"]}]" if opts["frame"]
+
+        content.shell_update :ext => format do |old_path, new_path|
+          "#{convert_command} #{input_args} #{delegate_string}#{old_path}#{frame_string} #{args} #{new_path}"
+        end
+
+        if format
+          content.meta["format"] = format.to_s
+          content.ext = format
+          content.meta["mime_type"] = nil # don't need it as we have ext now
+        end
+      end
+
+      def generate(content, args, format)
+        format = format.to_s
+        convert_command = content.env[:convert_command] || "convert"
+        content.shell_generate :ext => format do |path|
+          "#{convert_command} #{args} #{path}"
+        end
+        content.add_meta("format" => format)
+      end
+    end
+  end
+end

data/lib/dragonfly/image_magick/generators/plain.rb

@@ -1,25 +1,31 @@
+require "dragonfly/image_magick/commands"
+require "dragonfly/param_validators"
+
 module Dragonfly
   module ImageMagick
     module Generators
       class Plain
+        include ParamValidators
 
-        def call(content, width, height, opts={})
+        def call(content, width, height, opts = {})
+          validate_all!([width, height], &is_number)
+          validate_all_keys!(opts, %w(colour color format), &is_word)
           format = extract_format(opts)
-          colour = opts['colour'] || opts['color'] || 'white'
-          content.generate!(:convert, "-size #{width}x#{height} xc:#{colour}", format)
-          content.add_meta('format' => format, 'name' => "plain.#{format}")
+
+          colour = opts["colour"] || opts["color"] || "white"
+          Commands.generate(content, "-size #{width}x#{height} xc:#{colour}", format)
+          content.add_meta("format" => format, "name" => "plain.#{format}")
         end
 
-        def update_url(url_attributes, width, height, opts={})
+        def update_url(url_attributes, width, height, opts = {})
           url_attributes.name = "plain.#{extract_format(opts)}"
         end
 
         private
 
         def extract_format(opts)
-          opts['format'] || 'png'
+          opts["format"] || "png"
         end
-
       end
     end
   end

data/lib/dragonfly/image_magick/generators/plasma.rb

@@ -1,24 +1,28 @@
+require "dragonfly/image_magick/commands"
+
 module Dragonfly
   module ImageMagick
     module Generators
       class Plasma
+        include ParamValidators
 
-        def call(content, width, height, opts={})
+        def call(content, width, height, opts = {})
+          validate_all!([width, height], &is_number)
+          validate!(opts["format"], &is_word)
           format = extract_format(opts)
-          content.generate!(:convert, "-size #{width}x#{height} plasma:fractal", format)
-          content.add_meta('format' => format, 'name' => "plasma.#{format}")
+          Commands.generate(content, "-size #{width}x#{height} plasma:fractal", format)
+          content.add_meta("format" => format, "name" => "plasma.#{format}")
         end
 
-        def update_url(url_attributes, width, height, opts={})
+        def update_url(url_attributes, width, height, opts = {})
           url_attributes.name = "plasma.#{extract_format(opts)}"
         end
 
         private
 
         def extract_format(opts)
-          opts['format'] || 'png'
+          opts["format"] || "png"
         end
-
       end
     end
   end

data/lib/dragonfly/image_magick/generators/text.rb

@@ -1,100 +1,111 @@
-require 'dragonfly/hash_with_css_style_keys'
+require "dragonfly/hash_with_css_style_keys"
+require "dragonfly/image_magick/commands"
+require "dragonfly/param_validators"
 
 module Dragonfly
   module ImageMagick
     module Generators
       class Text
+        include ParamValidators
 
         FONT_STYLES = {
-          'normal'  => 'normal',
-          'italic'  => 'italic',
-          'oblique' => 'oblique'
+          "normal" => "normal",
+          "italic" => "italic",
+          "oblique" => "oblique",
         }
 
         FONT_STRETCHES = {
-          'normal'          => 'normal',
-          'semi-condensed'  => 'semi-condensed',
-          'condensed'       => 'condensed',
-          'extra-condensed' => 'extra-condensed',
-          'ultra-condensed' => 'ultra-condensed',
-          'semi-expanded'   => 'semi-expanded',
-          'expanded'        => 'expanded',
-          'extra-expanded'  => 'extra-expanded',
-          'ultra-expanded'  => 'ultra-expanded'
+          "normal" => "normal",
+          "semi-condensed" => "semi-condensed",
+          "condensed" => "condensed",
+          "extra-condensed" => "extra-condensed",
+          "ultra-condensed" => "ultra-condensed",
+          "semi-expanded" => "semi-expanded",
+          "expanded" => "expanded",
+          "extra-expanded" => "extra-expanded",
+          "ultra-expanded" => "ultra-expanded",
         }
 
         FONT_WEIGHTS = {
-          'normal'  => 'normal',
-          'bold'    => 'bold',
-          'bolder'  => 'bolder',
-          'lighter' => 'lighter',
-          '100'     => 100,
-          '200'     => 200,
-          '300'     => 300,
-          '400'     => 400,
-          '500'     => 500,
-          '600'     => 600,
-          '700'     => 700,
-          '800'     => 800,
-          '900'     => 900
+          "normal" => "normal",
+          "bold" => "bold",
+          "bolder" => "bolder",
+          "lighter" => "lighter",
+          "100" => 100,
+          "200" => 200,
+          "300" => 300,
+          "400" => 400,
+          "500" => 500,
+          "600" => 600,
+          "700" => 700,
+          "800" => 800,
+          "900" => 900,
         }
 
-        def update_url(url_attributes, string, opts={})
+        IS_COLOUR = ->(param) {
+          /\A(#\w+|rgba?\([\d\.,]+\)|\w+)\z/ === param
+        }
+
+        def update_url(url_attributes, string, opts = {})
           url_attributes.name = "text.#{extract_format(opts)}"
         end
 
-        def call(content, string, opts={})
+        def call(content, string, opts = {})
+          validate_all_keys!(opts, %w(font font_family), &is_words)
+          validate_all_keys!(opts, %w(color background_color stroke_color), &IS_COLOUR)
+          validate!(opts["format"], &is_word)
+
           opts = HashWithCssStyleKeys[opts]
           args = []
           format = extract_format(opts)
-          background = opts['background_color'] || 'none'
-          font_size = (opts['font_size'] || 12).to_i
+          background = opts["background_color"] || "none"
+          font_size = (opts["font_size"] || 12).to_i
+          font_family = opts["font_family"] || opts["font"]
           escaped_string = "\"#{string.gsub(/"/, '\"')}\""
 
           # Settings
           args.push("-gravity NorthWest")
           args.push("-antialias")
           args.push("-pointsize #{font_size}")
-          args.push("-font \"#{opts['font']}\"") if opts['font']
-          args.push("-family '#{opts['font_family']}'") if opts['font_family']
-          args.push("-fill #{opts['color']}") if opts['color']
-          args.push("-stroke #{opts['stroke_color']}") if opts['stroke_color']
-          args.push("-style #{FONT_STYLES[opts['font_style']]}") if opts['font_style']
-          args.push("-stretch #{FONT_STRETCHES[opts['font_stretch']]}") if opts['font_stretch']
-          args.push("-weight #{FONT_WEIGHTS[opts['font_weight']]}") if opts['font_weight']
+          args.push("-family '#{font_family}'") if font_family
+          args.push("-fill #{opts["color"]}") if opts["color"]
+          args.push("-stroke #{opts["stroke_color"]}") if opts["stroke_color"]
+          args.push("-style #{FONT_STYLES[opts["font_style"]]}") if opts["font_style"]
+          args.push("-stretch #{FONT_STRETCHES[opts["font_stretch"]]}") if opts["font_stretch"]
+          args.push("-weight #{FONT_WEIGHTS[opts["font_weight"]]}") if opts["font_weight"]
           args.push("-background #{background}")
           args.push("label:#{escaped_string}")
 
           # Padding
-          pt, pr, pb, pl = parse_padding_string(opts['padding']) if opts['padding']
-          padding_top    = (opts['padding_top']    || pt || 0)
-          padding_right  = (opts['padding_right']  || pr || 0)
-          padding_bottom = (opts['padding_bottom'] || pb || 0)
-          padding_left   = (opts['padding_left']   || pl || 0)
+          pt, pr, pb, pl = parse_padding_string(opts["padding"]) if opts["padding"]
+          padding_top = (opts["padding_top"] || pt).to_i
+          padding_right = (opts["padding_right"] || pr).to_i
+          padding_bottom = (opts["padding_bottom"] || pb).to_i
+          padding_left = (opts["padding_left"] || pl).to_i
 
-          content.generate!(:convert, args.join(' '), format)
+          Commands.generate(content, args.join(" "), format)
 
           if (padding_top || padding_right || padding_bottom || padding_left)
             dimensions = content.analyse(:image_properties)
-            text_width  = dimensions['width']
-            text_height = dimensions['height']
-            width  = padding_left + text_width  + padding_right
-            height = padding_top  + text_height + padding_bottom
+            text_width = dimensions["width"]
+            text_height = dimensions["height"]
+            width = padding_left + text_width + padding_right
+            height = padding_top + text_height + padding_bottom
 
             args = args.slice(0, args.length - 2)
             args.push("-size #{width}x#{height}")
             args.push("xc:#{background}")
             args.push("-annotate 0x0+#{padding_left}+#{padding_top} #{escaped_string}")
-            content.generate!(:convert, args.join(' '), format)
+            Commands.generate(content, args.join(" "), format)
           end
 
-          content.add_meta('format' => format, 'name' => "text.#{format}")
+          content.add_meta("format" => format, "name" => "text.#{format}")
         end
 
         private
 
         def extract_format(opts)
-          opts['format'] || 'png'
+          opts["format"] || "png"
         end
 
         # Use css-style padding declaration, i.e.
@@ -103,25 +114,23 @@ module Dragonfly
         # 10 5 10   (top, left/right, bottom)
         # 10 5 10 5 (top, right, bottom, left)
         def parse_padding_string(str)
-          padding_parts = str.gsub('px','').split(/\s+/).map{|px| px.to_i}
+          padding_parts = str.gsub("px", "").split(/\s+/).map { |px| px.to_i }
           case padding_parts.size
           when 1
             p = padding_parts.first
-            [p,p,p,p]
+            [p, p, p, p]
           when 2
-            p,q = padding_parts
-            [p,q,p,q]
+            p, q = padding_parts
+            [p, q, p, q]
           when 3
-            p,q,r = padding_parts
-            [p,q,r,q]
+            p, q, r = padding_parts
+            [p, q, r, q]
           when 4
             padding_parts
           else raise ArgumentError, "Couldn't parse padding string '#{str}' - should be a css-style string"
           end
         end
       end
-
     end
   end
 end
-

data/lib/dragonfly/image_magick/plugin.rb

@@ -1,11 +1,11 @@
-require 'dragonfly/image_magick/analysers/image_properties'
-require 'dragonfly/image_magick/generators/convert'
-require 'dragonfly/image_magick/generators/plain'
-require 'dragonfly/image_magick/generators/plasma'
-require 'dragonfly/image_magick/generators/text'
-require 'dragonfly/image_magick/processors/convert'
-require 'dragonfly/image_magick/processors/encode'
-require 'dragonfly/image_magick/processors/thumb'
+require "dragonfly/image_magick/analysers/image_properties"
+require "dragonfly/image_magick/generators/plain"
+require "dragonfly/image_magick/generators/plasma"
+require "dragonfly/image_magick/generators/text"
+require "dragonfly/image_magick/processors/encode"
+require "dragonfly/image_magick/processors/thumb"
+require "dragonfly/image_magick/commands"
+require "dragonfly/param_validators"
 
 module Dragonfly
   module ImageMagick
@@ -13,37 +13,36 @@ module Dragonfly
     # The ImageMagick Plugin registers an app with generators, analysers and processors.
     # Look at the source code for #call to see exactly how it configures the app.
     class Plugin
-
-      def call(app, opts={})
+      def call(app, opts = {})
         # ENV
-        app.env[:convert_command] = opts[:convert_command] || 'convert'
-        app.env[:identify_command] = opts[:identify_command] || 'identify'
+        app.env[:convert_command] = opts[:convert_command] || "convert"
+        app.env[:identify_command] = opts[:identify_command] || "identify"
 
         # Analysers
         app.add_analyser :image_properties, ImageMagick::Analysers::ImageProperties.new
         app.add_analyser :width do |content|
-          content.analyse(:image_properties)['width']
+          content.analyse(:image_properties)["width"]
         end
         app.add_analyser :height do |content|
-          content.analyse(:image_properties)['height']
+          content.analyse(:image_properties)["height"]
         end
         app.add_analyser :format do |content|
-          content.analyse(:image_properties)['format']
+          content.analyse(:image_properties)["format"]
         end
         app.add_analyser :aspect_ratio do |content|
           attrs = content.analyse(:image_properties)
-          attrs['width'].to_f / attrs['height']
+          attrs["width"].to_f / attrs["height"]
         end
         app.add_analyser :portrait do |content|
           attrs = content.analyse(:image_properties)
-          attrs['width'] <= attrs['height']
+          attrs["width"] <= attrs["height"]
         end
         app.add_analyser :landscape do |content|
           !content.analyse(:portrait)
         end
         app.add_analyser :image do |content|
           begin
-            content.analyse(:image_properties)['format'] != 'pdf'
+            content.analyse(:image_properties)["format"] != "pdf"
           rescue Shell::CommandFailed
             false
           end
@@ -55,29 +54,31 @@ module Dragonfly
         app.define(:image?) { image }
 
         # Generators
-        app.add_generator :convert, ImageMagick::Generators::Convert.new
         app.add_generator :plain, ImageMagick::Generators::Plain.new
         app.add_generator :plasma, ImageMagick::Generators::Plasma.new
         app.add_generator :text, ImageMagick::Generators::Text.new
+        app.add_generator :convert do
+          raise "The convert generator is deprecated for better security - use Dragonfly::ImageMagick::Commands.generate(content, args, format) instead."
+        end
 
         # Processors
-        app.add_processor :convert, Processors::Convert.new
         app.add_processor :encode, Processors::Encode.new
         app.add_processor :thumb, Processors::Thumb.new
         app.add_processor :rotate do |content, amount|
-          content.process!(:convert, "-rotate #{amount}")
+          ParamValidators.validate!(amount, &ParamValidators.is_number)
+          Commands.convert(content, "-rotate #{amount}")
+        end
+        app.add_processor :convert do
+          raise "The convert processor is deprecated for better security - use Dragonfly::ImageMagick::Commands.convert(content, args, opts) instead."
         end
 
         # Extra methods
-        app.define :identify do |cli_args=nil|
+        app.define :identify do |cli_args = nil|
           shell_eval do |path|
             "#{app.env[:identify_command]} #{cli_args} #{path}"
           end
         end
-
       end
-
     end
   end
 end
-

data/lib/dragonfly/image_magick/processors/encode.rb

@@ -1,18 +1,29 @@
+require "dragonfly/image_magick/commands"
+
 module Dragonfly
   module ImageMagick
     module Processors
       class Encode
+        include ParamValidators
+
+        WHITELISTED_ARGS = %w(quality)
+
+        IS_IN_WHITELISTED_ARGS = ->(args_string) {
+          args_string.scan(/-\w+/).all? { |arg|
+            WHITELISTED_ARGS.include?(arg.sub("-", ""))
+          }
+        }
 
-        def update_url(attrs, format, args="")
+        def update_url(attrs, format, args = "")
           attrs.ext = format.to_s
         end
 
-        def call(content, format, args="")
-          content.process!(:convert, args, 'format' => format)
+        def call(content, format, args = "")
+          validate!(format, &is_word)
+          validate!(args, &IS_IN_WHITELISTED_ARGS)
+          Commands.convert(content, args, "format" => format)
         end
-
       end
     end
   end
 end
-