dragonfly 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5385c46218c68349adc9f33a89600ed52901b483fc4b8b7ad3bab0ea1e3aa579
-  data.tar.gz: bd4341674548d3526d786be990912b527745000b6d887148e91bfe88e7a9618c
+  metadata.gz: 16341445bb67f27ae4dc7492244b038df290440a5f4b64d71cca3c637fd8b4d0
+  data.tar.gz: '0285f83e005198572fb9a52dea16eef2acca80ded36e9fa905b88d66701221fe'
 SHA512:
-  metadata.gz: 28b284e2ca3d15914787357c2035f900a2c0c61c5fdc0b36302b2bcd24b01683b073774b70a9583ef446ba764dbb7019e3e92eab8cd83b042d428236498ccaf4
-  data.tar.gz: 2fc17f0f4587fe85ccf6af91798a0a89aa58086a9518445d2684abcffd16ab9d53c10fdea2e7f0a5cb2f07a24774b3865b80e7ddd293f5a53bfea4f04b0b24bd
+  metadata.gz: ea5f8440e718e3521eaca6824b3dd600817994ed144b5c69a9e609fa24ff8e9583a415a9a2ee9a309e7f622d7d33e0712525ce18ed020942a1585b80ef889cef
+  data.tar.gz: 1c81c3c4ed0bfe6421d3ca6ca69432929a4e8233b468d582586fca5d308758bbc9c6042d830e42bd4421c198452df019e802fcf151c277e3ac7248942cf30af0

data/.travis.yml

@@ -6,6 +6,7 @@ rvm:
   - "2.5"
   - "2.6"
   - "2.7"
+  - "3.0"
   - "jruby"
 
 env:

data/History.md

@@ -1,3 +1,13 @@
+# 1.4.0 (2021-05-19)
+
+## Changes
+
+- Removed `convert` processor and generator (which were quite insecure), in favour of utility commands in `Dragonfly::ImageMagick::Commands`
+
+## Fixes
+
+- Better security for all job steps with parameter validations
+
 # 1.3.0 (2021-01-09)
 
 ## Changes

data/lib/dragonfly/content.rb

@@ -1,8 +1,8 @@
-require 'base64'
-require 'forwardable'
-require 'dragonfly/has_filename'
-require 'dragonfly/temp_object'
-require 'dragonfly/utils'
+require "base64"
+require "forwardable"
+require "dragonfly/has_filename"
+require "dragonfly/temp_object"
+require "dragonfly/utils"
 
 module Dragonfly
 
@@ -16,11 +16,10 @@ module Dragonfly
   # It is acted upon in generator, processor, analyser and datastore methods and provides a standard interface for updating content,
   # no matter how that content first got there (whether in the form of a String/Pathname/File/etc.)
   class Content
-
     include HasFilename
     extend Forwardable
 
-    def initialize(app, obj="", meta=nil)
+    def initialize(app, obj = "", meta = nil)
       @app = app
       @meta = {}
       @previous_temp_objects = []
@@ -79,7 +78,7 @@ module Dragonfly
     # @example "image/jpeg"
     # @return [String]
     def mime_type
-      meta['mime_type'] || app.mime_type_for(ext)
+      meta["mime_type"] || app.mime_type_for(ext)
     end
 
     # Set the content using a pre-registered generator
@@ -93,7 +92,7 @@ module Dragonfly
 
     # Update the content using a pre-registered processor
     # @example
-    #   content.process!(:convert, "-resize 300x300")
+    #   content.process!(:thumb, "300x300")
     # @return [Content] self
     def process!(name, *args)
       app.get_processor(name).call(self, *args)
@@ -111,10 +110,10 @@ module Dragonfly
     # @param obj [String, Pathname, Tempfile, File, Content, TempObject] can be any of these types
     # @param meta [Hash] - should be json-like, i.e. contain no types other than String, Number, Boolean
     # @return [Content] self
-    def update(obj, meta=nil)
+    def update(obj, meta = nil)
       meta ||= {}
-      self.temp_object = TempObject.new(obj, meta['name'])
-      self.meta['name'] ||= temp_object.name if temp_object.name
+      self.temp_object = TempObject.new(obj, meta["name"])
+      self.meta["name"] ||= temp_object.name if temp_object.name
       clear_analyser_cache
       add_meta(obj.meta) if obj.respond_to?(:meta)
       add_meta(meta)
@@ -135,7 +134,7 @@ module Dragonfly
     #     "file --mime-type #{path}"
     #   end
     #   # ===> "beach.jpg: image/jpeg"
-    def shell_eval(opts={})
+    def shell_eval(opts = {})
       should_escape = opts[:escape] != false
       command = yield(should_escape ? shell.escape(path) : path)
       run command, :escape => should_escape
@@ -148,7 +147,7 @@ module Dragonfly
     #     "/usr/local/bin/generate_text gumfry -o #{path}"
     #   end
     # @return [Content] self
-    def shell_generate(opts={})
+    def shell_generate(opts = {})
       ext = opts[:ext] || self.ext
       should_escape = opts[:escape] != false
       tempfile = Utils.new_tempfile(ext)
@@ -165,7 +164,7 @@ module Dragonfly
     #     "convert -resize 20x10 #{old_path} #{new_path}"
     #   end
     # @return [Content] self
-    def shell_update(opts={})
+    def shell_update(opts = {})
       ext = opts[:ext] || self.ext
       should_escape = opts[:escape] != false
       tempfile = Utils.new_tempfile(ext)
@@ -176,7 +175,7 @@ module Dragonfly
       update(tempfile)
     end
 
-    def store(opts={})
+    def store(opts = {})
       datastore.write(self, opts)
     end
 
@@ -188,7 +187,7 @@ module Dragonfly
     end
 
     def close
-      previous_temp_objects.each{|temp_object| temp_object.close }
+      previous_temp_objects.each { |temp_object| temp_object.close }
       temp_object.close
     end
 
@@ -199,6 +198,7 @@ module Dragonfly
     private
 
     attr_reader :previous_temp_objects
+
     def temp_object=(temp_object)
       previous_temp_objects.push(@temp_object) if @temp_object
       @temp_object = temp_object
@@ -215,6 +215,5 @@ module Dragonfly
     def run(command, opts)
       shell.run(command, opts)
     end
-
   end
 end

data/lib/dragonfly/image_magick/commands.rb

@@ -0,0 +1,35 @@
+module Dragonfly
+  module ImageMagick
+    module Commands
+      module_function
+
+      def convert(content, args = "", opts = {})
+        convert_command = content.env[:convert_command] || "convert"
+        format = opts["format"]
+
+        input_args = opts["input_args"] if opts["input_args"]
+        delegate_string = "#{opts["delegate"]}:" if opts["delegate"]
+        frame_string = "[#{opts["frame"]}]" if opts["frame"]
+
+        content.shell_update :ext => format do |old_path, new_path|
+          "#{convert_command} #{input_args} #{delegate_string}#{old_path}#{frame_string} #{args} #{new_path}"
+        end
+
+        if format
+          content.meta["format"] = format.to_s
+          content.ext = format
+          content.meta["mime_type"] = nil # don't need it as we have ext now
+        end
+      end
+
+      def generate(content, args, format)
+        format = format.to_s
+        convert_command = content.env[:convert_command] || "convert"
+        content.shell_generate :ext => format do |path|
+          "#{convert_command} #{args} #{path}"
+        end
+        content.add_meta("format" => format)
+      end
+    end
+  end
+end

data/lib/dragonfly/image_magick/generators/plain.rb

@@ -1,25 +1,31 @@
+require "dragonfly/image_magick/commands"
+require "dragonfly/param_validators"
+
 module Dragonfly
   module ImageMagick
     module Generators
       class Plain
+        include ParamValidators
 
-        def call(content, width, height, opts={})
+        def call(content, width, height, opts = {})
+          validate_all!([width, height], &is_number)
+          validate_all_keys!(opts, %w(colour color format), &is_word)
           format = extract_format(opts)
-          colour = opts['colour'] || opts['color'] || 'white'
-          content.generate!(:convert, "-size #{width}x#{height} xc:#{colour}", format)
-          content.add_meta('format' => format, 'name' => "plain.#{format}")
+
+          colour = opts["colour"] || opts["color"] || "white"
+          Commands.generate(content, "-size #{width}x#{height} xc:#{colour}", format)
+          content.add_meta("format" => format, "name" => "plain.#{format}")
         end
 
-        def update_url(url_attributes, width, height, opts={})
+        def update_url(url_attributes, width, height, opts = {})
           url_attributes.name = "plain.#{extract_format(opts)}"
         end
 
         private
 
         def extract_format(opts)
-          opts['format'] || 'png'
+          opts["format"] || "png"
         end
-
       end
     end
   end

data/lib/dragonfly/image_magick/generators/plasma.rb

@@ -1,24 +1,28 @@
+require "dragonfly/image_magick/commands"
+
 module Dragonfly
   module ImageMagick
     module Generators
       class Plasma
+        include ParamValidators
 
-        def call(content, width, height, opts={})
+        def call(content, width, height, opts = {})
+          validate_all!([width, height], &is_number)
+          validate!(opts["format"], &is_word)
           format = extract_format(opts)
-          content.generate!(:convert, "-size #{width}x#{height} plasma:fractal", format)
-          content.add_meta('format' => format, 'name' => "plasma.#{format}")
+          Commands.generate(content, "-size #{width}x#{height} plasma:fractal", format)
+          content.add_meta("format" => format, "name" => "plasma.#{format}")
         end
 
-        def update_url(url_attributes, width, height, opts={})
+        def update_url(url_attributes, width, height, opts = {})
           url_attributes.name = "plasma.#{extract_format(opts)}"
         end
 
         private
 
         def extract_format(opts)
-          opts['format'] || 'png'
+          opts["format"] || "png"
         end
-
       end
     end
   end

data/lib/dragonfly/image_magick/generators/text.rb

@@ -1,100 +1,111 @@
-require 'dragonfly/hash_with_css_style_keys'
+require "dragonfly/hash_with_css_style_keys"
+require "dragonfly/image_magick/commands"
+require "dragonfly/param_validators"
 
 module Dragonfly
   module ImageMagick
     module Generators
       class Text
+        include ParamValidators
 
         FONT_STYLES = {
-          'normal'  => 'normal',
-          'italic'  => 'italic',
-          'oblique' => 'oblique'
+          "normal" => "normal",
+          "italic" => "italic",
+          "oblique" => "oblique",
         }
 
         FONT_STRETCHES = {
-          'normal'          => 'normal',
-          'semi-condensed'  => 'semi-condensed',
-          'condensed'       => 'condensed',
-          'extra-condensed' => 'extra-condensed',
-          'ultra-condensed' => 'ultra-condensed',
-          'semi-expanded'   => 'semi-expanded',
-          'expanded'        => 'expanded',
-          'extra-expanded'  => 'extra-expanded',
-          'ultra-expanded'  => 'ultra-expanded'
+          "normal" => "normal",
+          "semi-condensed" => "semi-condensed",
+          "condensed" => "condensed",
+          "extra-condensed" => "extra-condensed",
+          "ultra-condensed" => "ultra-condensed",
+          "semi-expanded" => "semi-expanded",
+          "expanded" => "expanded",
+          "extra-expanded" => "extra-expanded",
+          "ultra-expanded" => "ultra-expanded",
         }
 
         FONT_WEIGHTS = {
-          'normal'  => 'normal',
-          'bold'    => 'bold',
-          'bolder'  => 'bolder',
-          'lighter' => 'lighter',
-          '100'     => 100,
-          '200'     => 200,
-          '300'     => 300,
-          '400'     => 400,
-          '500'     => 500,
-          '600'     => 600,
-          '700'     => 700,
-          '800'     => 800,
-          '900'     => 900
+          "normal" => "normal",
+          "bold" => "bold",
+          "bolder" => "bolder",
+          "lighter" => "lighter",
+          "100" => 100,
+          "200" => 200,
+          "300" => 300,
+          "400" => 400,
+          "500" => 500,
+          "600" => 600,
+          "700" => 700,
+          "800" => 800,
+          "900" => 900,
         }
 
-        def update_url(url_attributes, string, opts={})
+        IS_COLOUR = ->(param) {
+          /\A(#\w+|rgba?\([\d\.,]+\)|\w+)\z/ === param
+        }
+
+        def update_url(url_attributes, string, opts = {})
           url_attributes.name = "text.#{extract_format(opts)}"
         end
 
-        def call(content, string, opts={})
+        def call(content, string, opts = {})
+          validate_all_keys!(opts, %w(font font_family), &is_words)
+          validate_all_keys!(opts, %w(color background_color stroke_color), &IS_COLOUR)
+          validate!(opts["format"], &is_word)
+
           opts = HashWithCssStyleKeys[opts]
           args = []
           format = extract_format(opts)
-          background = opts['background_color'] || 'none'
-          font_size = (opts['font_size'] || 12).to_i
+          background = opts["background_color"] || "none"
+          font_size = (opts["font_size"] || 12).to_i
+          font_family = opts["font_family"] || opts["font"]
           escaped_string = "\"#{string.gsub(/"/, '\"')}\""
 
           # Settings
           args.push("-gravity NorthWest")
           args.push("-antialias")
           args.push("-pointsize #{font_size}")
-          args.push("-font \"#{opts['font']}\"") if opts['font']
-          args.push("-family '#{opts['font_family']}'") if opts['font_family']
-          args.push("-fill #{opts['color']}") if opts['color']
-          args.push("-stroke #{opts['stroke_color']}") if opts['stroke_color']
-          args.push("-style #{FONT_STYLES[opts['font_style']]}") if opts['font_style']
-          args.push("-stretch #{FONT_STRETCHES[opts['font_stretch']]}") if opts['font_stretch']
-          args.push("-weight #{FONT_WEIGHTS[opts['font_weight']]}") if opts['font_weight']
+          args.push("-family '#{font_family}'") if font_family
+          args.push("-fill #{opts["color"]}") if opts["color"]
+          args.push("-stroke #{opts["stroke_color"]}") if opts["stroke_color"]
+          args.push("-style #{FONT_STYLES[opts["font_style"]]}") if opts["font_style"]
+          args.push("-stretch #{FONT_STRETCHES[opts["font_stretch"]]}") if opts["font_stretch"]
+          args.push("-weight #{FONT_WEIGHTS[opts["font_weight"]]}") if opts["font_weight"]
           args.push("-background #{background}")
           args.push("label:#{escaped_string}")
 
           # Padding
-          pt, pr, pb, pl = parse_padding_string(opts['padding']) if opts['padding']
-          padding_top    = (opts['padding_top']    || pt || 0)
-          padding_right  = (opts['padding_right']  || pr || 0)
-          padding_bottom = (opts['padding_bottom'] || pb || 0)
-          padding_left   = (opts['padding_left']   || pl || 0)
+          pt, pr, pb, pl = parse_padding_string(opts["padding"]) if opts["padding"]
+          padding_top = (opts["padding_top"] || pt).to_i
+          padding_right = (opts["padding_right"] || pr).to_i
+          padding_bottom = (opts["padding_bottom"] || pb).to_i
+          padding_left = (opts["padding_left"] || pl).to_i
 
-          content.generate!(:convert, args.join(' '), format)
+          Commands.generate(content, args.join(" "), format)
 
           if (padding_top || padding_right || padding_bottom || padding_left)
             dimensions = content.analyse(:image_properties)
-            text_width  = dimensions['width']
-            text_height = dimensions['height']
-            width  = padding_left + text_width  + padding_right
-            height = padding_top  + text_height + padding_bottom
+            text_width = dimensions["width"]
+            text_height = dimensions["height"]
+            width = padding_left + text_width + padding_right
+            height = padding_top + text_height + padding_bottom
 
             args = args.slice(0, args.length - 2)
             args.push("-size #{width}x#{height}")
             args.push("xc:#{background}")
             args.push("-annotate 0x0+#{padding_left}+#{padding_top} #{escaped_string}")
-            content.generate!(:convert, args.join(' '), format)
+            Commands.generate(content, args.join(" "), format)
           end
 
-          content.add_meta('format' => format, 'name' => "text.#{format}")
+          content.add_meta("format" => format, "name" => "text.#{format}")
         end
 
         private
 
         def extract_format(opts)
-          opts['format'] || 'png'
+          opts["format"] || "png"
         end
 
         # Use css-style padding declaration, i.e.
@@ -103,25 +114,23 @@ module Dragonfly
         # 10 5 10   (top, left/right, bottom)
         # 10 5 10 5 (top, right, bottom, left)
         def parse_padding_string(str)
-          padding_parts = str.gsub('px','').split(/\s+/).map{|px| px.to_i}
+          padding_parts = str.gsub("px", "").split(/\s+/).map { |px| px.to_i }
           case padding_parts.size
           when 1
             p = padding_parts.first
-            [p,p,p,p]
+            [p, p, p, p]
           when 2
-            p,q = padding_parts
-            [p,q,p,q]
+            p, q = padding_parts
+            [p, q, p, q]
           when 3
-            p,q,r = padding_parts
-            [p,q,r,q]
+            p, q, r = padding_parts
+            [p, q, r, q]
           when 4
             padding_parts
           else raise ArgumentError, "Couldn't parse padding string '#{str}' - should be a css-style string"
           end
         end
       end
-
     end
   end
 end
-