RubyGems - spree_core - Versions diffs - 5.3.3 → 5.3.5 - Mend

spree_core 5.3.3 → 5.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +4 -4
data/app/jobs/spree/images/save_from_url_job.rb +47 -23
data/app/models/spree/gift_card_batch.rb +4 -0
data/app/models/spree/order.rb +2 -2
data/app/models/spree/product/slugs.rb +1 -1
data/app/models/spree/refund.rb +4 -0
data/app/models/spree/store_credit.rb +4 -0
data/app/models/spree/variant.rb +19 -17
data/app/models/spree/webhook_endpoint.rb +17 -0
data/app/services/spree/data_feeds/google/required_attributes.rb +3 -8
data/app/services/spree/data_feeds/google/rss.rb +3 -1
data/app/services/spree/gift_cards/apply.rb +5 -4
data/app/views/spree/addresses/_form.html.erb +1 -2
data/config/locales/en.yml +4 -0
data/lib/spree/core/configuration.rb +1 -0
data/lib/spree/core/version.rb +1 -1
metadata +17 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '08d9b1a3cf8bea4f049c9dd444d3f1977e5752adfec8d31dc1fd91d8ee7ccc00'
-  data.tar.gz: c3653bae9f794377013d94700bee1eaa9da04485737584af25f103f091e662f5
+  metadata.gz: 6ed5afbde4c027a14e708b2f10a4585eab43df462da64c93d409336561bd3e45
+  data.tar.gz: 7f10df74f02a7770d794793e396486adefcc2349c6e2f0232ed5771b6dec83b2
 SHA512:
-  metadata.gz: 987979ba7a79782bd0412b510a3ecf566b61adfc6af241801a547c5b26bd401e3a16475cfdd3712ab29db5c062a5e8dfadea2d7c21634e773b0dd8fbab8f0423
-  data.tar.gz: 73229e1625bafe9ca1c1d8d00d0d1069bdca226aa91ee462abad53e618e4cd546a09cc242d9829a3f7a74ddae11e0ab69f9e4f9bdaf245ae1b4748af95ecb46a
+  metadata.gz: 588d726ccf12398f757ded2e252e1fb90de5a11e2c5863aa06bb27a489dd6ba3e9f1993ef68e6370b4476fa8846f59b85a60046d13953723cec4140b516128ea
+  data.tar.gz: 11a5f3e4298506982cecdf1dea096852e500ed157cce75343659252d3573d3e499a3d39ab82553be8e70fb7c8af414e93e016fcb8204b3c6a9cebe03521fcee7

data/app/jobs/spree/images/save_from_url_job.rb CHANGED Viewed

@@ -1,12 +1,15 @@
 require 'open-uri'
 require 'openssl'
+require 'ssrf_filter'
+require 'tempfile'
 module Spree
   module Images
     class SaveFromUrlJob < ::Spree::BaseJob
       queue_as Spree.queues.images
-      retry_on ActiveRecord::RecordInvalid, OpenURI::HTTPError, wait: :polynomially_longer, attempts: Spree::Config.images_save_from_url_job_attempts.to_i
+      retry_on ActiveRecord::RecordInvalid, wait: :polynomially_longer, attempts: Spree::Config.images_save_from_url_job_attempts.to_i
       discard_on URI::InvalidURIError
+      discard_on SsrfFilter::Error
       def perform(viewable_id, viewable_type, external_url, external_id = nil, position = nil)
         viewable = viewable_type.safe_constantize.find(viewable_id)
@@ -29,34 +32,55 @@ module Spree
         # still trigger save! if position has changed
         image.save! and return if image_already_saved?(image, external_url)
-        uri = URI.parse(external_url)
-        unless %w[http https].include?(uri.scheme)
-          raise URI::InvalidURIError, "Invalid URL scheme: #{uri.scheme}. Only http and https are allowed."
-        end
-        file = uri.open(
-          'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
-          'Accept' => 'image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8',
-          'Accept-Language' => 'en-US,en;q=0.9',
-          'Accept-Encoding' => 'gzip, deflate, br',
-          'Cache-Control' => 'no-cache',
-          'Pragma' => 'no-cache',
-          read_timeout: 60,
-          ssl_verify_mode: OpenSSL::SSL::VERIFY_PEER,
-          redirect: true
-        )
-        filename = File.basename(uri.path)
-        image.attachment.attach(io: file, filename: filename)
-        image.external_url = external_url
-        image.external_id = external_id if external_id.present? && image.respond_to?(:external_id)
-        image.save!
+        download_and_attach_image(external_url, image, external_id)
       rescue ActiveStorage::IntegrityError => e
         raise e unless Rails.env.test?
       end
       private
+      def download_and_attach_image(external_url, image, external_id)
+        max_size = Spree::Config.max_image_download_size
+        response = SsrfFilter.get(
+          external_url,
+          headers: {
+            'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
+            'Accept' => 'image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8',
+            'Accept-Language' => 'en-US,en;q=0.9',
+            'Accept-Encoding' => 'gzip, deflate, br',
+            'Cache-Control' => 'no-cache',
+            'Pragma' => 'no-cache'
+          },
+          http_options: {
+            read_timeout: 60,
+            open_timeout: 30
+          }
+        )
+        body = response.body
+        if body.bytesize > max_size
+          raise StandardError, "Image file size exceeds the maximum allowed size of #{max_size} bytes"
+        end
+        uri = URI.parse(external_url)
+        filename = File.basename(uri.path)
+        tempfile = Tempfile.new(['spree_image', File.extname(uri.path)], binmode: true)
+        begin
+          tempfile.write(body)
+          tempfile.rewind
+          image.attachment.attach(io: tempfile, filename: filename)
+          image.external_url = external_url
+          image.external_id = external_id if external_id.present? && image.respond_to?(:external_id)
+          image.save!
+        ensure
+          tempfile.close
+          tempfile.unlink
+        end
+      end
       def image_already_saved?(image, external_url)
         image.persisted? && image.attachment.attached? && image.external_url.present? && external_url == image.external_url
       end

data/app/models/spree/gift_card_batch.rb CHANGED Viewed

@@ -30,6 +30,10 @@ module Spree
     money_methods :amount
+    def amount=(amount)
+      self[:amount] = Spree::LocalizedNumber.parse(amount)
+    end
     self.whitelisted_ransackable_attributes = %w[prefix]
     def generate_gift_cards

data/app/models/spree/order.rb CHANGED Viewed

@@ -275,9 +275,9 @@ module Spree
     # @return [Boolean]
     def order_refunded?
       return false if item_count.zero?
+      return false if refunds_total.zero?
-      (payment_state.in?(%w[void failed]) && refunds_total.positive?) ||
-        refunds_total == total_minus_store_credits - additional_tax_total.abs
+      payment_state.in?(%w[void failed]) || refunds_total == total_minus_store_credits - additional_tax_total.abs
     end
     def refunds_total

data/app/models/spree/product/slugs.rb CHANGED Viewed

@@ -103,7 +103,7 @@ module Spree
         translations.with_deleted.each { |rec| rec.update_columns(slug: new_slug.call(rec)) }
         slugs.with_deleted.each { |rec| rec.update_column(:slug, new_slug.call(rec)) }
-        translations.find_by!(locale: I18n.locale).update_column(:slug, slug) if Spree.use_translations?
+        translations.find_by(locale: I18n.locale)&.update_column(:slug, slug) if Spree.use_translations?
       end
     end
   end

data/app/models/spree/refund.rb CHANGED Viewed

@@ -34,6 +34,10 @@ module Spree
     delegate :order, :currency, to: :payment
+    def amount=(amount)
+      self[:amount] = Spree::LocalizedNumber.parse(amount)
+    end
     def money
       Spree::Money.new(amount, currency: currency)
     end

data/app/models/spree/store_credit.rb CHANGED Viewed

@@ -52,6 +52,10 @@ module Spree
     extend Spree::DisplayMoney
     money_methods :amount, :amount_used, :amount_remaining, :amount_authorized
+    def amount=(amount)
+      self[:amount] = Spree::LocalizedNumber.parse(amount)
+    end
     self.whitelisted_ransackable_attributes = %w[user_id created_by_id amount currency type_id]
     self.whitelisted_ransackable_associations = %w[type user created_by]

data/app/models/spree/variant.rb CHANGED Viewed

@@ -91,36 +91,33 @@ module Spree
     scope :backorderable, -> { left_joins(:stock_items).where(spree_stock_items: { backorderable: true }) }
     scope :in_stock_or_backorderable, -> { in_stock.or(backorderable) }
-    scope :eligible, -> {
-      where(is_master: false).or(
-        where(
-          product_id: Spree::Variant.
-                      select(:product_id).
-                      group(:product_id).
-                      having("COUNT(#{Spree::Variant.table_name}.id) = 1")
+    scope :eligible, lambda {
+      joins(:product).where(
+        arel_table[:is_master].eq(false).or(
+          Spree::Product.arel_table[:variant_count].eq(0)
         )
       )
     }
-    scope :not_discontinued, -> do
+    scope :not_discontinued, lambda {
       where(
         arel_table[:discontinue_on].eq(nil).or(
           arel_table[:discontinue_on].gteq(Time.current)
         )
       )
-    end
+    }
     scope :not_deleted, -> { where("#{Spree::Variant.quoted_table_name}.deleted_at IS NULL") }
-    scope :for_currency_and_available_price_amount, ->(currency = nil) do
+    scope :for_currency_and_available_price_amount, lambda { |currency = nil|
       currency ||= Spree::Store.default.default_currency
       joins(:prices).where("#{Spree::Price.table_name}.currency = ?", currency).where("#{Spree::Price.table_name}.amount IS NOT NULL").distinct
-    end
+    }
-    scope :active, ->(currency = nil) do
+    scope :active, lambda { |currency = nil|
       not_discontinued.not_deleted.
         for_currency_and_available_price_amount(currency)
-    end
+    }
     scope :with_option_value, lambda { |option_name, option_value|
       option_type_ids = OptionType.where(name: option_name).ids
@@ -187,7 +184,8 @@ module Spree
     )
     self.whitelisted_ransackable_associations = %w[option_values product tax_category prices default_price]
-    self.whitelisted_ransackable_attributes = %w[weight depth width height sku discontinue_on is_master cost_price cost_currency track_inventory deleted_at]
+    self.whitelisted_ransackable_attributes = %w[weight depth width height sku discontinue_on is_master cost_price cost_currency track_inventory
+                                                 deleted_at]
     self.whitelisted_ransackable_scopes = %i(product_name_or_sku_cont search_by_product_name_or_sku)
     def self.product_name_or_sku_cont(query)
@@ -258,9 +256,13 @@ module Spree
     # @return [String] the options text of the variant
     def options_text
       @options_text ||= if option_values.loaded?
-                          option_values.sort_by { |ov| ov.option_type.position }.map { |ov| "#{ov.option_type.presentation}: #{ov.presentation}" }.to_sentence(words_connector: ', ', two_words_connector: ', ')
+                          option_values.sort_by do |ov|
+                            ov.option_type.position
+                          end.map { |ov| "#{ov.option_type.presentation}: #{ov.presentation}" }.to_sentence(words_connector: ', ', two_words_connector: ', ')
                         else
-                          option_values.includes(:option_type).joins(:option_type).order("#{Spree::OptionType.table_name}.position").map { |ov| "#{ov.option_type.presentation}: #{ov.presentation}" }.to_sentence(words_connector: ', ', two_words_connector: ', ')
+                          option_values.includes(:option_type).joins(:option_type).order("#{Spree::OptionType.table_name}.position").map do |ov|
+                            "#{ov.option_type.presentation}: #{ov.presentation}"
+                          end.to_sentence(words_connector: ', ', two_words_connector: ', ')
                         end
     end
@@ -273,7 +275,7 @@ module Spree
     # Returns the descriptive name of the variant.
     # @return [String] the descriptive name of the variant
     def descriptive_name
-      is_master? ? name + ' - Master' : name + ' - ' + options_text
+      is_master? ? "#{name} - Master" : "#{name} - #{options_text}"
     end
     # use deleted? rather than checking the attribute directly. this

data/app/models/spree/webhook_endpoint.rb CHANGED Viewed

@@ -1,17 +1,23 @@
 # frozen_string_literal: true
+require 'ssrf_filter'
+require 'resolv'
 module Spree
   class WebhookEndpoint < Spree.base_class
     acts_as_paranoid
     include Spree::SingleStoreResource
+    encrypts :secret_key, deterministic: true if Rails.configuration.active_record.encryption.include?(:primary_key)
     belongs_to :store, class_name: 'Spree::Store'
     has_many :webhook_deliveries, class_name: 'Spree::WebhookDelivery', dependent: :destroy_async
     validates :store, :url, presence: true
     validates :url, format: { with: URI::DEFAULT_PARSER.make_regexp(%w[http https]), message: :invalid_url }
     validates :active, inclusion: { in: [true, false] }
+    validate :url_must_not_resolve_to_private_ip, if: -> { url.present? && url_changed? }
     before_create :generate_secret_key
@@ -49,5 +55,16 @@ module Spree
     def generate_secret_key
       self.secret_key ||= SecureRandom.hex(32)
     end
+    def url_must_not_resolve_to_private_ip
+      uri = URI.parse(url)
+      blacklist = SsrfFilter::IPV4_BLACKLIST + SsrfFilter::IPV6_BLACKLIST
+      addresses = Resolv.getaddresses(uri.host)
+      if addresses.any? { |addr| blacklist.any? { |range| range.include?(IPAddr.new(addr)) } }
+        errors.add(:url, :internal_address_not_allowed)
+      end
+    rescue URI::InvalidURIError, Resolv::ResolvError, IPAddr::InvalidAddressError, ArgumentError
+      # URI format validation handles invalid URLs; DNS failures are not SSRF
+    end
   end
 end

data/app/services/spree/data_feeds/google/required_attributes.rb CHANGED Viewed

@@ -41,15 +41,10 @@ module Spree
         end
         def get_image_link(variant, product)
-          # try getting image from variant
-          img = variant.images.first&.plp_url
+          image = variant.thumbnail || product.thumbnail
+          return if image.nil?
-          # if no image specified for variant try getting product image
-          if img.nil?
-            img = product.images.first&.plp_url
-          end
-          img
+          Rails.application.routes.url_helpers.cdn_image_url(image.attachment.variant(:xlarge))
         end
         def format_price(variant)

data/app/services/spree/data_feeds/google/rss.rb CHANGED Viewed

@@ -18,7 +18,9 @@ module Spree
                 result = products_list.call(store)
                 if result.success?
                   result.value[:products].find_each do |product|
-                    product.variants.active.find_each do |variant|
+                    product.variants_including_master.active.find_each do |variant|
+                      next if variant.is_master? && product.has_variants?
                       add_variant_information_to_xml(xml, product, variant)
                     end
                   end

data/app/services/spree/gift_cards/apply.rb CHANGED Viewed

@@ -25,15 +25,16 @@ module Spree
           return failure(:gift_card_mismatched_customer) if gift_card.user != order.user
         end
-        amount = [gift_card.amount_remaining, order.total].min
         store = order.store
-        return failure(:gift_card_no_amount_remaining) unless amount.positive? || order.total.zero?
         payment_method = ensure_store_credit_payment_method!(store)
-        gift_card.lock!
         order.with_lock do
+          gift_card.lock!
+          amount = [gift_card.amount_remaining, order.total].min
+          return failure(:gift_card_no_amount_remaining) unless amount.positive? || order.total.zero?
           store_credit = gift_card.store_credits.create!(
             store: store,
             user: order.user,

data/app/views/spree/addresses/_form.html.erb CHANGED Viewed

@@ -45,8 +45,7 @@
       </div>
       <%= render "spree/addresses/suggestions_box" %>
     </div>
-    <span class="text-sm space-x-2 items-center hidden alert alert-info mt-2 align-items-center" data-address-autocomplete-target="addressWarning">
-      <%= heroicon "exclamation-circle", variant: :outline if defined?(heroicon) %>
+    <span class="text-sm space-x-2 hidden alert alert-info mt-2 static" data-address-autocomplete-target="addressWarning">
       <%= Spree.t('address_book.add_house_number') %>
     </span>
   </div>

data/config/locales/en.yml CHANGED Viewed

@@ -361,6 +361,10 @@ en:
               cannot_destroy_if_attached_to_line_items: Cannot delete Variants that are added to placed Orders. In such cases, please discontinue them.
               must_supply_price_for_variant_or_master: Must supply price for variant or master price for product.
               no_master_variant_found_to_infer_price: No master variant found to infer price
+        spree/webhook_endpoint:
+          attributes:
+            url:
+              internal_address_not_allowed: must not point to an internal or private network address
         spree/wished_item:
           attributes:
             variant:

data/lib/spree/core/configuration.rb CHANGED Viewed

@@ -47,6 +47,7 @@ module Spree
       preference :expedited_exchanges_days_window, :integer, default: 14 # the amount of days the customer has to return their item after the expedited exchange is shipped in order to avoid being charged
       preference :geocode_addresses, :boolean, default: true
       preference :images_save_from_url_job_attempts, :integer, default: 5
+      preference :max_image_download_size, :integer, default: 20_971_520 # 20 MB in bytes
       # Preprocessed product image variant sizes at 2x retina resolution.
       # These variants are generated on upload to reduce runtime processing.

data/lib/spree/core/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Spree
-  VERSION = '5.3.3'.freeze
+  VERSION = '5.3.5'.freeze
   def self.version
     VERSION

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_core
 version: !ruby/object:Gem::Version
-  version: 5.3.3
+  version: 5.3.5
 platform: ruby
 authors:
 - Sean Schofield
@@ -573,6 +573,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: ssrf_filter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: Spree Models, Helpers, Services and core libraries
 email: hello@spreecommerce.org
 executables: []
@@ -1717,9 +1731,9 @@ licenses:
 - BSD-3-Clause
 metadata:
   bug_tracker_uri: https://github.com/spree/spree/issues
-  changelog_uri: https://github.com/spree/spree/releases/tag/v5.3.3
+  changelog_uri: https://github.com/spree/spree/releases/tag/v5.3.5
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree/tree/v5.3.3
+  source_code_uri: https://github.com/spree/spree/tree/v5.3.5
 rdoc_options: []
 require_paths:
 - lib