Hello community,
here is the log from the commit of package rubygem-activestorage-7.0 for
openSUSE:Factory checked in at 2022-03-10 22:45:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activestorage-7.0 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-activestorage-7.0.new.2349 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activestorage-7.0"
Thu Mar 10 22:45:42 2022 rev:2 rq:960805 version:7.0.2.3
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-activestorage-7.0/rubygem-activestorage-7.0.changes
2022-03-07 17:48:01.647101020 +0100
+++
/work/SRC/openSUSE:Factory/.rubygem-activestorage-7.0.new.2349/rubygem-activestorage-7.0.changes
2022-03-11 11:35:12.366192659 +0100
@@ -1,0 +2,12 @@
+Thu Mar 10 13:22:26 UTC 2022 - Manuel Schnitzer <[email protected]>
+
+- updated to version 7.0.2.3
+
+ * Added image transformation validation via configurable allow-list.
+
+ Variant now offers a configurable allow-list for
+ transformation methods in addition to a configurable deny-list for
arguments.
+
+ [CVE-2022-21831]
+
+-------------------------------------------------------------------
Old:
----
activestorage-7.0.2.2.gem
New:
----
activestorage-7.0.2.3.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-activestorage-7.0.spec ++++++
--- /var/tmp/diff_new_pack.q1us7y/_old 2022-03-11 11:35:13.142193569 +0100
+++ /var/tmp/diff_new_pack.q1us7y/_new 2022-03-11 11:35:13.146193574 +0100
@@ -24,7 +24,7 @@
#
Name: rubygem-activestorage-7.0
-Version: 7.0.2.2
+Version: 7.0.2.3
Release: 0
%define mod_name activestorage
%define mod_full_name %{mod_name}-%{version}
++++++ activestorage-7.0.2.2.gem -> activestorage-7.0.2.3.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2022-02-11 20:43:39.000000000 +0100
+++ new/CHANGELOG.md 2022-03-08 18:50:10.000000000 +0100
@@ -1,3 +1,13 @@
+## Rails 7.0.2.3 (March 08, 2022) ##
+
+* Added image transformation validation via configurable allow-list.
+
+ Variant now offers a configurable allow-list for
+ transformation methods in addition to a configurable deny-list for
arguments.
+
+ [CVE-2022-21831]
+
+
## Rails 7.0.2.2 (February 11, 2022) ##
* No changes.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_storage/engine.rb
new/lib/active_storage/engine.rb
--- old/lib/active_storage/engine.rb 2022-02-11 20:43:39.000000000 +0100
+++ new/lib/active_storage/engine.rb 2022-03-08 18:50:10.000000000 +0100
@@ -80,6 +80,20 @@
application/pdf
)
+ default_unsupported_image_processing_arguments = %w(
+ -debug
+ -display
+ -distribute-cache
+ -help
+ -path
+ -print
+ -set
+ -verbose
+ -version
+ -write
+ -write-mask
+ )
+
config.eager_load_namespaces << ActiveStorage
initializer "active_storage.configs" do
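Review bot: The default deny-list at the top of the hunk is an unfrozen array held in a class-body local, and it becomes the very object behind `ActiveStorage.unsupported_image_processing_arguments` whenever the app does not configure its own, so any in-place mutation by app code (`<<`, `delete`) silently changes the global deny-list; closing the literal with `).freeze` makes the list immutable and the intent explicit. It is also the only place the default exists: the transformer constant that consumes it elsewhere in this diff has no fallback if this initializer has not run, so hoisting the list to a frozen constant that both the engine and the transformer read would give one source of truth. The `initializer` block opened on the last line of the hunk continues outside it.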
@@ -93,6 +107,9 @@
ActiveStorage.draw_routes =
app.config.active_storage.draw_routes != false
ActiveStorage.resolve_model_to_route =
app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
+ ActiveStorage.supported_image_processing_methods =
app.config.active_storage.supported_image_processing_methods || []
+ ActiveStorage.unsupported_image_processing_arguments =
app.config.active_storage.unsupported_image_processing_arguments ||
default_unsupported_image_processing_arguments
+
ActiveStorage.variable_content_types =
app.config.active_storage.variable_content_types || []
ActiveStorage.web_image_content_types =
app.config.active_storage.web_image_content_types || []
ActiveStorage.content_types_to_serve_as_binary =
app.config.active_storage.content_types_to_serve_as_binary || []
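Review bot: The two new assignments read as symmetric but have different semantics that the hunk does not document: `supported_image_processing_methods` is concatenated onto the transformer's built-in allow-list (so config can only widen it, never remove a built-in method), while `unsupported_image_processing_arguments` replaces the default deny-list outright (so an explicit `[]` turns argument checking off). A comment above the pair would prevent the obvious misconfiguration: `# supported_image_processing_methods only extends the transformer's built-in allow-list;` / `# unsupported_image_processing_arguments replaces the default deny-list, so [] disables argument validation.`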
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_storage/gem_version.rb
new/lib/active_storage/gem_version.rb
--- old/lib/active_storage/gem_version.rb 2022-02-11 20:43:39.000000000
+0100
+++ new/lib/active_storage/gem_version.rb 2022-03-08 18:50:10.000000000
+0100
@@ -10,7 +10,7 @@
MAJOR = 7
MINOR = 0
TINY = 2
- PRE = "2"
+ PRE = "3"
STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/lib/active_storage/transformers/image_processing_transformer.rb
new/lib/active_storage/transformers/image_processing_transformer.rb
--- old/lib/active_storage/transformers/image_processing_transformer.rb
2022-02-11 20:43:39.000000000 +0100
+++ new/lib/active_storage/transformers/image_processing_transformer.rb
2022-03-08 18:50:10.000000000 +0100
@@ -13,6 +13,300 @@
module Transformers
class ImageProcessingTransformer < Transformer
private
+ class UnsupportedImageProcessingMethod < StandardError; end
+ class UnsupportedImageProcessingArgument < StandardError; end
+ SUPPORTED_IMAGE_PROCESSING_METHODS = [
+ "adaptive_blur",
+ "adaptive_resize",
+ "adaptive_sharpen",
+ "adjoin",
+ "affine",
+ "alpha",
+ "annotate",
+ "antialias",
+ "append",
+ "apply",
+ "attenuate",
+ "authenticate",
+ "auto_gamma",
+ "auto_level",
+ "auto_orient",
+ "auto_threshold",
+ "backdrop",
+ "background",
+ "bench",
+ "bias",
+ "bilateral_blur",
+ "black_point_compensation",
+ "black_threshold",
+ "blend",
+ "blue_primary",
+ "blue_shift",
+ "blur",
+ "border",
+ "bordercolor",
+ "borderwidth",
+ "brightness_contrast",
+ "cache",
+ "canny",
+ "caption",
+ "channel",
+ "channel_fx",
+ "charcoal",
+ "chop",
+ "clahe",
+ "clamp",
+ "clip",
+ "clip_path",
+ "clone",
+ "clut",
+ "coalesce",
+ "colorize",
+ "colormap",
+ "color_matrix",
+ "colors",
+ "colorspace",
+ "colourspace",
+ "color_threshold",
+ "combine",
+ "combine_options",
+ "comment",
+ "compare",
+ "complex",
+ "compose",
+ "composite",
+ "compress",
+ "connected_components",
+ "contrast",
+ "contrast_stretch",
+ "convert",
+ "convolve",
+ "copy",
+ "crop",
+ "cycle",
+ "deconstruct",
+ "define",
+ "delay",
+ "delete",
+ "density",
+ "depth",
+ "descend",
+ "deskew",
+ "despeckle",
+ "direction",
+ "displace",
+ "dispose",
+ "dissimilarity_threshold",
+ "dissolve",
+ "distort",
+ "dither",
+ "draw",
+ "duplicate",
+ "edge",
+ "emboss",
+ "encoding",
+ "endian",
+ "enhance",
+ "equalize",
+ "evaluate",
+ "evaluate_sequence",
+ "extent",
+ "extract",
+ "family",
+ "features",
+ "fft",
+ "fill",
+ "filter",
+ "flatten",
+ "flip",
+ "floodfill",
+ "flop",
+ "font",
+ "foreground",
+ "format",
+ "frame",
+ "function",
+ "fuzz",
+ "fx",
+ "gamma",
+ "gaussian_blur",
+ "geometry",
+ "gravity",
+ "grayscale",
+ "green_primary",
+ "hald_clut",
+ "highlight_color",
+ "hough_lines",
+ "iconGeometry",
+ "iconic",
+ "identify",
+ "ift",
+ "illuminant",
+ "immutable",
+ "implode",
+ "insert",
+ "intensity",
+ "intent",
+ "interlace",
+ "interline_spacing",
+ "interpolate",
+ "interpolative_resize",
+ "interword_spacing",
+ "kerning",
+ "kmeans",
+ "kuwahara",
+ "label",
+ "lat",
+ "layers",
+ "level",
+ "level_colors",
+ "limit",
+ "limits",
+ "linear_stretch",
+ "linewidth",
+ "liquid_rescale",
+ "list",
+ "loader",
+ "log",
+ "loop",
+ "lowlight_color",
+ "magnify",
+ "map",
+ "mattecolor",
+ "median",
+ "mean_shift",
+ "metric",
+ "mode",
+ "modulate",
+ "moments",
+ "monitor",
+ "monochrome",
+ "morph",
+ "morphology",
+ "mosaic",
+ "motion_blur",
+ "name",
+ "negate",
+ "noise",
+ "normalize",
+ "opaque",
+ "ordered_dither",
+ "orient",
+ "page",
+ "paint",
+ "pause",
+ "perceptible",
+ "ping",
+ "pointsize",
+ "polaroid",
+ "poly",
+ "posterize",
+ "precision",
+ "preview",
+ "process",
+ "quality",
+ "quantize",
+ "quiet",
+ "radial_blur",
+ "raise",
+ "random_threshold",
+ "range_threshold",
+ "red_primary",
+ "regard_warnings",
+ "region",
+ "remote",
+ "render",
+ "repage",
+ "resample",
+ "resize",
+ "resize_to_fill",
+ "resize_to_fit",
+ "resize_to_limit",
+ "resize_and_pad",
+ "respect_parentheses",
+ "reverse",
+ "roll",
+ "rotate",
+ "sample",
+ "sampling_factor",
+ "saver",
+ "scale",
+ "scene",
+ "screen",
+ "seed",
+ "segment",
+ "selective_blur",
+ "separate",
+ "sepia_tone",
+ "shade",
+ "shadow",
+ "shared_memory",
+ "sharpen",
+ "shave",
+ "shear",
+ "sigmoidal_contrast",
+ "silent",
+ "similarity_threshold",
+ "size",
+ "sketch",
+ "smush",
+ "snaps",
+ "solarize",
+ "sort_pixels",
+ "sparse_color",
+ "splice",
+ "spread",
+ "statistic",
+ "stegano",
+ "stereo",
+ "storage_type",
+ "stretch",
+ "strip",
+ "stroke",
+ "strokewidth",
+ "style",
+ "subimage_search",
+ "swap",
+ "swirl",
+ "synchronize",
+ "taint",
+ "text_font",
+ "threshold",
+ "thumbnail",
+ "tile_offset",
+ "tint",
+ "title",
+ "transform",
+ "transparent",
+ "transparent_color",
+ "transpose",
+ "transverse",
+ "treedepth",
+ "trim",
+ "type",
+ "undercolor",
+ "unique_colors",
+ "units",
+ "unsharp",
+ "update",
+ "valid_image",
+ "view",
+ "vignette",
+ "virtual_pixel",
+ "visual",
+ "watermark",
+ "wave",
+ "wavelet_denoise",
+ "weight",
+ "white_balance",
+ "white_point",
+ "white_threshold",
+ "window",
+ "window_group"
+ ].concat(ActiveStorage.supported_image_processing_methods)
+
+ UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS =
ActiveStorage.unsupported_image_processing_arguments
+
def process(file, format:)
processor.
source(file).
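Review bot: `SUPPORTED_IMAGE_PROCESSING_METHODS` and `UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS` at the end of the hunk read the `ActiveStorage` accessors once, when this class body is first evaluated, so the allow-list extension and the deny-list are pinned to whatever was configured at that instant. Config applied after the class loads is ignored, and if the class is evaluated before the engine's `active_storage.configs` initializer runs, or the gem is used without the engine, the deny-list accessor is nil (it is declared without a default in lib/active_storage.rb in this same diff) and the later `any?` call fails with NoMethodError rather than a validation decision. Reading the accessors at call time fixes both, keeping the hard-coded names in a frozen constant and failing closed on a missing deny-list; the two lookups in `validate_transformation` and `validate_arg_string` would then call these methods instead of the constants. `process`, which starts on the last lines of the hunk, continues outside it.
```ruby
          DEFAULT_SUPPORTED_IMAGE_PROCESSING_METHODS = [
            # … unchanged: the built-in method names …
          ].freeze

          # Read at call time so configuration applied after this class loads is honoured.
          def supported_image_processing_methods
            DEFAULT_SUPPORTED_IMAGE_PROCESSING_METHODS + Array(ActiveStorage.supported_image_processing_methods)
          end

          # nil (engine not loaded, or initializer not yet run) must not mean "no deny-list".
          def unsupported_image_processing_arguments
            ActiveStorage.unsupported_image_processing_arguments ||
              raise(ArgumentError, "ActiveStorage.unsupported_image_processing_arguments is not configured")
          end
```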
@@ -28,6 +322,10 @@
def operations
transformations.each_with_object([]) do |(name, argument), list|
+ if ActiveStorage.variant_processor == :mini_magick
+ validate_transformation(name, argument)
+ end
+
if name.to_s == "combine_options"
raise ArgumentError, <<~ERROR.squish
Active Storage's ImageProcessing transformer doesn't support
:combine_options,
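Review bot: The new guard runs `validate_transformation` only when `ActiveStorage.variant_processor == :mini_magick`, so under `:vips` neither the method allow-list nor the argument deny-list is applied. Skipping the argument check there is defensible, since the deny-listed strings are ImageMagick CLI flags, but the method allow-list is processor-independent and, if the vips backend also dispatches on the transformation name (not visible in this hunk), it would be worth applying to both processors. At minimum the decision should be recorded next to the condition, e.g. `# Only the ImageMagick backend is validated: the deny-list covers ImageMagick CLI flags.` `operations`, which this hunk modifies, continues past the end of the hunk.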
@@ -40,6 +338,60 @@
end
end
end
+
+ def validate_transformation(name, argument)
+ method_name = name.to_s.gsub("-","_")
+
+ unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method|
method_name == method }
+ raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+ One or more of the provided transformation methods is not
supported.
+ ERROR
+ end
+
+ if argument.present?
+ if argument.is_a?(String) || argument.is_a?(Symbol)
+ validate_arg_string(argument)
+ elsif argument.is_a?(Array)
+ validate_arg_array(argument)
+ elsif argument.is_a?(Hash)
+ validate_arg_hash(argument)
+ end
+ end
+ end
+
+ def validate_arg_string(argument)
+ if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg|
argument.to_s.downcase.include?(bad_arg) }; raise
UnsupportedImageProcessingArgument end
+ end
+
+ def validate_arg_array(argument)
+ argument.each do |arg|
+ if arg.is_a?(Integer) || arg.is_a?(Float)
+ next
+ elsif arg.is_a?(String) || arg.is_a?(Symbol)
+ validate_arg_string(arg)
+ elsif arg.is_a?(Array)
+ validate_arg_array(arg)
+ elsif arg.is_a?(Hash)
+ validate_arg_hash(arg)
+ end
+ end
+ end
+
+ def validate_arg_hash(argument)
+ argument.each do |key, value|
+ validate_arg_string(key)
+
+ if value.is_a?(Integer) || value.is_a?(Float)
+ next
+ elsif value.is_a?(String) || value.is_a?(Symbol)
+ validate_arg_string(value)
+ elsif value.is_a?(Array)
+ validate_arg_array(value)
+ elsif value.is_a?(Hash)
+ validate_arg_hash(value)
+ end
+ end
+ end
end
end
end
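Review bot: `validate_transformation`, and the loops in `validate_arg_array` and `validate_arg_hash`, only run the deny-list for String/Symbol/Array/Hash values; any other object, for instance a Pathname or anything with a custom `to_s`, drops out of the `if … elsif` chain (which has no `else`) and reaches the processor unchecked, where it is presumably stringified onto the command line like the values that are checked. A fall-through branch closes that gap: in `validate_transformation` add `else validate_arg_string(argument.to_s)`, and the same `else` after the Hash branch in the two loops (they already `next` on Integer/Float). Separately, `validate_arg_string` raises `UnsupportedImageProcessingArgument` with no message, so a rejected transformation is hard to diagnose from logs; `raise UnsupportedImageProcessingArgument, "One or more of the provided transformation arguments is not supported."` matches the method-name error without echoing the raw value.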
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/active_storage.rb new/lib/active_storage.rb
--- old/lib/active_storage.rb 2022-02-11 20:43:39.000000000 +0100
+++ new/lib/active_storage.rb 2022-03-08 18:50:10.000000000 +0100
@@ -59,6 +59,9 @@
mattr_accessor :content_types_to_serve_as_binary, default: []
mattr_accessor :content_types_allowed_inline, default: []
+ mattr_accessor :supported_image_processing_methods, default: []
+ mattr_accessor :unsupported_image_processing_arguments
+
mattr_accessor :service_urls_expire_in, default: 5.minutes
mattr_accessor :urls_expire_in
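Review bot: `unsupported_image_processing_arguments` is declared with no default, unlike its sibling `supported_image_processing_methods, default: []`, so until the engine's `active_storage.configs` initializer assigns it the accessor returns nil and the transformer's deny-list check ends up calling `any?` on nil. Either give it the same default deny-list the engine defines (moving that `%w(...)` here as a frozen constant keeps one source of truth for both the engine and the transformer) or document the contract on the declaration: `# No default on purpose: the engine initializer supplies the deny-list; set it explicitly when using Active Storage without the engine.`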
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2022-02-11 20:43:39.000000000 +0100
+++ new/metadata 2022-03-08 18:50:10.000000000 +0100
@@ -1,14 +1,14 @@
--- !ruby/object:Gem::Specification
name: activestorage
version: !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
platform: ruby
authors:
- David Heinemeier Hansson
autorequire:
bindir: bin
cert_chain: []
-date: 2022-02-11 00:00:00.000000000 Z
+date: 2022-03-08 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: activesupport
@@ -16,56 +16,56 @@
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
- !ruby/object:Gem::Dependency
name: actionpack
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
- !ruby/object:Gem::Dependency
name: activejob
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
- !ruby/object:Gem::Dependency
name: activerecord
requirement: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '='
- !ruby/object:Gem::Version
- version: 7.0.2.2
+ version: 7.0.2.3
- !ruby/object:Gem::Dependency
name: marcel
requirement: !ruby/object:Gem::Requirement
@@ -198,10 +198,10 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri:
https://github.com/rails/rails/blob/v7.0.2.2/activestorage/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.0.2.2/
+ changelog_uri:
https://github.com/rails/rails/blob/v7.0.2.3/activestorage/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.0.2.3/
mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.0.2.2/activestorage
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/activestorage
rubygems_mfa_required: 'true'
post_install_message:
rdoc_options: []
@@ -218,7 +218,7 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.1.6
signing_key:
specification_version: 4
summary: Local and cloud file storage framework.