From b0b5eaf477c907819ead1808d09bfaae3eb4cc54 Mon Sep 17 00:00:00 2001
From: Zack
Date: Tue, 15 Feb 2022 13:41:40 -0500
Subject: [PATCH 1/3] Added image trasnformation validation via configurable allow-list
ImageProcessingTransformer now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
---
activestorage/lib/active_storage.rb | 3 +
activestorage/lib/active_storage/engine.rb | 17 +
.../image_processing_transformer.rb | 352 ++++++++++++++++++
activestorage/test/models/variant_test.rb | 62 +++
.../test/application/configuration_test.rb | 29 ++
5 files changed, 463 insertions(+)
diff --git a/activestorage/lib/active_storage.rb b/activestorage/lib/active_storage.rb
index de76819577412..502663fb6b5e4 100644
--- a/activestorage/lib/active_storage.rb
+++ b/activestorage/lib/active_storage.rb
@@ -58,6 +58,9 @@ module ActiveStorage
mattr_accessor :content_types_to_serve_as_binary, default: []
mattr_accessor :content_types_allowed_inline, default: []
+ mattr_accessor :supported_image_processing_methods, default: []
+ mattr_accessor :unsupported_image_processing_arguments
+
mattr_accessor :service_urls_expire_in, default: 5.minutes
mattr_accessor :routes_prefix, default: "/rails/active_storage"
diff --git a/activestorage/lib/active_storage/engine.rb b/activestorage/lib/active_storage/engine.rb
index 379f05d56ab6a..1fd4e85dba2dc 100644
--- a/activestorage/lib/active_storage/engine.rb
+++ b/activestorage/lib/active_storage/engine.rb
@@ -73,6 +73,20 @@ class Engine < Rails::Engine # :nodoc:
application/pdf
)
+ default_unsupported_image_processing_arguments = %w(
+ -debug
+ -display
+ -distribute-cache
+ -help
+ -path
+ -print
+ -set
+ -verbose
+ -version
+ -write
+ -write-mask
+ )
+
config.eager_load_namespaces << ActiveStorage
initializer "active_storage.configs" do
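Review bot: `mattr_accessor :unsupported_image_processing_arguments` is declared without a default, unlike `supported_image_processing_methods` on the line above it, so the accessor is `nil` until the engine's `active_storage.configs` initializer (the engine.rb hunks in this patch) assigns it. Every consumer in this patch treats it as an Array, so loading Active Storage without the engine, or touching the transformer before that initializer runs, fails with `NoMethodError` rather than applying the built-in deny-list. Carrying the list that engine.rb defines as `default_unsupported_image_processing_arguments` as this accessor's `default:` would make the deny-list apply wherever Active Storage is loaded and let the engine override it only when the application configures its own; the engine.rb hunk that declares that local shares this issue.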
@@ -86,6 +100,9 @@ class Engine < Rails::Engine # :nodoc:
ActiveStorage.draw_routes = app.config.active_storage.draw_routes != false
ActiveStorage.resolve_model_to_route = app.config.active_storage.resolve_model_to_route || :rails_storage_redirect
+ ActiveStorage.supported_image_processing_methods = app.config.active_storage.supported_image_processing_methods || []
+ ActiveStorage.unsupported_image_processing_arguments = app.config.active_storage.unsupported_image_processing_arguments || default_unsupported_image_processing_arguments
+
ActiveStorage.variable_content_types = app.config.active_storage.variable_content_types || []
ActiveStorage.web_image_content_types = app.config.active_storage.web_image_content_types || []
ActiveStorage.content_types_to_serve_as_binary = app.config.active_storage.content_types_to_serve_as_binary || []
diff --git a/activestorage/lib/active_storage/transformers/image_processing_transformer.rb b/activestorage/lib/active_storage/transformers/image_processing_transformer.rb
index c8639cf37c899..7be8f64484ae6 100644
--- a/activestorage/lib/active_storage/transformers/image_processing_transformer.rb
+++ b/activestorage/lib/active_storage/transformers/image_processing_transformer.rb
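Review bot: An application-supplied `config.active_storage.unsupported_image_processing_arguments` replaces `default_unsupported_image_processing_arguments` wholesale rather than extending it, so an app that adds a single entry silently drops the other built-in ones; the railties configuration test in this patch relies on exactly that (configuring `-write -danger` makes `-set` disappear). This is the opposite of how the allow-list behaves, where the transformer appends the app's `supported_image_processing_methods` to its built-in list, and nothing in either hunk points the reader at the asymmetry. If replacement is the intended contract, record it where the default list is declared in the previous hunk, e.g. `# An app-configured list REPLACES these defaults; re-add them when extending the deny-list.`; if extension was intended, union them instead: `ActiveStorage.unsupported_image_processing_arguments = default_unsupported_image_processing_arguments | Array(app.config.active_storage.unsupported_image_processing_arguments)` (which would require changing the `refute` in the configuration test).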
@@ -13,6 +13,300 @@ module ActiveStorage
module Transformers
class ImageProcessingTransformer < Transformer
private
+ class UnsupportedImageProcessingMethod < StandardError; end
+ class UnsupportedImageProcessingArgument < StandardError; end
+ SUPPORTED_IMAGE_PROCESSING_METHODS = [
+ "adaptive_blur",
+ "adaptive_resize",
+ "adaptive_sharpen",
+ "adjoin",
+ "affine",
+ "alpha",
+ "annotate",
+ "antialias",
+ "append",
+ "apply",
+ "attenuate",
+ "authenticate",
+ "auto_gamma",
+ "auto_level",
+ "auto_orient",
+ "auto_threshold",
+ "backdrop",
+ "background",
+ "bench",
+ "bias",
+ "bilateral_blur",
+ "black_point_compensation",
+ "black_threshold",
+ "blend",
+ "blue_primary",
+ "blue_shift",
+ "blur",
+ "border",
+ "bordercolor",
+ "borderwidth",
+ "brightness_contrast",
+ "cache",
+ "canny",
+ "caption",
+ "channel",
+ "channel_fx",
+ "charcoal",
+ "chop",
+ "clahe",
+ "clamp",
+ "clip",
+ "clip_path",
+ "clone",
+ "clut",
+ "coalesce",
+ "colorize",
+ "colormap",
+ "color_matrix",
+ "colors",
+ "colorspace",
+ "colourspace",
+ "color_threshold",
+ "combine",
+ "combine_options",
+ "comment",
+ "compare",
+ "complex",
+ "compose",
+ "composite",
+ "compress",
+ "connected_components",
+ "contrast",
+ "contrast_stretch",
+ "convert",
+ "convolve",
+ "copy",
+ "crop",
+ "cycle",
+ "deconstruct",
+ "define",
+ "delay",
+ "delete",
+ "density",
+ "depth",
+ "descend",
+ "deskew",
+ "despeckle",
+ "direction",
+ "displace",
+ "dispose",
+ "dissimilarity_threshold",
+ "dissolve",
+ "distort",
+ "dither",
+ "draw",
+ "duplicate",
+ "edge",
+ "emboss",
+ "encoding",
+ "endian",
+ "enhance",
+ "equalize",
+ "evaluate",
+ "evaluate_sequence",
+ "extent",
+ "extract",
+ "family",
+ "features",
+ "fft",
+ "fill",
+ "filter",
+ "flatten",
+ "flip",
+ "floodfill",
+ "flop",
+ "font",
+ "foreground",
+ "format",
+ "frame",
+ "function",
+ "fuzz",
+ "fx",
+ "gamma",
+ "gaussian_blur",
+ "geometry",
+ "gravity",
+ "grayscale",
+ "green_primary",
+ "hald_clut",
+ "highlight_color",
+ "hough_lines", + "iconGeometry", + "iconic", + "identify", + "ift", + "illuminant", + "immutable", + "implode", + "insert", + "intensity", + "intent", + "interlace", + "interline_spacing", + "interpolate", + "interpolative_resize", + "interword_spacing", + "kerning", + "kmeans", + "kuwahara", + "label", + "lat", + "layers", + "level", + "level_colors", + "limit", + "limits", + "linear_stretch", + "linewidth", + "liquid_rescale", + "list", + "loader", + "log", + "loop", + "lowlight_color", + "magnify", + "map", + "mattecolor", + "median", + "mean_shift", + "metric", + "mode", + "modulate", + "moments", + "monitor", + "monochrome", + "morph", + "morphology", + "mosaic", + "motion_blur", + "name", + "negate", + "noise", + "normalize", + "opaque", + "ordered_dither", + "orient", + "page", + "paint", + "pause", + "perceptible", + "ping", + "pointsize", + "polaroid", + "poly", + "posterize", + "precision", + "preview", + "process", + "quality", + "quantize", + "quiet", + "radial_blur", + "raise", + "random_threshold", + "range_threshold", + "red_primary", + "regard_warnings", + "region", + "remote", + "render", + "repage", + "resample", + "resize", + "resize_to_fill", + "resize_to_fit", + "resize_to_limit", + "resize_and_pad", + "respect_parentheses", + "reverse", + "roll", + "rotate", + "sample", + "sampling_factor", + "saver", + "scale", + "scene", + "screen", + "seed", + "segment", + "selective_blur", + "separate", + "sepia_tone", + "shade", + "shadow", + "shared_memory", + "sharpen", + "shave", + "shear", + "sigmoidal_contrast", + "silent", + "similarity_threshold", + "size", + "sketch", + "smush", + "snaps", + "solarize", + "sort_pixels", + "sparse_color", + "splice", + "spread", + "statistic", + "stegano", + "stereo", + "storage_type", + "stretch", + "strip", + "stroke", + "strokewidth", + "style", + "subimage_search", + "swap", + "swirl", + "synchronize", + "taint", + "text_font", + "threshold", + "thumbnail", + "tile_offset", + "tint", + "title", + "transform", 
+ "transparent", + "transparent_color", + "transpose", + "transverse", + "treedepth", + "trim", + "type", + "undercolor", + "unique_colors", + "units", + "unsharp", + "update", + "valid_image", + "view", + "vignette", + "virtual_pixel", + "visual", + "watermark", + "wave", + "wavelet_denoise", + "weight", + "white_balance", + "white_point", + "white_threshold", + "window", + "window_group" + ].concat(ActiveStorage.supported_image_processing_methods) + + UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS = ActiveStorage.unsupported_image_processing_arguments + def process(file, format:) processor. source(file). @@ -28,6 +322,10 @@ def processor def operations transformations.each_with_object([]) do |(name, argument), list| + if ActiveStorage.variant_processor == :mini_magick + validate_transformation(name, argument) + end + if name.to_s == "combine_options" raise ArgumentError, <<~ERROR.squish Active Storage's ImageProcessing transformer doesn't support :combine_options, 
@@ -40,6 +338,60 @@ def operations
end
end
end
+
+ def validate_transformation(name, argument)
+ method_name = name.to_s.gsub("-","_")
+
+ unless SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }
+ raise UnsupportedImageProcessingMethod, <<~ERROR.squish
+ One or more of the provided transformation methods is not supported.
+ ERROR
+ end
+
+ if argument.present?
+ if argument.is_a?(String) || argument.is_a?(Symbol)
+ validate_arg_string(argument)
+ elsif argument.is_a?(Array)
+ validate_arg_array(argument)
+ elsif argument.is_a?(Hash)
+ validate_arg_hash(argument)
+ end
+ end
+ end
+
+ def validate_arg_string(argument)
+ if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg) }; raise UnsupportedImageProcessingArgument end
+ end
+
+ def validate_arg_array(argument)
+ argument.each do |arg|
+ if arg.is_a?(Integer) || arg.is_a?(Float)
+ next
+ elsif arg.is_a?(String) || arg.is_a?(Symbol)
+ validate_arg_string(arg)
+ elsif arg.is_a?(Array)
+ validate_arg_array(arg)
+ elsif arg.is_a?(Hash)
+ validate_arg_hash(arg)
+ end
+ end
+ end
+
+ def validate_arg_hash(argument)
+ argument.each do |key, value|
+ validate_arg_string(key)
+
+ if value.is_a?(Integer) || value.is_a?(Float)
+ next
+ elsif value.is_a?(String) || value.is_a?(Symbol)
+ validate_arg_string(value)
+ elsif value.is_a?(Array)
+ validate_arg_array(value)
+ elsif value.is_a?(Hash)
+ validate_arg_hash(value)
+ end
+ end
+ end
end
end
end
diff --git a/activestorage/test/models/variant_test.rb b/activestorage/test/models/variant_test.rb
index fcc14298f73e5..36c1a085a12d2 100644
--- a/activestorage/test/models/variant_test.rb
+++ b/activestorage/test/models/variant_test.rb
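Review bot: `validate_arg_string` lower-cases the argument but not the deny-list entry, so an entry that an application configures with any uppercase letter is silently never matched; change the check to `argument.to_s.downcase.include?(bad_arg.downcase)`, or normalize the list once where it is assigned. That line also reads better in modifier form, `raise UnsupportedImageProcessingArgument if UNSUPPORTED_IMAGE_PROCESSING_ARGUMENTS.any? { |bad_arg| argument.to_s.downcase.include?(bad_arg.downcase) }`, instead of `if …; raise … end`. In `validate_transformation`, `SUPPORTED_IMAGE_PROCESSING_METHODS.any? { |method| method_name == method }` is `SUPPORTED_IMAGE_PROCESSING_METHODS.include?(method_name)` and `name.to_s.gsub("-","_")` is `name.to_s.tr("-", "_")`. The `is_a?` ladders in `validate_arg_array` and `validate_arg_hash` are what `case arg when Integer, Float then nil when String, Symbol then validate_arg_string(arg) when Array then validate_arg_array(arg) when Hash then validate_arg_hash(arg) end` expresses directly, without the `next` branch. Note that a value of any other type falls through every branch uninspected; if that is intended, a comment such as `# Values of other types are passed through without inspection` would stop the next reader from treating it as a gap.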
@@ -211,6 +211,68 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase assert_equal :png, blob.send(:default_variant_format) end + test "variations with dangerous argument string raise UnsupportedImageProcessingArgument" do + process_variants_with :mini_magick do + blob = create_file_blob(filename: "racecar.jpg") + assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do + blob.variant(resize: "-PaTh /tmp/file.erb").processed + end + end + end + + test "variations with dangerous argument array raise UnsupportedImageProcessingArgument" do + process_variants_with :mini_magick do + blob = create_file_blob(filename: "racecar.jpg") + assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do + blob.variant(resize: [123, "-write", "/tmp/file.erb"]).processed + end + end + end + + test "variations with dangerous argument in a nested array raise UnsupportedImageProcessingArgument" do + process_variants_with :mini_magick do + blob = create_file_blob(filename: "racecar.jpg") + assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do + blob.variant(resize: [123, ["-write", "/tmp/file.erb"], "/tmp/file.erb"]).processed + end + + assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do + blob.variant(resize: [123, {"-write /tmp/file.erb": "something"}, "/tmp/file.erb"]).processed + end + end + end + + test "variations with dangerous argument hash raise UnsupportedImageProcessingArgument" do + process_variants_with :mini_magick do + blob = create_file_blob(filename: "racecar.jpg") + assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do + blob.variant(saver: {"-write": "/tmp/file.erb"}).processed + end + end + end + + test "variations with dangerous argument in a nested hash raise 
UnsupportedImageProcessingArgument" do + process_variants_with :mini_magick do + blob = create_file_blob(filename: "racecar.jpg") + assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do + blob.variant(saver: {"something": {"-write": "/tmp/file.erb"}}).processed + end + + assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do + blob.variant(saver: {"something": ["-write", "/tmp/file.erb"]}).processed + end + end + end + + test "variations with unsupported methods raise UnsupportedImageProcessingMethod" do + process_variants_with :mini_magick do + blob = create_file_blob(filename: "racecar.jpg") + assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingMethod) do + blob.variant(system: "touch /tmp/dangerous").processed + end + end + end + private def process_variants_with(processor) previous_processor, ActiveStorage.variant_processor = ActiveStorage.variant_processor, processor diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb index 3039091faf426..c3266e97cf875 100644 --- a/railties/test/application/configuration_test.rb +++ b/railties/test/application/configuration_test.rb 
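Review bot: The new tests cover only rejection with the built-in lists; nothing checks that a method added through `config.active_storage.supported_image_processing_methods` is actually accepted by the transformer, or that a replacement `unsupported_image_processing_arguments` list is enforced — the railties configuration test in the next file asserts the accessor values only. Because the transformer copies both accessors into constants when its class body loads, an end-to-end test that configures an extra method and then calls `blob.variant(...).processed` with it would also catch any initializer-ordering problem. A positive case, such as a variant using an allowed method with a benign argument (e.g. `resize: "100x100"`) processing without raising, would document the intended boundary of the allow-list alongside the rejections.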
@@ -2921,6 +2921,35 @@ class MyLogger < ::Logger
assert_equal ActiveStorage.video_preview_arguments, "-y -vframes 1 -ss 00:00:05 -f image2"
end
+ test "ActiveStorage.supported_image_processing_methods can be configured via config.active_storage.supported_image_processing_methods" do
+ remove_from_config '.*config\.load_defaults.*\n'
+
+ app_file "config/initializers/add_image_processing_methods.rb", <<-RUBY
+ Rails.application.config.active_storage.supported_image_processing_methods = ["write", "set"]
+ RUBY
+
+ app "development"
+
+ assert ActiveStorage.supported_image_processing_methods.include?("write")
+ assert ActiveStorage.supported_image_processing_methods.include?("set")
+ end
+
+ test "ActiveStorage.unsupported_image_processing_arguments can be configured via config.active_storage.unsupported_image_processing_arguments" do
+ remove_from_config '.*config\.load_defaults.*\n'
+
+ app_file "config/initializers/add_image_processing_arguments.rb", <<-RUBY
+ Rails.application.config.active_storage.unsupported_image_processing_arguments = %w(
+ -write
+ -danger
+ )
+ RUBY
+
+ app "development"
+
+ assert ActiveStorage.unsupported_image_processing_arguments.include?("-danger")
+ refute ActiveStorage.unsupported_image_processing_arguments.include?("-set")
+ end
+
test "hosts include .localhost in development"
app "development"
assert_includes Rails.application.config.hosts, ".localhost"
From 1f6642418c9371ea201122b75419e7e0f3c3919e Mon Sep 17 00:00:00 2001
From: Aaron Patterson Date: Tue, 8 Mar 2022 09:39:56 -0800 Subject: [PATCH 2/3] bumping version --- Gemfile.lock | 106 ++++++++++++++++++------------------- RAILS_VERSION | 2 +- actioncable/CHANGELOG.md | 5 ++ actionmailbox/CHANGELOG.md | 5 ++ actionmailer/CHANGELOG.md | 5 ++ actionpack/CHANGELOG.md | 5 ++ actiontext/CHANGELOG.md | 5 ++ actionview/CHANGELOG.md | 5 ++ activejob/CHANGELOG.md | 5 ++ activemodel/CHANGELOG.md | 5 ++ activerecord/CHANGELOG.md | 5 ++ activestorage/CHANGELOG.md | 10 ++++ activesupport/CHANGELOG.md | 5 ++ guides/CHANGELOG.md | 5 ++ railties/CHANGELOG.md | 5 ++ 15 files changed, 124 insertions(+), 54 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index ccad24ee355ee..0d04f90f9ad21 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -30,83 +30,83 @@ GIT PATH remote: . specs: - actioncable (6.1.4.6) - actionpack (= 6.1.4.6) - activesupport (= 6.1.4.6) + actioncable (6.1.4.7) + actionpack (= 6.1.4.7) + activesupport (= 6.1.4.7) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (6.1.4.6) - actionpack (= 6.1.4.6) - activejob (= 6.1.4.6) - activerecord (= 6.1.4.6) - activestorage (= 6.1.4.6) - activesupport (= 6.1.4.6) + actionmailbox (6.1.4.7) + actionpack (= 6.1.4.7) + activejob (= 6.1.4.7) + activerecord (= 6.1.4.7) + activestorage (= 6.1.4.7) + activesupport (= 6.1.4.7) mail (>= 2.7.1) - actionmailer (6.1.4.6) - actionpack (= 6.1.4.6) - actionview (= 6.1.4.6) - activejob (= 6.1.4.6) - activesupport (= 6.1.4.6) + actionmailer (6.1.4.7) + actionpack (= 6.1.4.7) + actionview (= 6.1.4.7) + activejob (= 6.1.4.7) + activesupport (= 6.1.4.7) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (6.1.4.6) - actionview (= 6.1.4.6) - activesupport (= 6.1.4.6) + actionpack (6.1.4.7) + actionview (= 6.1.4.7) + activesupport (= 6.1.4.7) rack (~> 2.0, >= 2.0.9) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (6.1.4.6) - actionpack (= 6.1.4.6) - activerecord (= 6.1.4.6) - activestorage (= 6.1.4.6) - activesupport (= 6.1.4.6) + actiontext (6.1.4.7) + actionpack (= 6.1.4.7) + activerecord (= 6.1.4.7) + activestorage (= 6.1.4.7) + activesupport (= 6.1.4.7) nokogiri (>= 1.8.5) - actionview (6.1.4.6) - activesupport (= 6.1.4.6) + actionview (6.1.4.7) + activesupport (= 6.1.4.7) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (6.1.4.6) - activesupport (= 6.1.4.6) + activejob (6.1.4.7) + activesupport (= 6.1.4.7) globalid (>= 0.3.6) - activemodel (6.1.4.6) - activesupport (= 6.1.4.6) - activerecord (6.1.4.6) - activemodel (= 6.1.4.6) - activesupport (= 6.1.4.6) - activestorage (6.1.4.6) - actionpack (= 6.1.4.6) - activejob (= 6.1.4.6) - activerecord (= 6.1.4.6) - activesupport (= 
6.1.4.6) + activemodel (6.1.4.7) + activesupport (= 6.1.4.7) + activerecord (6.1.4.7) + activemodel (= 6.1.4.7) + activesupport (= 6.1.4.7) + activestorage (6.1.4.7) + actionpack (= 6.1.4.7) + activejob (= 6.1.4.7) + activerecord (= 6.1.4.7) + activesupport (= 6.1.4.7) marcel (~> 1.0.0) mini_mime (>= 1.1.0) - activesupport (6.1.4.6) + activesupport (6.1.4.7) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) tzinfo (~> 2.0) zeitwerk (~> 2.3) - rails (6.1.4.6) - actioncable (= 6.1.4.6) - actionmailbox (= 6.1.4.6) - actionmailer (= 6.1.4.6) - actionpack (= 6.1.4.6) - actiontext (= 6.1.4.6) - actionview (= 6.1.4.6) - activejob (= 6.1.4.6) - activemodel (= 6.1.4.6) - activerecord (= 6.1.4.6) - activestorage (= 6.1.4.6) - activesupport (= 6.1.4.6) + rails (6.1.4.7) + actioncable (= 6.1.4.7) + actionmailbox (= 6.1.4.7) + actionmailer (= 6.1.4.7) + actionpack (= 6.1.4.7) + actiontext (= 6.1.4.7) + actionview (= 6.1.4.7) + activejob (= 6.1.4.7) + activemodel (= 6.1.4.7) + activerecord (= 6.1.4.7) + activestorage (= 6.1.4.7) + activesupport (= 6.1.4.7) bundler (>= 1.15.0) - railties (= 6.1.4.6) + railties (= 6.1.4.7) sprockets-rails (>= 2.0.0) - railties (6.1.4.6) - actionpack (= 6.1.4.6) - activesupport (= 6.1.4.6) + railties (6.1.4.7) + actionpack (= 6.1.4.7) + activesupport (= 6.1.4.7) method_source rake (>= 0.13) thor (~> 1.0) diff --git a/RAILS_VERSION b/RAILS_VERSION index 471e0b15eb865..67beaee6ce25b 100644 --- a/RAILS_VERSION +++ b/RAILS_VERSION @@ -1 +1 @@ -6.1.4.6 +6.1.4.7 diff --git a/actioncable/CHANGELOG.md b/actioncable/CHANGELOG.md index f89cb3fef75eb..8b98c27d26cf5 100644 --- a/actioncable/CHANGELOG.md +++ b/actioncable/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/actionmailbox/CHANGELOG.md b/actionmailbox/CHANGELOG.md index 28e3657839dbe..195307f563b9f 100644 --- a/actionmailbox/CHANGELOG.md +++ b/actionmailbox/CHANGELOG.md 
@@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index 6d3a38f66444c..b640e54dce131 100644 --- a/actionmailer/CHANGELOG.md +++ b/actionmailer/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index e4f8edb4b8a52..6dea9d95d2cc7 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/actiontext/CHANGELOG.md b/actiontext/CHANGELOG.md index 250f6e5accfe9..cb1daee2b469c 100644 --- a/actiontext/CHANGELOG.md +++ b/actiontext/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md index a5b312fe552e9..542c8a10d6de1 100644 --- a/actionview/CHANGELOG.md +++ b/actionview/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/activejob/CHANGELOG.md b/activejob/CHANGELOG.md index 5935e3f8db538..53d3590c53493 100644 --- a/activejob/CHANGELOG.md +++ b/activejob/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index 2b7cda85f0292..86161640d2b07 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. 
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 183537f5de15e..9696729fbf029 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md index 40f168a242ed7..3216312dcf8b0 100644 --- a/activestorage/CHANGELOG.md +++ b/activestorage/CHANGELOG.md @@ -1,3 +1,13 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* Added image transformation validation via configurable allow-list. + + Variant now offers a configurable allow-list for + transformation methods in addition to a configurable deny-list for arguments. + + [CVE-2022-21831] + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index 2161d9c78f259..f70292f59b906 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * Fix Reloader method signature to work with the new Executor signature diff --git a/guides/CHANGELOG.md b/guides/CHANGELOG.md index b25efc7d39be1..d3954c098ac17 100644 --- a/guides/CHANGELOG.md +++ b/guides/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index af2aa3074d6f2..c37230bb57d3b 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,3 +1,8 @@ +## Rails 6.1.4.7 (March 08, 2022) ## + +* No changes. + + ## Rails 6.1.4.6 (February 11, 2022) ## * No changes. From 66073335585f04f2ed0f5ef930eb3c8955d50a6a Mon Sep 17 00:00:00 2001 
From: Aaron Patterson Date: Tue, 8 Mar 2022 09:48:25 -0800 Subject: [PATCH 3/3] Preparing for 6.1.4.7 release --- actioncable/lib/action_cable/gem_version.rb | 2 +- actioncable/package.json | 2 +- actionmailbox/lib/action_mailbox/gem_version.rb | 2 +- actionmailer/lib/action_mailer/gem_version.rb | 2 +- actionpack/lib/action_pack/gem_version.rb | 2 +- actiontext/lib/action_text/gem_version.rb | 2 +- actiontext/package.json | 2 +- actionview/lib/action_view/gem_version.rb | 2 +- actionview/package.json | 2 +- activejob/lib/active_job/gem_version.rb | 2 +- activemodel/lib/active_model/gem_version.rb | 2 +- activerecord/lib/active_record/gem_version.rb | 2 +- activestorage/lib/active_storage/gem_version.rb | 2 +- activestorage/package.json | 2 +- activesupport/lib/active_support/gem_version.rb | 2 +- railties/lib/rails/gem_version.rb | 2 +- version.rb | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/actioncable/lib/action_cable/gem_version.rb b/actioncable/lib/action_cable/gem_version.rb index b0da7039b3356..83ceb47fac32d 100644 --- a/actioncable/lib/action_cable/gem_version.rb +++ b/actioncable/lib/action_cable/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/actioncable/package.json b/actioncable/package.json index 2d84e7d8736c9..ac8e64915cb95 100644 --- a/actioncable/package.json +++ b/actioncable/package.json @@ -1,6 +1,6 @@ { "name": "@rails/actioncable", - "version": "6.1.4-6", + "version": "6.1.4-7", "description": "WebSocket framework for Ruby on Rails.", "main": "app/assets/javascripts/action_cable.js", "files": [ diff --git a/actionmailbox/lib/action_mailbox/gem_version.rb b/actionmailbox/lib/action_mailbox/gem_version.rb index 6ac8d3de0864e..46c76968c4b3e 100644 --- a/actionmailbox/lib/action_mailbox/gem_version.rb +++ b/actionmailbox/lib/action_mailbox/gem_version.rb 
@@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/actionmailer/lib/action_mailer/gem_version.rb b/actionmailer/lib/action_mailer/gem_version.rb index d56d6cf845b16..8ecc9e13513dd 100644 --- a/actionmailer/lib/action_mailer/gem_version.rb +++ b/actionmailer/lib/action_mailer/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb index 1003093e56a97..66acc53385b71 100644 --- a/actionpack/lib/action_pack/gem_version.rb +++ b/actionpack/lib/action_pack/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/actiontext/lib/action_text/gem_version.rb b/actiontext/lib/action_text/gem_version.rb index c452993e3aac6..60d0bef45c37a 100644 --- a/actiontext/lib/action_text/gem_version.rb +++ b/actiontext/lib/action_text/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/actiontext/package.json b/actiontext/package.json index ba53a2e13b38c..5d690dfcc2d8f 100644 --- a/actiontext/package.json +++ b/actiontext/package.json @@ -1,6 +1,6 @@ { "name": "@rails/actiontext", - "version": "6.1.4-6", + "version": "6.1.4-7", "description": "Edit and display rich text in Rails applications", "main": "app/javascript/actiontext/index.js", "files": [ diff --git a/actionview/lib/action_view/gem_version.rb b/actionview/lib/action_view/gem_version.rb index 17fdf653c0f1c..40ae5b587dee9 100644 --- a/actionview/lib/action_view/gem_version.rb +++ b/actionview/lib/action_view/gem_version.rb 
@@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/actionview/package.json b/actionview/package.json index 512143e4cdd33..ab382da80a623 100644 --- a/actionview/package.json +++ b/actionview/package.json @@ -1,6 +1,6 @@ { "name": "@rails/ujs", - "version": "6.1.4-6", + "version": "6.1.4-7", "description": "Ruby on Rails unobtrusive scripting adapter", "main": "lib/assets/compiled/rails-ujs.js", "files": [ diff --git a/activejob/lib/active_job/gem_version.rb b/activejob/lib/active_job/gem_version.rb index 68c9a58bfddae..a5ced54c67849 100644 --- a/activejob/lib/active_job/gem_version.rb +++ b/activejob/lib/active_job/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/activemodel/lib/active_model/gem_version.rb b/activemodel/lib/active_model/gem_version.rb index 2e24757d30f0a..0d53e031b1e54 100644 --- a/activemodel/lib/active_model/gem_version.rb +++ b/activemodel/lib/active_model/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/activerecord/lib/active_record/gem_version.rb b/activerecord/lib/active_record/gem_version.rb index abfafd846c843..2be33df9bc637 100644 --- a/activerecord/lib/active_record/gem_version.rb +++ b/activerecord/lib/active_record/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/activestorage/lib/active_storage/gem_version.rb b/activestorage/lib/active_storage/gem_version.rb index f3f0318fe10b6..635a9019f07c3 100644 --- a/activestorage/lib/active_storage/gem_version.rb +++ b/activestorage/lib/active_storage/gem_version.rb 
@@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/activestorage/package.json b/activestorage/package.json index 8c67ca7b6d274..b09a23770d467 100644 --- a/activestorage/package.json +++ b/activestorage/package.json @@ -1,6 +1,6 @@ { "name": "@rails/activestorage", - "version": "6.1.4-6", + "version": "6.1.4-7", "description": "Attach cloud and local files in Rails applications", "main": "app/assets/javascripts/activestorage.js", "files": [ diff --git a/activesupport/lib/active_support/gem_version.rb b/activesupport/lib/active_support/gem_version.rb index 80ef04e944ef0..025468283cc06 100644 --- a/activesupport/lib/active_support/gem_version.rb +++ b/activesupport/lib/active_support/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/railties/lib/rails/gem_version.rb b/railties/lib/rails/gem_version.rb index 3d5f690556e74..c2673143a5d8d 100644 --- a/railties/lib/rails/gem_version.rb +++ b/railties/lib/rails/gem_version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end diff --git a/version.rb b/version.rb index 3d5f690556e74..c2673143a5d8d 100644 --- a/version.rb +++ b/version.rb @@ -10,7 +10,7 @@ module VERSION MAJOR = 6 MINOR = 1 TINY = 4 - PRE = "6" + PRE = "7" STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".") end