🚨 [security] Update carrierwave: 1.3.1 → 1.3.2 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ carrierwave (1.3.1 → 1.3.2) · Repo · Changelog

Security Advisories 🚨

🚨 Server-side request forgery in CarrierWave

Impact

[CarrierWave download feature](https://github.com/carrierwaveuploader/carrierwave#uploading-files-from-a-remote-location
has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use
and gather information about the Intranet infrastructure of the platform.

Patches

Upgrade to 2.1.1 or
1.3.2.

Workarounds

Using proper network segmentation and applying the principle of least privilege to outbound connections from application
servers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server
without access to any internal network resources or cloud metadata access.

🚨 Code Injection vulnerability in CarrierWave::RMagick

Impact

CarrierWave::RMagick
has a Code Injection vulnerability. Its #manipulate! method inappropriately evals the content of mutation
option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code.
If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE).

(But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to
DoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension)

Proof of Concept

class MyUploader < CarrierWave::Uploader::Base
  include CarrierWave::RMagick
end
MyUploader.new.manipulate!({ read: { density: "1 }; p 'Hacked'; {" }}) # => shows "Hacked"

Patches

Upgrade to 2.1.1 or
1.3.2.

Workarounds

Stop supplying untrusted input to #manipulate!'s mutation option.

Release Notes

1.3.2 (from changelog)

Fixed

• Fix Ruby 2.7 deprecations(@aubinlrx #2462)

Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya eb9346df, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya 91714add, GHSA-fwcm-636p-68r5)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

• Version 1.3.2
• Fix Code Injection vulnerability in CarrierWave::RMagick
• Fix SSRF vulnerability in the remote file download feature
• URI.open does not exist before Ruby 2.5
• URI.encode becomes escape, not unescape
• Merge pull request #2462 from aubinlrx/tweak/deprecation_warning_ruby_27
• Cloud not make JRuby build pass on Xenial, reverting back to Trusty
• Fix build issues with PostgreSQL and ImageMagick
• use URI.open instead of Kernel.open for Ruby 2.7
• Use URI::DEFAULT_PARSER.unescape instead of URI.decode for Ruby 2.7
• Fix kwargs usage for Ruby 2.7
• Merge pull request #2377 from stanhu/sh-pass-openstack-options
• Merge pull request #2375 from QuickBlox/add-azure-rm-authenticated-url
• Merge pull request #2374 from hagarabdelwaha/master
• Travis's ImageMagick is pretty old, lock RMagick to 2.x
• Pass OpenStack options in get_object_https_url
• Add AzureRM to support authenticated_url
• Update README.md
• Merge pull request #2367 from nagatea/refactor_sanitized_file_path
• Fix JRuby builds
• Refactor SanitizedFile#path
• Use gemified version of activerecord-jdbcpostgresql-adapter
• CI against jruby 9.2
• CI against ruby 2.6
• CI against newer jruby 9.1.x
• We're still testing against old rubies that aren't supported by bundler 2.x
• CI against newer rubies

↗️ builder (indirect, 3.2.3 → 3.2.4) · Repo · Changelog

↗️ minitest (indirect, 5.11.3 → 5.14.3) · Repo · Changelog

Release Notes

5.14.3 (from changelog)

• 1 bug fix:

  • Bumped require_ruby_version to < 4 (trunk = 3.1).

5.14.2 (from changelog)

• 1 bug fix:

  • Bumped ruby version to include 3.0 (trunk).

5.14.0 (from changelog)

• 2 minor enhancements:

  • Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)

  • Changed assert_raises to only catch Assertion since that covers Skip and friends.

• 3 bug fixes:

  • Added example for value wrapper with block to Expectations module. (stomar)

  • Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)

  • Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)

5.13.0 (from changelog)

• 9 minor enhancements:

  • Added Minitest::Guard#osx?

  • Added examples to documentation for assert_raises. (lxxxvi)

  • Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.

  • Added fail_after(year, month, day, msg) to allow time-bombing after a deadline.

  • Added skip_until(year, month, day, msg) to allow deferring until a deadline.

  • Deprecated Minitest::Guard#maglev?

  • Deprecated Minitest::Guard#rubinius?

  • Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)

  • Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)

• 3 bug fixes:

  • Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)

  • Improved documentation for _/value/expect, especially for blocks. (svoop)

  • Support new Proc#to_s format. (ko1)

5.12.2 (from changelog)

• 1 bug fix:

  • After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.

5.12.1 (from changelog)

• 1 minor enhancement:

  • Added documentation for Reporter classes. (sshaw)

• 3 bug fixes:

  • Avoid using 'match?' to support older ruby versions. (y-yagi)

  • Fixed broken link to reference on goodness-of-fit testing. (havenwood)

  • Update requirements in readme and Rakefile/hoe spec.

5.12.0 (from changelog)

• 8 minor enhancements:

  • Added a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)

  • Changed mu_pp_for_diff to make having both n and \n easier to debug.

  • Deprecated $N for specifying number of parallel test runners. Use MT_CPU.

  • Deprecated use of global expectations. To be removed from MT6.

  • Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.

  • Extended Assertions#mu_pp to output encoding and validity if invalid to improve diffs.

  • Extended Assertions#mu_pp_for_diff to make escaped newlines more obvious in diffs.

  • Fail gracefully when expectation used outside of `it`.

• 3 bug fixes:

  • Check `option` klass before match. Fixes 2.6 warning. (y-yagi)

  • Fixed Assertions#diff from recalculating if set to nil

  • Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 66 commits:

• prepped for release
• - Bumped require_ruby_version to < 4 (trunk = 3.1).
• prepped for release
• - Bumped ruby version to include 3.0 (trunk).
• whitespace
• I am an idiot... fixed a last-day-of-month testing bug. I don't think I've done that in 15+ years. :P
• prepped for release
• + Minitest.filter_backtrace returns original backtrace if filter comes back empty.
• Refactored positive spec tests w/ a custom assertion.
• + Return true on a successful refute. (jusleg)
• Updated rake specs for latest assertions.
• - Fixed expectation doco to not use global expectations.
• prepped for release
• Closed temporary IOs when exiting capture_subprocess_io. (doudou)
• - Added example for value wrapper with block to Expectations module. (stomar)
• Added minitest_log to known modules (BurdetteLamar)
• + Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)
• - Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)
• + Changed assert_raises to only catch Assertion since that covers Skip and friends.
• - Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)
• prepped for release
• + Deprecated Minitest::Guard#maglev?
• + Added skip_until(year, month, day, msg) to allow deferring until a deadline.
• Reworked some of metametameta to be more flexible.
• + Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.
• re-sorted assertions after path additions
• + Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)
• + Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)
• - Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)
• + Added examples to documentation for assert_raises. (lxxxvi)
• - Support new Proc#to_s format. (ko1)
• - Improved documentation for _/value/expect, especially for blocks. (svoop)
• prepped for release
• - After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.
• prepped for release
• - Fixed broken link to reference on goodness-of-fit testing. (havenwood)
• Added mini-apivore to readme.
• - Update requirements in readme and Rakefile/hoe spec.
• + Added documentation for Reporter classes. (sshaw)
• Added minitest-global_expectations to readme. (jeremyevans)
• - Avoid using 'match?' to support older ruby versions. (y-yagi)
• Tweaked multithreading section of README. (iHiD)
• prepped for release
• Reworked the \n vs \\n mu_pp_for_diff situation.
• Extended assert_mu_pp and assert_mu_pp_for_diff to auto-quote strings to make tests more grokkable.
• minor editing to comment
• Turn off parallelism on stub and spec meta tests because they hit class methods (globals)
• Added mutant-minitest to readme. (mjb)
• + Add a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)
• - Check `option[:filter]` klass before match. Fixes 2.6 warning. (y-yagi)
• Fixed 2.6 warning in test_refute_match_matcher_object by adding explicit =~ method. (y-yagi)
• Added doco for using Rake::TestTask. (schneems)
• Added minitest-mock_expectations to readme. (bogdanvlviv)
• - Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)
• minor rearrangement of requires
• Added tests for message and using message/lambad w/ assertions.
• + Changed mu_pp_for_diff to make having both \n and \\n easier to debug.
• Overhauled and sorted test_minitest_assertions.rb in prep for new mu_pp_for_diff changes.
• Split tests out into test_minitest_assertions.rb
• - Fixed Assertions#diff from recalculating if set to nil
• + Deprecated $N for specifying number of parallel test runners. Use MT_CPU.
• + Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.
• + Deprecated use of global expectations. To be removed from MT6.
• + Fail gracefully when expectation used outside of `it`.
• Converted all minitest/spec tests over to use _ to avoid deprecation warnings.
• Avoid teardown assertion check if test is skipped

↗️ tzinfo (indirect, 1.2.5 → 1.2.9) · Repo · Changelog

Release Notes

1.2.9

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

1.2.7

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
• Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

1.2.6

• Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
• Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
• Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
• Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 64 commits:

• Preparing v1.2.9.
• Remove JRuby 9.0.5.0.
• Download GlobalSign Root CA - R3 for use with older Ruby versions.
• Add 1.8.7-head, 1.9.2-p330, jruby-9.0.5.0 and ree to allow failures.
• Update to JRuby 9.2.14.0.
• Ignore generated transations that do not change the offset.
• [ci skip] Add issue number reference.
• Preparing v1.2.8.
• Update time zone test fixtures based on tzdata 2020d.
• Support "slim" zoneinfo files produced by default by zic >= 2020b.
• Use up to date Linux distros to test (where possible).
• Remove the deprecated sudo option.
• Switch to travis-ci.com.
• Update to Ruby 2.7.2 and JRuby 9.2.13.0.
• Revert "Add Ruby 2.7 on AppVeyor."
• Add Ruby 2.7 on AppVeyor.
• Stop supporting Rubinius.
• Update to Ruby 2.4.10.
• Improve grammar.
• Preparing v1.2.7.
• Update to Ruby 2.7.1.
• Revert to Ruby 2.4.9 and 2.7.0.
• Update to Ruby 2.4.10, 2.5.8, 2.6.6, 2.7.1 and JRuby 9.2.11.1.
• Use shields.io for badges.
• Update copyright years.
• Add a build status badge for AppVeyor.
• Replace broken links.
• Use https for links where available.
• Update to JRuby 9.2.11.0.
• Merge pull request #112.
• Test for just the non-existence of #untaint.
• Fix comments relating to taint/untaint removal.
• Don't rely on lexicographic version comparisons.
• Fix test failures on Ruby 1.8.7.
• Fix erroneous 'wrong number of arguments' errors on JRuby 9.0.5.0.
• `$VERBOSE = false` won't be worked since `rb_warning` is changed to `rb_warn`
• Update to Ruby 2.7.0.
• Update copyright years.
• Preparing v1.2.6.
• Replace expired gem signing certificate.
• Fix a comment.
• Ruby Enterprise Edition requires older versions of RubyGems and Bundler.
• Fix block not being called by RubyCoreSupport.open_file on JRuby 9.2.
• Revert "Try and fix an incorrect rake version being picked with JRuby 1.7."
• Try and fix an incorrect rake version being picked with JRuby 1.7.
• Convert to UNIX line endings.
• Simplify minitest version constraint.
• Update to Ruby v2.7.0-rc2.
• Run CI tests on Windows with AppVeyor.
• Enable verbose test output.
• Update Travis CI Ruby versions.
• Prevent bundler from attempting to use version minitest v5.12.0.
• Allow newer versions of Rake that fix warnings with Ruby 2.7.
• Eliminate a warning when calling File.open with keyword arguments.
• Suppress deprecation warnings due to Object#untaint on Ruby 2.7.
• Fix test failures on Ruby 1.8.7 caused by DateTime issues.
• Remove the unused REQUIRE_PATH constant from RubyDataSource.
• Fix SecurityErrors when loading data in safe mode.
• Test that RUBY_ENGINE is defined.
• Skip tests that fail due to Ruby bug 14060 on Ruby 2.4.4.
• Update to the latest Ruby, JRuby and Rubinius releases.
• Fix a documentation typo.
• Return the correct seconds since the epoch value for strftime with %s.
• Restrictions on timezones only apply to older (pre-1.9) Ruby releases.

🆕 ssrf_filter (added, 1.0.7)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #215.