Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency carrierwave to v2.2.6 [security] #403

Merged
merged 1 commit into from
Nov 22, 2024
Merged

chore(deps): update dependency carrierwave to v2.2.6 [security] #403

merged 1 commit into from
Nov 22, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 29, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
carrierwave 2.2.2 -> 2.2.6 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-49090

Impact

CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.

The validation in allowlisted_content_type? determines Content-Type permissions by performing a partial match.
If the content_type argument of allowlisted_content_type? is passed a value crafted by the attacker, Content-Types not included in the content_type_allowlist will be allowed.

In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is opened.

Patches

Upgrade to 3.0.5 or 2.2.5.

Workarounds

When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist , forward match(\A) the Content-Type set in content_type_allowlist, preventing unintentional permission of text/html;image/png when you want to allow only image/png in content_type_allowlist.

References

OWASP - File Upload Cheat Sheet

CVE-2024-29034

Impact

The vulnerability CVE-2023-49090 wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the Content-type by using Marcel::MimeType.for.

# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @​declared_content_type ||
      if @​file.respond_to?(:content_type) && @​file.content_type
        Marcel::MimeType.for(declared_type: @​file.content_type.to_s.chomp)
      end
  end
end
# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @​file.respond_to?(:content_type) && @​file.content_type
      Marcel::MimeType.for(declared_type: @​file.content_type.to_s.chomp)
    end
  end
end

References

OWASP - File Upload Cheat Sheet

Release Notes

carrierwaveuploader/carrierwave (carrierwave)

v2.2.6: 2.2.6

Compare Source

Security

v2.2.5: 2.2.5

Compare Source

Security

v2.2.4: 2.2.4

Compare Source

Fixed

v2.2.3: 2.2.3

Compare Source

Fixed

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 29, 2023
@renovate renovate bot changed the title chore(deps): update dependency carrierwave to v2.2.5 [security] chore(deps): update dependency carrierwave to v2.2.5 [security] - autoclosed Feb 24, 2024
@renovate renovate bot closed this Feb 24, 2024
@renovate renovate bot deleted the renovate/rubygems-carrierwave-vulnerability branch February 24, 2024 03:12
@renovate renovate bot changed the title chore(deps): update dependency carrierwave to v2.2.5 [security] - autoclosed chore(deps): update dependency carrierwave to v2.2.5 [security] Feb 24, 2024
@renovate renovate bot restored the renovate/rubygems-carrierwave-vulnerability branch February 24, 2024 08:08
@renovate renovate bot reopened this Feb 24, 2024
@renovate renovate bot force-pushed the renovate/rubygems-carrierwave-vulnerability branch from 9a90c48 to 4638993 Compare February 24, 2024 08:08
@renovate renovate bot changed the title chore(deps): update dependency carrierwave to v2.2.5 [security] chore(deps): update dependency carrierwave to v2.2.6 [security] Mar 25, 2024
@renovate renovate bot force-pushed the renovate/rubygems-carrierwave-vulnerability branch from 4638993 to b146bfc Compare March 25, 2024 20:12
@renovate renovate bot force-pushed the renovate/rubygems-carrierwave-vulnerability branch from b146bfc to a040446 Compare October 25, 2024 14:11
@renovate renovate bot force-pushed the renovate/rubygems-carrierwave-vulnerability branch from a040446 to 6dac8af Compare November 11, 2024 15:09
@codecov Codecov
Copy link

codecov bot commented Nov 11, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.92%. Comparing base (cfd197a) to head (6a5f71c).
Report is 2 commits behind head on staging.

Additional details and impacted files 
@@           Coverage Diff            @@
##           staging     #403   +/-   ##
========================================
  Coverage    99.92%   99.92%           
========================================
  Files          203      203           
  Lines         2714     2714           
========================================
  Hits          2712     2712           
  Misses           2        2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚨 Try these New Features:

@renovate renovate bot force-pushed the renovate/rubygems-carrierwave-vulnerability branch from 6dac8af to 6a5f71c Compare November 22, 2024 01:00
@lodewiges lodewiges added this pull request to the merge queue Nov 22, 2024
Merged via the queue into staging with commit fc879bc Nov 22, 2024
5 checks passed
@lodewiges lodewiges deleted the renovate/rubygems-carrierwave-vulnerability branch November 22, 2024 09:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lodewiges lodewiges lodewiges approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file status:ready to merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@lodewiges