Update dependency carrierwave to v2.2.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
carrierwave	2.2.0 -> 2.2.6

GitHub Vulnerability Alerts

CVE-2023-49090

Impact

CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.

The validation in allowlisted_content_type? determines Content-Type permissions by performing a partial match.
If the content_type argument of allowlisted_content_type? is passed a value crafted by the attacker, Content-Types not included in the content_type_allowlist will be allowed.

In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is opened.

Patches

Upgrade to 3.0.5 or 2.2.5.

Workarounds

When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist , forward match(\A) the Content-Type set in content_type_allowlist, preventing unintentional permission of text/html;image/png when you want to allow only image/png in content_type_allowlist.

References

OWASP - File Upload Cheat Sheet

CVE-2024-29034

Impact

The vulnerability CVE-2023-49090 wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the Content-type by using Marcel::MimeType.for.

# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @​declared_content_type ||
      if @​file.respond_to?(:content_type) && @​file.content_type
        Marcel::MimeType.for(declared_type: @​file.content_type.to_s.chomp)
      end
  end
end

# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @​file.respond_to?(:content_type) && @​file.content_type
      Marcel::MimeType.for(declared_type: @​file.content_type.to_s.chomp)
    end
  end
end

References

OWASP - File Upload Cheat Sheet

---

Release Notes

carrierwaveuploader/carrierwave (carrierwave)

v2.2.6: 2.2.6

Compare Source

Security

• Fix Content-Type allowlist bypass vulnerability remained (@​mshibuya 4317871, GHSA-vfmv-jfc5-pjjw)

v2.2.5: 2.2.5

Compare Source

Security

• Fix Content-Type allowlist bypass vulnerability, possibly leading to XSS (@​mshibuya 39b282d, GHSA-gxhx-g4fq-49hj)

v2.2.4: 2.2.4

Compare Source

Fixed

• Fix Ruby 2.7 keyword argument warning in uploader process (@​SuperTux88 #​2665, #​2636, #​2635)

v2.2.3: 2.2.3

Compare Source

Fixed

• Add workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@​mshibuya c74579d, #​2628)
• Add workaround for the API change in ssrf_filter 1.1 (@​BrianHawley #​2629, #​2625)

v2.2.2: 2.2.2

Compare Source

Fixed

• Fix no implicit conversion of CSV into String error when parsing a CSV object (@​pjmartorell #​2562, #​2559)

v2.2.1: 2.2.1

Compare Source

Changed

• Replace mimemagic with marcel due to licensing concern (@​pjmartorell #​2551, #​2548)

Fixed

• Fog storage's #clean_cache! breaks when non-cache objects exist in cache_dir (@​mshibuya 42c620a1, #​2532)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

[17:43:21.308] INFO (923): Installing tool ruby@2.6.3...
installing v2 tool ruby v2.6.3
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.6.3/ruby-2.6.3-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.6.3/ruby-2.6.3-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.6.3/ruby-2.6.3-jammy-x86_64.tar.xz
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.6.3/ruby-2.6.3-jammy-x86_64.tar.xz
[17:43:22.945] INFO (992): Downloading file ...
    url: "https://github.com/containerbase/ruby-prebuild/releases/download/2.6.3/ruby-2.6.3-jammy-x86_64.tar.xz"
    output: "/tmp/renovate/cache/containerbase/a2b7bf179a08cb5071f4ea059d3882dbab163ac3364681e8dbb0684386a1c88d/ruby-2.6.3-jammy-x86_64.tar.xz"
[17:43:23.206] ERROR (992): Response code 404 (Not Found)
[17:43:23.206] FATAL (992): Download failed in 262ms.
[17:43:23.279] ERROR (923): Command failed with exit code 1: /usr/local/containerbase/bin/install-tool.sh ruby 2.6.3
[17:43:23.280] FATAL (923): Install tool ruby failed in 1.9s.