Closed: renovate[bot] closed this PR 4 days ago
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 99.92%. Comparing base (cfd197a) to head (6a5f71c). Report is 2 commits behind head on staging.
This PR contains the following updates:
carrierwave: `2.2.2` -> `2.2.6`
GitHub Vulnerability Alerts
CVE-2023-49090
Impact
`CarrierWave::Uploader::ContentTypeAllowlist` has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.
The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is opened.
Patches
Upgrade to 3.0.5 or 2.2.5.
Workarounds
When validating with `allowlisted_content_type?` in `CarrierWave::Uploader::ContentTypeAllowlist`, forward match (`\A`) the Content-Type set in `content_type_allowlist`, preventing unintentional permission of `text/html;image/png` when you want to allow only `image/png` in `content_type_allowlist`.
References
OWASP - File Upload Cheat Sheet
CVE-2024-29034
Impact
The vulnerability CVE-2023-49090 wasn't fully addressed.
This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.
Patches
Upgrade to 3.0.7 or 2.2.6.
Workarounds
Use the following monkey patch to let CarrierWave parse the Content-Type by using `Marcel::MimeType.for`.
References
OWASP - File Upload Cheat Sheet
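As an added illustration (not CarrierWave's own code, and not the monkey patch the advisory refers to), the Ruby below contrasts the three checks the two advisories describe: the partial (unanchored) match behind CVE-2023-49090, the forward-anchored `\A` match given as its workaround, and a strict single-value check combined with a magic-byte sniff in the spirit of the CVE-2024-29034 workaround. The allowlist holds plain strings only (CarrierWave also accepts regexes), the header values and file bytes are constructed for the demo, and the small sniffer is a stand-in for `Marcel::MimeType.for` that recognises only PNG and JPEG signatures.

```ruby
# Added example, not CarrierWave's own code. Models the allowlist checks
# described in CVE-2023-49090 / CVE-2024-29034; allowlist, header values
# and file bytes below are constructed for the demo.

ALLOWLIST = ['image/png', 'image/jpeg'].freeze

# Vulnerable shape: the allowlisted type may appear anywhere in the header.
def partial_match_allowed?(content_type, allowlist = ALLOWLIST)
  allowlist.any? { |item| content_type.to_s.match?(/#{Regexp.quote(item)}/) }
end

# Workaround shape (\A): the allowlisted type must start the header value.
def anchored_allowed?(content_type, allowlist = ALLOWLIST)
  allowlist.any? { |item| content_type.to_s.match?(/\A#{Regexp.quote(item)}/) }
end

# Strict shape: exactly one media type, no parameters, no comma-separated
# list, compared case-insensitively over the whole string.
def strict_allowed?(content_type, allowlist = ALLOWLIST)
  value = content_type.to_s.strip
  return false if value.empty? || value.include?(',') || value.include?(';')

  allowlist.any? { |item| value.casecmp?(item) }
end

# Stand-in for Marcel::MimeType.for: derive the type from the bytes rather
# than from the client-supplied header. Only PNG and JPEG are recognised.
PNG_MAGIC  = "\x89PNG\r\n\x1a\n".b.freeze
JPEG_MAGIC = "\xFF\xD8\xFF".b.freeze

def sniffed_type(bytes)
  data = bytes.to_s.b
  return 'image/png'  if data.start_with?(PNG_MAGIC)
  return 'image/jpeg' if data.start_with?(JPEG_MAGIC)

  nil
end

# Accept an upload only when the declared type is a single allowlisted value
# AND the file's bytes actually carry that type's signature.
def upload_allowed?(declared_type, bytes, allowlist = ALLOWLIST)
  strict_allowed?(declared_type, allowlist) &&
    sniffed_type(bytes) == declared_type.to_s.strip.downcase
end

# Runs the three header checks over the header shapes the advisories mention.
def compare_checks
  headers = [
    'image/png',            # legitimate single value
    'text/html;image/png',  # CVE-2023-49090: allowlisted type embedded later
    'image/png, text/html'  # CVE-2024-29034: comma-separated list
  ]
  headers.map do |h|
    [h, { partial: partial_match_allowed?(h),
          anchored: anchored_allowed?(h),
          strict: strict_allowed?(h) }]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each { |h, r| puts "#{h.inspect}: #{r}" }
  png  = PNG_MAGIC + 'constructed-png-body'.b
  html = '<!doctype html><p>not an image</p>'.b
  puts "png bytes declared image/png  -> #{upload_allowed?('image/png', png)}"
  puts "html bytes declared image/png -> #{upload_allowed?('image/png', html)}"
end
```

Running it shows the progression: `text/html;image/png` passes only the partial match, while `image/png, text/html` still passes the anchored match (the gap CVE-2024-29034 describes) and is rejected only by the strict check. `upload_allowed?` adds the second line of defence the advisory's `Marcel::MimeType.for` workaround points at: HTML bytes declared as `image/png` are refused regardless of what the header says.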
Release Notes
carrierwaveuploader/carrierwave (carrierwave)
### [`v2.2.6`](https://redirect.github.com/carrierwaveuploader/carrierwave/releases/tag/v2.2.6): 2.2.6

[Compare Source](https://redirect.github.com/carrierwaveuploader/carrierwave/compare/v2.2.5...v2.2.6)

##### Security

- Fix Content-Type allowlist bypass vulnerability remained ([@mshibuya](https://redirect.github.com/mshibuya) [4317871](https://redirect.github.com/carrierwaveuploader/carrierwave/commit/431787193795dda9b01a0ee748bd93e2ec7101c2), [GHSA-vfmv-jfc5-pjjw](https://redirect.github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw))

### [`v2.2.5`](https://redirect.github.com/carrierwaveuploader/carrierwave/releases/tag/v2.2.5): 2.2.5

[Compare Source](https://redirect.github.com/carrierwaveuploader/carrierwave/compare/v2.2.4...v2.2.5)

##### Security

- Fix Content-Type allowlist bypass vulnerability, possibly leading to XSS ([@mshibuya](https://redirect.github.com/mshibuya) [39b282d](https://redirect.github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5), [GHSA-gxhx-g4fq-49hj](https://redirect.github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj))

### [`v2.2.4`](https://redirect.github.com/carrierwaveuploader/carrierwave/releases/tag/v2.2.4): 2.2.4

[Compare Source](https://redirect.github.com/carrierwaveuploader/carrierwave/compare/v2.2.3...v2.2.4)

##### Fixed

- Fix Ruby 2.7 keyword argument warning in uploader process ([@SuperTux88](https://redirect.github.com/SuperTux88) [#2665](https://redirect.github.com/carrierwaveuploader/carrierwave/pull/2665), [#2636](https://redirect.github.com/carrierwaveuploader/carrierwave/pull/2636), [#2635](https://redirect.github.com/carrierwaveuploader/carrierwave/issues/2635))

### [`v2.2.3`](https://redirect.github.com/carrierwaveuploader/carrierwave/releases/tag/v2.2.3): 2.2.3

[Compare Source](https://redirect.github.com/carrierwaveuploader/carrierwave/compare/v2.2.2...v2.2.3)

##### Fixed

- Add workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 ([@mshibuya](https://redirect.github.com/mshibuya) [c74579d](https://redirect.github.com/carrierwaveuploader/carrierwave/commit/c74579d382ad124193e80cc5af71824a23de57e6), [#2628](https://redirect.github.com/carrierwaveuploader/carrierwave/issues/2628))
- Add workaround for the API change in ssrf_filter 1.1 ([@BrianHawley](https://redirect.github.com/BrianHawley) [#2629](https://redirect.github.com/carrierwaveuploader/carrierwave/pull/2629), [#2625](https://redirect.github.com/carrierwaveuploader/carrierwave/issues/2625))

Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.