🚨 [security] [ruby] Update carrierwave 3.0.6 → 3.0.7 (patch) (!252) · Merge requests · MiRiGaN / Erebor

Depfu Bot requested to merge depfu/update/carrierwave-3.0.7 into main Mar 27, 2024

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ carrierwave (3.0.6 → 3.0.7) · Repo · Changelog

Security Advisories 🚨

🚨 CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained

Impact

The vulnerability CVE-2023-49090
wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to
object storage, including Amazon S3, it is possible to set a
Content-Type value that is interpreted by browsers to be different
from what's allowed by content_type_allowlist, by providing
multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the
Content-type by using Marcel::MimeType.for.
# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @declared_content_type ||
      if @file.respond_to?(:content_type) && @file.content_type
        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
      end
  end
end
# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @file.respond_to?(:content_type) && @file.content_type
      Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
    end
  end
end
References

OWASP - File Upload Cheat Sheet

Release Notes

3.0.7

Security

Fix Content-Type allowlist bypass vulnerability remained (@mshibuya 00676e2, GHSA-vfmv-jfc5-pjjw)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase

Rebases against your default branch and redoes this update

@depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@depfu cancel merge

Cancels automatic merging of this PR

@depfu close

Closes this PR and deletes the branch

@depfu reopen

Restores the branch and reopens this PR (if it's closed)

@depfu pause

Ignores all future updates for this dependency and closes this PR

@depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

🚨 [security] [ruby] Update carrierwave 3.0.6 → 3.0.7 (patch)

What changed?

✳️ carrierwave (3.0.6 → 3.0.7) · Repo · Changelog

🚨 CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained

Impact

Patches

Workarounds

References

3.0.7

Security

Merge request reports