Update dependency carrierwave to v2.2.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
carrierwave	2.2.5 -> 2.2.6

GitHub Vulnerability Alerts

CVE-2024-29034

Impact

The vulnerability CVE-2023-49090 wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the Content-type by using Marcel::MimeType.for.

# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @​declared_content_type ||
      if @​file.respond_to?(:content_type) && @​file.content_type
        Marcel::MimeType.for(declared_type: @​file.content_type.to_s.chomp)
      end
  end
end

# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @​file.respond_to?(:content_type) && @​file.content_type
      Marcel::MimeType.for(declared_type: @​file.content_type.to_s.chomp)
    end
  end
end

References

OWASP - File Upload Cheat Sheet

---

Release Notes

carrierwaveuploader/carrierwave (carrierwave)

v2.2.6: 2.2.6

Compare Source

Security

• Fix Content-Type allowlist bypass vulnerability remained (@​mshibuya 4317871, GHSA-vfmv-jfc5-pjjw)

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.