Moderate severity · NVD Advisory · Published Jan 14, 2023 · Updated Apr 7, 2025
Insecure Storage of Sensitive Information in publify/publify
CVE-2022-2815
Description
Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| publify_core (RubyGems) | < 9.2.10 | 9.2.10 |
Affected products
- Range: unspecified
Patches
33f897c12b6e Strip EXIF data from resource uploads
4 files changed · +50 −1
app/uploaders/resource_uploader.rb+20 −1 modified@@ -4,7 +4,10 @@ class ResourceUploader < CarrierWave::Uploader::Base include CarrierWave::MiniMagick - before :cache, :check_content_type! + before :process, :check_content_type! + + process :fix_exif_rotation, if: :image? + process :strip, if: :image? def content_type_allowlist [%r{image/}, %r{audio/}, %r{video/}, "text/plain"] @@ -32,6 +35,22 @@ def dynamic_resize_to_fit(size) resize_to_fit(resize_setting, resize_setting) end + def strip + manipulate! do |img| + img.strip + img = yield(img) if block_given? + img + end + end + + def fix_exif_rotation + manipulate! do |img| + img.auto_orient + img = yield(img) if block_given? + img + end + end + def image?(new_file) content_type = new_file.content_type content_type&.include?("image")
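Review bot: In the second hunk of app/uploaders/resource_uploader.rb, `process :fix_exif_rotation` and `process :strip` are gated on `image?`, which is just `content_type&.include?("image")`, so only image uploads lose their metadata; the `content_type_allowlist` in the same file also admits `audio/` and `video/` files, and those keep whatever tags their containers carry. Say so in the commit message or open a follow-up for non-image resources. The callback order is right as written (`fix_exif_rotation` before `strip`, so `auto_orient` still sees the Orientation tag before `strip` removes it); a one-line comment on that dependency would stop a later reorder from silently breaking rotation. Note also that `image?` matches `image/svg+xml`, so SVG uploads now go through MiniMagick's `strip` and `auto_orient` as well; the existing "dangerous svg" context in the spec should keep covering that path.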
lib/publify_core/testing_support/fixtures/testfile.jpg+0 −0 addedManifest.txt+1 −0 modified@@ -421,6 +421,7 @@ lib/publify_core/testing_support/fixtures/exploit.svg lib/publify_core/testing_support/fixtures/fakepng.png lib/publify_core/testing_support/fixtures/just_some.html lib/publify_core/testing_support/fixtures/otherfile.txt +lib/publify_core/testing_support/fixtures/testfile.jpg lib/publify_core/testing_support/fixtures/testfile.png lib/publify_core/testing_support/fixtures/testfile.txt lib/publify_core/testing_support/upload_fixtures.rb
spec/controllers/admin/resources_controller_spec.rb+29 −0 modified@@ -88,6 +88,35 @@ end end + context "when uploading an image file with exif data" do + let(:upload) { file_upload("testfile.jpg", "image/jpeg") } + + it "creates a new Resource" do + expect { post :upload, params: { upload: upload } }. + to change(Resource, :count).by(1) + end + + it "strips EXIF data" do + post :upload, params: { upload: upload } + resource = Resource.last + img = MiniMagick::Image.open resource.upload.file.file + expect(img.exif).to be_empty + end + + it "sets the content type correctly" do + post :upload, params: { upload: upload } + expect(Resource.last.mime).to eq "image/jpeg" + end + + it "sets the flash to success" do + post :upload, params: { upload: upload } + aggregate_failures do + expect(flash[:success]).not_to be_nil + expect(flash[:warning]).to be_nil + end + end + end + context "when attempting to upload a dangerous svg" do let(:upload) { file_upload("exploit.svg", "image/svg") }
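Review bot: The "strips EXIF data" example in spec/controllers/admin/resources_controller_spec.rb asserts that `img.exif` is empty after the upload but never checks that `testfile.jpg` carried EXIF to begin with, so the test would keep passing if the fixture were ever replaced by a clean file or the `strip` callback were removed. Open the fixture with `MiniMagick::Image.open` before the `post` and assert its `exif` is not empty, then keep the `be_empty` assertion on the stored file; that way the test proves the callback did the work rather than that the fixture happened to be clean.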
af69097d349f Strip EXIF data from resource uploads
4 files changed · +50 −1
publify_core/app/uploaders/resource_uploader.rb+20 −1 modified@@ -4,7 +4,10 @@ class ResourceUploader < CarrierWave::Uploader::Base include CarrierWave::MiniMagick - before :cache, :check_content_type! + before :process, :check_content_type! + + process :fix_exif_rotation, if: :image? + process :strip, if: :image? def content_type_allowlist [%r{image/}, %r{audio/}, %r{video/}, "text/plain"] @@ -32,6 +35,22 @@ def dynamic_resize_to_fit(size) resize_to_fit(resize_setting, resize_setting) end + def strip + manipulate! do |img| + img.strip + img = yield(img) if block_given? + img + end + end + + def fix_exif_rotation + manipulate! do |img| + img.auto_orient + img = yield(img) if block_given? + img + end + end + def image?(new_file) content_type = new_file.content_type content_type&.include?("image")
publify_core/lib/publify_core/testing_support/fixtures/testfile.jpg+0 −0 addedpublify_core/Manifest.txt+1 −0 modified@@ -421,6 +421,7 @@ lib/publify_core/testing_support/fixtures/exploit.svg lib/publify_core/testing_support/fixtures/fakepng.png lib/publify_core/testing_support/fixtures/just_some.html lib/publify_core/testing_support/fixtures/otherfile.txt +lib/publify_core/testing_support/fixtures/testfile.jpg lib/publify_core/testing_support/fixtures/testfile.png lib/publify_core/testing_support/fixtures/testfile.txt lib/publify_core/testing_support/upload_fixtures.rb
publify_core/spec/controllers/admin/resources_controller_spec.rb+29 −0 modified@@ -88,6 +88,35 @@ end end + context "when uploading an image file with exif data" do + let(:upload) { file_upload("testfile.jpg", "image/jpeg") } + + it "creates a new Resource" do + expect { post :upload, params: { upload: upload } }. + to change(Resource, :count).by(1) + end + + it "strips EXIF data" do + post :upload, params: { upload: upload } + resource = Resource.last + img = MiniMagick::Image.open resource.upload.file.file + expect(img.exif).to be_empty + end + + it "sets the content type correctly" do + post :upload, params: { upload: upload } + expect(Resource.last.mime).to eq "image/jpeg" + end + + it "sets the flash to success" do + post :upload, params: { upload: upload } + aggregate_failures do + expect(flash[:success]).not_to be_nil + expect(flash[:warning]).to be_nil + end + end + end + context "when attempting to upload a dangerous svg" do let(:upload) { file_upload("exploit.svg", "image/svg") }
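Review bot: The first hunk of publify_core/app/uploaders/resource_uploader.rb moves `check_content_type!` from `before :cache` to `before :process` and neither the commit message nor a code comment says why. The new `process :fix_exif_rotation` and `process :strip` callbacks hand the file to MiniMagick, so the allowlist check has to run before any `process` callback fires; if that is the reason for the move, put it in a comment next to the hook, and add a spec that a file with a disallowed content type is rejected before it reaches `strip` (the `fakepng.png` and `exploit.svg` fixtures already listed in Manifest.txt look like the right inputs).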
Vulnerability mechanics
Before 9.2.10, `ResourceUploader` (app/uploaders/resource_uploader.rb) wrote image uploads to storage exactly as received. Images produced by cameras and phones carry EXIF metadata, which can include GPS coordinates, capture time, device make and model, and an embedded preview thumbnail; because the uploader kept that metadata, it was stored with the resource and served to anyone who fetched the image from the blog (CWE-922, Insecure Storage of Sensitive Information). The fix, applied identically in publify_core and the publify monorepo, registers two CarrierWave `process` callbacks for image uploads: `fix_exif_rotation` bakes the EXIF Orientation tag into the pixel data with MiniMagick `auto_orient`, and `strip` then removes all metadata with MiniMagick `strip`; running them in that order keeps the displayed rotation while discarding the tags. The accompanying spec uploads a JPEG fixture with EXIF data and asserts that the stored file's `exif` hash is empty. The diff only adds processing at upload time; files already on disk before the upgrade are not reprocessed by this change.
References
- github.com/advisories/GHSA-79wq-g4v9-gfj4 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-2815 (GHSA, ADVISORY)
- github.com/publify/publify/commit/af69097d349f4c00f244c51cd3c3e937fd3387cd (GHSA, WEB)
- github.com/publify/publify_core/commit/33f897c12b6efdcdfd8cf9df924deba0f878b71e (GHSA, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2022-2815.yml (GHSA, WEB)
- huntr.dev/bounties/22fdcc39-8c1a-4e4c-8eae-be3fd764f8b4 (GHSA, WEB)