Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
= CarrierWave
http://carrierwave.rubyforge.org
== Summary
This plugin for Merb and Rails provides a simple and extremely flexible way to upload files.
== Description
== Getting Started
Install the latest stable release:
[sudo] gem install carrierwave
In Merb, add it as a dependency to your config/dependencies.rb:
dependency 'carrierwave'
In Rails, add it to your environment.rb:
config.gem "carrierwave"
== Quick Start
Start off by generating an uploader:
merb-gen uploader Avatar
or in Rails:
script/generate uploader Avatar
this should give you a file in:
app/uploaders/avatar_uploader.rb
Check out this file for some hints on how you can customize your uploader. It should look something like this:
class AvatarUploader < CarrierWave::Uploader::Base
storage :file
end
You can use your uploader class to store and retrieve files like this:
uploader = AvatarUploader.new
uploader.store!(my_file)
uploader.retrieve_from_store!('my_file.png')
CarrierWave gives you a +store+ for permanent storage, and a +cache+ for temporary storage. You can use different stores, at the moment a filesystem store, an Amazon S3 store, a Rackspace Cloud Files store, and a store for MongoDB's GridFS are bundled.
Most of the time you are going to want to use CarrierWave together with an ORM. It is quite simple to mount uploaders on columns in your model, so you can simply assign files and get going:
=== ActiveRecord, DataMapper, Sequel, MongoMapper
Make sure you are loading CarrierWave after loading your ORM, otherwise you'll need to require the relevant extension manually, e.g.:
require 'carrierwave/orm/activerecord'
Add a string column to the model you want to mount the uploader on:
add_column :user, :avatar, :string
Open your model file and mount the uploader:
class User
mount_uploader :avatar, AvatarUploader
end
This works the same with all supported ORMs.
Now you can cache files by assigning them to the attribute, they will automatically be stored when the record is saved.
u = User.new
u.avatar = params[:file]
u.avatar = File.open('somewhere')
u.save!
u.avatar.url # => '/url/to/file.png'
u.avatar.current_path # => 'path/to/file.png'
== Changing the storage directory
In order to change where uploaded files are put, just override the +store_dir+ method:
class MyUploader < CarrierWave::Uploader::Base
def store_dir
'public/my/upload/directory'
end
end
This works for the file storage as well as Amazon S3 and Rackspace Cloud Files. Define +store_dir+ as +nil+ if you'd like to store files at the root level.
== Securing uploads
Certain file might be dangerous if uploaded to the wrong location, such as php files or other script files. CarrierWave allows you to specify a white-list of allowed extensions.
If you're mounting the uploader, uploading a file with the wrong extension will make the record invalid instead. Otherwise, an error is raised.
class MyUploader < CarrierWave::Uploader::Base
def extension_white_list
%w(jpg jpeg gif png)
end
end
== Adding versions
Often you'll want to add different versions of the same file. The classic example is image thumbnails. There is built in support for this:
class MyUploader < CarrierWave::Uploader::Base
include CarrierWave::RMagick
process :resize_to_fit => [800, 800]
version :thumb do
process :resize_to_fill => [200,200]
end
end
When this uploader is used, an uploaded image would be scaled to be no larger than 800 by 800 pixels. A version called thumb is then created, which is scaled and cropped to exactly 200 by 200 pixels. The uploader could be used like this:
uploader = AvatarUploader.new
uploader.store!(my_file) # size: 1024x768
uploader.url # => '/url/to/my_file.png' # size: 800x600
uploader.thumb.url # => '/url/to/thumb_my_file.png' # size: 200x200
One important thing to remember is that process is called before versions are created. This can cut down on processing cost.
It is possible to nest versions within versions:
class MyUploader < CarrierWave::Uploader::Base
version :animal do
version :human
version :monkey
version :llama
end
end
== Making uploads work across form redisplays
Often you'll notice that uploaded files disappear when a validation fails. CarrierWave has a feature that makes it easy to remember the uploaded file even in that case. Suppose your +user+ model has an uploader mounted on +avatar+ file, just add a hidden field called +avatar_cache+. In Rails, this would look like this:
<% form_for @user, :html => {:multipart => true} do |f| %>
<p>
<label>My Avatar</label>
<%= f.file_field :avatar %>
<%= f.hidden_field :avatar_cache %>
</p>
<% end %>
It might be a good idea to show the user that a file has been uploaded, in the case of images, a small thumbnail would be a good indicator:
<% form_for @user, :html => {:multipart => true} do |f| %>
<p>
<label>My Avatar</label>
<%= image_tag(@user.avatar_url) if @user.avatar? %>
<%= f.file_field :avatar %>
<%= f.hidden_field :avatar_cache %>
</p>
<% end %>
== Removing uploaded files
If you want to remove a previously uploaded file on a mounted uploader, you can easily add a checkbox to the form which will remove the file when checked.
<% form_for @user, :html => {:multipart => true} do |f| %>
<p>
<label>My Avatar</label>
<%= image_tag(@user.avatar_url) if @user.avatar? %>
<%= f.file_field :avatar %>
</p>
<p>
<label>
<%= f.check_box :remove_avatar %>
Remove avatar
</label>
</p>
<% end %>
If you want to remove the file manually, you can call remove_avatar!
.
== Uploading files from a remote location
Your users may find it convenient to upload a file from a location on the Internet via a URL. CarrierWave makes this simple, just add the appropriate column to your form and you're good to go:
<% form_for @user, :html => {:multipart => true} do |f| %>
<p>
<label>My Avatar URL:</label>
<%= image_tag(@user.avatar_url) if @user.avatar? %>
<%= f.text_field :remote_avatar_url %>
</p>
<% end %>
== Providing a default URL
In many cases, especially when working with images, it might be a good idea to provide a default url, a fallback in case no file has been uploaded. You can do this easily by overriding the +default_url+ method in your uploader:
class MyUploader < CarrierWave::Uploader::Base
def default_url
"/images/fallback/" + [version_name, "default.png"].compact.join('_')
end
end
== Configuring CarrierWave
CarrierWave has a broad range of configuration options, which you can configure, both globally and on a per-uploader basis:
CarrierWave.configure do |config|
config.permissions = 0666
config.storage = :s3
end
Or alternatively:
class AvatarUploader < CarrierWave::Uploader::Base
permissions 0777
end
== Testing CarrierWave
It's a good idea to test you uploaders in isolation. In order to speed up your tests, it's recommended to switch off processing in your tests, and to use the file storage. In Rails you could do that by adding an initializer with:
if Rails.env.test? or Rails.env.cucumber?
CarrierWave.configure do |config|
config.storage = :file
config.enable_processing = false
end
end
If you need to test your processing, you should test it in isolation, and enable processing only for those tests that need it.
CarrierWave comes with some RSpec matchers which you may find useful:
require 'carrierwave/test/matchers'
describe MyUploader do
before do
MyUploader.enable_processing = true
@uploader = MyUploader.new(@user, :avatar)
@uploader.store!(File.open(path_to_file))
end
after do
MyUploader.enable_processing = false
end
context 'the thumb version' do
it "should scale down a landscape image to be exactly 64 by 64 pixels" do
@uploader.thumb.should have_dimensions(64, 64)
end
end
context 'the small version' do
it "should scale down a landscape image to fit within 200 by 200 pixels" do
@uploader.small.should be_no_larger_than(200, 200)
end
end
it "should make the image readable only to the owner and not executable" do
@uploader.should have_permissions(0600)
end
end
== Using Amazon S3
Older versions of CarrierWave used the +aws-s3+ and +right_aws+ libraries. The Aws[http://github.com/appoxy/aws] is now used meaning european buckets are supported out the box. Ensure you have it installed:
gem install aws
You'll need to configure a bucket, access id and secret key like this:
CarrierWave.configure do |config|
config.s3_access_key_id = 'xxxxxx'
config.s3_secret_access_key = 'xxxxxx'
config.s3_bucket = 'name_of_bucket'
end
Do this in an initializer in Rails, and in a +before_app_loads+ block in Merb.
And then in your uploader, set the storage to :s3
class AvatarUploader < CarrierWave::Uploader::Base
storage :s3
end
That's it! You can still use the CarrierWave::Uploader#url
method to return
the url to the file on Amazon S3.
== Using Rackspace Cloud Files
Cloud Files support requires a {Rackspace Cloud}[http://rackspacecloud.com] username and API key. You must also create a container for Carrierwave to use, and mark it public (publish it to the CDN)
CarrierWave.configure do |config|
config.cloud_files_username = 'xxxxxx'
config.cloud_files_api_key = 'xxxxxxxxxxxxxxxxxxxxx'
config.cloud_files_container = 'name_of_bucket'
end
Do this in an initializer in Rails, and in a +before_app_loads+ block in Merb.
And then in your uploader, set the storage to :cloud_files
class AvatarUploader < CarrierWave::Uploader::Base
storage :cloud_files
end
That's it! You can still use the CarrierWave::Uploader#url
method to return
the url to the file on the Cloud Files CDN.
== Using MongoDB's GridFS store
You'll need to configure the database and host to use:
CarrierWave.configure do |config|
config.grid_fs_database = 'my_mongo_database'
config.grid_fs_host = 'mongo.example.com'
end
The defaults are 'carrierwave' and 'localhost'.
And then in your uploader, set the storage to :grid_fs
:
class AvatarUploader < CarrierWave::Uploader::Base
storage :grid_fs
end
Since GridFS doesn't make the files available via HTTP, you'll need to stream them yourself. In Rails for example, you could use the +send_data+ method. You can tell CarrierWave the URL you will serve your images from, allowing it to generate the correct URL, by setting eg:
CarrierWave.configure do |config|
config.grid_fs_access_url = "/image/show"
end
== Using RMagick
If you're uploading images, you'll probably want to manipulate them in some way, you might want to create thumbnail images for example. CarrierWave comes with a small library to make manipulating images with RMagick easier, you'll need to include it in your Uploader:
class AvatarUploader < CarrierWave::Uploader::Base
include CarrierWave::RMagick
end
The RMagick module gives you a few methods, like
CarrierWave::RMagick#resize_to_fill
which manipulate the image file in some
way. You can set a +process+ callback, which will call that method any time a
file is uploaded.
class AvatarUploader < CarrierWave::Uploader::Base
include CarrierWave::RMagick
process :resize_to_fill => [200, 200]
process :convert => 'png'
def filename
super + '.png'
end
end
Check out the manipulate! method, which makes it easy for you to write your own manipulation methods.
== Using ImageScience
ImageScience works the same way as RMagick.
class AvatarUploader < CarrierWave::Uploader::Base
include CarrierWave::ImageScience
process :resize_to_fill => [200, 200]
end
== Using MiniMagick
MiniMagick is similar to RMagick but performs all the operations using the 'mogrify' command which is part of the standard ImageMagick kit. This allows you to have the power of ImageMagick without having to worry about installing all the RMagick libraries.
See the MiniMagick site for more details:
http://github.com/probablycorey/mini_magick
And the ImageMagick command line options for more for whats on offer:
http://www.imagemagick.org/script/command-line-options.php
Currently, the MiniMagick carrierwave processor provides exactly the same methods as for the RMagick processor.
class AvatarUploader < CarrierWave::Uploader::Base
include CarrierWave::MiniMagick
process :resize_to_fill => [200, 200]
end
== Migrating
If you are using Paperclip, you can use the provided compatibility module:
class AvatarUploader < CarrierWave::Uploader::Base
include CarrierWave::Compatibility::Paperclip
end
See the documentation for Paperclip::Compatibility::Paperclip
for more
detaills.
Be sure to use mount_on to specify the correct column:
mount_uploader :avatar, AvatarUploader, :mount_on => :avatar_file_name
Unfortunately AttachmentFoo differs too much in philosophy for there to be a sensible compatibility mode. Patches for migrating from other solutions will be happily accepted.
== i18n
The activerecord validations use the Rails i18n framework. Add these keys to your translations file:
carrierwave:
errors:
integrity: 'Not an image.'
processing: 'Cannot resize image.'
== Contributors
These people have contributed their time and effort to CarrierWave:
== License
Copyright (c) 2008 Jonas Nicklas
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
== Development
If you want to run the tests (and you should) it might be convenient to install the development dependencies, you can do that with:
sudo gem install carrierwave --development
CarrierWave is still young, but most of it is pretty well documented. It is also extensively specced, and there are cucumber features for some common use cases. Just dig in and look at the source for more in-depth explanation of what things are doing.
Issues are reported on GitHub, pull requests are very welcome!
FAQs
Unknown package
We found that carrierwave-rails3 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.