CVE-2023-49090 (carrierwave): CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS

Ruby Security Advisory

### Impact
[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb)
has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.

The validation in `allowlisted_content_type?` determines Content-Type
permissions by performing a partial match.
If the `content_type` argument of `allowlisted_content_type?` is passed
a value crafted by the attacker, Content-Types not included in the
`content_type_allowlist` will be allowed.

In addition, by setting the Content-Type configured by the attacker
at the time of file delivery, it is possible to cause XSS on the
user’s browser when the uploaded file is opened.

### Patches
Upgrade to [3.0.5](https://rubygems.org/gems/carrierwave/versions/3.0.5)
or [2.2.5](https://rubygems.org/gems/carrierwave/versions/2.2.5).

### Workarounds
When validating with `allowlisted_content_type?` in
[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb),
anchor the match to the start of the string (`\A`) for each Content-Type set in
`content_type_allowlist`, so that `text/html;image/png` is not unintentionally
permitted when you want to allow only `image/png` in `content_type_allowlist`.
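Modelled on the advisory's description, as an added example (not CarrierWave's own code): the partial-match check beside its start-anchored counterpart, run over constructed Content-Type values. The method names and sample values are assumptions, not the gem's API.

```ruby
# Added example (not CarrierWave's own code): a minimal model of the
# partial-match check described in the advisory beside an anchored
# variant, so the bypass and the workaround can be compared directly.

# Vulnerable shape: each allowlist entry is matched anywhere in the
# supplied Content-Type, so "text/html;image/png" satisfies "image/png".
def partial_match_allowed?(content_type, allowlist)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type =~ /#{item}/
  end
end

# Hardened shape: the match is anchored to the start of the string (\A),
# as the advisory's workaround suggests, so "text/html;image/png" no
# longer satisfies an allowlist of "image/png".
def anchored_match_allowed?(content_type, allowlist)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type =~ /\A#{item}/
  end
end

# Constructed sample Content-Type values used to exercise both checks.
SAMPLE_CONTENT_TYPES = [
  "image/png",                # legitimate
  "text/html;image/png",      # crafted value named in the advisory
  "image/png;charset=utf-8",  # legitimate with a trailing parameter
  "text/html",                # plainly outside the allowlist
].freeze

if __FILE__ == $0
  allowlist = ["image/png"]
  SAMPLE_CONTENT_TYPES.each do |ct|
    printf("%-28s partial=%-5s anchored=%s\n", ct.inspect,
           !!partial_match_allowed?(ct, allowlist),
           !!anchored_match_allowed?(ct, allowlist))
  end
end
```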

### References
[OWASP – File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)
