Original report: https://hackerone.com/reports/1154034
Rails advisory: https://discuss.rubyonrails.org/t/cve-2022-21831-possible-code-injection-vulnerability-in-rails-active-storage/80199
Blogpost: https://blog.convisoappsec.com/en/cve-2022-21831-overview-of-the-security-issues-we-found-in-railss-image-processing-api/
If the report is eligible for a bounty, please split it equally between me and @rsilva, if possible.
Vulnerable code patterns in Active Storage's image processing API could allow an attacker to achieve remote code execution (RCE).