Comparing changes
base repository: rails/rails
base: v8.1.2
head repository: rails/rails
compare: v8.1.2.1
- 14 commits
- 56 files changed
- 4 contributors
Commits on Mar 17, 2026
Commit bc07f97
Configurable maximum streaming chunk size
Makes sure that byte ranges for blobs don't exceed 100mb by default. Content ranges that are too big can result in denial of service. [CVE-2026-33174] [GHSA-r46p-8f7g-vvvg]
Commit 42012ea
Commits on Mar 23, 2026
ActiveStorage::Streaming limit range requests to a single range
Multi-range requests can easily be abused to DoS the service. The backend could and should be optimized to handle multi-range requests better, but ultimately there isn't a whole lot of legitimate uses for them, and if you are exposing Active Storage to your users with large files, you should consider not using the default proxy. [CVE-2026-33658] [GHSA-p9fm-f462-ggrg]
Commit 85ec5b1
NumberConverter: reject scientific notation
BigDecimal supports scientific notation, which allows expressing extremely large numbers with just a few bytes of input. This could be exploited to DoS a service if somehow user input is passed to the number converter. [CVE-2026-33176] [GHSA-2j26-frm8-cmj9]
Commit 19dbab5
Active Storage: Filter user supplied metadata in DirectUploadController
For direct uploads, metadata is an entirely user controlled blob. However, over time the `metadata` store has been used to record internal state such as `analyzed` etc. Hence we shouldn't let users set these keys. This is a simple fix that is easy to backport; however, the cleaner long term fix should be to stop using the metadata store for internal state, and instead use proper materialized columns. [CVE-2026-33173] [GHSA-qcfx-2mfw-w4cg]
Commit d9502f5
Fix SafeBuffer#% to preserve unsafe status
Formatting an unsafe buffer should produce an unsafe buffer. [CVE-2026-33170] [GHSA-89vf-4333-qx8v]
Commit 50d732a
1
Commit ec1a0e2
Prevent path traversal in ActiveStorage DiskService
When DiskService receives a blob key containing path traversal segments (e.g. `../../etc/passwd`), the resolved filesystem path can escape the storage root directory. This allows reading or writing arbitrary files on the server. `DiskService#path_for` is the primary filesystem security check for all disk storage operations.

This change adds path traversal protection:

- `DiskService#path_for` now raises an `InvalidKeyError` when passed keys with dot segments (".", ".."), or if the resolved path is outside the storage root directory.
- `#path_for` also now consistently raises `InvalidKeyError` if the key is invalid in any way, for example containing null bytes or having an incompatible encoding. Previously, the exception raised may have been `ArgumentError` or `Encoding::CompatibilityError`.
- `DiskController` now explicitly rescues `InvalidKeyError` with appropriate HTTP status codes.

Document that custom blob keys are trusted strings. These changes are defense-in-depth measures intended to limit the blast radius of developer errors, and are not a trust boundary. [CVE-2026-33195] [GHSA-9xrj-h377-fr87]
Commit 9b06fbc
Prevent glob injection in ActiveStorage DiskService#delete_prefixed
`Blob#delete` calls `DiskService#delete_prefixed` with a string that includes the blob key. In turn, `DiskService#delete_prefixed` passes that string to `Dir.glob`. If a developer is generating custom blob keys (or has mistakenly allowed untrusted input to be used as a blob key) and that key contains glob metacharacters, then it may be possible to delete unintended files. It may also be possible to delete unintended files if `delete_prefixed` is called directly with a prefix containing glob metacharacters.

Update `delete_prefixed` to:

- Escape glob metacharacters in the resolved path before passing it to `Dir.glob`
- Extract a private method `escape_glob_metacharacters`.

Note that this change breaks any existing code that is relying on `delete_prefixed` to expand glob metacharacters. This change presumes that is unintended behavior (as other storage services do not respect these metacharacters). Also note that this is a defense-in-depth measure to limit the blast radius of malicious keys, and is not a trust boundary. [CVE-2026-33202] [GHSA-73f9-jhhh-hr5m]
Commit 8c9676b
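An added example (not Rails' own DiskService code) illustrating the two defensive checks the path traversal and glob injection commits above describe: a `path_for` that refuses dot segments, null bytes, invalid encoding and out-of-root resolution with a single `InvalidKeyError`, and a `delete_prefixed` that escapes glob metacharacters before `Dir.glob`. `SafeDiskStore`, `rejected_keys` and the sample keys are constructed for illustration.

```ruby
require "fileutils"
require "tmpdir"

# Illustrative stand-in for a disk-backed blob store (not Rails' DiskService).
class InvalidKeyError < StandardError; end

class SafeDiskStore
  GLOB_METACHARACTERS = /[\\\{\}\[\]\*\?]/

  def initialize(root)
    @root = File.expand_path(root)
  end

  # Resolve a key to a path under the root. Every way a key could escape the
  # root or crash a later call raises the same InvalidKeyError, so a
  # controller can map it to one HTTP status.
  def path_for(key)
    raise InvalidKeyError, "key must be a String" unless key.is_a?(String)
    raise InvalidKeyError, "key has invalid encoding" unless key.valid_encoding?
    raise InvalidKeyError, "key contains a null byte" if key.include?("\0")
    raise InvalidKeyError, "key is blank" if key.strip.empty?
    raise InvalidKeyError, "key contains dot segments" if key.split("/").any? { |s| s == "." || s == ".." }
    # absolute_path leaves "~" alone; an absolute key like "/etc/passwd"
    # resolves to itself and so fails the root check below.
    resolved = File.absolute_path(key, @root)
    unless resolved.start_with?(@root + File::SEPARATOR)
      raise InvalidKeyError, "key resolves outside the storage root"
    end
    resolved
  end

  # Backslash-escape what Dir.glob interprets, so "a/[x]" matches only
  # files whose names literally start with "[x]".
  def escape_glob_metacharacters(str)
    str.gsub(GLOB_METACHARACTERS) { |m| "\\#{m}" }
  end

  # Delete files whose resolved path starts with the prefix, taken literally.
  def delete_prefixed(prefix)
    pattern = escape_glob_metacharacters(path_for(prefix)) + "*"
    Dir.glob(pattern).each { |f| FileUtils.rm_f(f) }
  end
end

# Helper (constructed for this example): which of the given keys path_for refuses.
def rejected_keys(store, keys)
  keys.select { |k| begin; store.path_for(k); false; rescue InvalidKeyError; true; end }
end
```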
Skip blank attribute names in Action View tag helpers
When a blank string is used as an HTML attribute name in tag helpers, `xml_name_escape` returns an empty string, producing malformed HTML that may be susceptible to mXSS attacks. `tag_options` now skips blank keys in all three iteration paths: the top-level options loop, and (for consistency) the inner data/aria hash loops. [CVE-2026-33168] [GHSA-v55j-83pf-r9cq]
Commit 63f5ad8
Fix XSS in debug exceptions copy-to-clipboard
The exception message was output with `raw` inside a <script> tag. If an attacker is able to trigger an exception message containing HTML, it would be rendered to the page. This affects the development error page and in most cases is not reachable in production. Use default ERB escaping instead of `raw` to ensure the message is HTML-escaped. [CVE-2026-33167] [GHSA-pgm4-439c-5jp6]
Commit 6752711
Commit e91694b
Commit 1c7d1cf
Commit 1db4b89
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v8.1.2...v8.1.2.1