rubygem-actionpack/CVE-2024-26143.patch

From 4c83b331092a79d58e4adffe4be5f250fa5782cc Mon Sep 17 00:00:00 2001
From: ooooooo_q <ooooooo-q@users.noreply.github.com>
Date: Fri, 5 Jan 2024 12:00:02 +0900
Subject: [PATCH] fix XSS vulnerability when using translation

[CVE-2024-26143]
---
 actionpack/CHANGELOG.md                       |  4 +++
 .../lib/abstract_controller/translation.rb    | 24 +++++++++++++-
 actionpack/test/abstract/translation_test.rb  | 31 +++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/actionpack/lib/abstract_controller/translation.rb b/actionpack/lib/abstract_controller/translation.rb
index db71c172abd6c..bdd44c6893aa2 100644
--- a/actionpack/lib/abstract_controller/translation.rb
+++ b/actionpack/lib/abstract_controller/translation.rb
@@ -25,7 +25,25 @@ def translate(key, **options)
 
       i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
 
-      ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+      if options[:default]
+        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+        options[:default] = options[:default].map do |value|
+          value.is_a?(String) ? ERB::Util.html_escape(value) : value
+        end
+      end
+
+      unless i18n_raise
+        options[:default] = [] unless options[:default]
+        options[:default] << MISSING_TRANSLATION
+      end
+
+      result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+
+      if result == MISSING_TRANSLATION
+        +"translation missing: #{key}"
+      else
+        result
+      end
     end
     alias :t :translate
 
@@ -34,5 +52,9 @@ def localize(object, **options)
       I18n.localize(object, **options)
     end
     alias :l :localize
+
+    private
+      MISSING_TRANSLATION = -(2**60)
+      private_constant :MISSING_TRANSLATION
   end
 end
Fix CVE-2024-26143 and remove unused file 2024-02-28 10:29:35 +08:00			`From 4c83b331092a79d58e4adffe4be5f250fa5782cc Mon Sep 17 00:00:00 2001`
			`From: ooooooo_q <ooooooo-q@users.noreply.github.com>`
			`Date: Fri, 5 Jan 2024 12:00:02 +0900`
			`Subject: [PATCH] fix XSS vulnerability when using translation`

			`[CVE-2024-26143]`
			`---`
			`actionpack/CHANGELOG.md \| 4 +++`
			`.../lib/abstract_controller/translation.rb \| 24 +++++++++++++-`
			`actionpack/test/abstract/translation_test.rb \| 31 +++++++++++++++++++`
			`3 files changed, 58 insertions(+), 1 deletion(-)`

			`diff --git a/actionpack/lib/abstract_controller/translation.rb b/actionpack/lib/abstract_controller/translation.rb`
			`index db71c172abd6c..bdd44c6893aa2 100644`
			`--- a/actionpack/lib/abstract_controller/translation.rb`
			`+++ b/actionpack/lib/abstract_controller/translation.rb`
			`@@ -25,7 +25,25 @@ def translate(key, **options)`

			`i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)`

			`- ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)`
			`+ if options[:default]`
			`+ options[:default] = [options[:default]] unless options[:default].is_a?(Array)`
			`+ options[:default] = options[:default].map do \|value\|`
			`+ value.is_a?(String) ? ERB::Util.html_escape(value) : value`
			`+ end`
			`+ end`
			`+`
			`+ unless i18n_raise`
			`+ options[:default] = [] unless options[:default]`
			`+ options[:default] << MISSING_TRANSLATION`
			`+ end`
			`+`
			`+ result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)`
			`+`
			`+ if result == MISSING_TRANSLATION`
			`+ +"translation missing: #{key}"`
			`+ else`
			`+ result`
			`+ end`
			`end`
			`alias :t :translate`

			`@@ -34,5 +52,9 @@ def localize(object, **options)`
			`I18n.localize(object, **options)`
			`end`
			`alias :l :localize`
			`+`
			`+ private`
			`+ MISSING_TRANSLATION = -(2**60)`
			`+ private_constant :MISSING_TRANSLATION`
			`end`
			`end`