packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!54 [sync] PR-53: Fix CVE-2024-28103

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-06-06 09:02:32 +00:00 committed by Gitee
commit 2d1e5b614b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 114 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
CVE-2024-28103-test.patch Normal file
View File

@ -0,0 +1,62 @@
diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
index 030e37942bd0e..533b59a55094d 100644
--- a/actionpack/test/dispatch/permissions_policy_test.rb
+++ b/actionpack/test/dispatch/permissions_policy_test.rb
@@ -41,6 +41,57 @@ def test_invalid_directive_source
end
end
+class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
+ APP = ->(env) { [200, {}, []] }
+
+ POLICY = ActionDispatch::PermissionsPolicy.new do |p|
+ p.gyroscope :self
+ end
+
+ class PolicyConfigMiddleware
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ env["action_dispatch.permissions_policy"] = POLICY
+ env["action_dispatch.show_exceptions"] = :none
+
+ @app.call(env)
+ end
+ end
+
+ test "html requests will set a policy" do
+ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
+ # Dummy CONTENT_TYPE to avoid including backport of the following commit in
+ # a security-related patch:
+ # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
+ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+ assert_equal "text/html", response.headers['Content-Type']
+ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+ end
+
+ test "non-html requests will set a policy" do
+ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
+ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+ assert_equal "application/json", response.headers['Content-Type']
+ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+ end
+
+ private
+ def build_app(app)
+ PolicyConfigMiddleware.new(
+ Rack::Lint.new(
+ ActionDispatch::PermissionsPolicy::Middleware.new(
+ Rack::Lint.new(app),
+ ),
+ ),
+ )
+ end
+end
+
class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
class PolicyController < ActionController::Base
permissions_policy only: :index do |f|

43
CVE-2024-28103.patch Normal file
View File

@ -0,0 +1,43 @@
From b84cbecacd114102e1884a6169388d7cb7ea325d Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Wed, 28 Feb 2024 16:49:11 -0500
Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
[CVE-2024-28103]
The application configurable Permissions-Policy is only
served on responses with an HTML related Content-Type.
This change allows all Content-Types to serve the
configured Permissions-Policy as there are many non-HTML
Content-Types that would benefit from this header.
(examples include image/svg+xml and application/xml)
---
.../http/permissions_policy.rb | 7 ---
.../test/dispatch/permissions_policy_test.rb | 51 +++++++++++++++++++
2 files changed, 51 insertions(+), 7 deletions(-)
diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
index 5666ad0acb006..6ec9087e37bd9 100644
--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
+++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
@@ -37,7 +37,6 @@ def call(env)
request = ActionDispatch::Request.new(env)
_, headers, _ = response = @app.call(env)
- return response unless html_response?(headers)
return response if policy_present?(headers)
if policy = request.permissions_policy
@@ -52,12 +51,6 @@ def call(env)
end
private
- def html_response?(headers)
- if content_type = headers[CONTENT_TYPE]
- /html/.match?(content_type)
- end
- end
-
def policy_present?(headers)
headers[POLICY]
end

10
rubygem-actionpack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 7.0.7 Version: 7.0.7
Release: 2 Release: 3
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -25,6 +25,9 @@ Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
# https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc # https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
Patch1: CVE-2024-26143.patch Patch1: CVE-2024-26143.patch
Patch2: CVE-2024-26143-test.patch Patch2: CVE-2024-26143-test.patch
# https://github.com/rails/rails/commit/b84cbecacd114102e1884a6169388d7cb7ea325d
Patch3: CVE-2024-28103.patch
Patch4: CVE-2024-28103-test.patch
# Let's keep Requires and BuildRequires sorted alphabeticaly # Let's keep Requires and BuildRequires sorted alphabeticaly
BuildRequires: ruby(release) BuildRequires: ruby(release)
@ -63,10 +66,12 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
%patch1 -p2 %patch1 -p2
%patch3 -p2
pushd %{_builddir} pushd %{_builddir}
%patch0 -p2 %patch0 -p2
%patch2 -p2 %patch2 -p2
%patch4 -p2
popd popd
%build %build
@ -109,6 +114,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-3
- Fix CVE-2024-28103
* Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-2 * Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-2
- Fix CVE-2024-26143 and remove unused file - Fix CVE-2024-26143 and remove unused file