From 7faec18fccf805333ee2b913ba676c923a73d39c Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 28 Feb 2024 10:29:35 +0800
Subject: [PATCH] Fix CVE-2024-26143 and remove unused file
---
CVE-2024-26143-test.patch | 49 ++++++++++++++++++++
CVE-2024-26143.patch | 53 ++++++++++++++++++++++
rubygem-actionpack-1692266135.13e51a2.tar | Bin 10240 -> 0 bytes
rubygem-actionpack.spec | 10 +++-
4 files changed, 111 insertions(+), 1 deletion(-)
create mode 100644 CVE-2024-26143-test.patch
create mode 100644 CVE-2024-26143.patch
delete mode 100644 rubygem-actionpack-1692266135.13e51a2.tar
diff --git a/CVE-2024-26143-test.patch b/CVE-2024-26143-test.patch
new file mode 100644
index 0000000..beb364f
--- /dev/null
+++ b/CVE-2024-26143-test.patch
@@ -0,0 +1,49 @@
+diff --git a/actionpack/test/abstract/translation_test.rb b/actionpack/test/abstract/translation_test.rb
+index 1c0b51c4ed2fc..eca90040c8ca7 100644
+--- a/actionpack/test/abstract/translation_test.rb
++++ b/actionpack/test/abstract/translation_test.rb
+@@ -93,6 +93,22 @@ def test_default_translation
+ end
+ end
+
++ def test_default_translation_as_safe_html
++ @controller.stub :action_name, :index do
++ translation = @controller.t(".twoz", default: [""])
++ assert_equal "<tag>", translation
++ assert_equal true, translation.html_safe?
++ end
++ end
++
++ def test_default_translation_with_raise_as_safe_html
++ @controller.stub :action_name, :index do
++ translation = @controller.t(".twoz", raise: true, default: [""])
++ assert_equal "<tag>", translation
++ assert_equal true, translation.html_safe?
++ end
++ end
++
+ def test_localize
+ time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
+ I18n.stub :localize, expected do
+@@ -136,6 +152,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
+ assert_equal true, translation.html_safe?
+ end
+ end
++
++ def test_translate_marks_translation_with_missing_html_key_as_safe_html
++ @controller.stub :action_name, :index do
++ translation = @controller.t(".html")
++ assert_equal "translation missing: .html", translation
++ assert_equal false, translation.html_safe?
++ end
++ end
++ def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
++ @controller.stub :action_name, :index do
++ translation = @controller.t("..html")
++ assert_equal "translation missing: abstract_controller.testing.translation.index..html", translation
++ assert_equal false, translation.html_safe?
++ end
++ end
+ end
+ end
+ end
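Review bot: As shown here, `test_default_translation_as_safe_html` and `test_default_translation_with_raise_as_safe_html` pass `default: [""]` and expect `"<tag>"`, so they do not exercise the escaping that this CVE fix adds; this may be markup lost when the page was rendered, so check the bytes of the shipped patch file. For the regression guard to mean anything, the default has to carry markup and the expectation has to be the escaped form, for example `translation = @controller.t(".twoz", default: ["<tag>"])` with `assert_equal "&lt;tag&gt;", translation`. The two `..._html_key_as_safe_html` tests assert that `html_safe?` is `false`, which their names do not convey; a comment such as `# not html_safe, so the key is escaped when the message is rendered` would help. The enclosing test class starts and ends outside these hunks.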
@@ -0,0 +1,53 @@
+From 4c83b331092a79d58e4adffe4be5f250fa5782cc Mon Sep 17 00:00:00 2001
+From: ooooooo_q
+Date: Fri, 5 Jan 2024 12:00:02 +0900
+Subject: [PATCH] fix XSS vulnerability when using translation
+
+[CVE-2024-26143]
+---
+ actionpack/CHANGELOG.md | 4 +++
+ .../lib/abstract_controller/translation.rb | 24 +++++++++++++-
+ actionpack/test/abstract/translation_test.rb | 31 +++++++++++++++++++
+ 3 files changed, 58 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/abstract_controller/translation.rb b/actionpack/lib/abstract_controller/translation.rb
+index db71c172abd6c..bdd44c6893aa2 100644
+--- a/actionpack/lib/abstract_controller/translation.rb
++++ b/actionpack/lib/abstract_controller/translation.rb
+@@ -25,7 +25,25 @@ def translate(key, **options)
+
+ i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
+
+- ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
++ if options[:default]
++ options[:default] = [options[:default]] unless options[:default].is_a?(Array)
++ options[:default] = options[:default].map do |value|
++ value.is_a?(String) ? ERB::Util.html_escape(value) : value
++ end
++ end
++
++ unless i18n_raise
++ options[:default] = [] unless options[:default]
++ options[:default] << MISSING_TRANSLATION
++ end
++
++ result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
++
++ if result == MISSING_TRANSLATION
++ +"translation missing: #{key}"
++ else
++ result
++ end
+ end
+ alias :t :translate
+
+@@ -34,5 +52,9 @@ def localize(object, **options)
+ I18n.localize(object, **options)
+ end
+ alias :l :localize
++
++ private
++ MISSING_TRANSLATION = -(2**60)
++ private_constant :MISSING_TRANSLATION
+ end
+ end
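Review bot: `MISSING_TRANSLATION = -(2**60)` is an undocumented sentinel, and the new block in `translate` depends on it in two places (`options[:default] << MISSING_TRANSLATION` and `result == MISSING_TRANSLATION`). I would add a comment above the constant, e.g. `# Sentinel appended to :default when not raising; a result equal to it means the key was missing and is replaced by a plain "translation missing: ..." string.` The escaping loop only touches entries where `value.is_a?(String)`, so non-String defaults pass through unchanged; a short comment saying that untrusted text must reach `:default` as a String would make the limit of the fix explicit. The bare `private` before the constant has no effect on it, since `private_constant` is what hides it. `translate` starts above the hunk, so how `key` is handled before this point is not visible here.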
diff --git a/rubygem-actionpack-1692266135.13e51a2.tar b/rubygem-actionpack-1692266135.13e51a2.tar deleted file mode 100644 index 5c3ae6d9a8a56dd538dccd03fa411881e15c196b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10240 zcmeIuK?=e!5QX6!B^Rh>l4gR(iKU2$R${vF_SUY%MHRCB-)11gOqj3C$LDFhc6q4h z>2}Y - 1:7.0.7-2 +- Fix CVE-2024-26143 and remove unused file + * Fri Aug 18 2023 chenchen - 1:7.0.7-1 - Upgrade to version 7.0.7