packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-26143 and remove unused file

Browse Source
This commit is contained in:
starlet-dx 2024-02-28 10:29:35 +08:00
parent ba34f3bb3c
commit 7faec18fcc
4 changed files with 111 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
CVE-2024-26143-test.patch Normal file
View File

@ -0,0 +1,49 @@
diff --git a/actionpack/test/abstract/translation_test.rb b/actionpack/test/abstract/translation_test.rb
index 1c0b51c4ed2fc..eca90040c8ca7 100644
--- a/actionpack/test/abstract/translation_test.rb
+++ b/actionpack/test/abstract/translation_test.rb
@@ -93,6 +93,22 @@ def test_default_translation
end
end
+ def test_default_translation_as_safe_html
+ @controller.stub :action_name, :index do
+ translation = @controller.t(".twoz", default: ["<tag>"])
+ assert_equal "&lt;tag&gt;", translation
+ assert_equal true, translation.html_safe?
+ end
+ end
+
+ def test_default_translation_with_raise_as_safe_html
+ @controller.stub :action_name, :index do
+ translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
+ assert_equal "&lt;tag&gt;", translation
+ assert_equal true, translation.html_safe?
+ end
+ end
+
def test_localize
time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
I18n.stub :localize, expected do
@@ -136,6 +152,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
assert_equal true, translation.html_safe?
end
end
+
+ def test_translate_marks_translation_with_missing_html_key_as_safe_html
+ @controller.stub :action_name, :index do
+ translation = @controller.t("<tag>.html")
+ assert_equal "translation missing: <tag>.html", translation
+ assert_equal false, translation.html_safe?
+ end
+ end
+ def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
+ @controller.stub :action_name, :index do
+ translation = @controller.t(".<tag>.html")
+ assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
+ assert_equal false, translation.html_safe?
+ end
+ end
end
end
end

53
CVE-2024-26143.patch Normal file
View File

@ -0,0 +1,53 @@
From 4c83b331092a79d58e4adffe4be5f250fa5782cc Mon Sep 17 00:00:00 2001
From: ooooooo_q <ooooooo-q@users.noreply.github.com>
Date: Fri, 5 Jan 2024 12:00:02 +0900
Subject: [PATCH] fix XSS vulnerability when using translation
[CVE-2024-26143]
---
actionpack/CHANGELOG.md | 4 +++
.../lib/abstract_controller/translation.rb | 24 +++++++++++++-
actionpack/test/abstract/translation_test.rb | 31 +++++++++++++++++++
3 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/abstract_controller/translation.rb b/actionpack/lib/abstract_controller/translation.rb
index db71c172abd6c..bdd44c6893aa2 100644
--- a/actionpack/lib/abstract_controller/translation.rb
+++ b/actionpack/lib/abstract_controller/translation.rb
@@ -25,7 +25,25 @@ def translate(key, **options)
i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
- ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+ if options[:default]
+ options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+ options[:default] = options[:default].map do |value|
+ value.is_a?(String) ? ERB::Util.html_escape(value) : value
+ end
+ end
+
+ unless i18n_raise
+ options[:default] = [] unless options[:default]
+ options[:default] << MISSING_TRANSLATION
+ end
+
+ result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+
+ if result == MISSING_TRANSLATION
+ +"translation missing: #{key}"
+ else
+ result
+ end
end
alias :t :translate
@@ -34,5 +52,9 @@ def localize(object, **options)
I18n.localize(object, **options)
end
alias :l :localize
+
+ private
+ MISSING_TRANSLATION = -(2**60)
+ private_constant :MISSING_TRANSLATION
end
end

BIN
rubygem-actionpack-1692266135.13e51a2.tar
View File

Binary file not shown.

10
rubygem-actionpack.spec
View File

@ -4,7 +4,7 @@
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Epoch: 1 Epoch: 1
Version: 7.0.7 Version: 7.0.7
Release: 1 Release: 2
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails) Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT License: MIT
URL: http://rubyonrails.org URL: http://rubyonrails.org
@ -22,6 +22,9 @@ Source2: rails-%{version}-tools.txz
# Fixes for Minitest 5.16+ # Fixes for Minitest 5.16+
# https://github.com/rails/rails/pull/45370 # https://github.com/rails/rails/pull/45370
Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
# https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
Patch1: CVE-2024-26143.patch
Patch2: CVE-2024-26143-test.patch
# Let's keep Requires and BuildRequires sorted alphabeticaly # Let's keep Requires and BuildRequires sorted alphabeticaly
BuildRequires: ruby(release) BuildRequires: ruby(release)
@ -59,9 +62,11 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
%patch1 -p2
pushd %{_builddir} pushd %{_builddir}
%patch0 -p2 %patch0 -p2
%patch2 -p2
popd popd
%build %build
@ -104,6 +109,9 @@ popd
%doc %{gem_instdir}/README.rdoc %doc %{gem_instdir}/README.rdoc
%changelog %changelog
* Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-2
- Fix CVE-2024-26143 and remove unused file
* Fri Aug 18 2023 chenchen <chen_aka_jan@163.com> - 1:7.0.7-1 * Fri Aug 18 2023 chenchen <chen_aka_jan@163.com> - 1:7.0.7-1
- Upgrade to version 7.0.7 - Upgrade to version 7.0.7