packages/rubygem-actionpack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:7a919cd2916c96f6cafc269aa1c2d71e5e6c6381
Branches Tags
packages:main
..
compare: packages:edb4e55e299dc9623e87c528d99ab527921cb819
Branches Tags
packages:main

No commits in common. "7a919cd2916c96f6cafc269aa1c2d71e5e6c6381" and "edb4e55e299dc9623e87c528d99ab527921cb819" have entirely different histories.
7a919cd291 ... edb4e55e29

14 changed files with 151 additions and 307 deletions
Show Stats Expand all files Collapse all files

32
CVE-2023-22797.patch Normal file
View File

@ -0,0 +1,32 @@
From e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92 Mon Sep 17 00:00:00 2001
From: wonda-tea-coffee <lagrange.resolvent@gmail.com>
Date: Mon, 5 Dec 2022 12:27:15 +0000
Subject: [PATCH] Fix sec issue with _url_host_allowed?
Disallow certain strings from `_url_host_allowed?` to avoid a redirect
to malicious sites.
[CVE-2023-22797]
---
.../action_controller/metal/redirecting.rb | 6 ++-
actionpack/test/controller/redirect_test.rb | 38 +++++++++++++++++++
2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 721d5d3279..0ae6a48748 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -196,7 +196,11 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
def _url_host_allowed?(url)
host = URI(url.to_s).host
- host == request.host || host.nil? && url.to_s.start_with?("/")
+
+ return true if host == request.host
+ return false unless host.nil?
+ return false unless url.to_s.start_with?("/")
+ return !url.to_s.start_with?("//")
rescue ArgumentError, URI::Error
false
end

38
CVE-2023-28362-test.patch Normal file
View File

@ -0,0 +1,38 @@
diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
index 91a8f8512b..40bd8d68da 100644
--- a/actionpack/test/controller/redirect_test.rb
+++ b/actionpack/test/controller/redirect_test.rb
@@ -104,6 +104,10 @@ def unsafe_redirect_protocol_relative_triple_slash
redirect_to "http:///www.rubyonrails.org/"
end
+ def unsafe_redirect_with_illegal_http_header_value_character
+ redirect_to "javascript:alert(document.domain)\b", allow_other_host: true
+ end
+
def only_path_redirect
redirect_to action: "other_host", only_path: true
end
@@ -556,6 +560,19 @@ def test_unsafe_redirect_with_protocol_relative_triple_slash_url
end
end
+ def test_unsafe_redirect_with_illegal_http_header_value_character
+ with_raise_on_open_redirects do
+ error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
+ get :unsafe_redirect_with_illegal_http_header_value_character
+ end
+
+ msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
+ "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+
+ assert_equal msg, error.message
+ end
+ end
+
def test_only_path_redirect
with_raise_on_open_redirects do
get :only_path_redirect
--
2.39.2

70
CVE-2023-28362.patch Normal file
View File

@ -0,0 +1,70 @@
From 6d3e49f128c2db4cb157e058effe07781b0a66e4 Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Thu, 11 May 2023 16:55:01 -0400
Subject: [PATCH] Added check for illegal HTTP header value in redirect_to
The set of legal characters for an HTTP header value is described
in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6.
This commit adds a check to redirect_to that ensures the
provided URL does not contain any of the illegal characters.
Downstream consumers of the resulting Location response header
may remove the header if it does not comply with the RFC.
This can result in a cross site scripting (XSS) vector by
allowing for the redirection page to sit idle waiting
for user interaction with the provided malicious link.
[CVE-2023-28362]
Origin: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
format
---
.../action_controller/metal/redirecting.rb | 19 ++++++++++++++++++-
actionpack/test/controller/redirect_test.rb | 17 +++++++++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
index 0409ba7026..830b94c092 100644
--- a/actionpack/lib/action_controller/metal/redirecting.rb
+++ b/actionpack/lib/action_controller/metal/redirecting.rb
@@ -4,6 +4,8 @@ module ActionController
module Redirecting
extend ActiveSupport::Concern
+ ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
include AbstractController::Logger
include ActionController::UrlFor
@@ -86,7 +88,11 @@ def redirect_to(options = {}, response_options = {})
allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
self.status = _extract_redirect_to_status(options, response_options)
- self.location = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), allow_other_host: allow_other_host)
+
+ redirect_to_location = _compute_redirect_to_location(request, options)
+ _ensure_url_is_http_header_safe(redirect_to_location)
+
+ self.location = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
end
@@ -204,5 +210,16 @@ def _url_host_allowed?(url)
rescue ArgumentError, URI::Error
false
end
+
+ def _ensure_url_is_http_header_safe(url)
+ # Attempt to comply with the set of valid token characters
+ # defined for an HTTP header value in
+ # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+ if url.match(ILLEGAL_HEADER_VALUE_REGEX)
+ msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+ "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+ raise UnsafeRedirectError, msg
+ end
+ end
end
end

49
CVE-2024-26143-test.patch
View File

@ -1,49 +0,0 @@
diff --git a/actionpack/test/abstract/translation_test.rb b/actionpack/test/abstract/translation_test.rb
index 1c0b51c4ed2fc..eca90040c8ca7 100644
--- a/actionpack/test/abstract/translation_test.rb
+++ b/actionpack/test/abstract/translation_test.rb
@@ -93,6 +93,22 @@ def test_default_translation
end
end
+ def test_default_translation_as_safe_html
+ @controller.stub :action_name, :index do
+ translation = @controller.t(".twoz", default: ["<tag>"])
+ assert_equal "&lt;tag&gt;", translation
+ assert_equal true, translation.html_safe?
+ end
+ end
+
+ def test_default_translation_with_raise_as_safe_html
+ @controller.stub :action_name, :index do
+ translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
+ assert_equal "&lt;tag&gt;", translation
+ assert_equal true, translation.html_safe?
+ end
+ end
+
def test_localize
time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
I18n.stub :localize, expected do
@@ -136,6 +152,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
assert_equal true, translation.html_safe?
end
end
+
+ def test_translate_marks_translation_with_missing_html_key_as_safe_html
+ @controller.stub :action_name, :index do
+ translation = @controller.t("<tag>.html")
+ assert_equal "translation missing: <tag>.html", translation
+ assert_equal false, translation.html_safe?
+ end
+ end
+ def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
+ @controller.stub :action_name, :index do
+ translation = @controller.t(".<tag>.html")
+ assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
+ assert_equal false, translation.html_safe?
+ end
+ end
end
end
end

53
CVE-2024-26143.patch
View File

@ -1,53 +0,0 @@
From 4c83b331092a79d58e4adffe4be5f250fa5782cc Mon Sep 17 00:00:00 2001
From: ooooooo_q <ooooooo-q@users.noreply.github.com>
Date: Fri, 5 Jan 2024 12:00:02 +0900
Subject: [PATCH] fix XSS vulnerability when using translation
[CVE-2024-26143]
---
actionpack/CHANGELOG.md | 4 +++
.../lib/abstract_controller/translation.rb | 24 +++++++++++++-
actionpack/test/abstract/translation_test.rb | 31 +++++++++++++++++++
3 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/abstract_controller/translation.rb b/actionpack/lib/abstract_controller/translation.rb
index db71c172abd6c..bdd44c6893aa2 100644
--- a/actionpack/lib/abstract_controller/translation.rb
+++ b/actionpack/lib/abstract_controller/translation.rb
@@ -25,7 +25,25 @@ def translate(key, **options)
i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
- ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+ if options[:default]
+ options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+ options[:default] = options[:default].map do |value|
+ value.is_a?(String) ? ERB::Util.html_escape(value) : value
+ end
+ end
+
+ unless i18n_raise
+ options[:default] = [] unless options[:default]
+ options[:default] << MISSING_TRANSLATION
+ end
+
+ result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
+
+ if result == MISSING_TRANSLATION
+ +"translation missing: #{key}"
+ else
+ result
+ end
end
alias :t :translate
@@ -34,5 +52,9 @@ def localize(object, **options)
I18n.localize(object, **options)
end
alias :l :localize
+
+ private
+ MISSING_TRANSLATION = -(2**60)
+ private_constant :MISSING_TRANSLATION
end
end

62
CVE-2024-28103-test.patch
View File

@ -1,62 +0,0 @@
diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
index 030e37942bd0e..533b59a55094d 100644
--- a/actionpack/test/dispatch/permissions_policy_test.rb
+++ b/actionpack/test/dispatch/permissions_policy_test.rb
@@ -41,6 +41,57 @@ def test_invalid_directive_source
end
end
+class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
+ APP = ->(env) { [200, {}, []] }
+
+ POLICY = ActionDispatch::PermissionsPolicy.new do |p|
+ p.gyroscope :self
+ end
+
+ class PolicyConfigMiddleware
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ env["action_dispatch.permissions_policy"] = POLICY
+ env["action_dispatch.show_exceptions"] = :none
+
+ @app.call(env)
+ end
+ end
+
+ test "html requests will set a policy" do
+ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
+ # Dummy CONTENT_TYPE to avoid including backport of the following commit in
+ # a security-related patch:
+ # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
+ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+ assert_equal "text/html", response.headers['Content-Type']
+ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+ end
+
+ test "non-html requests will set a policy" do
+ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
+ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+ assert_equal "application/json", response.headers['Content-Type']
+ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+ end
+
+ private
+ def build_app(app)
+ PolicyConfigMiddleware.new(
+ Rack::Lint.new(
+ ActionDispatch::PermissionsPolicy::Middleware.new(
+ Rack::Lint.new(app),
+ ),
+ ),
+ )
+ end
+end
+
class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
class PolicyController < ActionController::Base
permissions_policy only: :index do |f|

43
CVE-2024-28103.patch
View File

@ -1,43 +0,0 @@
From b84cbecacd114102e1884a6169388d7cb7ea325d Mon Sep 17 00:00:00 2001
From: Zack Deveau <zack.ref@gmail.com>
Date: Wed, 28 Feb 2024 16:49:11 -0500
Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
[CVE-2024-28103]
The application configurable Permissions-Policy is only
served on responses with an HTML related Content-Type.
This change allows all Content-Types to serve the
configured Permissions-Policy as there are many non-HTML
Content-Types that would benefit from this header.
(examples include image/svg+xml and application/xml)
---
.../http/permissions_policy.rb | 7 ---
.../test/dispatch/permissions_policy_test.rb | 51 +++++++++++++++++++
2 files changed, 51 insertions(+), 7 deletions(-)
diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
index 5666ad0acb006..6ec9087e37bd9 100644
--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
+++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
@@ -37,7 +37,6 @@ def call(env)
request = ActionDispatch::Request.new(env)
_, headers, _ = response = @app.call(env)
- return response unless html_response?(headers)
return response if policy_present?(headers)
if policy = request.permissions_policy
@@ -52,12 +51,6 @@ def call(env)
end
private
- def html_response?(headers)
- if content_type = headers[CONTENT_TYPE]
- /html/.match?(content_type)
- end
- end
-
def policy_present?(headers)
headers[POLICY]
end

BIN
actionpack-7.0.7-tests.txz → actionpack-7.0.4-tests.txz
View File

Binary file not shown.

BIN
actionpack-7.0.4.gem Normal file
View File

Binary file not shown.

BIN
actionpack-7.0.7.gem
View File

Binary file not shown.

38
backport-CVE-2024-41128.patch
View File

@ -1,38 +0,0 @@
From b1241f468d1b32235f438c2e2203386e6efd3891 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 10 Oct 2024 20:41:33 -0700
Subject: [PATCH] Avoid backtracking in filtered_query_string
Thanks scyoon for the patch
CVE-2024-41128
---
.../lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/actionpack/lib/action_dispatch/http/filter_parameters.rb b/actionpack/lib/action_dispatch/http/filter_parameters.rb
index d053fc0b9f781..0e2e771da104d 100644
--- a/actionpack/lib/action_dispatch/http/filter_parameters.rb
+++ b/actionpack/lib/action_dispatch/http/filter_parameters.rb
@@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc:
ActiveSupport::ParameterFilter.new(filters)
end
- KV_RE = "[^&;=]+"
- PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
def filtered_query_string # :doc:
- query_string.gsub(PAIR_RE) do |_|
- parameter_filter.filter($1 => $2).first.join("=")
+ parts = query_string.split(/([&;])/)
+ filtered_parts = parts.map do |part|
+ if part.include?("=")
+ key, value = part.split("=", 2)
+ parameter_filter.filter(key => value).first.join("=")
+ else
+ part
+ end
end
+ filtered_parts.join("")
end
end
end

26
backport-CVE-2024-47887.patch
View File

@ -1,26 +0,0 @@
From 56b2fc3302836405b496e196a8d5fc0195e55049 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Thu, 10 Oct 2024 20:32:00 -0700
Subject: [PATCH] Avoid backtracking in Token#raw_params
Thanks to scyoon for the patch
[CVE-2024-47887]
---
actionpack/lib/action_controller/metal/http_authentication.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 439ffd5c99490..e42791bbc23d8 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -506,7 +506,8 @@ def rewrite_param_values(array_params)
# pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
# delimiters defined in +AUTHN_PAIR_DELIMITERS+.
def raw_params(auth)
- _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+ _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
+ _raw_params.reject!(&:empty?)
if !_raw_params.first&.start_with?(TOKEN_KEY)
_raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

BIN
rails-7.0.7-tools.txz → rails-7.0.4-tools.txz
View File

Binary file not shown.

47
rubygem-actionpack.spec
View File

@ -3,8 +3,8 @@
Name: rubygem-%{gem_name}
Epoch: 1
Version: 7.0.7
Release: 5
Version: 7.0.4
Release: 3
Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
License: MIT
URL: http://rubyonrails.org
@ -12,25 +12,19 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
# ActionPack gem doesn't ship with the test suite.
# You may check it out like so
# git clone http://github.com/rails/rails.git
# cd rails/actionpack && git archive -v -o actionpack-7.0.7-tests.txz v7.0.7 test/
# cd rails/actionpack && git archive -v -o actionpack-7.0.4-tests.txz v7.0.4 test/
Source1: %{gem_name}-%{version}-tests.txz
# The tools are needed for the test suite, are however unpackaged in gem file.
# You may get them like so
# git clone http://github.com/rails/rails.git --no-checkout
# cd rails && git archive -v -o rails-7.0.7-tools.txz v7.0.7 tools/
# cd rails && git archive -v -o rails-7.0.4-tools.txz v7.0.4 tools/
Source2: rails-%{version}-tools.txz
# Fixes for Minitest 5.16+
# https://github.com/rails/rails/pull/45370
Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
# https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
Patch1: CVE-2024-26143.patch
Patch2: CVE-2024-26143-test.patch
# https://github.com/rails/rails/commit/b84cbecacd114102e1884a6169388d7cb7ea325d
Patch3: CVE-2024-28103.patch
Patch4: CVE-2024-28103-test.patch
Patch3000: backport-CVE-2024-41128.patch
Patch3001: backport-CVE-2024-47887.patch
Patch1: CVE-2023-22797.patch
Patch2: CVE-2023-28362.patch
Patch3: CVE-2023-28362-test.patch
# Let's keep Requires and BuildRequires sorted alphabeticaly
BuildRequires: ruby(release)
@ -68,16 +62,12 @@ Documentation for %{name}.
%prep
%setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
%patch 1 -p2
%patch 3 -p2
%patch 3000 -p2
%patch 3001 -p2
%patch1 -p2
%patch2 -p2
pushd %{_builddir}
%patch 0 -p2
%patch 2 -p2
%patch 4 -p2
%patch0 -p2
%patch3 -p2
popd
%build
@ -120,21 +110,6 @@ popd
%doc %{gem_instdir}/README.rdoc
%changelog
* Mon Nov 04 2024 xuguangmin <xuguangmin@kylinos.cn> - 1:7.0.7-5
- fix: %patchN is deprecated (2 usages found), use %patch N (or %patch -P N)
* Fri Oct 18 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-4
- Fix CVE-2024-41128 and CVE-2024-47887
* Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-3
- Fix CVE-2024-28103
* Wed Feb 28 2024 yaoxin <yao_xin001@hoperun.com> - 1:7.0.7-2
- Fix CVE-2024-26143 and remove unused file
* Fri Aug 18 2023 chenchen <chen_aka_jan@163.com> - 1:7.0.7-1
- Upgrade to version 7.0.7
* Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:7.0.4-3
- Fix CVE-2023-28362