packages/rubygem-globalid
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 1.2.1

Browse Source
This commit is contained in:
wk333 2023-11-14 11:18:19 +08:00
parent 4b771a27ea
commit ade8719830
7 changed files with 6 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
CVE-2023-22799.patch
View File

@ -1,50 +0,0 @@
From 3bc4349422e60f2235876a59dd415e98b072eb2b Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Tue, 17 Jan 2023 13:32:28 -0800
Subject: [PATCH] Fix ReDoS vulnerability in name parsing
Thanks to @ooooooo_q for the patch!
[CVE-2023-22799]
---
lib/global_id/uri/gid.rb | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/lib/global_id/uri/gid.rb b/lib/global_id/uri/gid.rb
index f5d52dc..3fadf4f 100644
--- a/lib/global_id/uri/gid.rb
+++ b/lib/global_id/uri/gid.rb
@@ -127,9 +127,6 @@ def set_params(params)
private
COMPONENT = [ :scheme, :app, :model_name, :model_id, :params ].freeze
- # Extracts model_name and model_id from the URI path.
- PATH_REGEXP = %r(\A/([^/]+)/?([^/]+)?\z)
-
def check_host(host)
validate_component(host)
super
@@ -149,11 +146,11 @@ def check_scheme(scheme)
end
def set_model_components(path, validate = false)
- _, model_name, model_id = path.match(PATH_REGEXP).to_a
- model_id = CGI.unescape(model_id) if model_id
-
+ _, model_name, model_id = path.split('/', 3)
validate_component(model_name) && validate_model_id(model_id, model_name) if validate
+ model_id = CGI.unescape(model_id) if model_id
+
@model_name = model_name
@model_id = model_id
end
@@ -166,7 +163,7 @@ def validate_component(component)
end
def validate_model_id(model_id, model_name)
- return model_id unless model_id.blank?
+ return model_id unless model_id.blank? || model_id.include?('/')
raise MissingModelIdError, "Unable to create a Global ID for " \
"#{model_name} without a model id."

BIN
globalid-1.0.0.gem
View File

Binary file not shown.

BIN
globalid-1.2.1.gem Normal file
View File

Binary file not shown.

9
rubygem-globalid.spec
View File

@ -1,14 +1,13 @@
%global gem_name globalid %global gem_name globalid
%{?_with_bootstrap: %global bootstrap 1} %{?_with_bootstrap: %global bootstrap 1}
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 1.0.0 Version: 1.2.1
Release: 2 Release: 1
Summary: Refer to any model with a URI: gid://app/class/id Summary: Refer to any model with a URI: gid://app/class/id
License: MIT License: MIT
URL: https://github.com/rails/%{gem_name} URL: https://github.com/rails/%{gem_name}
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Source1: https://github.com/rails/%{gem_name}/archive/v%{version}.tar.gz Source1: https://github.com/rails/%{gem_name}/archive/v%{version}.tar.gz
Patch0: CVE-2023-22799.patch
BuildRequires: ruby(release) rubygems-devel ruby >= 1.9.3 BuildRequires: ruby(release) rubygems-devel ruby >= 1.9.3
%if ! 0%{?bootstrap} %if ! 0%{?bootstrap}
@ -28,7 +27,6 @@ Documentation for %{name}.
%prep %prep
%setup -q -n %{gem_name}-%{version} -b 1 %setup -q -n %{gem_name}-%{version} -b 1
%patch0 -p1
%build %build
gem build ../%{gem_name}-%{version}.gemspec gem build ../%{gem_name}-%{version}.gemspec
@ -62,6 +60,9 @@ popd
%doc %{gem_instdir}/README.md %doc %{gem_instdir}/README.md
%changelog %changelog
* Tue Nov 14 2023 wangkai <13474090681@163.com> - 1.2.1-1
- Update to 1.2.1
* Tue Feb 07 2023 liyuxiang<liyuxiang@ncti-gba.cn> - 1.0.0-2 * Tue Feb 07 2023 liyuxiang<liyuxiang@ncti-gba.cn> - 1.0.0-2
- fix CVE-2023-22799 - fix CVE-2023-22799

2
rubygem-globalid.yaml
View File

@ -1,4 +1,4 @@
version_control: github version_control: github
src_repo: rails/globalid src_repo: rails/globalid
tag_prefix: "globalid-" tag_prefix: "^v"
separator: "." separator: "."

BIN
v1.0.0.tar.gz
View File

Binary file not shown.

BIN
v1.2.1.tar.gz Normal file
View File

Binary file not shown.