actionpack 5.2.4.1 → 5.2.4.6

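--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 17edac04681c0d3a1f49b81fc2f1d6a19ca548cd1907dd84b93bd9bb4eaf7c13
-data.tar.gz: c7903d709cebde205a7d7aec99b8f6d5d3ce39d7f1f54e9a829f4180b236c9bc
+metadata.gz: 21ea10678c4ef44aa9d770173426c4288f82f6cfd18e203b50d8e8319d59619d
+data.tar.gz: 8a5dae1aba4a1a314a87fdc507507d626f5c1ac4d3707c8394efca683d0035bb
 SHA512:
-metadata.gz: c0eb2ce0a52c4bde406f914e23ee6ce0785d836c171769bb9da1a5342f2a0b0a2132dee11a9f15f348fb66f5be2b9aaab49e00d951c4ea9fa838a6da36595770
-data.tar.gz: 2ab7695a61113cf2c52f0ea1fb33136a3d1e10fbc00c7c5fa06875006a2d8c62544cd20e9bff019f512c61d2bc64d7463359c57dc6a46e39c6267768b1c23d7e
+metadata.gz: b8bff063c8bcf5367ad0f2c30e59676d1dea50f1106c95dcb1b1eaf8560df58fc5a5d59fa8fd65cf908455b8699a2488082649e5a7bde25c596ff1e9d5b4a439
+data.tar.gz: e516a770a086884251847855aad0ffebe1d6d7014d23ccc72c04bfe7773ac618401e75eaef71f69c53fb9c803dd983c4b9557680fe1ba63ca9de7ccc723d0d14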
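--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,35 @@
+## Rails 5.2.4.6 (May 05, 2021) ##
+
+* Prevent regex DoS in HTTP token authentication
+CVE-2021-22904
+
+* Prevent string polymorphic route arguments.
+
+`url_for` supports building polymorphic URLs via an array
+of arguments (usually symbols and records). If a developer passes a
+user input array, strings can result in unwanted route helper calls.
+
+CVE-2021-22885
+
+*Gannon McGibbon*
+
+## Rails 5.2.4.5 (February 10, 2021) ##
+
+* No changes.
+
+
+## Rails 5.2.4.4 (September 09, 2020) ##
+
+* No changes.
+
+
+## Rails 5.2.4.3 (May 18, 2020) ##
+
+* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
+
+* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
+
+
 ## Rails 5.2.4.1 (December 18, 2019) ##
 
 * Fix possible information leak / session hijacking vulnerability.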
@@ -406,7 +406,7 @@ module ActionController
406
406
  module Token
407
407
  TOKEN_KEY = "token="
408
408
  TOKEN_REGEX = /^(Token|Bearer)\s+/
409
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
409
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
410
410
  extend self
411
411
 
412
412
  module ControllerMethods
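Review bot: The tightened `AUTHN_PAIR_DELIMITERS` on new line 409 carries no comment saying why `\t+` became `\t`, so a later tidy-up could reinstate the quantifier; the CHANGELOG on this page ties the change to CVE-2021-22904. Suggest `# A single tab, not \t+: the repeated quantifier was the regex DoS fixed in CVE-2021-22904.` directly above the constant. With the quantifier gone, a run of tabs now yields empty fields between delimiters, which the code that splits on this regex presumably already discards — worth confirming, since that code lies outside the hunk. The `Token` module continues beyond the hunk.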
@@ -318,13 +318,15 @@ module ActionController #:nodoc:
318
318
  action_path = normalize_action_path(action)
319
319
  per_form_csrf_token(session, action_path, method)
320
320
  else
321
- real_csrf_token(session)
321
+ global_csrf_token(session)
322
322
  end
323
323
 
324
324
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
325
325
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
326
326
  masked_token = one_time_pad + encrypted_csrf_token
327
- Base64.strict_encode64(masked_token)
327
+ Base64.urlsafe_encode64(masked_token, padding: false)
328
+
329
+ mask_token(raw_token)
328
330
  end
329
331
 
330
332
  # Checks the client's masked token to see if it matches the
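Review bot: New lines 324–327 compute a masked token and then discard it: the method's value is `mask_token(raw_token)` on line 329, so `Base64.urlsafe_encode64(masked_token, padding: false)` is dead code and the preceding `SecureRandom.random_bytes` draws a one-time pad for nothing. Delete those four lines so the body ends with the `raw_token = … end` assignment followed by `mask_token(raw_token)`. Leaving them in also misleads a reader into thinking tokens are emitted url-safe and unpadded, while `mask_token` (added later in this diff) uses `Base64.strict_encode64`. The enclosing method's signature is above the hunk.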
@@ -354,7 +356,8 @@ module ActionController #:nodoc:
354
356
  elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
355
357
  csrf_token = unmask_token(masked_token)
356
358
 
357
- compare_with_real_token(csrf_token, session) ||
359
+ compare_with_global_token(csrf_token, session) ||
360
+ compare_with_real_token(csrf_token, session) ||
358
361
  valid_per_form_csrf_token?(csrf_token, session)
359
362
  else
360
363
  false # Token is malformed.
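Review bot: `compare_with_real_token` on new line 360 is kept alongside the new `compare_with_global_token`, so a client presenting the raw session token still passes validation; given the CVE-2020-8166 entry in this page's CHANGELOG says the raw token is no longer issued, this is presumably a transition path for tokens minted before the upgrade. A comment should say so, e.g. `# Also accept the raw session token, for tokens issued before global_csrf_token existed.`, and ideally name the release in which the fallback is dropped. The enclosing method starts above the hunk.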
@@ -369,10 +372,21 @@ module ActionController #:nodoc:
369
372
  xor_byte_strings(one_time_pad, encrypted_csrf_token)
370
373
  end
371
374
 
375
+ def mask_token(raw_token) # :doc:
376
+ one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
377
+ encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
378
+ masked_token = one_time_pad + encrypted_csrf_token
379
+ Base64.strict_encode64(masked_token)
380
+ end
381
+
372
382
  def compare_with_real_token(token, session) # :doc:
373
383
  ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
374
384
  end
375
385
 
386
+ def compare_with_global_token(token, session) # :doc:
387
+ ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
388
+ end
389
+
376
390
  def valid_per_form_csrf_token?(token, session) # :doc:
377
391
  if per_form_csrf_tokens
378
392
  correct_token = per_form_csrf_token(
@@ -393,10 +407,21 @@ module ActionController #:nodoc:
393
407
  end
394
408
 
395
409
  def per_form_csrf_token(session, action_path, method) # :doc:
410
+ csrf_token_hmac(session, [action_path, method.downcase].join("#"))
411
+ end
412
+
413
+ GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
414
+ private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
415
+
416
+ def global_csrf_token(session) # :doc:
417
+ csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
418
+ end
419
+
420
+ def csrf_token_hmac(session, identifier) # :doc:
396
421
  OpenSSL::HMAC.digest(
397
422
  OpenSSL::Digest::SHA256.new,
398
423
  real_csrf_token(session),
399
- [action_path, method.downcase].join("#")
424
+ identifier
400
425
  )
401
426
  end
402
427
 
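Review bot: `GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"` on new line 413 and `csrf_token_hmac` on line 420 carry no comment, and the leading `!` is exactly the detail the next maintainer will not guess. Presumably it is chosen so the global identifier cannot collide with a per-form identifier, which line 410 builds as `[action_path, method.downcase].join("#")`; suggest `# Leading "!" keeps this identifier distinct from any per-form "path#method" identifier.` above the constant. For `csrf_token_hmac`, `# HMAC-SHA256 of +identifier+ keyed by the session's raw CSRF token; global and per-form tokens both derive from it.` documents what lines 421–425 do. If the file does not begin with `# frozen_string_literal: true` (not visible here), the constant should also be `.freeze`d.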
@@ -337,6 +337,8 @@ module ActionController
337
337
  @parameters.each_pair do |key, value|
338
338
  yield [key, convert_hashes_to_parameters(key, value)]
339
339
  end
340
+
341
+ self
340
342
  end
341
343
  alias_method :each, :each_pair
342
344
 
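Review bot: `each_pair` now returns `self` (new line 341) but nothing visible guards the blockless call: `yield` on line 338 raises LocalJumpError as soon as `@parameters` has a pair and the caller gave no block, and on an empty hash the method quietly returns `self` instead of an Enumerator. Unless a guard sits above the hunk (the method header is outside it), add `return to_enum(__callee__) unless block_given?` as the first statement; `__callee__` keeps the `each` alias on line 343 reporting its own name. A one-line comment on the new return, `# return self, never the raw @parameters hash (CVE-2020-8164)`, would record why the hash is no longer exposed.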
@@ -288,10 +288,12 @@ module ActionDispatch
288
288
 
289
289
  args = []
290
290
 
291
- route = record_list.map { |parent|
291
+ route = record_list.map do |parent|
292
292
  case parent
293
- when Symbol, String
293
+ when Symbol
294
294
  parent.to_s
295
+ when String
296
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
295
297
  when Class
296
298
  args << parent
297
299
  parent.model_name.singular_route_key
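Review bot: The `when String` branch on new line 296 is repeated verbatim on line 311 of the next hunk (`@@ -299,12 +301,14 @@`), message included, so the two copies will drift the first time the wording changes. Move the message into a private constant or a small private helper and call it from both `case` statements, and drop the parentheses: `raise ArgumentError, "Please use symbols for polymorphic route arguments."` is the idiomatic form. The surrounding method starts above and ends below these hunks.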
@@ -299,12 +301,14 @@ module ActionDispatch
299
301
  args << parent.to_model
300
302
  parent.to_model.model_name.singular_route_key
301
303
  end
302
- }
304
+ end
303
305
 
304
306
  route <<
305
307
  case record
306
- when Symbol, String
308
+ when Symbol
307
309
  record.to_s
310
+ when String
311
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
308
312
  when Class
309
313
  @key_strategy.call record.model_name
310
314
  else
@@ -10,7 +10,7 @@ module ActionPack
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
12
  TINY = 4
13
- PRE = "1"
13
+ PRE = "6"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
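--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 5.2.4.1
+version: 5.2.4.6
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-18 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.1
+version: 5.2.4.6
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.1
+version: 5.2.4.6
 - !ruby/object:Gem::Dependency
 name: rack
 requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.1
+version: 5.2.4.6
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.1
+version: 5.2.4.6
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.1
+version: 5.2.4.6
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 5.2.4.1
+version: 5.2.4.6
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -299,9 +299,9 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-source_code_uri: https://github.com/rails/rails/tree/v5.2.4.1/actionpack
-changelog_uri: https://github.com/rails/rails/blob/v5.2.4.1/actionpack/CHANGELOG.md
-post_install_message:
+source_code_uri: https://github.com/rails/rails/tree/v5.2.4.6/actionpack
+changelog_uri: https://github.com/rails/rails/blob/v5.2.4.6/actionpack/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -317,8 +317,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.0.3
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []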