actionpack 5.2.4.1 → 5.2.4.6
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +32 -0
- data/lib/action_controller/metal/http_authentication.rb +1 -1
- data/lib/action_controller/metal/request_forgery_protection.rb +29 -4
- data/lib/action_controller/metal/strong_parameters.rb +2 -0
- data/lib/action_dispatch/routing/polymorphic_routes.rb +8 -4
- data/lib/action_pack/gem_version.rb +1 -1
- metadata +14 -14
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 21ea10678c4ef44aa9d770173426c4288f82f6cfd18e203b50d8e8319d59619d
|
4
|
+
data.tar.gz: 8a5dae1aba4a1a314a87fdc507507d626f5c1ac4d3707c8394efca683d0035bb
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b8bff063c8bcf5367ad0f2c30e59676d1dea50f1106c95dcb1b1eaf8560df58fc5a5d59fa8fd65cf908455b8699a2488082649e5a7bde25c596ff1e9d5b4a439
|
7
|
+
data.tar.gz: e516a770a086884251847855aad0ffebe1d6d7014d23ccc72c04bfe7773ac618401e75eaef71f69c53fb9c803dd983c4b9557680fe1ba63ca9de7ccc723d0d14
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,35 @@
|
|
1
|
+
## Rails 5.2.4.6 (May 05, 2021) ##
|
2
|
+
|
3
|
+
* Prevent regex DoS in HTTP token authentication
|
4
|
+
CVE-2021-22904
|
5
|
+
|
6
|
+
* Prevent string polymorphic route arguments.
|
7
|
+
|
8
|
+
`url_for` supports building polymorphic URLs via an array
|
9
|
+
of arguments (usually symbols and records). If a developer passes a
|
10
|
+
user input array, strings can result in unwanted route helper calls.
|
11
|
+
|
12
|
+
CVE-2021-22885
|
13
|
+
|
14
|
+
*Gannon McGibbon*
|
15
|
+
|
16
|
+
## Rails 5.2.4.5 (February 10, 2021) ##
|
17
|
+
|
18
|
+
* No changes.
|
19
|
+
|
20
|
+
|
21
|
+
## Rails 5.2.4.4 (September 09, 2020) ##
|
22
|
+
|
23
|
+
* No changes.
|
24
|
+
|
25
|
+
|
26
|
+
## Rails 5.2.4.3 (May 18, 2020) ##
|
27
|
+
|
28
|
+
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
29
|
+
|
30
|
+
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
31
|
+
|
32
|
+
|
1
33
|
## Rails 5.2.4.1 (December 18, 2019) ##
|
2
34
|
|
3
35
|
* Fix possible information leak / session hijacking vulnerability.
|
@@ -318,13 +318,15 @@ module ActionController #:nodoc:
|
|
318
318
|
action_path = normalize_action_path(action)
|
319
319
|
per_form_csrf_token(session, action_path, method)
|
320
320
|
else
|
321
|
-
|
321
|
+
global_csrf_token(session)
|
322
322
|
end
|
323
323
|
|
324
324
|
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
325
325
|
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
326
326
|
masked_token = one_time_pad + encrypted_csrf_token
|
327
|
-
Base64.
|
327
|
+
Base64.urlsafe_encode64(masked_token, padding: false)
|
328
|
+
|
329
|
+
mask_token(raw_token)
|
328
330
|
end
|
329
331
|
|
330
332
|
# Checks the client's masked token to see if it matches the
|
@@ -354,7 +356,8 @@ module ActionController #:nodoc:
|
|
354
356
|
elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
|
355
357
|
csrf_token = unmask_token(masked_token)
|
356
358
|
|
357
|
-
|
359
|
+
compare_with_global_token(csrf_token, session) ||
|
360
|
+
compare_with_real_token(csrf_token, session) ||
|
358
361
|
valid_per_form_csrf_token?(csrf_token, session)
|
359
362
|
else
|
360
363
|
false # Token is malformed.
|
@@ -369,10 +372,21 @@ module ActionController #:nodoc:
|
|
369
372
|
xor_byte_strings(one_time_pad, encrypted_csrf_token)
|
370
373
|
end
|
371
374
|
|
375
|
+
def mask_token(raw_token) # :doc:
|
376
|
+
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
377
|
+
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
378
|
+
masked_token = one_time_pad + encrypted_csrf_token
|
379
|
+
Base64.strict_encode64(masked_token)
|
380
|
+
end
|
381
|
+
|
372
382
|
def compare_with_real_token(token, session) # :doc:
|
373
383
|
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
|
374
384
|
end
|
375
385
|
|
386
|
+
def compare_with_global_token(token, session) # :doc:
|
387
|
+
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
|
388
|
+
end
|
389
|
+
|
376
390
|
def valid_per_form_csrf_token?(token, session) # :doc:
|
377
391
|
if per_form_csrf_tokens
|
378
392
|
correct_token = per_form_csrf_token(
|
@@ -393,10 +407,21 @@ module ActionController #:nodoc:
|
|
393
407
|
end
|
394
408
|
|
395
409
|
def per_form_csrf_token(session, action_path, method) # :doc:
|
410
|
+
csrf_token_hmac(session, [action_path, method.downcase].join("#"))
|
411
|
+
end
|
412
|
+
|
413
|
+
GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
|
414
|
+
private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
|
415
|
+
|
416
|
+
def global_csrf_token(session) # :doc:
|
417
|
+
csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
|
418
|
+
end
|
419
|
+
|
420
|
+
def csrf_token_hmac(session, identifier) # :doc:
|
396
421
|
OpenSSL::HMAC.digest(
|
397
422
|
OpenSSL::Digest::SHA256.new,
|
398
423
|
real_csrf_token(session),
|
399
|
-
|
424
|
+
identifier
|
400
425
|
)
|
401
426
|
end
|
402
427
|
|
@@ -288,10 +288,12 @@ module ActionDispatch
|
|
288
288
|
|
289
289
|
args = []
|
290
290
|
|
291
|
-
route = record_list.map
|
291
|
+
route = record_list.map do |parent|
|
292
292
|
case parent
|
293
|
-
when Symbol
|
293
|
+
when Symbol
|
294
294
|
parent.to_s
|
295
|
+
when String
|
296
|
+
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
295
297
|
when Class
|
296
298
|
args << parent
|
297
299
|
parent.model_name.singular_route_key
|
@@ -299,12 +301,14 @@ module ActionDispatch
|
|
299
301
|
args << parent.to_model
|
300
302
|
parent.to_model.model_name.singular_route_key
|
301
303
|
end
|
302
|
-
|
304
|
+
end
|
303
305
|
|
304
306
|
route <<
|
305
307
|
case record
|
306
|
-
when Symbol
|
308
|
+
when Symbol
|
307
309
|
record.to_s
|
310
|
+
when String
|
311
|
+
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
308
312
|
when Class
|
309
313
|
@key_strategy.call record.model_name
|
310
314
|
else
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.4.
|
4
|
+
version: 5.2.4.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-05-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 5.2.4.
|
19
|
+
version: 5.2.4.6
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 5.2.4.
|
26
|
+
version: 5.2.4.6
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 5.2.4.
|
101
|
+
version: 5.2.4.6
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 5.2.4.
|
108
|
+
version: 5.2.4.6
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 5.2.4.
|
115
|
+
version: 5.2.4.6
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 5.2.4.
|
122
|
+
version: 5.2.4.6
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -299,9 +299,9 @@ homepage: http://rubyonrails.org
|
|
299
299
|
licenses:
|
300
300
|
- MIT
|
301
301
|
metadata:
|
302
|
-
source_code_uri: https://github.com/rails/rails/tree/v5.2.4.
|
303
|
-
changelog_uri: https://github.com/rails/rails/blob/v5.2.4.
|
304
|
-
post_install_message:
|
302
|
+
source_code_uri: https://github.com/rails/rails/tree/v5.2.4.6/actionpack
|
303
|
+
changelog_uri: https://github.com/rails/rails/blob/v5.2.4.6/actionpack/CHANGELOG.md
|
304
|
+
post_install_message:
|
305
305
|
rdoc_options: []
|
306
306
|
require_paths:
|
307
307
|
- lib
|
@@ -317,8 +317,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
317
317
|
version: '0'
|
318
318
|
requirements:
|
319
319
|
- none
|
320
|
-
rubygems_version: 3.
|
321
|
-
signing_key:
|
320
|
+
rubygems_version: 3.1.2
|
321
|
+
signing_key:
|
322
322
|
specification_version: 4
|
323
323
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|
324
324
|
test_files: []
|