actionpack 5.2.4.1 → 5.2.6
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of actionpack might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +78 -0
- data/lib/action_controller/metal/http_authentication.rb +1 -1
- data/lib/action_controller/metal/request_forgery_protection.rb +86 -10
- data/lib/action_controller/metal/strong_parameters.rb +2 -0
- data/lib/action_controller/test_case.rb +2 -2
- data/lib/action_dispatch/request/session.rb +1 -1
- data/lib/action_dispatch/routing/polymorphic_routes.rb +8 -4
- data/lib/action_dispatch/testing/integration.rb +1 -0
- data/lib/action_pack/gem_version.rb +2 -2
- metadata +11 -11
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 63b72a20df1a2ed50dd3c7bc20791c4979eb1a886770734721d7ffca4d9a4cfb
|
4
|
+
data.tar.gz: f9c384ee114ec9e287a157fb5150cdcf86c79256cfaec9611edccc2ba18b7ff2
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f33d0e9bb9cfb6a2ede9b0d11fad30752d92c3f81d07efd249cd7621b39430d0b5464e58f244d9cdbfce41e511d8dcc89f8539ee34218b369c6d0660b9d56340
|
7
|
+
data.tar.gz: c964bc901dc5baf4fa6f049005f8a6d164bd705c3c958614c13ec1f3b8cb30a31d12ca10577f72fc3cdf446bfa9b05d95bd186da6b2815426b464ece0dc596ab
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,76 @@
|
|
1
|
+
## Rails 5.2.6 (May 05, 2021) ##
|
2
|
+
|
3
|
+
* Accept base64_urlsafe CSRF tokens to make forward compatible.
|
4
|
+
|
5
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
6
|
+
them difficult to deal with. For example, the common practice of sending
|
7
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
8
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
9
|
+
|
10
|
+
In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
|
11
|
+
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
12
|
+
tokens for backwards compatibility.
|
13
|
+
|
14
|
+
How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
|
15
|
+
config.
|
16
|
+
|
17
|
+
In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
|
18
|
+
|
19
|
+
**Atention**: If you already upgraded your application to 5.2.5, set the config
|
20
|
+
`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
|
21
|
+
during the deploy of this new version.
|
22
|
+
|
23
|
+
```ruby
|
24
|
+
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
25
|
+
```
|
26
|
+
|
27
|
+
If you are upgrading from 5.2.4.x, you don't need to change this configuration.
|
28
|
+
|
29
|
+
*Scott Blum*, *Étienne Barrié*
|
30
|
+
|
31
|
+
|
32
|
+
## Rails 5.2.5 (March 26, 2021) ##
|
33
|
+
|
34
|
+
* No changes.
|
35
|
+
|
36
|
+
|
37
|
+
## Rails 5.2.4.6 (May 05, 2021) ##
|
38
|
+
|
39
|
+
* Prevent regex DoS in HTTP token authentication
|
40
|
+
CVE-2021-22904
|
41
|
+
|
42
|
+
* Prevent string polymorphic route arguments.
|
43
|
+
|
44
|
+
`url_for` supports building polymorphic URLs via an array
|
45
|
+
of arguments (usually symbols and records). If a developer passes a
|
46
|
+
user input array, strings can result in unwanted route helper calls.
|
47
|
+
|
48
|
+
CVE-2021-22885
|
49
|
+
|
50
|
+
*Gannon McGibbon*
|
51
|
+
|
52
|
+
## Rails 5.2.4.5 (February 10, 2021) ##
|
53
|
+
|
54
|
+
* No changes.
|
55
|
+
|
56
|
+
|
57
|
+
## Rails 5.2.4.4 (September 09, 2020) ##
|
58
|
+
|
59
|
+
* No changes.
|
60
|
+
|
61
|
+
|
62
|
+
## Rails 5.2.4.3 (May 18, 2020) ##
|
63
|
+
|
64
|
+
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
65
|
+
|
66
|
+
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
67
|
+
|
68
|
+
|
69
|
+
## Rails 5.2.4.2 (March 19, 2020) ##
|
70
|
+
|
71
|
+
* No changes.
|
72
|
+
|
73
|
+
|
1
74
|
## Rails 5.2.4.1 (December 18, 2019) ##
|
2
75
|
|
3
76
|
* Fix possible information leak / session hijacking vulnerability.
|
@@ -5,6 +78,11 @@
|
|
5
78
|
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
6
79
|
gem dalli to be updated as well.
|
7
80
|
|
81
|
+
_Breaking changes:_
|
82
|
+
* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
|
83
|
+
* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
|
84
|
+
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
85
|
+
|
8
86
|
CVE-2019-16782.
|
9
87
|
|
10
88
|
|
@@ -92,6 +92,10 @@ module ActionController #:nodoc:
|
|
92
92
|
config_accessor :default_protect_from_forgery
|
93
93
|
self.default_protect_from_forgery = false
|
94
94
|
|
95
|
+
# Controls whether URL-safe CSRF tokens are generated.
|
96
|
+
config_accessor :urlsafe_csrf_tokens, instance_writer: false
|
97
|
+
self.urlsafe_csrf_tokens = false
|
98
|
+
|
95
99
|
helper_method :form_authenticity_token
|
96
100
|
helper_method :protect_against_forgery?
|
97
101
|
end
|
@@ -318,13 +322,10 @@ module ActionController #:nodoc:
|
|
318
322
|
action_path = normalize_action_path(action)
|
319
323
|
per_form_csrf_token(session, action_path, method)
|
320
324
|
else
|
321
|
-
|
325
|
+
global_csrf_token(session)
|
322
326
|
end
|
323
327
|
|
324
|
-
|
325
|
-
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
326
|
-
masked_token = one_time_pad + encrypted_csrf_token
|
327
|
-
Base64.strict_encode64(masked_token)
|
328
|
+
mask_token(raw_token)
|
328
329
|
end
|
329
330
|
|
330
331
|
# Checks the client's masked token to see if it matches the
|
@@ -336,7 +337,7 @@ module ActionController #:nodoc:
|
|
336
337
|
end
|
337
338
|
|
338
339
|
begin
|
339
|
-
masked_token =
|
340
|
+
masked_token = decode_csrf_token(encoded_masked_token)
|
340
341
|
rescue ArgumentError # encoded_masked_token is invalid Base64
|
341
342
|
return false
|
342
343
|
end
|
@@ -354,7 +355,8 @@ module ActionController #:nodoc:
|
|
354
355
|
elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
|
355
356
|
csrf_token = unmask_token(masked_token)
|
356
357
|
|
357
|
-
|
358
|
+
compare_with_global_token(csrf_token, session) ||
|
359
|
+
compare_with_real_token(csrf_token, session) ||
|
358
360
|
valid_per_form_csrf_token?(csrf_token, session)
|
359
361
|
else
|
360
362
|
false # Token is malformed.
|
@@ -369,10 +371,21 @@ module ActionController #:nodoc:
|
|
369
371
|
xor_byte_strings(one_time_pad, encrypted_csrf_token)
|
370
372
|
end
|
371
373
|
|
374
|
+
def mask_token(raw_token) # :doc:
|
375
|
+
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
|
376
|
+
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
|
377
|
+
masked_token = one_time_pad + encrypted_csrf_token
|
378
|
+
encode_csrf_token(masked_token)
|
379
|
+
end
|
380
|
+
|
372
381
|
def compare_with_real_token(token, session) # :doc:
|
373
382
|
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
|
374
383
|
end
|
375
384
|
|
385
|
+
def compare_with_global_token(token, session) # :doc:
|
386
|
+
ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
|
387
|
+
end
|
388
|
+
|
376
389
|
def valid_per_form_csrf_token?(token, session) # :doc:
|
377
390
|
if per_form_csrf_tokens
|
378
391
|
correct_token = per_form_csrf_token(
|
@@ -388,15 +401,26 @@ module ActionController #:nodoc:
|
|
388
401
|
end
|
389
402
|
|
390
403
|
def real_csrf_token(session) # :doc:
|
391
|
-
session[:_csrf_token] ||=
|
392
|
-
|
404
|
+
session[:_csrf_token] ||= generate_csrf_token
|
405
|
+
decode_csrf_token(session[:_csrf_token])
|
393
406
|
end
|
394
407
|
|
395
408
|
def per_form_csrf_token(session, action_path, method) # :doc:
|
409
|
+
csrf_token_hmac(session, [action_path, method.downcase].join("#"))
|
410
|
+
end
|
411
|
+
|
412
|
+
GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
|
413
|
+
private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
|
414
|
+
|
415
|
+
def global_csrf_token(session) # :doc:
|
416
|
+
csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
|
417
|
+
end
|
418
|
+
|
419
|
+
def csrf_token_hmac(session, identifier) # :doc:
|
396
420
|
OpenSSL::HMAC.digest(
|
397
421
|
OpenSSL::Digest::SHA256.new,
|
398
422
|
real_csrf_token(session),
|
399
|
-
|
423
|
+
identifier
|
400
424
|
)
|
401
425
|
end
|
402
426
|
|
@@ -441,5 +465,57 @@ module ActionController #:nodoc:
|
|
441
465
|
uri = URI.parse(action_path)
|
442
466
|
uri.path.chomp("/")
|
443
467
|
end
|
468
|
+
|
469
|
+
def generate_csrf_token # :nodoc:
|
470
|
+
if urlsafe_csrf_tokens
|
471
|
+
SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
|
472
|
+
else
|
473
|
+
SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
|
474
|
+
end
|
475
|
+
end
|
476
|
+
|
477
|
+
if RUBY_VERSION.start_with?("2.2")
|
478
|
+
# Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
|
479
|
+
using Module.new {
|
480
|
+
refine Base64.singleton_class do
|
481
|
+
def urlsafe_encode64(bin, padding: true)
|
482
|
+
str = strict_encode64(bin).tr("+/", "-_")
|
483
|
+
str = str.delete("=") unless padding
|
484
|
+
str
|
485
|
+
end
|
486
|
+
|
487
|
+
def urlsafe_decode64(str)
|
488
|
+
# NOTE: RFC 4648 does say nothing about unpadded input, but says that
|
489
|
+
# "the excess pad characters MAY also be ignored", so it is inferred that
|
490
|
+
# unpadded input is also acceptable.
|
491
|
+
str = str.tr("-_", "+/")
|
492
|
+
if !str.end_with?("=") && str.length % 4 != 0
|
493
|
+
str = str.ljust((str.length + 3) & ~3, "=")
|
494
|
+
end
|
495
|
+
strict_decode64(str)
|
496
|
+
end
|
497
|
+
end
|
498
|
+
}
|
499
|
+
end
|
500
|
+
|
501
|
+
def encode_csrf_token(csrf_token) # :nodoc:
|
502
|
+
if urlsafe_csrf_tokens
|
503
|
+
Base64.urlsafe_encode64(csrf_token, padding: false)
|
504
|
+
else
|
505
|
+
Base64.strict_encode64(csrf_token)
|
506
|
+
end
|
507
|
+
end
|
508
|
+
|
509
|
+
def decode_csrf_token(encoded_csrf_token) # :nodoc:
|
510
|
+
if urlsafe_csrf_tokens
|
511
|
+
Base64.urlsafe_decode64(encoded_csrf_token)
|
512
|
+
else
|
513
|
+
begin
|
514
|
+
Base64.strict_decode64(encoded_csrf_token)
|
515
|
+
rescue ArgumentError
|
516
|
+
Base64.urlsafe_decode64(encoded_csrf_token)
|
517
|
+
end
|
518
|
+
end
|
519
|
+
end
|
444
520
|
end
|
445
521
|
end
|
@@ -177,12 +177,12 @@ module ActionController
|
|
177
177
|
|
178
178
|
# Methods #destroy and #load! are overridden to avoid calling methods on the
|
179
179
|
# @store object, which does not exist for the TestSession class.
|
180
|
-
class TestSession < Rack::Session::Abstract::
|
180
|
+
class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
|
181
181
|
DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
|
182
182
|
|
183
183
|
def initialize(session = {})
|
184
184
|
super(nil, nil)
|
185
|
-
@id = SecureRandom.hex(16)
|
185
|
+
@id = Rack::Session::SessionId.new(SecureRandom.hex(16))
|
186
186
|
@data = stringify_keys(session)
|
187
187
|
@loaded = true
|
188
188
|
end
|
@@ -288,10 +288,12 @@ module ActionDispatch
|
|
288
288
|
|
289
289
|
args = []
|
290
290
|
|
291
|
-
route = record_list.map
|
291
|
+
route = record_list.map do |parent|
|
292
292
|
case parent
|
293
|
-
when Symbol
|
293
|
+
when Symbol
|
294
294
|
parent.to_s
|
295
|
+
when String
|
296
|
+
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
295
297
|
when Class
|
296
298
|
args << parent
|
297
299
|
parent.model_name.singular_route_key
|
@@ -299,12 +301,14 @@ module ActionDispatch
|
|
299
301
|
args << parent.to_model
|
300
302
|
parent.to_model.model_name.singular_route_key
|
301
303
|
end
|
302
|
-
|
304
|
+
end
|
303
305
|
|
304
306
|
route <<
|
305
307
|
case record
|
306
|
-
when Symbol
|
308
|
+
when Symbol
|
307
309
|
record.to_s
|
310
|
+
when String
|
311
|
+
raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
|
308
312
|
when Class
|
309
313
|
@key_strategy.call record.model_name
|
310
314
|
else
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: actionpack
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.2.
|
4
|
+
version: 5.2.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- David Heinemeier Hansson
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-05-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activesupport
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 5.2.
|
19
|
+
version: 5.2.6
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 5.2.
|
26
|
+
version: 5.2.6
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: rack
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -98,28 +98,28 @@ dependencies:
|
|
98
98
|
requirements:
|
99
99
|
- - '='
|
100
100
|
- !ruby/object:Gem::Version
|
101
|
-
version: 5.2.
|
101
|
+
version: 5.2.6
|
102
102
|
type: :runtime
|
103
103
|
prerelease: false
|
104
104
|
version_requirements: !ruby/object:Gem::Requirement
|
105
105
|
requirements:
|
106
106
|
- - '='
|
107
107
|
- !ruby/object:Gem::Version
|
108
|
-
version: 5.2.
|
108
|
+
version: 5.2.6
|
109
109
|
- !ruby/object:Gem::Dependency
|
110
110
|
name: activemodel
|
111
111
|
requirement: !ruby/object:Gem::Requirement
|
112
112
|
requirements:
|
113
113
|
- - '='
|
114
114
|
- !ruby/object:Gem::Version
|
115
|
-
version: 5.2.
|
115
|
+
version: 5.2.6
|
116
116
|
type: :development
|
117
117
|
prerelease: false
|
118
118
|
version_requirements: !ruby/object:Gem::Requirement
|
119
119
|
requirements:
|
120
120
|
- - '='
|
121
121
|
- !ruby/object:Gem::Version
|
122
|
-
version: 5.2.
|
122
|
+
version: 5.2.6
|
123
123
|
description: Web apps on Rails. Simple, battle-tested conventions for building and
|
124
124
|
testing MVC web applications. Works with any Rack-compatible server.
|
125
125
|
email: david@loudthinking.com
|
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
|
|
299
299
|
licenses:
|
300
300
|
- MIT
|
301
301
|
metadata:
|
302
|
-
source_code_uri: https://github.com/rails/rails/tree/v5.2.
|
303
|
-
changelog_uri: https://github.com/rails/rails/blob/v5.2.
|
302
|
+
source_code_uri: https://github.com/rails/rails/tree/v5.2.6/actionpack
|
303
|
+
changelog_uri: https://github.com/rails/rails/blob/v5.2.6/actionpack/CHANGELOG.md
|
304
304
|
post_install_message:
|
305
305
|
rdoc_options: []
|
306
306
|
require_paths:
|
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
317
317
|
version: '0'
|
318
318
|
requirements:
|
319
319
|
- none
|
320
|
-
rubygems_version: 3.
|
320
|
+
rubygems_version: 3.1.6
|
321
321
|
signing_key:
|
322
322
|
specification_version: 4
|
323
323
|
summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
|