actionpack 5.2.4.5 → 5.2.6

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8458248b602da029b1e9113db9f0305888fdf99bf83ea4fe679ad0ed49b22175
4
- data.tar.gz: '085825f1ed9d286aa92cf5fa06fb039534331030d5b70da304c237a492f7ded9'
3
+ metadata.gz: 63b72a20df1a2ed50dd3c7bc20791c4979eb1a886770734721d7ffca4d9a4cfb
4
+ data.tar.gz: f9c384ee114ec9e287a157fb5150cdcf86c79256cfaec9611edccc2ba18b7ff2
5
5
  SHA512:
6
- metadata.gz: 7a6b62b3afeeb992a981128fbfab64944e897f20a0e75cbef6fd3d972108321ff440f7344935c8d196c1d1e6d3e08d64f040c6c5aa9ad63f06e9b78875da0c54
7
- data.tar.gz: 27a049710288451664d3672a6fb18fe505003d9bb91826408ab507d9de06fa9f1a877a2dfc6b9a9b91e32c0f122cdfd33b1bcd3802e64966e4388c17dcad08e6
6
+ metadata.gz: f33d0e9bb9cfb6a2ede9b0d11fad30752d92c3f81d07efd249cd7621b39430d0b5464e58f244d9cdbfce41e511d8dcc89f8539ee34218b369c6d0660b9d56340
7
+ data.tar.gz: c964bc901dc5baf4fa6f049005f8a6d164bd705c3c958614c13ec1f3b8cb30a31d12ca10577f72fc3cdf446bfa9b05d95bd186da6b2815426b464ece0dc596ab
data/CHANGELOG.md CHANGED
@@ -1,3 +1,54 @@
1
+ ## Rails 5.2.6 (May 05, 2021) ##
2
+
3
+ * Accept base64_urlsafe CSRF tokens to make forward compatible.
4
+
5
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
6
+ them difficult to deal with. For example, the common practice of sending
7
+ the CSRF token to a browser in a client-readable cookie does not work properly
8
+ out of the box: the value has to be url-encoded and decoded to survive transport.
9
+
10
+ In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
11
+ safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
12
+ tokens for backwards compatibility.
13
+
14
+ How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
15
+ config.
16
+
17
+ In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
18
+
19
+ **Atention**: If you already upgraded your application to 5.2.5, set the config
20
+ `urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
21
+ during the deploy of this new version.
22
+
23
+ ```ruby
24
+ Rails.application.config.action_controller.urlsafe_csrf_tokens = true
25
+ ```
26
+
27
+ If you are upgrading from 5.2.4.x, you don't need to change this configuration.
28
+
29
+ *Scott Blum*, *Étienne Barrié*
30
+
31
+
32
+ ## Rails 5.2.5 (March 26, 2021) ##
33
+
34
+ * No changes.
35
+
36
+
37
+ ## Rails 5.2.4.6 (May 05, 2021) ##
38
+
39
+ * Prevent regex DoS in HTTP token authentication
40
+ CVE-2021-22904
41
+
42
+ * Prevent string polymorphic route arguments.
43
+
44
+ `url_for` supports building polymorphic URLs via an array
45
+ of arguments (usually symbols and records). If a developer passes a
46
+ user input array, strings can result in unwanted route helper calls.
47
+
48
+ CVE-2021-22885
49
+
50
+ *Gannon McGibbon*
51
+
1
52
  ## Rails 5.2.4.5 (February 10, 2021) ##
2
53
 
3
54
  * No changes.
@@ -15,6 +66,11 @@
15
66
  * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
16
67
 
17
68
 
69
+ ## Rails 5.2.4.2 (March 19, 2020) ##
70
+
71
+ * No changes.
72
+
73
+
18
74
  ## Rails 5.2.4.1 (December 18, 2019) ##
19
75
 
20
76
  * Fix possible information leak / session hijacking vulnerability.
@@ -22,6 +78,11 @@
22
78
  The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
23
79
  gem dalli to be updated as well.
24
80
 
81
+ _Breaking changes:_
82
+ * `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
83
+ * Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
84
+ ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
85
+
25
86
  CVE-2019-16782.
26
87
 
27
88
 
@@ -406,7 +406,7 @@ module ActionController
406
406
  module Token
407
407
  TOKEN_KEY = "token="
408
408
  TOKEN_REGEX = /^(Token|Bearer)\s+/
409
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
409
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
410
410
  extend self
411
411
 
412
412
  module ControllerMethods
@@ -92,6 +92,10 @@ module ActionController #:nodoc:
92
92
  config_accessor :default_protect_from_forgery
93
93
  self.default_protect_from_forgery = false
94
94
 
95
+ # Controls whether URL-safe CSRF tokens are generated.
96
+ config_accessor :urlsafe_csrf_tokens, instance_writer: false
97
+ self.urlsafe_csrf_tokens = false
98
+
95
99
  helper_method :form_authenticity_token
96
100
  helper_method :protect_against_forgery?
97
101
  end
@@ -321,11 +325,6 @@ module ActionController #:nodoc:
321
325
  global_csrf_token(session)
322
326
  end
323
327
 
324
- one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
325
- encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
326
- masked_token = one_time_pad + encrypted_csrf_token
327
- Base64.urlsafe_encode64(masked_token, padding: false)
328
-
329
328
  mask_token(raw_token)
330
329
  end
331
330
 
@@ -338,7 +337,7 @@ module ActionController #:nodoc:
338
337
  end
339
338
 
340
339
  begin
341
- masked_token = Base64.strict_decode64(encoded_masked_token)
340
+ masked_token = decode_csrf_token(encoded_masked_token)
342
341
  rescue ArgumentError # encoded_masked_token is invalid Base64
343
342
  return false
344
343
  end
@@ -376,7 +375,7 @@ module ActionController #:nodoc:
376
375
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
377
376
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
378
377
  masked_token = one_time_pad + encrypted_csrf_token
379
- Base64.strict_encode64(masked_token)
378
+ encode_csrf_token(masked_token)
380
379
  end
381
380
 
382
381
  def compare_with_real_token(token, session) # :doc:
@@ -402,8 +401,8 @@ module ActionController #:nodoc:
402
401
  end
403
402
 
404
403
  def real_csrf_token(session) # :doc:
405
- session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
406
- Base64.strict_decode64(session[:_csrf_token])
404
+ session[:_csrf_token] ||= generate_csrf_token
405
+ decode_csrf_token(session[:_csrf_token])
407
406
  end
408
407
 
409
408
  def per_form_csrf_token(session, action_path, method) # :doc:
@@ -466,5 +465,57 @@ module ActionController #:nodoc:
466
465
  uri = URI.parse(action_path)
467
466
  uri.path.chomp("/")
468
467
  end
468
+
469
+ def generate_csrf_token # :nodoc:
470
+ if urlsafe_csrf_tokens
471
+ SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
472
+ else
473
+ SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
474
+ end
475
+ end
476
+
477
+ if RUBY_VERSION.start_with?("2.2")
478
+ # Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
479
+ using Module.new {
480
+ refine Base64.singleton_class do
481
+ def urlsafe_encode64(bin, padding: true)
482
+ str = strict_encode64(bin).tr("+/", "-_")
483
+ str = str.delete("=") unless padding
484
+ str
485
+ end
486
+
487
+ def urlsafe_decode64(str)
488
+ # NOTE: RFC 4648 does say nothing about unpadded input, but says that
489
+ # "the excess pad characters MAY also be ignored", so it is inferred that
490
+ # unpadded input is also acceptable.
491
+ str = str.tr("-_", "+/")
492
+ if !str.end_with?("=") && str.length % 4 != 0
493
+ str = str.ljust((str.length + 3) & ~3, "=")
494
+ end
495
+ strict_decode64(str)
496
+ end
497
+ end
498
+ }
499
+ end
500
+
501
+ def encode_csrf_token(csrf_token) # :nodoc:
502
+ if urlsafe_csrf_tokens
503
+ Base64.urlsafe_encode64(csrf_token, padding: false)
504
+ else
505
+ Base64.strict_encode64(csrf_token)
506
+ end
507
+ end
508
+
509
+ def decode_csrf_token(encoded_csrf_token) # :nodoc:
510
+ if urlsafe_csrf_tokens
511
+ Base64.urlsafe_decode64(encoded_csrf_token)
512
+ else
513
+ begin
514
+ Base64.strict_decode64(encoded_csrf_token)
515
+ rescue ArgumentError
516
+ Base64.urlsafe_decode64(encoded_csrf_token)
517
+ end
518
+ end
519
+ end
469
520
  end
470
521
  end
@@ -177,12 +177,12 @@ module ActionController
177
177
 
178
178
  # Methods #destroy and #load! are overridden to avoid calling methods on the
179
179
  # @store object, which does not exist for the TestSession class.
180
- class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
180
+ class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
181
181
  DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
182
182
 
183
183
  def initialize(session = {})
184
184
  super(nil, nil)
185
- @id = SecureRandom.hex(16)
185
+ @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
186
186
  @data = stringify_keys(session)
187
187
  @loaded = true
188
188
  end
@@ -93,7 +93,7 @@ module ActionDispatch
93
93
  key = key.to_s
94
94
 
95
95
  if key == "session_id"
96
- id&.public_id
96
+ id && id.public_id
97
97
  else
98
98
  @delegate[key]
99
99
  end
@@ -288,10 +288,12 @@ module ActionDispatch
288
288
 
289
289
  args = []
290
290
 
291
- route = record_list.map { |parent|
291
+ route = record_list.map do |parent|
292
292
  case parent
293
- when Symbol, String
293
+ when Symbol
294
294
  parent.to_s
295
+ when String
296
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
295
297
  when Class
296
298
  args << parent
297
299
  parent.model_name.singular_route_key
@@ -299,12 +301,14 @@ module ActionDispatch
299
301
  args << parent.to_model
300
302
  parent.to_model.model_name.singular_route_key
301
303
  end
302
- }
304
+ end
303
305
 
304
306
  route <<
305
307
  case record
306
- when Symbol, String
308
+ when Symbol
307
309
  record.to_s
310
+ when String
311
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
308
312
  when Class
309
313
  @key_strategy.call record.model_name
310
314
  else
@@ -401,6 +401,7 @@ module ActionDispatch
401
401
  super
402
402
  end
403
403
  end
404
+ ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
404
405
  end
405
406
  end
406
407
 
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
- TINY = 4
13
- PRE = "5"
12
+ TINY = 6
13
+ PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.4.5
4
+ version: 5.2.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-02-10 00:00:00.000000000 Z
11
+ date: 2021-05-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 5.2.4.5
19
+ version: 5.2.6
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 5.2.4.5
26
+ version: 5.2.6
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 5.2.4.5
101
+ version: 5.2.6
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 5.2.4.5
108
+ version: 5.2.6
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 5.2.4.5
115
+ version: 5.2.6
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 5.2.4.5
122
+ version: 5.2.6
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
299
299
  licenses:
300
300
  - MIT
301
301
  metadata:
302
- source_code_uri: https://github.com/rails/rails/tree/v5.2.4.5/actionpack
303
- changelog_uri: https://github.com/rails/rails/blob/v5.2.4.5/actionpack/CHANGELOG.md
302
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.6/actionpack
303
+ changelog_uri: https://github.com/rails/rails/blob/v5.2.6/actionpack/CHANGELOG.md
304
304
  post_install_message:
305
305
  rdoc_options: []
306
306
  require_paths:
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
317
317
  version: '0'
318
318
  requirements:
319
319
  - none
320
- rubygems_version: 3.0.3
320
+ rubygems_version: 3.1.6
321
321
  signing_key:
322
322
  specification_version: 4
323
323
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).