actionpack 6.0.3.6 → 6.0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fab060574d42079154040a9edaf49c8b6667dfd510196c1f6224237b1ba89059
-  data.tar.gz: e2ec4deaeba7ec71e39ef196eeef0aaf14b6b54ff906d587903eb1e7dabeca9a
+  metadata.gz: d0922e2737ef8018658defe59245777e028d0e51257716db1ba1586c166756df
+  data.tar.gz: 92c40c67a4914dc5e87aad14434ac3cff2a2a73782459b55a8984b8708a577b7
 SHA512:
-  metadata.gz: 9795ff64ab0308ba97f6be07db499d681c13d363bb15515a704a84a7251c8873334319b411106e1d3901a975a9554394c66aa4f9a99ac311da2768e27080734a
-  data.tar.gz: 05b9e7e3acbc4ea5b38e378c0b09bdbc458c3f6d273d369205baf6c5bfc038721a1ab0ed48150ae07ff17adee5830b012302d064fda7a0cb349e6a0d9f3514a2
+  metadata.gz: 536f840999ed225ce831364206e19708fb49ad653181d8719d0c27cb349ccf8a7afc0028363d68f3a367b6ce953a799aa0c00e0f8e7250da6fa32e6b0da9ebb7
+  data.tar.gz: 4896b9e8f50500b8b20c05bedd95cf5b51850c37ef6b9d7d815b408c8ac803f493b2bc6e8b30dceae5864165aea678f0b4b0c974b2fa83859761039bdf844ab6

data/CHANGELOG.md

@@ -1,3 +1,61 @@
+## Rails 6.0.4.2 (December 14, 2021) ##
+
+*   Fix X_FORWARDED_HOST protection.  [CVE-2021-44528]
+
+## Rails 6.1.4.1 (August 19, 2021) ##
+
+*   [CVE-2021-22942] Fix possible open redirect in Host Authorization middleware.
+
+    Specially crafted "X-Forwarded-Host" headers in combination with certain
+    "allowed host" formats can cause the Host Authorization middleware in Action
+    Pack to redirect users to a malicious website.
+
+## Rails 6.0.4 (June 15, 2021) ##
+
+*   Accept base64_urlsafe CSRF tokens to make forward compatible.
+
+    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
+    them difficult to deal with. For example, the common practice of sending
+    the CSRF token to a browser in a client-readable cookie does not work properly
+    out of the box: the value has to be url-encoded and decoded to survive transport.
+
+    In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
+    safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
+    tokens for backwards compatibility.
+
+    In Rails 5.2.5, the CSRF token format is accidentally changed to urlsafe-encoded.
+    If you upgrade apps from 5.2.5, set the config `urlsafe_csrf_tokens = true`.
+
+    ```ruby
+    Rails.application.config.action_controller.urlsafe_csrf_tokens = true
+    ```
+
+    *Scott Blum*, *Étienne Barrié*
+
+*   Signed and encrypted cookies can now store `false` as their value when
+    `action_dispatch.use_cookies_with_metadata` is enabled.
+
+    *Rolandas Barysas*
+
+
+## Rails 6.0.3.7 (May 05, 2021) ##
+
+*   Prevent catastrophic backtracking during mime parsing
+    CVE-2021-22902
+
+*   Prevent regex DoS in HTTP token authentication
+    CVE-2021-22904
+
+*   Prevent string polymorphic route arguments.
+
+    `url_for` supports building polymorphic URLs via an array
+    of arguments (usually symbols and records). If a developer passes a
+    user input array, strings can result in unwanted route helper calls.
+
+    CVE-2021-22885
+
+    *Gannon McGibbon*
+
 ## Rails 6.0.3.6 (March 26, 2021) ##
 
 *   No changes.
@@ -35,6 +93,7 @@
 
 *   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
 
+
 ## Rails 6.0.3 (May 06, 2020) ##
 
 *   Include child session assertion count in ActionDispatch::IntegrationTest

data/README.rdoc

@@ -33,7 +33,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/master/actionpack
+* https://github.com/rails/rails/tree/main/actionpack
 
 
 == License

data/lib/action_controller/metal/http_authentication.rb

@@ -405,7 +405,7 @@ module ActionController
     module Token
       TOKEN_KEY = "token="
       TOKEN_REGEX = /^(Token|Bearer)\s+/
-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
+      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
       extend self
 
       module ControllerMethods

data/lib/action_controller/metal/params_wrapper.rb

@@ -275,7 +275,10 @@ module ActionController
         return false unless request.has_content_type?
 
         ref = request.content_mime_type.ref
+
         _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        false
       end
 
       def _perform_parameter_wrapping
@@ -289,8 +292,6 @@ module ActionController
 
         # This will display the wrapped hash in the log file.
         request.filtered_parameters.merge! wrapped_filtered_hash
-      rescue ActionDispatch::Http::Parameters::ParseError
-        # swallow parse error exception
       end
   end
 end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -32,29 +32,21 @@ module ActionController #:nodoc:
   # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
   # Ajax) requests are allowed to make requests for JavaScript responses.
   #
-  # It's important to remember that XML or JSON requests are also checked by default. If
-  # you're building an API or an SPA you could change forgery protection method in
-  # <tt>ApplicationController</tt> (by default: <tt>:exception</tt>):
+  # Subclasses of <tt>ActionController::Base</tt> are protected by default with the
+  # <tt>:exception</tt> strategy, which raises an
+  # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified requests.
+  #
+  # APIs may want to disable this behavior since they are typically designed to be
+  # state-less: that is, the request API client handles the session instead of Rails.
+  # One way to achieve this is to use the <tt>:null_session</tt> strategy instead,
+  # which allows unverified requests to be handled, but with an empty session:
   #
   #   class ApplicationController < ActionController::Base
-  #     protect_from_forgery unless: -> { request.format.json? }
+  #     protect_from_forgery with: :null_session
   #   end
   #
-  # It is generally safe to exclude XHR requests from CSRF protection
-  # (like the code snippet above does), because XHR requests can only be made from
-  # the same origin. Note however that any cross-origin third party domain
-  # allowed via {CORS}[https://en.wikipedia.org/wiki/Cross-origin_resource_sharing]
-  # will also be able to create XHR requests. Be sure to check your
-  # CORS configuration before disabling forgery protection for XHR.
-  #
-  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method.
-  # By default <tt>protect_from_forgery</tt> protects your session with
-  # <tt>:null_session</tt> method, which provides an empty session
-  # during request.
-  #
-  # We may want to disable CSRF protection for APIs since they are typically
-  # designed to be state-less. That is, the request API client will handle
-  # the session for you instead of Rails.
+  # Note that API only applications don't include this module or a session middleware
+  # by default, and so don't require CSRF protection to be configured.
   #
   # The token parameter is named <tt>authenticity_token</tt> by default. The name and
   # value of this token must be added to every layout that renders forms by including
@@ -98,6 +90,10 @@ module ActionController #:nodoc:
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
+      # Controls whether URL-safe CSRF tokens are generated.
+      config_accessor :urlsafe_csrf_tokens, instance_writer: false
+      self.urlsafe_csrf_tokens = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -337,7 +333,7 @@ module ActionController #:nodoc:
         end
 
         begin
-          masked_token = Base64.strict_decode64(encoded_masked_token)
+          masked_token = decode_csrf_token(encoded_masked_token)
         rescue ArgumentError # encoded_masked_token is invalid Base64
           return false
         end
@@ -375,7 +371,7 @@ module ActionController #:nodoc:
         one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
         encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
         masked_token = one_time_pad + encrypted_csrf_token
-        Base64.strict_encode64(masked_token)
+        encode_csrf_token(masked_token)
       end
 
       def compare_with_real_token(token, session) # :doc:
@@ -401,8 +397,8 @@ module ActionController #:nodoc:
       end
 
       def real_csrf_token(session) # :doc:
-        session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
-        Base64.strict_decode64(session[:_csrf_token])
+        session[:_csrf_token] ||= generate_csrf_token
+        decode_csrf_token(session[:_csrf_token])
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
@@ -470,5 +466,33 @@ module ActionController #:nodoc:
         uri = URI.parse(action_path)
         uri.path.chomp("/")
       end
+
+      def generate_csrf_token # :nodoc:
+        if urlsafe_csrf_tokens
+          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
+        else
+          SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
+        end
+      end
+
+      def encode_csrf_token(csrf_token) # :nodoc:
+        if urlsafe_csrf_tokens
+          Base64.urlsafe_encode64(csrf_token, padding: false)
+        else
+          Base64.strict_encode64(csrf_token)
+        end
+      end
+
+      def decode_csrf_token(encoded_csrf_token) # :nodoc:
+        if urlsafe_csrf_tokens
+          Base64.urlsafe_decode64(encoded_csrf_token)
+        else
+          begin
+            Base64.strict_decode64(encoded_csrf_token)
+          rescue ArgumentError
+            Base64.urlsafe_decode64(encoded_csrf_token)
+          end
+        end
+      end
   end
 end

data/lib/action_dispatch/http/content_disposition.rb

@@ -14,13 +14,13 @@ module ActionDispatch
         @filename = filename
       end
 
-      TRADITIONAL_ESCAPED_CHAR = /[^ A-Za-z0-9!#$+.^_`|~-]/
+      TRADITIONAL_ESCAPED_CHAR = /[^ A-Za-z0-9!\#$+.^_`|~-]/
 
       def ascii_filename
         'filename="' + percent_escape(I18n.transliterate(filename), TRADITIONAL_ESCAPED_CHAR) + '"'
       end
 
-      RFC_5987_ESCAPED_CHAR = /[^A-Za-z0-9!#$&+.^_`|~-]/
+      RFC_5987_ESCAPED_CHAR = /[^A-Za-z0-9!\#$&+.^_`|~-]/
 
       def utf8_filename
         "filename*=UTF-8''" + percent_escape(filename, RFC_5987_ESCAPED_CHAR)

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -7,6 +7,8 @@ module ActionDispatch
     module MimeNegotiation
       extend ActiveSupport::Concern
 
+      class InvalidType < ::Mime::Type::InvalidMimeType; end
+
       RESCUABLE_MIME_FORMAT_ERRORS = [
         ActionController::BadRequest,
         ActionDispatch::Http::Parameters::ParseError,
@@ -25,6 +27,8 @@ module ActionDispatch
             nil
           end
           set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
 
@@ -47,6 +51,8 @@ module ActionDispatch
             Mime::Type.parse(header)
           end
           set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
 

data/lib/action_dispatch/http/mime_type.rb

@@ -226,7 +226,7 @@ module Mime
     MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
     MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
     MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
-    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
 
     class InvalidMimeType < StandardError; end
 

data/lib/action_dispatch/http/parameters.rb

@@ -89,7 +89,7 @@ module ActionDispatch
           return params unless controller && controller.valid_encoding?
 
           if binary_params_for?(controller, action)
-            ActionDispatch::Request::Utils.each_param_value(params) do |param|
+            ActionDispatch::Request::Utils.each_param_value(params.except(:controller, :action)) do |param|
               param.force_encoding ::Encoding::ASCII_8BIT
             end
           end

data/lib/action_dispatch/http/request.rb

@@ -133,6 +133,8 @@ module ActionDispatch
       HTTP_METHOD_LOOKUP[method] = method.underscore.to_sym
     }
 
+    alias raw_request_method request_method # :nodoc:
+
     # Returns the HTTP \method that the application should see.
     # In the case where the \method was overridden by a middleware
     # (for instance, if a HEAD request was converted to a GET,

data/lib/action_dispatch/middleware/actionable_exceptions.rb

@@ -33,7 +33,7 @@ module ActionDispatch
         if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
           body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
         else
-          return [400, {"Content-Type" => "text/plain"}, ["Invalid redirection URI"]]
+          return [400, { "Content-Type" => "text/plain" }, ["Invalid redirection URI"]]
         end
 
         [302, {

data/lib/action_dispatch/middleware/cookies.rb

@@ -458,7 +458,13 @@ module ActionDispatch
 
       def [](name)
         if data = @parent_jar[name.to_s]
-          parse(name, data, purpose: "cookie.#{name}") || parse(name, data)
+          result = parse(name, data, purpose: "cookie.#{name}")
+
+          if result.nil?
+            parse(name, data)
+          else
+            result
+          end
         end
       end
 

data/lib/action_dispatch/middleware/debug_exceptions.rb

@@ -63,8 +63,8 @@ module ActionDispatch
         if request.get_header("action_dispatch.show_detailed_exceptions")
           begin
             content_type = request.formats.first
-          rescue Mime::Type::InvalidMimeType
-            render_for_api_request(Mime[:text], wrapper)
+          rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+            content_type = Mime[:text]
           end
 
           if api_request?(content_type)

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -12,7 +12,7 @@ module ActionDispatch
       "ActionController::UnknownHttpMethod"          => :method_not_allowed,
       "ActionController::NotImplemented"             => :not_implemented,
       "ActionController::UnknownFormat"              => :not_acceptable,
-      "Mime::Type::InvalidMimeType"                  => :not_acceptable,
+      "ActionDispatch::Http::MimeNegotiation::InvalidType" => :not_acceptable,
       "ActionController::MissingExactTemplate"       => :not_acceptable,
       "ActionController::InvalidAuthenticityToken"   => :unprocessable_entity,
       "ActionController::InvalidCrossOriginRequest"  => :unprocessable_entity,

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -46,9 +46,9 @@ module ActionDispatch
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/
+            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}\z/i
           else
-            host
+            /\A#{Regexp.escape host}\z/i
           end
         end
     end
@@ -87,20 +87,10 @@ module ActionDispatch
 
     private
       def authorized?(request)
-        valid_host = /
-          \A
-          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
-          (:\d+)?
-          \z
-        /x
-
-        origin_host = valid_host.match(
-          request.get_header("HTTP_HOST").to_s.downcase)
-        forwarded_host = valid_host.match(
-          request.x_forwarded_host.to_s.split(/,\s?/).last)
-
-        origin_host && @permissions.allows?(origin_host[:host]) && (
-          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
+        origin_host = request.get_header("HTTP_HOST")
+        forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
+
+        @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
       end
 
       def mark_as_authorized(request)

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -23,7 +23,7 @@ module ActionDispatch
       status       = request.path_info[1..-1].to_i
       begin
         content_type = request.formats.first
-      rescue Mime::Type::InvalidMimeType
+      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
         content_type = Mime[:text]
       end
       body = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb

@@ -6,6 +6,7 @@
 <%= @exception.message %>
 <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
 To resolve this issue run: rails active_storage:install
+<% end %>
 <% if defined?(ActionMailbox) && @exception.message.match?(%r{#{ActionMailbox::InboundEmail.table_name}}) %>
 To resolve this issue run: rails action_mailbox:install
 <% end %>

data/lib/action_dispatch/routing/polymorphic_routes.rb

@@ -286,10 +286,12 @@ module ActionDispatch
 
             args = []
 
-            route = record_list.map { |parent|
+            route = record_list.map do |parent|
               case parent
-              when Symbol, String
+              when Symbol
                 parent.to_s
+              when String
+                raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
               when Class
                 args << parent
                 parent.model_name.singular_route_key
@@ -297,12 +299,14 @@ module ActionDispatch
                 args << parent.to_model
                 parent.to_model.model_name.singular_route_key
               end
-            }
+            end
 
             route <<
             case record
-            when Symbol, String
+            when Symbol
               record.to_s
+            when String
+              raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
             when Class
               @key_strategy.call record.model_name
             else

data/lib/action_dispatch/routing/url_for.rb

@@ -107,6 +107,7 @@ module ActionDispatch
         @_routes = nil
         super
       end
+      ruby2_keywords(:initialize) if respond_to?(:ruby2_keywords, true)
 
       # Hook overridden in controller to add request information
       # with +default_url_options+. Application logic should not

data/lib/action_dispatch/system_testing/browser.rb

@@ -64,14 +64,14 @@ module ActionDispatch
 
       private
         def headless_chrome_browser_options
-          capabilities.args << "--headless"
-          capabilities.args << "--disable-gpu" if Gem.win_platform?
+          capabilities.add_argument("--headless")
+          capabilities.add_argument("--disable-gpu") if Gem.win_platform?
 
           capabilities
         end
 
         def headless_firefox_browser_options
-          capabilities.args << "-headless"
+          capabilities.add_argument("-headless")
 
           capabilities
         end

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 6
     MINOR = 0
-    TINY  = 3
-    PRE   = "6"
+    TINY  = 4
+    PRE   = "2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 6.0.3.6
+  version: 6.0.4.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-26 00:00:00.000000000 Z
+date: 2021-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.6
+        version: 6.0.4.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.6
+        version: 6.0.4.2
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.6
+        version: 6.0.4.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.6
+        version: 6.0.4.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.6
+        version: 6.0.4.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.6
+        version: 6.0.4.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,11 +310,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v6.0.3.6/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v6.0.3.6/
+  changelog_uri: https://github.com/rails/rails/blob/v6.0.4.2/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v6.0.4.2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v6.0.3.6/actionpack
-post_install_message: 
+  source_code_uri: https://github.com/rails/rails/tree/v6.0.4.2/actionpack
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -330,8 +330,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.2.15
+signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []