actionpack 6.1.1 → 6.1.3.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3813bd7e46eeb386962cafd48601aace5759055c9311cc47e79706458e4d8723
4
- data.tar.gz: 9b1c73e829be328eff697fb0472c2917516a7956db547e6f364c1fa194a49cd1
3
+ metadata.gz: 9cfba18fd1e2c6507de318e22c9cab8f878c22b9cbce70065f9c2ff9053f1d96
4
+ data.tar.gz: 178c4347f79392aaa6d452c3eeb406cbecf66a9b3ece0d244f98d7a4fa15b6ab
5
5
  SHA512:
6
- metadata.gz: 271e0b7f7ce9cb659ffe7684f03677ea6699f065e1b2c1e8ce20cf992f3525c6ea2947702308b764fd21407498ac0e916dbd3390934615bf0c5d73450a938927
7
- data.tar.gz: 9344404abd36b7fcc6bdf73a5186bc6bfc6665565b0fce4bf143aea6d149b61eefed5ec56787bebcbf0a9307bf464bbe4d822f726965f834fc3afaa13dde786d
6
+ metadata.gz: 6479340989a0677d3e64e0723a67c0cc64ea4dc9d5fcfe6bfad6538703582f3b95bc2426b68c56c2dda3a1b66842e7ed890b70fefbf136c8a198d23336525447
7
+ data.tar.gz: 9021e02a953bf859d984e3722561745d0b562292b3fe3566ee1d362a9eb8c06af868f2d17db7dd5558e31871f626a39d8d9a7bb9b34697c5d26b8b58a533db4f
data/CHANGELOG.md CHANGED
@@ -1,3 +1,59 @@
1
+ ## Rails 6.1.3.2 (May 05, 2021) ##
2
+
3
+ * Prevent open redirects by correctly escaping the host allow list
4
+ CVE-2021-22903
5
+
6
+ * Prevent catastrophic backtracking during mime parsing
7
+ CVE-2021-22902
8
+
9
+ * Prevent regex DoS in HTTP token authentication
10
+ CVE-2021-22904
11
+
12
+ * Prevent string polymorphic route arguments.
13
+
14
+ `url_for` supports building polymorphic URLs via an array
15
+ of arguments (usually symbols and records). If a developer passes a
16
+ user input array, strings can result in unwanted route helper calls.
17
+
18
+ CVE-2021-22885
19
+
20
+ *Gannon McGibbon*
21
+
22
+ ## Rails 6.1.3.1 (March 26, 2021) ##
23
+
24
+ * No changes.
25
+
26
+
27
+ ## Rails 6.1.3 (February 17, 2021) ##
28
+
29
+ * Re-define routes when not set correctly via inheritance.
30
+
31
+ *John Hawthorn*
32
+
33
+
34
+ ## Rails 6.1.2.1 (February 10, 2021) ##
35
+
36
+ * Prevent open redirect when allowed host starts with a dot
37
+
38
+ [CVE-2021-22881]
39
+
40
+ Thanks to @tktech (https://hackerone.com/tktech) for reporting this
41
+ issue and the patch!
42
+
43
+ *Aaron Patterson*
44
+
45
+
46
+ ## Rails 6.1.2 (February 09, 2021) ##
47
+
48
+ * Fix error in `ActionController::LogSubscriber` that would happen when throwing inside a controller action.
49
+
50
+ *Janko Marohnić*
51
+
52
+ * Fix `fixture_file_upload` deprecation when `file_fixture_path` is a relative path.
53
+
54
+ *Eugene Kenny*
55
+
56
+
1
57
  ## Rails 6.1.1 (January 07, 2021) ##
2
58
 
3
59
  * Fix nil translation key lookup in controllers/
data/README.rdoc CHANGED
@@ -33,7 +33,7 @@ The latest version of Action Pack can be installed with RubyGems:
33
33
 
34
34
  Source code can be downloaded as part of the Rails project on GitHub:
35
35
 
36
- * https://github.com/rails/rails/tree/master/actionpack
36
+ * https://github.com/rails/rails/tree/main/actionpack
37
37
 
38
38
 
39
39
  == License
@@ -7,11 +7,27 @@ module AbstractController
7
7
  Module.new do
8
8
  define_method(:inherited) do |klass|
9
9
  super(klass)
10
- if namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
10
+
11
+ namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_routes_url_helpers) }
12
+ actual_routes = namespace ? namespace.railtie_routes_url_helpers._routes : routes
13
+
14
+ if namespace
11
15
  klass.include(namespace.railtie_routes_url_helpers(include_path_helpers))
12
16
  else
13
17
  klass.include(routes.url_helpers(include_path_helpers))
14
18
  end
19
+
20
+ # In the case that we have ex.
21
+ # class A::Foo < ApplicationController
22
+ # class Bar < A::Foo
23
+ # We will need to redefine _routes because it will not be correct
24
+ # via inheritance.
25
+ unless klass._routes.equal?(actual_routes)
26
+ klass.redefine_singleton_method(:_routes) { actual_routes }
27
+ klass.include(Module.new do
28
+ define_method(:_routes) { @_routes || actual_routes }
29
+ end)
30
+ end
15
31
  end
16
32
  end
17
33
  end
@@ -23,7 +23,7 @@ module ActionController
23
23
  additions = ActionController::Base.log_process_action(payload)
24
24
  status = payload[:status]
25
25
 
26
- if status.nil? && (exception_class_name = payload[:exception].first)
26
+ if status.nil? && (exception_class_name = payload[:exception]&.first)
27
27
  status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
28
28
  end
29
29
 
@@ -407,7 +407,7 @@ module ActionController
407
407
  module Token
408
408
  TOKEN_KEY = "token="
409
409
  TOKEN_REGEX = /^(Token|Bearer)\s+/
410
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
410
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
411
411
  extend self
412
412
 
413
413
  module ControllerMethods
@@ -484,7 +484,7 @@ module ActionController
484
484
  def raw_params(auth)
485
485
  _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
486
486
 
487
- if !_raw_params.first.start_with?(TOKEN_KEY)
487
+ if !_raw_params.first&.start_with?(TOKEN_KEY)
488
488
  _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
489
489
  end
490
490
 
@@ -84,7 +84,7 @@ module ActionController
84
84
  #
85
85
  # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
86
86
  #
87
- # If an object responding to `render_in` is passed, `render_in` is called on the object,
87
+ # If an object responding to +render_in+ is passed, +render_in+ is called on the object,
88
88
  # passing in the current view context.
89
89
  #
90
90
  # Otherwise, a partial is rendered using the second parameter as the locals hash.
@@ -229,7 +229,7 @@ module Mime
229
229
  MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
230
230
  MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
231
231
  MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
232
- MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
232
+ MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
233
233
 
234
234
  class InvalidMimeType < StandardError; end
235
235
 
@@ -330,7 +330,7 @@ module Mime
330
330
  end
331
331
 
332
332
  # ALL isn't a real MIME type, so we don't register it for lookup with the
333
- # other concrete types. It's a wildcard match that we use for `respond_to`
333
+ # other concrete types. It's a wildcard match that we use for +respond_to+
334
334
  # negotiation internals.
335
335
  ALL = AllType.instance
336
336
 
@@ -13,7 +13,7 @@ module ActionDispatch
13
13
  #
14
14
  # When a request comes to an unauthorized host, the +response_app+
15
15
  # application will be executed and rendered. If no +response_app+ is given, a
16
- # default one will run, which responds with +403 Forbidden+.
16
+ # default one will run, which responds with <tt>403 Forbidden</tt>.
17
17
  class HostAuthorization
18
18
  class Permissions # :nodoc:
19
19
  def initialize(hosts)
@@ -53,7 +53,7 @@ module ActionDispatch
53
53
  if host.start_with?(".")
54
54
  /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
55
55
  else
56
- /\A#{host}\z/i
56
+ /\A#{Regexp.escape host}\z/i
57
57
  end
58
58
  end
59
59
  end
@@ -103,11 +103,20 @@ module ActionDispatch
103
103
 
104
104
  private
105
105
  def authorized?(request)
106
- origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
107
- forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
108
-
109
- @permissions.allows?(origin_host) &&
110
- (forwarded_host.blank? || @permissions.allows?(forwarded_host))
106
+ valid_host = /
107
+ \A
108
+ (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
109
+ (:\d+)?
110
+ \z
111
+ /x
112
+
113
+ origin_host = valid_host.match(
114
+ request.get_header("HTTP_HOST").to_s.downcase)
115
+ forwarded_host = valid_host.match(
116
+ request.x_forwarded_host.to_s.split(/,\s?/).last)
117
+
118
+ origin_host && @permissions.allows?(origin_host[:host]) && (
119
+ forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
111
120
  end
112
121
 
113
122
  def excluded?(request)
@@ -43,7 +43,7 @@ module ActionDispatch
43
43
  end
44
44
 
45
45
  # This class is used to instrument the execution of a single middleware.
46
- # It proxies the `call` method transparently and instruments the method
46
+ # It proxies the +call+ method transparently and instruments the method
47
47
  # call.
48
48
  class InstrumentationProxy
49
49
  EVENT_NAME = "process_middleware.action_dispatch"
@@ -32,12 +32,12 @@ module ActionDispatch
32
32
  #
33
33
  # Precompressed versions of these files are checked first. Brotli (.br)
34
34
  # and gzip (.gz) files are supported. If +path+.br exists, this
35
- # endpoint returns that file with a +Content-Encoding: br+ header.
35
+ # endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
36
36
  #
37
37
  # If no matching file is found, this endpoint responds 404 Not Found.
38
38
  #
39
39
  # Pass the +root+ directory to search for matching files, an optional
40
- # +index: "index"+ to change the default +path+/index.html, and optional
40
+ # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
41
41
  # additional response headers.
42
42
  class FileHandler
43
43
  # Accept-Encoding value -> file extension
@@ -287,10 +287,12 @@ module ActionDispatch
287
287
 
288
288
  args = []
289
289
 
290
- route = record_list.map { |parent|
290
+ route = record_list.map do |parent|
291
291
  case parent
292
- when Symbol, String
292
+ when Symbol
293
293
  parent.to_s
294
+ when String
295
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
294
296
  when Class
295
297
  args << parent
296
298
  parent.model_name.singular_route_key
@@ -298,12 +300,14 @@ module ActionDispatch
298
300
  args << parent.to_model
299
301
  parent.to_model.model_name.singular_route_key
300
302
  end
301
- }
303
+ end
302
304
 
303
305
  route <<
304
306
  case record
305
- when Symbol, String
307
+ when Symbol
306
308
  record.to_s
309
+ when String
310
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
307
311
  when Class
308
312
  @key_strategy.call record.model_name
309
313
  else
@@ -164,7 +164,7 @@ module ActionDispatch
164
164
  # "http://#{request.host_with_port}/#{path}"
165
165
  # }
166
166
  #
167
- # Note that the +do end+ syntax for the redirect block wouldn't work, as Ruby would pass
167
+ # Note that the <tt>do end</tt> syntax for the redirect block wouldn't work, as Ruby would pass
168
168
  # the block to +get+ instead of +redirect+. Use <tt>{ ... }</tt> instead.
169
169
  #
170
170
  # The options version of redirect allows you to supply only the parts of the URL which need
@@ -199,11 +199,11 @@ module ActionDispatch
199
199
  # merged into the Rack env hash.
200
200
  # - +env+: Additional env to pass, as a Hash. The headers will be
201
201
  # merged into the Rack env hash.
202
- # - +xhr+: Set to `true` if you want to make and Ajax request.
202
+ # - +xhr+: Set to +true+ if you want to make and Ajax request.
203
203
  # Adds request headers characteristic of XMLHttpRequest e.g. HTTP_X_REQUESTED_WITH.
204
204
  # The headers will be merged into the Rack env hash.
205
205
  # - +as+: Used for encoding the request with different content type.
206
- # Supports `:json` by default and will set the appropriate request headers.
206
+ # Supports +:json+ by default and will set the appropriate request headers.
207
207
  # The headers will be merged into the Rack env hash.
208
208
  #
209
209
  # This method is rarely used directly. Use +#get+, +#post+, or other standard
@@ -29,7 +29,7 @@ module ActionDispatch
29
29
  haven't set yet. Set `file_fixture_path` to discard this warning.
30
30
  EOM
31
31
  elsif path.exist?
32
- non_deprecated_path = path.relative_path_from(Pathname(self.class.file_fixture_path))
32
+ non_deprecated_path = Pathname(File.absolute_path(path)).relative_path_from(Pathname(File.absolute_path(self.class.file_fixture_path)))
33
33
  ActiveSupport::Deprecation.warn(<<~EOM)
34
34
  Passing a path to `fixture_file_upload` relative to `fixture_path` is deprecated.
35
35
  In Rails 6.2, the path needs to be relative to `file_fixture_path`.
@@ -9,8 +9,8 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 6
11
11
  MINOR = 1
12
- TINY = 1
13
- PRE = nil
12
+ TINY = 3
13
+ PRE = "2"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.1
4
+ version: 6.1.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-01-07 00:00:00.000000000 Z
11
+ date: 2021-05-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 6.1.1
19
+ version: 6.1.3.2
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 6.1.1
26
+ version: 6.1.3.2
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 6.1.1
101
+ version: 6.1.3.2
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 6.1.1
108
+ version: 6.1.3.2
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 6.1.1
115
+ version: 6.1.3.2
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 6.1.1
122
+ version: 6.1.3.2
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -309,10 +309,10 @@ licenses:
309
309
  - MIT
310
310
  metadata:
311
311
  bug_tracker_uri: https://github.com/rails/rails/issues
312
- changelog_uri: https://github.com/rails/rails/blob/v6.1.1/actionpack/CHANGELOG.md
313
- documentation_uri: https://api.rubyonrails.org/v6.1.1/
312
+ changelog_uri: https://github.com/rails/rails/blob/v6.1.3.2/actionpack/CHANGELOG.md
313
+ documentation_uri: https://api.rubyonrails.org/v6.1.3.2/
314
314
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
315
- source_code_uri: https://github.com/rails/rails/tree/v6.1.1/actionpack
315
+ source_code_uri: https://github.com/rails/rails/tree/v6.1.3.2/actionpack
316
316
  post_install_message:
317
317
  rdoc_options: []
318
318
  require_paths:
@@ -329,7 +329,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
329
329
  version: '0'
330
330
  requirements:
331
331
  - none
332
- rubygems_version: 3.2.3
332
+ rubygems_version: 3.1.2
333
333
  signing_key:
334
334
  specification_version: 4
335
335
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).