actionpack 7.0.3.1 → 7.0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 57e1640af30905c2b4053161ccf2ac7f772a028c8a731ea8e073c1a1f7b6befb
-  data.tar.gz: 4b0a7301c52d04a348f59f5db06b3aa17407748c52a0a904581c3f5a37c42d2b
+  metadata.gz: 5f31d845cb672a69a48bf5a99d24da4cc0a1911dd90592b7f569954a08040d32
+  data.tar.gz: 4f82a27ee5dba8c642621ab247ef345b7daff0e9e4fe25c3ba81163a2a31b8d5
 SHA512:
-  metadata.gz: 91557785e0f785dd9c9c2e1157997c433e0ab6296d13de9dfc1c6e278baeb82e5d980534851158d8a8b99b6d4068d923e856a7877293e839670fb55e99253afd
-  data.tar.gz: b8681d6f414cddd1be9ef4d57ff4a2d9a8a1fdaabff89e2c47e4420a0e2f65d8157c364df278b080a26f9646d16a78d0ea9bd9fd95ae9c78dd5cb7aa19816005
+  metadata.gz: 7094329330497de30fa9dbae232a2563a3699129681dbba34092db10f3e07d97b9905abe2d4339f50c39b8f45c6e9765a77523c379dbe53f3ff96cb544586483
+  data.tar.gz: db8c045d237562750468b511cd54990c2fe0069fe7942e663f013f6cdfa30e7211b8f9874cdc7187dc0b16f1238cb331dde86bbd38f796688935e541b0fcac25

data/CHANGELOG.md

@@ -1,3 +1,31 @@
+## Rails 7.0.4.1 (January 17, 2023) ##
+
+*   Fix sec issue with _url_host_allowed?
+
+    Disallow certain strings from `_url_host_allowed?` to avoid a redirect
+    to malicious sites.
+
+    [CVE-2023-22797]
+
+*   Avoid regex backtracking on If-None-Match header
+
+    [CVE-2023-22795]
+
+*   Use string#split instead of regex for domain parts
+
+    [CVE-2023-22792]
+
+
+## Rails 7.0.4 (September 09, 2022) ##
+
+*   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
+
+    Previously, if another middleware down the chain set `Server-Timing` header,
+    it would overwritten by `ActionDispatch::ServerTiming`.
+
+    *Jakub Malinowski*
+
+
 ## Rails 7.0.3.1 (July 12, 2022) ##
 
 *   No changes.

data/lib/abstract_controller/helpers.rb

@@ -110,7 +110,7 @@ module AbstractController
       # The last two assume that <tt>"foo".camelize</tt> returns "Foo".
       #
       # When strings or symbols are passed, the method finds the actual module
-      # object using +String#constantize+. Therefore, if the module has not been
+      # object using String#constantize. Therefore, if the module has not been
       # yet loaded, it has to be autoloadable, which is normally the case.
       #
       # Namespaces are supported. The following calls include +Foo::BarHelper+:

data/lib/action_controller/metal/redirecting.rb

@@ -117,7 +117,7 @@ module ActionController
     # * <tt>:allow_other_host</tt> - Allow or disallow redirection to the host that is different to the current host, defaults to true.
     #
     # All other options that can be passed to #redirect_to are accepted as
-    # options and the behavior is identical.
+    # options, and the behavior is identical.
     def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
       if request.referer && (allow_other_host || _url_host_allowed?(request.referer))
         redirect_to request.referer, allow_other_host: allow_other_host, **options
@@ -195,7 +195,12 @@ module ActionController
       end
 
       def _url_host_allowed?(url)
-        [request.host, nil].include?(URI(url.to_s).host)
+        host = URI(url.to_s).host
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        return !url.to_s.start_with?("//")
       rescue ArgumentError, URI::Error
         false
       end

data/lib/action_controller/metal/rendering.rb

@@ -78,8 +78,8 @@ module ActionController
       end
 
       def _set_vary_header
-        if self.headers["Vary"].blank? && request.should_apply_vary_header?
-          self.headers["Vary"] = "Accept"
+        if response.headers["Vary"].blank? && request.should_apply_vary_header?
+          response.headers["Vary"] = "Accept"
         end
       end
 

data/lib/action_controller/metal/strong_parameters.rb

@@ -279,10 +279,15 @@ module ActionController
         @parameters == other
       end
     end
-    alias eql? ==
+
+    def eql?(other)
+      self.class == other.class &&
+        permitted? == other.permitted? &&
+        parameters.eql?(other.parameters)
+    end
 
     def hash
-      [@parameters.hash, @permitted].hash
+      [self.class, @parameters, @permitted].hash
     end
 
     # Returns a safe <tt>ActiveSupport::HashWithIndifferentAccess</tt>

data/lib/action_dispatch/http/cache.rb

@@ -18,7 +18,7 @@ module ActionDispatch
         end
 
         def if_none_match_etags
-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+          if_none_match ? if_none_match.split(",").each(&:strip!) : []
         end
 
         def not_modified?(modified_at)

data/lib/action_dispatch/http/response.rb

@@ -21,9 +21,8 @@ module ActionDispatch # :nodoc:
   # Nevertheless, integration tests may want to inspect controller responses in
   # more detail, and that's when \Response can be useful for application
   # developers. Integration test methods such as
-  # ActionDispatch::Integration::Session#get and
-  # ActionDispatch::Integration::Session#post return objects of type
-  # TestResponse (which are of course also of type \Response).
+  # Integration::RequestHelpers#get and Integration::RequestHelpers#post return
+  # objects of type TestResponse (which are of course also of type \Response).
   #
   # For example, the following demo integration test prints the body of the
   # controller response to the console:

data/lib/action_dispatch/middleware/cookies.rb

@@ -92,7 +92,7 @@ module ActionDispatch
     include RequestCookieMethods
   end
 
-  # Read and write data to cookies through ActionController#cookies.
+  # Read and write data to cookies through ActionController::Base#cookies.
   #
   # When reading cookie data, the data is read from the HTTP request header, Cookie.
   # When writing cookie data, the data is sent out in the HTTP response header, Set-Cookie.
@@ -178,8 +178,7 @@ module ActionDispatch
   #   only HTTP. Defaults to +false+.
   # * <tt>:same_site</tt> - The value of the +SameSite+ cookie attribute, which
   #   determines how this cookie should be restricted in cross-site contexts.
-  #   Possible values are +nil+, +:none+, +:lax+, and +:strict+. Defaults to
-  #   +:lax+.
+  #   Possible values are +:none+, +:lax+, and +:strict+. Defaults to +:lax+.
   class Cookies
     HTTP_HEADER   = "Set-Cookie"
     GENERATOR_KEY = "action_dispatch.key_generator"
@@ -291,20 +290,6 @@ module ActionDispatch
     class CookieJar # :nodoc:
       include Enumerable, ChainedCookieJars
 
-      # This regular expression is used to split the levels of a domain.
-      # The top level domain can be any string without a period or
-      # **.**, ***.** style TLDs like co.uk or com.au
-      #
-      # www.example.co.uk gives:
-      # $& => example.co.uk
-      #
-      # example.com gives:
-      # $& => example.com
-      #
-      # lots.of.subdomains.example.local gives:
-      # $& => example.local
-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
-
       def self.build(req, cookies)
         jar = new(req)
         jar.update(cookies)
@@ -457,13 +442,35 @@ module ActionDispatch
           options[:same_site] ||= cookies_same_site_protection.call(request)
 
           if options[:domain] == :all || options[:domain] == "all"
-            # If there is a provided tld length then we use it otherwise default domain regexp.
-            domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
+            cookie_domain = ""
+            dot_splitted_host = request.host.split('.', -1)
+
+            # Case where request.host is not an IP address or it's an invalid domain
+            # (ip confirms to the domain structure we expect so we explicitly check for ip)
+            if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
+              options[:domain] = nil
+              return
+            end
+
+            # If there is a provided tld length then we use it otherwise default domain.
+            if options[:tld_length].present? 
+              # Case where the tld_length provided is valid
+              if dot_splitted_host.length >= options[:tld_length]
+                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+              end
+            # Case where tld_length is not provided
+            else
+              # Regular TLDs
+              if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
+                cookie_domain = dot_splitted_host.last(2).join('.')
+              # **.**, ***.** style TLDs like co.uk and com.au
+              else
+                cookie_domain = dot_splitted_host.last(3).join('.')
+              end
+            end
 
-            # If host is not ip and matches domain regexp.
-            # (ip confirms to domain regexp so we explicitly check for ip)
-            options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
-              ".#{$&}"
+            options[:domain] = if cookie_domain.present?
+              ".#{cookie_domain}"
             end
           elsif options[:domain].is_a? Array
             # If host matches one of the supplied domains.

data/lib/action_dispatch/middleware/server_timing.rb

@@ -6,28 +6,71 @@ module ActionDispatch
   class ServerTiming
     SERVER_TIMING_HEADER = "Server-Timing"
 
+    class Subscriber # :nodoc:
+      include Singleton
+      KEY = :action_dispatch_server_timing_events
+
+      def initialize
+        @mutex = Mutex.new
+      end
+
+      def call(event)
+        if events = ActiveSupport::IsolatedExecutionState[KEY]
+          events << event
+        end
+      end
+
+      def collect_events
+        events = []
+        ActiveSupport::IsolatedExecutionState[KEY] = events
+        yield
+        events
+      ensure
+        ActiveSupport::IsolatedExecutionState.delete(KEY)
+      end
+
+      def ensure_subscribed
+        @mutex.synchronize do
+          # Subscribe to all events, except those beginning with "!"
+          # Ideally we would be more selective of what is being measured
+          @subscriber ||= ActiveSupport::Notifications.subscribe(/\A[^!]/, self)
+        end
+      end
+
+      def unsubscribe
+        @mutex.synchronize do
+          ActiveSupport::Notifications.unsubscribe @subscriber
+          @subscriber = nil
+        end
+      end
+    end
+
+    def self.unsubscribe # :nodoc:
+      Subscriber.instance.unsubscribe
+    end
+
     def initialize(app)
       @app = app
+      @subscriber = Subscriber.instance
+      @subscriber.ensure_subscribed
     end
 
     def call(env)
-      events = []
-      subscriber = ActiveSupport::Notifications.subscribe(/.*/) do |*args|
-        events << ActiveSupport::Notifications::Event.new(*args)
+      response = nil
+      events = @subscriber.collect_events do
+        response = @app.call(env)
       end
 
-      status, headers, body = begin
-        @app.call(env)
-      ensure
-        ActiveSupport::Notifications.unsubscribe(subscriber)
-      end
+      headers = response[1]
 
       header_info = events.group_by(&:name).map do |event_name, events_collection|
-        "#{event_name};dur=#{events_collection.sum(&:duration)}"
+        "%s;dur=%.2f" % [event_name, events_collection.sum(&:duration)]
       end
+
+      header_info.prepend(headers[SERVER_TIMING_HEADER]) if headers[SERVER_TIMING_HEADER].present?
       headers[SERVER_TIMING_HEADER] = header_info.join(", ")
 
-      [ status, headers, body ]
+      response
     end
   end
 end

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -9,14 +9,14 @@ module ActionDispatch
     # This cookie-based session store is the Rails default. It is
     # dramatically faster than the alternatives.
     #
-    # Sessions typically contain at most a user_id and flash message; both fit
-    # within the 4096 bytes cookie size limit. A CookieOverflow exception is raised if
+    # Sessions typically contain at most a user ID and flash message; both fit
+    # within the 4096 bytes cookie size limit. A +CookieOverflow+ exception is raised if
     # you attempt to store more than 4096 bytes of data.
     #
     # The cookie jar used for storage is automatically configured to be the
     # best possible option given your application's configuration.
     #
-    # Your cookies will be encrypted using your apps secret_key_base. This
+    # Your cookies will be encrypted using your application's +secret_key_base+. This
     # goes a step further than signed cookies in that encrypted cookies cannot
     # be altered or read by users. This is the default starting in Rails 4.
     #
@@ -24,20 +24,20 @@ module ActionDispatch
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
-    # In the development and test environments your application's secret key base is
+    # In the development and test environments your application's +secret_key_base+ is
     # generated by Rails and stored in a temporary file in <tt>tmp/development_secret.txt</tt>.
     # In all other environments, it is stored encrypted in the
     # <tt>config/credentials.yml.enc</tt> file.
     #
-    # If your application was not updated to Rails 5.2 defaults, the secret_key_base
+    # If your application was not updated to Rails 5.2 defaults, the +secret_key_base+
     # will be found in the old <tt>config/secrets.yml</tt> file.
     #
-    # Note that changing your secret_key_base will invalidate all existing session.
+    # Note that changing your +secret_key_base+ will invalidate all existing session.
     # Additionally, you should take care to make sure you are not relying on the
     # ability to decode signed cookies generated by your app in external
     # applications or JavaScript before changing it.
     #
-    # Because CookieStore extends Rack::Session::Abstract::Persisted, many of the
+    # Because CookieStore extends +Rack::Session::Abstract::Persisted+, many of the
     # options described there can be used to customize the session cookie that
     # is generated. For example:
     #

data/lib/action_dispatch/routing/mapper.rb

@@ -609,7 +609,7 @@ module ActionDispatch
           target_as       = name_for_action(options[:as], path)
           options[:via] ||= :all
 
-          match(path, options.merge(to: app, anchor: false, format: false))
+          match(path, { to: app, anchor: false, format: false }.merge(options))
 
           define_generate_prefix(app, target_as) if rails_app
           self

data/lib/action_dispatch/testing/test_response.rb

@@ -3,8 +3,8 @@
 require "action_dispatch/testing/request_encoder"
 
 module ActionDispatch
-  # Integration test methods such as ActionDispatch::Integration::Session#get
-  # and ActionDispatch::Integration::Session#post return objects of class
+  # Integration test methods such as Integration::RequestHelpers#get
+  # and Integration::RequestHelpers#post return objects of class
   # TestResponse, which represent the HTTP response results of the requested
   # controller actions.
   #
@@ -14,6 +14,24 @@ module ActionDispatch
       new response.status, response.headers, response.body
     end
 
+    # Returns a parsed body depending on the response MIME type. When a parser
+    # corresponding to the MIME type is not found, it returns the raw body.
+    #
+    # ==== Examples
+    #   get "/posts"
+    #   response.content_type      # => "text/html; charset=utf-8"
+    #   response.parsed_body.class # => String
+    #   response.parsed_body       # => "<!DOCTYPE html>\n<html>\n..."
+    #
+    #   get "/posts.json"
+    #   response.content_type      # => "application/json; charset=utf-8"
+    #   response.parsed_body.class # => Array
+    #   response.parsed_body       # => [{"id"=>42, "title"=>"Title"},...
+    #
+    #   get "/posts/42.json"
+    #   response.content_type      # => "application/json; charset=utf-8"
+    #   response.parsed_body.class # => Hash
+    #   response.parsed_body       # => {"id"=>42, "title"=>"Title"}
     def parsed_body
       @parsed_body ||= response_parser.call(body)
     end

data/lib/action_pack/gem_version.rb

@@ -9,7 +9,7 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 0
-    TINY  = 3
+    TINY  = 4
     PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.0.3.1
+  version: 7.0.4.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-07-12 00:00:00.000000000 Z
+date: 2023-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3.1
+        version: 7.0.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3.1
+        version: 7.0.4.1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3.1
+        version: 7.0.4.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3.1
+        version: 7.0.4.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3.1
+        version: 7.0.4.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.3.1
+        version: 7.0.4.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.0.3.1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.3.1/
+  changelog_uri: https://github.com/rails/rails/blob/v7.0.4.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.4.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.3.1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.4.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.3.3
+rubygems_version: 3.4.3
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).