actionpack 7.1.4.1 → 7.1.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d6c0075e31a2470da87034e8352742903c176696808a902d17a33b8db79c0cd
-  data.tar.gz: a6c9e27f6650d1356b68de05dd835f7aa663d131410d188034d25c5f745f3a5e
+  metadata.gz: e2aff0dde19af40e507e288105ed67055af0847d0c37ad34de7cc6b3a630df02
+  data.tar.gz: 6718ca936b16397966ca7fbf39d6f9586313074d4255804532615d04f9c86a6d
 SHA512:
-  metadata.gz: e26080c351f2d9d2218a77a7a4583473eb6ecbec52f8eb5fd2879393f4037459acfaed714c0db8ead7905aa8234b48480d1ab313eb281eda1e9a7c8bb5f2cefe
-  data.tar.gz: bd2fa076443257da863689d42f1ca5e076a91282f374c8389452ec8604fe5e528830cdb5cd7763c79bd4194e1c3345221f2a409e80ae24dc625bba4d08a2d0d1
+  metadata.gz: 0a7c6df6a5e8d50ea2d2d18aea80e255c270ffb51163a6291ca72e05740cbbaae83621b6c054939cfaf3042f281a7760dcc7bb717c2da525557a87c05205f6ed
+  data.tar.gz: 830503286b4ec58e7b1dc45e7d51c7cfa81c5b92d6d13f7021320991870abeb353888084c2d4140019c07c3c40060a4ce3cee82548ac9f3e08abe7faaaeb20e4

data/CHANGELOG.md

@@ -1,13 +1,37 @@
+## Rails 7.1.5.1 (December 10, 2024) ##
+
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+
+    [CVE-2024-54133]
+
+    *Gannon McGibbon*
+
+
+## Rails 7.1.5 (October 30, 2024) ##
+
+*   No changes.
+
+
+## Rails 7.1.4.2 (October 23, 2024) ##
+
+*   No changes.
+
+
 ## Rails 7.1.4.1 (October 15, 2024) ##
 
 *   Avoid regex backtracking in HTTP Token authentication
 
     [CVE-2024-47887]
 
+    *John Hawthorn*
+
 *   Avoid regex backtracking in query parameter filtering
 
     [CVE-2024-41128]
 
+    *John Hawthorn*
+
 ## Rails 7.1.4 (August 22, 2024) ##
 
 *   Resolve deprecation warning in latest `selenium-webdriver`.

data/lib/action_controller/metal/http_authentication.rb

@@ -207,7 +207,7 @@ module ActionController
         end
       end
 
-      # Returns false on a valid response, true otherwise.
+      # Returns true on a valid response, false otherwise.
       def authenticate(request, realm, &password_procedure)
         request.authorization && validate_digest_response(request, realm, &password_procedure)
       end
@@ -425,7 +425,7 @@ module ActionController
       module ControllerMethods
         # Authenticate using an HTTP Bearer token, or otherwise render an HTTP
         # header requesting the client to send a Bearer token. For the authentication
-        # to be considered successful, +login_procedure+ should return a non-nil
+        # to be considered successful, +login_procedure+ must not return a false
         # value. Typically, the authenticated user is returned.
         #
         # See ActionController::HttpAuthentication::Token for example usage.

data/lib/action_dispatch/http/content_security_policy.rb

@@ -24,6 +24,9 @@ module ActionDispatch # :nodoc:
   #     policy.report_uri "/csp-violation-report-endpoint"
   #   end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
+
     class Middleware
       def initialize(app)
         @app = app
@@ -317,9 +320,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -329,8 +332,22 @@ module ActionDispatch # :nodoc:
         end
       end
 
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+
+        validate(directive, resolved_sources)
       end
 
       def resolve_source(source, context)

data/lib/action_dispatch/routing/inspector.rb

@@ -99,7 +99,7 @@ module ActionDispatch
             { controller: /#{filter[:controller].underscore.sub(/_?controller\z/, "")}/ }
           elsif filter[:grep]
             grep_pattern = Regexp.new(filter[:grep])
-            path = URI::DEFAULT_PARSER.escape(filter[:grep])
+            path = RFC2396_PARSER.escape(filter[:grep])
             normalized_path = ("/" + path).squeeze("/")
 
             {

data/lib/action_dispatch/routing/mapper.rb

@@ -2026,7 +2026,7 @@ module ActionDispatch
               name_for_action(options.delete(:as), action)
             end
 
-            path = Mapping.normalize_path URI::DEFAULT_PARSER.escape(path), formatted
+            path = Mapping.normalize_path RFC2396_PARSER.escape(path), formatted
             ast = Journey::Parser.parse path
 
             mapping = Mapping.build(@scope, @set, ast, controller, default_action, to, via, formatted, options_constraints, anchor, options)

data/lib/action_dispatch/routing/route_set.rb

@@ -903,7 +903,7 @@ module ActionDispatch
           params.each do |key, value|
             if value.is_a?(String)
               value = value.dup.force_encoding(Encoding::BINARY)
-              params[key] = URI::DEFAULT_PARSER.unescape(value)
+              params[key] = RFC2396_PARSER.unescape(value)
             end
           end
           req.path_parameters = params

data/lib/action_dispatch.rb

@@ -29,6 +29,7 @@ require "active_support/core_ext/module/attribute_accessors"
 
 require "action_pack"
 require "rack"
+require "uri"
 require "action_dispatch/deprecator"
 
 module Rack # :nodoc:
@@ -53,6 +54,9 @@ module ActionDispatch
     message: "ActionDispatch::IllegalStateError is deprecated without replacement.",
     deprecator: ActionDispatch.deprecator
 
+  RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
+  private_constant :RFC2396_PARSER
+
   class MissingController < NameError
   end
 

data/lib/action_pack/gem_version.rb

@@ -9,7 +9,7 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 1
-    TINY  = 4
+    TINY  = 5
     PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.1.4.1
+  version: 7.1.5.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-10-15 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4.1
+        version: 7.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4.1
+        version: 7.1.5.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4.1
+        version: 7.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4.1
+        version: 7.1.5.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4.1
+        version: 7.1.5.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.4.1
+        version: 7.1.5.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -346,10 +346,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.4.1/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.4.1/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.5.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.5.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.4.1/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.5.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
@@ -367,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).