actionpack 7.2.1.2 → 7.2.2.1

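--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: d8587fb38c365e101c7ccedbc8f327e93c2a2bb6ed68d8b3eee91e25c7cc4cc3
- data.tar.gz: 12752d536fdccb865158f457758dd09c945934fc81ad1c831ba2fa93a90bf264
+ metadata.gz: e2f850764c42d33756dafc52b3a241cd1264cf780ef17f52b9b3b0a8b1c3d98e
+ data.tar.gz: 7febf80d5ab5a57de20b9658daaa10fb21216b30590837e66ceb43cb6cdfe38f
  SHA512:
- metadata.gz: 8f3cce17e7ddf0925224aab95355f0dcc88862090c07bfdfcf4e56b527df43032c6491112287ecc78b4b4966eaadeceb43f4b7ceb2ef1ec88ce7626f358bd51e
- data.tar.gz: 1243e708a9570acbdac7defd4345d78575869f0397140ca4ba8c8b422465b56bdcfd0359e9332ac52c54836d8d056611315c81c24ff3e8a163ecf613cdafa14a
+ metadata.gz: 6cd119f952b01a8fdf78c1a3c364bf5e681b6b0de52758a1830b935362bc7c0c9950d371bd6b6667e49dc49e8b9f98d0f60b06781a155bcf752be705e19c875f
+ data.tar.gz: 15339819a72191cd86e77924f9a108ec6c9f7bcc7f3169ba2127bc1ccdefc2a7fdb98609689a7271faf467664df7841f163610445294dbe8eed08c48c431aa01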
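--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,20 @@
+ ## Rails 7.2.2.1 (December 10, 2024) ##
+
+ * Add validation to content security policies to disallow spaces and semicolons.
+ Developers should use multiple arguments, and different directive methods instead.
+
+ [CVE-2024-54133]
+
+ *Gannon McGibbon*
+
+
+ ## Rails 7.2.2 (October 30, 2024) ##
+
+ * Fix non-GET requests not updating cookies in `ActionController::TestCase`.
+
+ *Jon Moss*, *Hartley McGuire*
+
+
  ## Rails 7.2.1.2 (October 23, 2024) ##
 
  * No changes.
@@ -9,10 +26,15 @@
 
  [CVE-2024-47887]
 
+ *John Hawthorn*
+
  * Avoid regex backtracking in query parameter filtering
 
  [CVE-2024-41128]
 
+ *John Hawthorn*
+
+
  ## Rails 7.2.1 (August 22, 2024) ##
 
  * Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.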
@@ -104,6 +104,7 @@ module AbstractController
104
104
  # Declare a controller method as a helper. For example, the following
105
105
  # makes the `current_user` and `logged_in?` controller methods available
106
106
  # to the view:
107
+ #
107
108
  # class ApplicationController < ActionController::Base
108
109
  # helper_method :current_user, :logged_in?
109
110
  #
@@ -118,6 +119,7 @@ module AbstractController
118
119
  # end
119
120
  #
120
121
  # In a view:
122
+ #
121
123
  # <% if logged_in? -%>Welcome, <%= current_user.name %><% end -%>
122
124
  #
123
125
  # #### Parameters
@@ -123,6 +123,7 @@ module ActionController
123
123
  BasicImplicitRender,
124
124
  StrongParameters,
125
125
  RateLimiting,
126
+ Caching,
126
127
 
127
128
  DataStreaming,
128
129
  DefaultHeaders,
@@ -60,7 +60,7 @@ module ActionController # :nodoc:
60
60
  end
61
61
  end
62
62
 
63
- class BrowserBlocker
63
+ class BrowserBlocker # :nodoc:
64
64
  SETS = {
65
65
  modern: { safari: 17.2, chrome: 120, firefox: 121, opera: 106, ie: false }
66
66
  }
@@ -76,8 +76,7 @@ module ActionController
76
76
  # `:cache_control`
77
77
  # : When given, will overwrite an existing `Cache-Control` header. For a list
78
78
  # of `Cache-Control` directives, see the [article on
79
- # MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Contr
80
- # ol).
79
+ # MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control).
81
80
  #
82
81
  # `:template`
83
82
  # : By default, the template digest for the current controller/action is
@@ -211,7 +211,7 @@ module ActionController
211
211
  end
212
212
  end
213
213
 
214
- # Returns false on a valid response, true otherwise.
214
+ # Returns true on a valid response, false otherwise.
215
215
  def authenticate(request, realm, &password_procedure)
216
216
  request.authorization && validate_digest_response(request, realm, &password_procedure)
217
217
  end
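Review bot: The corrected comment still overstates the return type: `request.authorization && validate_digest_response(request, realm, &password_procedure)` yields `nil` (not `false`) when no Authorization header is present, and otherwise whatever `validate_digest_response` returns, which is defined outside this hunk. Suggest `# Returns a truthy value on a valid response, a falsy one (nil or false) otherwise.` so callers do not compare the result against `true`/`false`.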
@@ -431,7 +431,7 @@ module ActionController
431
431
  module ControllerMethods
432
432
  # Authenticate using an HTTP Bearer token, or otherwise render an HTTP header
433
433
  # requesting the client to send a Bearer token. For the authentication to be
434
- # considered successful, `login_procedure` should return a non-nil value.
434
+ # considered successful, `login_procedure` must not return a false value.
435
435
  # Typically, the authenticated user is returned.
436
436
  #
437
437
  # See ActionController::HttpAuthentication::Token for example usage.
@@ -77,12 +77,15 @@ module ActionController
77
77
  # Writing an object will convert it into standard SSE format with whatever
78
78
  # options you have configured. You may choose to set the following options:
79
79
  #
80
- # 1) Event. If specified, an event with this name will be dispatched on
81
- # the browser.
82
- # 2) Retry. The reconnection time in milliseconds used when attempting
83
- # to send the event.
84
- # 3) Id. If the connection dies while sending an SSE to the browser, then
85
- # the server will receive a +Last-Event-ID+ header with value equal to +id+.
80
+ # `:event`
81
+ # : If specified, an event with this name will be dispatched on the browser.
82
+ #
83
+ # `:retry`
84
+ # : The reconnection time in milliseconds used when attempting to send the event.
85
+ #
86
+ # `:id`
87
+ # : If the connection dies while sending an SSE to the browser, then the
88
+ # server will receive a `Last-Event-ID` header with value equal to `id`.
86
89
  #
87
90
  # After setting an option in the constructor of the SSE object, all future SSEs
88
91
  # sent across the stream will use those options unless overridden.
@@ -427,9 +427,7 @@ module ActionController
427
427
  # Note that the request method is not verified. The different methods are
428
428
  # available to make the tests more expressive.
429
429
  def get(action, **args)
430
- res = process(action, method: "GET", **args)
431
- cookies.update res.cookies
432
- res
430
+ process(action, method: "GET", **args)
433
431
  end
434
432
 
435
433
  # Simulate a POST request with the given parameters and set/volley the response.
@@ -637,6 +635,7 @@ module ActionController
637
635
  unless @request.cookie_jar.committed?
638
636
  @request.cookie_jar.write(@response)
639
637
  cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
638
+ cookies.update(@response.cookies)
640
639
  end
641
640
  end
642
641
  @response.prepare!
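Review bot: The new `cookies.update(@response.cookies)` runs only inside the `unless @request.cookie_jar.committed?` branch, whereas the update removed from `get` in the earlier hunk ran unconditionally after every GET. If the jar can already be committed by the time this runs (I cannot tell from the hunk when that happens), response cookies would no longer be merged for that request, quietly narrowing the fix for the non-GET case. Worth pinning with a test that exercises a committed jar, or moving the call after the `end` so it applies on both paths. The enclosing `process` method starts and ends outside the hunk.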
@@ -8,8 +8,7 @@ require "active_support/core_ext/array/wrap"
8
8
  module ActionDispatch # :nodoc:
9
9
  # # Action Dispatch Content Security Policy
10
10
  #
11
- # Configures the HTTP [Content-Security-Policy]
12
- # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
11
+ # Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
13
12
  # response header to help protect against XSS and
14
13
  # injection attacks.
15
14
  #
@@ -27,6 +26,9 @@ module ActionDispatch # :nodoc:
27
26
  # policy.report_uri "/csp-violation-report-endpoint"
28
27
  # end
29
28
  class ContentSecurityPolicy
29
+ class InvalidDirectiveError < StandardError
30
+ end
31
+
30
32
  class Middleware
31
33
  def initialize(app)
32
34
  @app = app
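Review bot: `InvalidDirectiveError` is added to a public class without a doc comment, so readers of the API docs cannot tell when it is raised or what to rescue. Suggest placing above the class: `# Raised when a directive value contains whitespace or a semicolon, since either` / `# would split the serialized header into additional directives.` The enclosing `ContentSecurityPolicy` class continues outside the hunk.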
@@ -226,8 +228,7 @@ module ActionDispatch # :nodoc:
226
228
  end
227
229
  end
228
230
 
229
- # Enable the [report-uri]
230
- # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
231
+ # Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
231
232
  # directive. Violation reports will be sent to the
232
233
  # specified URI:
233
234
  #
@@ -237,8 +238,7 @@ module ActionDispatch # :nodoc:
237
238
  @directives["report-uri"] = [uri]
238
239
  end
239
240
 
240
- # Specify asset types for which [Subresource Integrity]
241
- # (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
241
+ # Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
242
242
  #
243
243
  # policy.require_sri_for :script, :style
244
244
  #
@@ -254,8 +254,7 @@ module ActionDispatch # :nodoc:
254
254
  end
255
255
  end
256
256
 
257
- # Specify whether a [sandbox]
258
- # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
257
+ # Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
259
258
  # should be enabled for the requested resource:
260
259
  #
261
260
  # policy.sandbox
@@ -323,9 +322,9 @@ module ActionDispatch # :nodoc:
323
322
  @directives.map do |directive, sources|
324
323
  if sources.is_a?(Array)
325
324
  if nonce && nonce_directive?(directive, nonce_directives)
326
- "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
325
+ "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
327
326
  else
328
- "#{directive} #{build_directive(sources, context).join(' ')}"
327
+ "#{directive} #{build_directive(directive, sources, context).join(' ')}"
329
328
  end
330
329
  elsif sources
331
330
  directive
@@ -335,8 +334,22 @@ module ActionDispatch # :nodoc:
335
334
  end
336
335
  end
337
336
 
338
- def build_directive(sources, context)
339
- sources.map { |source| resolve_source(source, context) }
337
+ def validate(directive, sources)
338
+ sources.flatten.each do |source|
339
+ if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
340
+ raise InvalidDirectiveError, <<~MSG.squish
341
+ Invalid Content Security Policy #{directive}: "#{source}".
342
+ Directive values must not contain whitespace or semicolons.
343
+ Please use multiple arguments or other directive methods instead.
344
+ MSG
345
+ end
346
+ end
347
+ end
348
+
349
+ def build_directive(directive, sources, context)
350
+ resolved_sources = sources.map { |source| resolve_source(source, context) }
351
+
352
+ validate(directive, resolved_sources)
340
353
  end
341
354
 
342
355
  def resolve_source(source, context)
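Review bot: `build_directive` now returns whatever `validate` happens to return, which is `sources.flatten` from the trailing `each`; the caller's `join(' ')` accepts either shape, but the return value is coupled to the loop construct inside `validate`, so a later edit to that loop would silently break header generation. Make the intent explicit by ending `build_directive` with `validate(directive, resolved_sources)` followed by `resolved_sources`. The whitespace test `source != source.gsub(/[[:space:]]/, "")` allocates a new string per source; `source.match?(/[[:space:]]/)` (or a single `source.match?(/[[:space:];]/)` covering both cases) states the check directly. Because validation runs in `build_directive`, a bad static policy is rejected at request time rather than when the policy is configured; that seems unavoidable for Proc sources, which `resolve_source` (continuing outside the hunk) evaluates against a context, but a comment on `validate` saying so would help the next reader.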
@@ -18,8 +18,8 @@ module ActionDispatch
18
18
  # 2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) requires.
19
19
  # Some Rack servers simply drop preceding headers, and only report the value
20
20
  # that was [given in the last
21
- # header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-server
22
- # s). If you are behind multiple proxy servers (like NGINX to HAProxy to
21
+ # header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers).
22
+ # If you are behind multiple proxy servers (like NGINX to HAProxy to
23
23
  # Unicorn) then you should test your Rack server to make sure your data is good.
24
24
  #
25
25
  # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING. This
@@ -117,10 +117,9 @@ module ActionDispatch
117
117
  # instead, so we check that too.
118
118
  #
119
119
  # As discussed in [this post about Rails IP
120
- # Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.c
121
- # om/2012/rails-ip-spoofing-vulnerabilities-and-protection/), while the first IP
122
- # in the list is likely to be the "originating" IP, it could also have been set
123
- # by the client maliciously.
120
+ # Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/),
121
+ # while the first IP in the list is likely to be the "originating" IP, it
122
+ # could also have been set by the client maliciously.
124
123
  #
125
124
  # In order to find the first address that is (probably) accurate, we take the
126
125
  # list of IPs, remove known and trusted proxies, and then take the last address
@@ -17,7 +17,7 @@ module ActionDispatch
17
17
  #
18
18
  # Requests can opt-out of redirection with `exclude`:
19
19
  #
20
- # config.ssl_options = { redirect: { exclude: -> request { /healthcheck/.match?(request.path) } } }
20
+ # config.ssl_options = { redirect: { exclude: -> request { request.path == "/up" } } }
21
21
  #
22
22
  # Cookies will not be flagged as secure for excluded requests.
23
23
  #
@@ -101,7 +101,7 @@ module ActionDispatch
101
101
  { controller: /#{filter[:controller].underscore.sub(/_?controller\z/, "")}/ }
102
102
  elsif filter[:grep]
103
103
  grep_pattern = Regexp.new(filter[:grep])
104
- path = URI::DEFAULT_PARSER.escape(filter[:grep])
104
+ path = RFC2396_PARSER.escape(filter[:grep])
105
105
  normalized_path = ("/" + path).squeeze("/")
106
106
 
107
107
  {
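Review bot: `RFC2396_PARSER` is introduced in a later hunk of this diff (`RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new`, marked `private_constant`) without a comment explaining why the default parser is replaced here, in the Mapper `normalize_path` hunk and in the `unescape` hunk on path parameters. Readers will otherwise assume `URI::DEFAULT_PARSER` is equivalent; on newer `uri` releases (1.0, bundled with Ruby 3.4) the default is the RFC 3986 parser, whose escape/unescape rules differ. Suggest a comment above the constant such as `# Pin the RFC 2396 parser: newer uri releases make the RFC 3986 parser the default, and its escaping rules differ from what routing expects; older rubies lack the constant, so build one.` Since the constant is private, any new caller must be lexically nested inside `module ActionDispatch`, which is worth stating in the same comment.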
@@ -1048,6 +1048,7 @@ module ActionDispatch
1048
1048
  end
1049
1049
 
1050
1050
  # Allows you to set default parameters for a route, such as this:
1051
+ #
1051
1052
  # defaults id: 'home' do
1052
1053
  # match 'scoped_pages/(:id)', to: 'pages#show'
1053
1054
  # end
@@ -2024,7 +2025,7 @@ module ActionDispatch
2024
2025
  name_for_action(options.delete(:as), action)
2025
2026
  end
2026
2027
 
2027
- path = Mapping.normalize_path URI::DEFAULT_PARSER.escape(path), formatted
2028
+ path = Mapping.normalize_path RFC2396_PARSER.escape(path), formatted
2028
2029
  ast = Journey::Parser.parse path
2029
2030
 
2030
2031
  mapping = Mapping.build(@scope, @set, ast, controller, default_action, to, via, formatted, options_constraints, anchor, options)
@@ -917,7 +917,7 @@ module ActionDispatch
917
917
  params.each do |key, value|
918
918
  if value.is_a?(String)
919
919
  value = value.dup.force_encoding(Encoding::BINARY)
920
- params[key] = URI::DEFAULT_PARSER.unescape(value)
920
+ params[key] = RFC2396_PARSER.unescape(value)
921
921
  end
922
922
  end
923
923
  req.path_parameters = params
@@ -30,6 +30,7 @@ require "active_support/core_ext/module/attribute_accessors"
30
30
 
31
31
  require "action_pack"
32
32
  require "rack"
33
+ require "uri"
33
34
  require "action_dispatch/deprecator"
34
35
 
35
36
  module Rack # :nodoc:
@@ -47,6 +48,9 @@ end
47
48
  module ActionDispatch
48
49
  extend ActiveSupport::Autoload
49
50
 
51
+ RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
52
+ private_constant :RFC2396_PARSER
53
+
50
54
  class MissingController < NameError
51
55
  end
52
56
 
@@ -11,8 +11,8 @@ module ActionPack
11
11
  module VERSION
12
12
  MAJOR = 7
13
13
  MINOR = 2
14
- TINY = 1
15
- PRE = "2"
14
+ TINY = 2
15
+ PRE = "1"
16
16
 
17
17
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
18
18
  end
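--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: actionpack
  version: !ruby/object:Gem::Version
- version: 7.2.1.2
+ version: 7.2.2.1
  platform: ruby
  authors:
  - David Heinemeier Hansson
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2024-10-23 00:00:00.000000000 Z
+ date: 2024-12-10 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.2.1.2
+ version: 7.2.2.1
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.2.1.2
+ version: 7.2.2.1
  - !ruby/object:Gem::Dependency
  name: nokogiri
  requirement: !ruby/object:Gem::Requirement
@@ -148,28 +148,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.2.1.2
+ version: 7.2.2.1
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.2.1.2
+ version: 7.2.2.1
  - !ruby/object:Gem::Dependency
  name: activemodel
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.2.1.2
+ version: 7.2.2.1
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 7.2.1.2
+ version: 7.2.2.1
  description: Web apps on Rails. Simple, battle-tested conventions for building and
  testing MVC web applications. Works with any Rack-compatible server.
  email: david@loudthinking.com
@@ -369,10 +369,10 @@ licenses:
  - MIT
  metadata:
  bug_tracker_uri: https://github.com/rails/rails/issues
- changelog_uri: https://github.com/rails/rails/blob/v7.2.1.2/actionpack/CHANGELOG.md
- documentation_uri: https://api.rubyonrails.org/v7.2.1.2/
+ changelog_uri: https://github.com/rails/rails/blob/v7.2.2.1/actionpack/CHANGELOG.md
+ documentation_uri: https://api.rubyonrails.org/v7.2.2.1/
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
- source_code_uri: https://github.com/rails/rails/tree/v7.2.1.2/actionpack
+ source_code_uri: https://github.com/rails/rails/tree/v7.2.2.1/actionpack
  rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: []
@@ -390,7 +390,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements:
  - none
- rubygems_version: 3.5.16
+ rubygems_version: 3.5.22
  signing_key:
  specification_version: 4
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).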