actionpack 7.2.2 → 7.2.2.1

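--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 805d9e62e9937e7cd8f12e22e2b806035577bd452e5ce321f75372c7f152edd7
-data.tar.gz: 0fb9629eae17852ae5eb92ad885f79a6938e36e8b72dfe4ce775920d8d0c153c
+metadata.gz: e2f850764c42d33756dafc52b3a241cd1264cf780ef17f52b9b3b0a8b1c3d98e
+data.tar.gz: 7febf80d5ab5a57de20b9658daaa10fb21216b30590837e66ceb43cb6cdfe38f
 SHA512:
-metadata.gz: ed08caeeb60bf9f444ddca5eafb519eab94c8475e0452ba146b98585d3f426f0444730e05f5a1e40583b5237e1ef535cad62c8d92bc96ac62e73987c19aed8a8
-data.tar.gz: 85304714962564e3997fad42e395efe05061bf95d5cc9ef89394d53f99e899862f93a7ff38d12e16c232d7b7ab39ea012268b3f0b7214ed373c9fd39c5608e91
+metadata.gz: 6cd119f952b01a8fdf78c1a3c364bf5e681b6b0de52758a1830b935362bc7c0c9950d371bd6b6667e49dc49e8b9f98d0f60b06781a155bcf752be705e19c875f
+data.tar.gz: 15339819a72191cd86e77924f9a108ec6c9f7bcc7f3169ba2127bc1ccdefc2a7fdb98609689a7271faf467664df7841f163610445294dbe8eed08c48c431aa01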
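--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,13 @@
+## Rails 7.2.2.1 (December 10, 2024) ##
+
+* Add validation to content security policies to disallow spaces and semicolons.
+Developers should use multiple arguments, and different directive methods instead.
+
+[CVE-2024-54133]
+
+*Gannon McGibbon*
+
+
 ## Rails 7.2.2 (October 30, 2024) ##
 
 * Fix non-GET requests not updating cookies in `ActionController::TestCase`.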
@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
26
26
  # policy.report_uri "/csp-violation-report-endpoint"
27
27
  # end
28
28
  class ContentSecurityPolicy
29
+ class InvalidDirectiveError < StandardError
30
+ end
31
+
29
32
  class Middleware
30
33
  def initialize(app)
31
34
  @app = app
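Review bot: `InvalidDirectiveError` is introduced at new line 29 without a comment stating when it is raised, so a reader of the class has to find the `raise` in `validate` further down to learn what it means and whether to rescue it. Suggest a one-line doc above the class: `# Raised when a directive value contains whitespace or a semicolon, which would otherwise be read as a source-list or directive separator in the emitted policy.` The `Middleware#initialize` body at the end of this hunk continues outside it.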
@@ -319,9 +322,9 @@ module ActionDispatch # :nodoc:
319
322
  @directives.map do |directive, sources|
320
323
  if sources.is_a?(Array)
321
324
  if nonce && nonce_directive?(directive, nonce_directives)
322
- "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
325
+ "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
323
326
  else
324
- "#{directive} #{build_directive(sources, context).join(' ')}"
327
+ "#{directive} #{build_directive(directive, sources, context).join(' ')}"
325
328
  end
326
329
  elsif sources
327
330
  directive
@@ -331,8 +334,22 @@ module ActionDispatch # :nodoc:
331
334
  end
332
335
  end
333
336
 
334
- def build_directive(sources, context)
335
- sources.map { |source| resolve_source(source, context) }
337
+ def validate(directive, sources)
338
+ sources.flatten.each do |source|
339
+ if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
340
+ raise InvalidDirectiveError, <<~MSG.squish
341
+ Invalid Content Security Policy #{directive}: "#{source}".
342
+ Directive values must not contain whitespace or semicolons.
343
+ Please use multiple arguments or other directive methods instead.
344
+ MSG
345
+ end
346
+ end
347
+ end
348
+
349
+ def build_directive(directive, sources, context)
350
+ resolved_sources = sources.map { |source| resolve_source(source, context) }
351
+
352
+ validate(directive, resolved_sources)
336
353
  end
337
354
 
338
355
  def resolve_source(source, context)
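Review bot: `build_directive` now returns whatever `validate` returns, because `validate(directive, resolved_sources)` is its last expression and `validate` itself ends in `sources.flatten.each`, so the method yields the flattened array rather than `resolved_sources`. The callers in the earlier hunk `.join(' ')` the result so this works today, but tying the return value to an implicit `each` result is fragile; make it explicit by following the call with `resolved_sources` as the final line of `build_directive`, or end `validate` with an explicit `sources`. The whitespace test `source != source.gsub(/[[:space:]]/, "")` allocates a new string per source on every build, whereas `if source.match?(/[;[:space:]]/)` expresses the same rejection of whitespace and semicolons without allocating. Validating the resolved values is the right place, since it also covers proc-returned sources, but if I recall the spec correctly the Content-Security-Policy header value is itself a comma-separated list of policies, so the authors may want to decide whether `,` belongs in the rejected set as well. `resolve_source` at the end of this hunk continues outside it.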
@@ -12,7 +12,7 @@ module ActionPack
12
12
  MAJOR = 7
13
13
  MINOR = 2
14
14
  TINY = 2
15
- PRE = nil
15
+ PRE = "1"
16
16
 
17
17
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
18
18
  end
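--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 7.2.2
+version: 7.2.2.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-31 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.2.2
+version: 7.2.2.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.2.2
+version: 7.2.2.1
 - !ruby/object:Gem::Dependency
 name: nokogiri
 requirement: !ruby/object:Gem::Requirement
@@ -148,28 +148,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.2.2
+version: 7.2.2.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.2.2
+version: 7.2.2.1
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.2.2
+version: 7.2.2.1
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 7.2.2
+version: 7.2.2.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
 testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -369,10 +369,10 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/rails/rails/issues
-changelog_uri: https://github.com/rails/rails/blob/v7.2.2/actionpack/CHANGELOG.md
-documentation_uri: https://api.rubyonrails.org/v7.2.2/
+changelog_uri: https://github.com/rails/rails/blob/v7.2.2.1/actionpack/CHANGELOG.md
+documentation_uri: https://api.rubyonrails.org/v7.2.2.1/
 mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-source_code_uri: https://github.com/rails/rails/tree/v7.2.2/actionpack
+source_code_uri: https://github.com/rails/rails/tree/v7.2.2.1/actionpack
 rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -390,7 +390,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).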