RubyGems - actionpack - Versions diffs - 7.2.2 → 7.2.2.1 - Mend

actionpack 7.2.2 → 7.2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/lib/action_dispatch/http/content_security_policy.rb +21 -4
data/lib/action_pack/gem_version.rb +1 -1
metadata +12 -12

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 805d9e62e9937e7cd8f12e22e2b806035577bd452e5ce321f75372c7f152edd7
-  data.tar.gz: 0fb9629eae17852ae5eb92ad885f79a6938e36e8b72dfe4ce775920d8d0c153c
+  metadata.gz: e2f850764c42d33756dafc52b3a241cd1264cf780ef17f52b9b3b0a8b1c3d98e
+  data.tar.gz: 7febf80d5ab5a57de20b9658daaa10fb21216b30590837e66ceb43cb6cdfe38f
 SHA512:
-  metadata.gz: ed08caeeb60bf9f444ddca5eafb519eab94c8475e0452ba146b98585d3f426f0444730e05f5a1e40583b5237e1ef535cad62c8d92bc96ac62e73987c19aed8a8
-  data.tar.gz: 85304714962564e3997fad42e395efe05061bf95d5cc9ef89394d53f99e899862f93a7ff38d12e16c232d7b7ab39ea012268b3f0b7214ed373c9fd39c5608e91
+  metadata.gz: 6cd119f952b01a8fdf78c1a3c364bf5e681b6b0de52758a1830b935362bc7c0c9950d371bd6b6667e49dc49e8b9f98d0f60b06781a155bcf752be705e19c875f
+  data.tar.gz: 15339819a72191cd86e77924f9a108ec6c9f7bcc7f3169ba2127bc1ccdefc2a7fdb98609689a7271faf467664df7841f163610445294dbe8eed08c48c431aa01

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,13 @@
+## Rails 7.2.2.1 (December 10, 2024) ##
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+    [CVE-2024-54133]
+    *Gannon McGibbon*
 ## Rails 7.2.2 (October 30, 2024) ##
 *   Fix non-GET requests not updating cookies in `ActionController::TestCase`.

data/lib/action_dispatch/http/content_security_policy.rb CHANGED Viewed

@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
   #       policy.report_uri "/csp-violation-report-endpoint"
   #     end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
     class Middleware
       def initialize(app)
         @app = app
@@ -319,9 +322,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -331,8 +334,22 @@ module ActionDispatch # :nodoc:
         end
       end
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+        validate(directive, resolved_sources)
       end
       def resolve_source(source, context)

data/lib/action_pack/gem_version.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module ActionPack
     MAJOR = 7
     MINOR = 2
     TINY  = 2
-    PRE   = nil
+    PRE   = "1"
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.2.2
+  version: 7.2.2.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-31 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -148,28 +148,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -369,10 +369,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.2.2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.2.2/
+  changelog_uri: https://github.com/rails/rails/blob/v7.2.2.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.2.2.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.2.2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.2.2.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -390,7 +390,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).