RubyGems - actionpack - Versions diffs - 7.2.2 → 7.2.2.2 - Mend

actionpack 7.2.2 → 7.2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -0
data/lib/action_dispatch/http/content_security_policy.rb +21 -4
data/lib/action_pack/gem_version.rb +1 -1
metadata +12 -15

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 805d9e62e9937e7cd8f12e22e2b806035577bd452e5ce321f75372c7f152edd7
-  data.tar.gz: 0fb9629eae17852ae5eb92ad885f79a6938e36e8b72dfe4ce775920d8d0c153c
+  metadata.gz: de497a4bfe038de60adf6ae41286240f2876e6708be4aa79f87639cf7c1b95d3
+  data.tar.gz: 77b807fbf7571a65674d4b78affdcc0c54821c935d6ec6634ee8e5fe63a13015
 SHA512:
-  metadata.gz: ed08caeeb60bf9f444ddca5eafb519eab94c8475e0452ba146b98585d3f426f0444730e05f5a1e40583b5237e1ef535cad62c8d92bc96ac62e73987c19aed8a8
-  data.tar.gz: 85304714962564e3997fad42e395efe05061bf95d5cc9ef89394d53f99e899862f93a7ff38d12e16c232d7b7ab39ea012268b3f0b7214ed373c9fd39c5608e91
+  metadata.gz: f8761d3f2b5c3be0bfd48360b9f568974a34c47752357b56b81a751068e5b27bc3b26a2474274be3653f3b822042c371346c502d61afc35f95fee4a614e93ee9
+  data.tar.gz: 0cda820f77379fa28d2243069428fbd068f7020b7ee1d9555b315e4924c9e866d8d08ff30d2b7e67680fe2fcd9706f435f9f542edf8ef8b4f84f4788858b48e0

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,18 @@
+## Rails 7.2.2.2 (August 13, 2025) ##
+*   No changes.
+## Rails 7.2.2.1 (December 10, 2024) ##
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+    [CVE-2024-54133]
+    *Gannon McGibbon*
 ## Rails 7.2.2 (October 30, 2024) ##
 *   Fix non-GET requests not updating cookies in `ActionController::TestCase`.

data/lib/action_dispatch/http/content_security_policy.rb CHANGED Viewed

@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
   #       policy.report_uri "/csp-violation-report-endpoint"
   #     end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
     class Middleware
       def initialize(app)
         @app = app
@@ -319,9 +322,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -331,8 +334,22 @@ module ActionDispatch # :nodoc:
         end
       end
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+        validate(directive, resolved_sources)
       end
       def resolve_source(source, context)

data/lib/action_pack/gem_version.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module ActionPack
     MAJOR = 7
     MINOR = 2
     TINY  = 2
-    PRE   = nil
+    PRE   = "2"
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.2.2
+  version: 7.2.2.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-31 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.2
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -148,28 +147,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.2.2
+        version: 7.2.2.2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -369,12 +368,11 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.2.2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.2.2/
+  changelog_uri: https://github.com/rails/rails/blob/v7.2.2.2/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.2.2.2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.2.2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.2.2.2/actionpack
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -390,8 +388,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).
 test_files: []