actionpack 8.0.0 → 8.0.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 239a368486048f1afb68d3463355a6a9cde859c5cbe2199a708a35cb538d5dbb
-  data.tar.gz: 4d16e862e97e3348f81b68a966747a220543cbac4a2ec0a3a804318dda76ce09
+  metadata.gz: f9788d8055b6cde3b25a111756f7ca6ceb3016a0373fc7c0c93acbe4a617feb9
+  data.tar.gz: e991798032e8ae1c6e993d62d7da219fe1dd58ab7242f4805470888c330e3a7f
 SHA512:
-  metadata.gz: ddabd2752f936c6a8ef53d0ba4d077b9a28e8a4ef079ba45a0c3b3878ae21dc75675c8d36a16a05ac3f21f20ceae9e38b0f62049abadee67d4b2d15e6eb54b43
-  data.tar.gz: cfddc2490012b49d47458e41211d17e577b6e748a87e5b9c43a011c3312398a8b00faee7ba283e78bdc2082df3fe116896bfe05b9daf55962596f94c31afaa10
+  metadata.gz: 93ecb0819091de8e7792264cc49c0a3f4e6cc7ed18953c2064dfee14769e27fdffefd9c0eb36221a03be1fe20d930dcff1ebd2cba442169bcc74cad0727549fb
+  data.tar.gz: 154e96c7cd09af38ef3bd70db6c0f4c5da4d5c5daf292960b77032eb4c4687d5d0431413ca49893cb7fad9f22f5501da67c7ec6ba64ff11d560b9e496a8c51eb

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## Rails 8.0.0.1 (December 10, 2024) ##
+
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+
+    [CVE-2024-54133]
+
+    *Gannon McGibbon*
+
+
 ## Rails 8.0.0 (November 07, 2024) ##
 
 *   No changes.

data/lib/action_dispatch/http/content_security_policy.rb

@@ -26,6 +26,9 @@ module ActionDispatch # :nodoc:
   #       policy.report_uri "/csp-violation-report-endpoint"
   #     end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
+
     class Middleware
       def initialize(app)
         @app = app
@@ -320,9 +323,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -332,8 +335,22 @@ module ActionDispatch # :nodoc:
         end
       end
 
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+
+        validate(directive, resolved_sources)
       end
 
       def resolve_source(source, context)

data/lib/action_pack/gem_version.rb

@@ -12,7 +12,7 @@ module ActionPack
     MAJOR = 8
     MINOR = 0
     TINY  = 0
-    PRE   = nil
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 8.0.0
+  version: 8.0.0.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-07 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0
+        version: 8.0.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0
+        version: 8.0.0.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0
+        version: 8.0.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0
+        version: 8.0.0.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0
+        version: 8.0.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 8.0.0
+        version: 8.0.0.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -350,10 +350,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v8.0.0/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v8.0.0/
+  changelog_uri: https://github.com/rails/rails/blob/v8.0.0.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v8.0.0.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v8.0.0/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v8.0.0.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []