actionpack 5.2.5 → 5.2.6

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +47 -1
  3. data/lib/action_controller/metal/http_authentication.rb +1 -1
  4. data/lib/action_controller/metal/request_forgery_protection.rb +60 -4
  5. data/lib/action_dispatch/routing/polymorphic_routes.rb +8 -4
  6. data/lib/action_pack/gem_version.rb +1 -1
  7. metadata +11 -11
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3b9466cc66aef89ae39a6f759279293fa180454f543f7149d1ab8de9ed9ae899
4
- data.tar.gz: a72f72e877d142cc9c377615429190f6327fbd6d8e522f7ada200c30ec02bba8
3
+ metadata.gz: 63b72a20df1a2ed50dd3c7bc20791c4979eb1a886770734721d7ffca4d9a4cfb
4
+ data.tar.gz: f9c384ee114ec9e287a157fb5150cdcf86c79256cfaec9611edccc2ba18b7ff2
5
5
  SHA512:
6
- metadata.gz: caf16e1e2886b217f359e358d24d6eb33e692f40165c96a324571b009ceb7d1b97df22320c2e320106aad26e4f7874db26790ba7cc4f61c9a6a21fae13f9e366
7
- data.tar.gz: 30094a122031f1a4cff32d7cc0ad6fe4a14e318267e3cfea6ff85f9ca172f8b1f6677299634c776df580c4b3a44200e494fa06f6933821d4d5b8838d9a7a4815
6
+ metadata.gz: f33d0e9bb9cfb6a2ede9b0d11fad30752d92c3f81d07efd249cd7621b39430d0b5464e58f244d9cdbfce41e511d8dcc89f8539ee34218b369c6d0660b9d56340
7
+ data.tar.gz: c964bc901dc5baf4fa6f049005f8a6d164bd705c3c958614c13ec1f3b8cb30a31d12ca10577f72fc3cdf446bfa9b05d95bd186da6b2815426b464ece0dc596ab
data/CHANGELOG.md CHANGED
@@ -1,8 +1,54 @@
1
+ ## Rails 5.2.6 (May 05, 2021) ##
2
+
3
+ * Accept base64_urlsafe CSRF tokens to make forward compatible.
4
+
5
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
6
+ them difficult to deal with. For example, the common practice of sending
7
+ the CSRF token to a browser in a client-readable cookie does not work properly
8
+ out of the box: the value has to be url-encoded and decoded to survive transport.
9
+
10
+ In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
11
+ safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
12
+ tokens for backwards compatibility.
13
+
14
+ How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
15
+ config.
16
+
17
+ In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
18
+
19
+ **Atention**: If you already upgraded your application to 5.2.5, set the config
20
+ `urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
21
+ during the deploy of this new version.
22
+
23
+ ```ruby
24
+ Rails.application.config.action_controller.urlsafe_csrf_tokens = true
25
+ ```
26
+
27
+ If you are upgrading from 5.2.4.x, you don't need to change this configuration.
28
+
29
+ *Scott Blum*, *Étienne Barrié*
30
+
31
+
1
32
  ## Rails 5.2.5 (March 26, 2021) ##
2
33
 
3
34
  * No changes.
4
35
 
5
36
 
37
+ ## Rails 5.2.4.6 (May 05, 2021) ##
38
+
39
+ * Prevent regex DoS in HTTP token authentication
40
+ CVE-2021-22904
41
+
42
+ * Prevent string polymorphic route arguments.
43
+
44
+ `url_for` supports building polymorphic URLs via an array
45
+ of arguments (usually symbols and records). If a developer passes a
46
+ user input array, strings can result in unwanted route helper calls.
47
+
48
+ CVE-2021-22885
49
+
50
+ *Gannon McGibbon*
51
+
6
52
  ## Rails 5.2.4.5 (February 10, 2021) ##
7
53
 
8
54
  * No changes.
@@ -31,7 +77,7 @@
31
77
 
32
78
  The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
33
79
  gem dalli to be updated as well.
34
-
80
+
35
81
  _Breaking changes:_
36
82
  * `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
37
83
  * Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
data/lib/action_controller/metal/http_authentication.rb CHANGED
@@ -406,7 +406,7 @@ module ActionController
406
406
  module Token
407
407
  TOKEN_KEY = "token="
408
408
  TOKEN_REGEX = /^(Token|Bearer)\s+/
409
- AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
409
+ AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
410
410
  extend self
411
411
 
412
412
  module ControllerMethods
data/lib/action_controller/metal/request_forgery_protection.rb CHANGED
@@ -92,6 +92,10 @@ module ActionController #:nodoc:
92
92
  config_accessor :default_protect_from_forgery
93
93
  self.default_protect_from_forgery = false
94
94
 
95
+ # Controls whether URL-safe CSRF tokens are generated.
96
+ config_accessor :urlsafe_csrf_tokens, instance_writer: false
97
+ self.urlsafe_csrf_tokens = false
98
+
95
99
  helper_method :form_authenticity_token
96
100
  helper_method :protect_against_forgery?
97
101
  end
@@ -333,7 +337,7 @@ module ActionController #:nodoc:
333
337
  end
334
338
 
335
339
  begin
336
- masked_token = Base64.urlsafe_decode64(encoded_masked_token)
340
+ masked_token = decode_csrf_token(encoded_masked_token)
337
341
  rescue ArgumentError # encoded_masked_token is invalid Base64
338
342
  return false
339
343
  end
@@ -371,7 +375,7 @@ module ActionController #:nodoc:
371
375
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
372
376
  encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
373
377
  masked_token = one_time_pad + encrypted_csrf_token
374
- Base64.urlsafe_encode64(masked_token).delete("=")
378
+ encode_csrf_token(masked_token)
375
379
  end
376
380
 
377
381
  def compare_with_real_token(token, session) # :doc:
@@ -397,8 +401,8 @@ module ActionController #:nodoc:
397
401
  end
398
402
 
399
403
  def real_csrf_token(session) # :doc:
400
- session[:_csrf_token] ||= SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
401
- Base64.urlsafe_decode64(session[:_csrf_token])
404
+ session[:_csrf_token] ||= generate_csrf_token
405
+ decode_csrf_token(session[:_csrf_token])
402
406
  end
403
407
 
404
408
  def per_form_csrf_token(session, action_path, method) # :doc:
@@ -461,5 +465,57 @@ module ActionController #:nodoc:
461
465
  uri = URI.parse(action_path)
462
466
  uri.path.chomp("/")
463
467
  end
468
+
469
+ def generate_csrf_token # :nodoc:
470
+ if urlsafe_csrf_tokens
471
+ SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
472
+ else
473
+ SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
474
+ end
475
+ end
476
+
477
+ if RUBY_VERSION.start_with?("2.2")
478
+ # Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
479
+ using Module.new {
480
+ refine Base64.singleton_class do
481
+ def urlsafe_encode64(bin, padding: true)
482
+ str = strict_encode64(bin).tr("+/", "-_")
483
+ str = str.delete("=") unless padding
484
+ str
485
+ end
486
+
487
+ def urlsafe_decode64(str)
488
+ # NOTE: RFC 4648 does say nothing about unpadded input, but says that
489
+ # "the excess pad characters MAY also be ignored", so it is inferred that
490
+ # unpadded input is also acceptable.
491
+ str = str.tr("-_", "+/")
492
+ if !str.end_with?("=") && str.length % 4 != 0
493
+ str = str.ljust((str.length + 3) & ~3, "=")
494
+ end
495
+ strict_decode64(str)
496
+ end
497
+ end
498
+ }
499
+ end
500
+
501
+ def encode_csrf_token(csrf_token) # :nodoc:
502
+ if urlsafe_csrf_tokens
503
+ Base64.urlsafe_encode64(csrf_token, padding: false)
504
+ else
505
+ Base64.strict_encode64(csrf_token)
506
+ end
507
+ end
508
+
509
+ def decode_csrf_token(encoded_csrf_token) # :nodoc:
510
+ if urlsafe_csrf_tokens
511
+ Base64.urlsafe_decode64(encoded_csrf_token)
512
+ else
513
+ begin
514
+ Base64.strict_decode64(encoded_csrf_token)
515
+ rescue ArgumentError
516
+ Base64.urlsafe_decode64(encoded_csrf_token)
517
+ end
518
+ end
519
+ end
464
520
  end
465
521
  end
data/lib/action_dispatch/routing/polymorphic_routes.rb CHANGED
@@ -288,10 +288,12 @@ module ActionDispatch
288
288
 
289
289
  args = []
290
290
 
291
- route = record_list.map { |parent|
291
+ route = record_list.map do |parent|
292
292
  case parent
293
- when Symbol, String
293
+ when Symbol
294
294
  parent.to_s
295
+ when String
296
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
295
297
  when Class
296
298
  args << parent
297
299
  parent.model_name.singular_route_key
@@ -299,12 +301,14 @@ module ActionDispatch
299
301
  args << parent.to_model
300
302
  parent.to_model.model_name.singular_route_key
301
303
  end
302
- }
304
+ end
303
305
 
304
306
  route <<
305
307
  case record
306
- when Symbol, String
308
+ when Symbol
307
309
  record.to_s
310
+ when String
311
+ raise(ArgumentError, "Please use symbols for polymorphic route arguments.")
308
312
  when Class
309
313
  @key_strategy.call record.model_name
310
314
  else
data/lib/action_pack/gem_version.rb CHANGED
@@ -9,7 +9,7 @@ module ActionPack
9
9
  module VERSION
10
10
  MAJOR = 5
11
11
  MINOR = 2
12
- TINY = 5
12
+ TINY = 6
13
13
  PRE = nil
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionpack
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.5
4
+ version: 5.2.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-03-26 00:00:00.000000000 Z
11
+ date: 2021-05-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 5.2.5
19
+ version: 5.2.6
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 5.2.5
26
+ version: 5.2.6
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: rack
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
98
98
  requirements:
99
99
  - - '='
100
100
  - !ruby/object:Gem::Version
101
- version: 5.2.5
101
+ version: 5.2.6
102
102
  type: :runtime
103
103
  prerelease: false
104
104
  version_requirements: !ruby/object:Gem::Requirement
105
105
  requirements:
106
106
  - - '='
107
107
  - !ruby/object:Gem::Version
108
- version: 5.2.5
108
+ version: 5.2.6
109
109
  - !ruby/object:Gem::Dependency
110
110
  name: activemodel
111
111
  requirement: !ruby/object:Gem::Requirement
112
112
  requirements:
113
113
  - - '='
114
114
  - !ruby/object:Gem::Version
115
- version: 5.2.5
115
+ version: 5.2.6
116
116
  type: :development
117
117
  prerelease: false
118
118
  version_requirements: !ruby/object:Gem::Requirement
119
119
  requirements:
120
120
  - - '='
121
121
  - !ruby/object:Gem::Version
122
- version: 5.2.5
122
+ version: 5.2.6
123
123
  description: Web apps on Rails. Simple, battle-tested conventions for building and
124
124
  testing MVC web applications. Works with any Rack-compatible server.
125
125
  email: david@loudthinking.com
@@ -299,8 +299,8 @@ homepage: http://rubyonrails.org
299
299
  licenses:
300
300
  - MIT
301
301
  metadata:
302
- source_code_uri: https://github.com/rails/rails/tree/v5.2.5/actionpack
303
- changelog_uri: https://github.com/rails/rails/blob/v5.2.5/actionpack/CHANGELOG.md
302
+ source_code_uri: https://github.com/rails/rails/tree/v5.2.6/actionpack
303
+ changelog_uri: https://github.com/rails/rails/blob/v5.2.6/actionpack/CHANGELOG.md
304
304
  post_install_message:
305
305
  rdoc_options: []
306
306
  require_paths:
@@ -317,7 +317,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
317
317
  version: '0'
318
318
  requirements:
319
319
  - none
320
- rubygems_version: 3.1.2
320
+ rubygems_version: 3.1.6
321
321
  signing_key:
322
322
  specification_version: 4
323
323
  summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).