RubyGems - actionpack - Versions diffs - 7.0.8.6 → 7.0.8.7 - Mend

actionpack 7.0.8.6 → 7.0.8.7

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +9 -0
data/lib/action_dispatch/http/content_security_policy.rb +21 -4
data/lib/action_pack/gem_version.rb +1 -1
metadata +12 -12

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76f2e4ab652796862473bcf69baca0be66d20e972be7b6604b7477f4bfb9e773
-  data.tar.gz: cb4eb95dccda5350e577c88faeba18644013acf30496a026866266b0a44efe99
+  metadata.gz: 70dee7a29aa49cddf5164963e3f5686ee864164d8fa28da67bd989d7cdebf4d4
+  data.tar.gz: 7612f71cb68820c1ed4b5c0c6f620f326b30692e34bc9f835cb85c0baa5a0eb2
 SHA512:
-  metadata.gz: f895845c05ca602877bece43b5d30fb2a16ecce365e7ab41682c8adf021a2cfe8317fedf12c863a153219a583e95847a782c577a96f95cc97c40b1b2014fa2c1
-  data.tar.gz: 0e9767733ed255b38198c26dee3c5247fc9ae923b2a22720fbd0cd00842aab15b5e9f3be5357810d387638953811afc21db0c6e70d27a65b6e6315c13af91bf5
+  metadata.gz: c7b71a3f0fa3039dccac396aa80c7f765476de45c59c75a3afb4556b10b3265d80e8105139c6fc45bbfcac09dff851b16850e41e21bfb951d9bcb514ea2f0814
+  data.tar.gz: 3097c2c8ad4ed6f2453f58a5b0c2587e67f120cc18ce94f8dad7ce5d1381cc6d055294a4977a65f148d2f526e188b4a4a5c14b5dde750e042b73438ec32e7674

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,12 @@
+## Rails 7.0.8.7 (December 10, 2024) ##
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+    [CVE-2024-54133]
+    *Gannon McGibbon*
 ## Rails 7.0.8.6 (October 23, 2024) ##
 *   No changes.

data/lib/action_dispatch/http/content_security_policy.rb CHANGED Viewed

@@ -22,6 +22,9 @@ module ActionDispatch # :nodoc:
   #     policy.report_uri "/csp-violation-report-endpoint"
   #   end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
     class Middleware
       CONTENT_TYPE = "Content-Type"
       POLICY = "Content-Security-Policy"
@@ -316,9 +319,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -328,8 +331,22 @@ module ActionDispatch # :nodoc:
         end
       end
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+        validate(directive, resolved_sources)
       end
       def resolve_source(source, context)

data/lib/action_pack/gem_version.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 7
     MINOR = 0
     TINY  = 8
-    PRE   = "6"
+    PRE   = "7"
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.0.8.6
+  version: 7.0.8.7
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-23 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.8.6
+        version: 7.0.8.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.8.6
+        version: 7.0.8.7
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.8.6
+        version: 7.0.8.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.8.6
+        version: 7.0.8.7
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.8.6
+        version: 7.0.8.7
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.8.6
+        version: 7.0.8.7
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.0.8.6/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.8.6/
+  changelog_uri: https://github.com/rails/rails/blob/v7.0.8.7/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.8.7/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.8.6/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.8.7/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).