RubyGems - actionpack - Versions diffs - 7.1.5 → 7.1.5.1 - Mend

actionpack 7.1.5 → 7.1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/lib/action_dispatch/http/content_security_policy.rb +21 -4
data/lib/action_pack/gem_version.rb +1 -1
metadata +12 -12

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef6ded6ec75402697cbeaf5e35774fc5883ec6dea9a31c9698b28949c0b9547f
-  data.tar.gz: d31034f579dbab96df8449bbe31b449aa6c6d94711ce0f394ed3933bd316546b
+  metadata.gz: e2aff0dde19af40e507e288105ed67055af0847d0c37ad34de7cc6b3a630df02
+  data.tar.gz: 6718ca936b16397966ca7fbf39d6f9586313074d4255804532615d04f9c86a6d
 SHA512:
-  metadata.gz: 563f1655070799cff368211fbe55ce13d4cd8a5984ca16d9c94df8fb6fec119c644d0a43a3fadf088cf2df019d4c6266a1e36ea4e3de1a82dbdf92f8e100d3c1
-  data.tar.gz: 170f1c5406ee4c8d740d50b63fd74d8c803b3aa4f8a16b69d73355949bb7a9d7835d4118d685050c3dd967cac6933403e1097575ab1d9e4dbfbdce292defe978
+  metadata.gz: 0a7c6df6a5e8d50ea2d2d18aea80e255c270ffb51163a6291ca72e05740cbbaae83621b6c054939cfaf3042f281a7760dcc7bb717c2da525557a87c05205f6ed
+  data.tar.gz: 830503286b4ec58e7b1dc45e7d51c7cfa81c5b92d6d13f7021320991870abeb353888084c2d4140019c07c3c40060a4ce3cee82548ac9f3e08abe7faaaeb20e4

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,13 @@
+## Rails 7.1.5.1 (December 10, 2024) ##
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
+    [CVE-2024-54133]
+    *Gannon McGibbon*
 ## Rails 7.1.5 (October 30, 2024) ##
 *   No changes.

data/lib/action_dispatch/http/content_security_policy.rb CHANGED Viewed

@@ -24,6 +24,9 @@ module ActionDispatch # :nodoc:
   #     policy.report_uri "/csp-violation-report-endpoint"
   #   end
   class ContentSecurityPolicy
+    class InvalidDirectiveError < StandardError
+    end
     class Middleware
       def initialize(app)
         @app = app
@@ -317,9 +320,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -329,8 +332,22 @@ module ActionDispatch # :nodoc:
         end
       end
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+        validate(directive, resolved_sources)
       end
       def resolve_source(source, context)

data/lib/action_pack/gem_version.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 7
     MINOR = 1
     TINY  = 5
-    PRE   = nil
+    PRE   = "1"
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.1.5
+  version: 7.1.5.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-31 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.5
+        version: 7.1.5.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -346,10 +346,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.5/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.5/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.5.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.5.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.5/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.5.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -367,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).