RubyGems - rack-attack - Versions - 0.0.1 - Mend

rack-attack 0.0.1

1 security vulnerability found in version 0.0.1

rack-attack Gem for Ruby missing normalization before request path processing

high severity OSVDB-132234

Patched versions: >= 4.3.1

When using rack-attack with a rails app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path "/login/" becomes "/login" by the time you're in ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected.

E.g., a throttle:

throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route '/login/' to the same '/login' action.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leaked issues.

Author did not declare license for this gem in the gemspec.

This gem version has a MIT license in the source code, however it was not declared in the gemspec file.

This gem version is available.

This gem version has not been yanked and is still available for usage.