RubyGems - rack-attack - Versions - 2.1.0 - Mend

rack-attack 2.1.0

1 security vulnerability found in version 2.1.0

rack-attack Gem for Ruby missing normalization before request path processing

high severity OSVDB-132234

Patched versions: >= 4.3.1

When using rack-attack with a rails app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path "/login/" becomes "/login" by the time you're in ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected.

E.g., a throttle:

throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route '/login/' to the same '/login' action.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leaked issues.

Gem version without a license.

Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.

This gem version has not been yanked and is still available for usage.