rack-libinjection 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0203a3f1b8a3447818e725857364461f8f62632cb8f466b6c42178948a02f93d
-  data.tar.gz: 84d19b19a25a44987efdd3486d6896efad15e9c9d1ca715431bd612f4b0a580a
+  metadata.gz: 55b2c6d2117f60b522347c585c7b99ac85662fccf79f111de32efac96ceafba2
+  data.tar.gz: 8c521ba45e916f2226d7e874154f785a8bad0e3b47c4fe69305273dcc28a6ddf
 SHA512:
-  metadata.gz: 24a29c7bb6ec739b8f35170a721978b55fe2e2b4cbbdfe03c1fde47b8513c3e8b3eb0d5da2274e6cf770533e96d4e0c545c45dbbb62c916f09bcd02601ed211b
-  data.tar.gz: 57115bdc3838e5a5d47aaaf7a8e55f0b22a005dcee8042b0f71778a2f29a2a44c3c4bc8d7d8d7ca390694ddd83b831d15f178a9629fa86c1f32e18e6fc054531
+  metadata.gz: 85034605c3e383e8344eaa389a95f8ab12fcce1eb114af0333955d208c98a651819e4ff667d72411794ff8b2f419d6b6bcf72fad35d184eef32336fdda3c0231
+  data.tar.gz: cd4d8fe1733d9deb7a959b278903fa7b58c3c9a1116c3f8835766831262a488e6a3b6070b184316e1250b63a936b26eb4d95668dfbe435adf7c8d21d3a86faff

data/.github/workflows/ci.yml

@@ -38,11 +38,15 @@ jobs:
   sanitizers:
     needs: vendor-verify
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["3.3", "3.4", "4.0"]
     steps:
       - uses: actions/checkout@v4
       - uses: ruby/setup-ruby@v1
         with:
-          ruby-version: "3.4"
+          ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
       - run: bundle exec rake vendor
       - run: LIBINJECTION_SANITIZE=1 bundle exec rake compile

data/CHANGELOG.md

@@ -2,8 +2,13 @@
 
 ## Unreleased
 
+## 0.1.1 - 2026-05-22
+
 ### Security / hardening
 
+- SQLi fingerprint Ruby strings are now constructed with a bounded length derived from the vendored libinjection fingerprint buffer instead of relying on C-string scanning.
+- Vendored archive extraction now explicitly rejects absolute paths, malformed paths, and `..` traversal before the keep-list is applied.
+- Sanitizer CI now runs the ASan/UBSan smoke job across Ruby 3.3, 3.4, and 4.0.
 - Added explicit Rack middleware parser-error policy. `parser_errors: :auto` now reports native libinjection and known Rack parameter/cookie parser errors in report mode and fails closed in block mode; `:report`, `:block`, and `:raise` are available for explicit behavior.
 - Added explicit skipped-input policy. `skipped_inputs: :auto` reports `max_value_bytes` / `max_depth` skips in report mode and fails closed in block mode; `:report`, `:block`, and `:allow` are available for explicit behavior.
 - Narrowed the default ignored params to `authenticity_token`; sensitive values such as `password` are scanned by default while raw values remain absent from notifications.
@@ -52,6 +57,7 @@
   (default 1024). The extension uses `rb_nogvl(..., RB_NOGVL_OFFLOAD_SAFE)`
   when the Ruby headers provide that flag, and falls back to
   `rb_thread_call_without_gvl` on older headers.
+- Documented the native invariant that `LI_NOGVL_THRESHOLD` controls both no-GVL execution and the temporary C-buffer copy decision.
 - `Rack::LibInjection` middleware rewritten on top of a mutable accumulator:
   no more per-level `flat_map`, no more `path + [key]` allocations, no more
   intermediate hashes per match. Path keys are now built as plain `String`s.

data/ext/libinjection/libinjection_ext.c

@@ -288,6 +288,22 @@ static void raise_on_error(injection_result_t result) {
     }
 }
 
+static size_t li_bounded_strlen(const char *str, size_t max_len) {
+    size_t len = 0;
+
+    while (len < max_len && str[len] != '\0') {
+        len++;
+    }
+
+    return len;
+}
+
+static VALUE li_sqli_fingerprint_value(const char *fingerprint) {
+    size_t len = li_bounded_strlen(fingerprint, LI_SQLI_FINGERPRINT_SIZE);
+
+    return len == 0 ? Qnil : rb_str_new(fingerprint, (long)len);
+}
+
 typedef struct {
     const char *src;
     size_t len;
@@ -460,7 +476,7 @@ static int li_url_decode_into(char *dst, const char *src, size_t len, size_t *ou
 
 static VALUE li_scan_out_to_value(const li_scan_out_t *out) {
     if (out->found_type == LI_THREAT_SQLI) {
-        return rb_ary_new3(2, sym_sqli, rb_str_new_cstr(out->sqli_fingerprint));
+        return rb_ary_new3(2, sym_sqli, li_sqli_fingerprint_value(out->sqli_fingerprint));
     }
     if (out->found_type == LI_THREAT_XSS) {
         return rb_ary_new3(2, sym_xss, Qnil);
@@ -578,7 +594,7 @@ static VALUE li_sqli_result_hash(const struct libinjection_sqli_state *state,
     rb_hash_aset(hash, li_id_sym("type"), sym_sqli);
     rb_hash_aset(hash, li_id_sym("detected"), result == LIBINJECTION_RESULT_TRUE ? Qtrue : Qfalse);
     rb_hash_aset(hash, li_id_sym("fingerprint"),
-                 fingerprint[0] == '\0' ? Qnil : rb_str_new_cstr(fingerprint));
+                 li_sqli_fingerprint_value(fingerprint));
     rb_hash_aset(hash, li_id_sym("flags"), INT2NUM(flags));
     rb_hash_aset(hash, li_id_sym("context"), context_name);
     rb_hash_aset(hash, li_id_sym("stats"), li_sqli_stats_hash(state));
@@ -654,7 +670,7 @@ static VALUE rb_li_sqli_fingerprint(VALUE self, VALUE input) {
     memcpy(fingerprint, args.work.sqli_fingerprint, sizeof(fingerprint));
     raise_on_error(args.work.sqli_result);
 
-    return args.work.sqli_detected ? rb_str_new_cstr(fingerprint) : Qnil;
+    return args.work.sqli_detected ? li_sqli_fingerprint_value(fingerprint) : Qnil;
 }
 
 typedef struct {
@@ -876,7 +892,7 @@ static VALUE rb_li_sqli_fingerprint_for(int argc, VALUE *argv, VALUE self) {
 
     result = li_run_sqli_context(str, flags, &state);
     raise_on_error(result);
-    return state.fingerprint[0] == '\0' ? Qnil : rb_str_new_cstr(state.fingerprint);
+    return li_sqli_fingerprint_value(state.fingerprint);
 }
 
 static VALUE rb_li_sqli_contexts(VALUE self, VALUE input) {
@@ -924,7 +940,7 @@ static VALUE rb_li_sqli_tokens(int argc, VALUE *argv, VALUE self) {
         int tlen;
         int i;
         libinjection_sqli_fingerprint(&state, flags);
-        tlen = (int)strlen(state.fingerprint);
+        tlen = (int)li_bounded_strlen(state.fingerprint, LI_SQLI_FINGERPRINT_SIZE);
         for (i = 0; i < tlen; i++) {
             rb_ary_push(out, li_sqli_token_hash(&state.tokenvec[i]));
         }

data/lib/libinjection/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module LibInjection
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
   LIBINJECTION_VERSION = "4.0.0"
 end

data/script/vendor_libs.rb

@@ -138,6 +138,25 @@ def http_download_to_file!(url, path, redirect_limit: 3)
   end
 end
 
+def safe_vendor_target_for!(relative)
+  if relative.include?("\0") || relative.start_with?("/", "\\")
+    abort "Unsafe archive path: #{relative.inspect}"
+  end
+
+  parts = relative.split("/")
+  if parts.empty? || parts.any? { |part| part.empty? || part == "." || part == ".." }
+    abort "Unsafe archive path: #{relative.inspect}"
+  end
+
+  root = File.expand_path(LIB_DIR)
+  target = File.expand_path(relative, root)
+  unless target.start_with?(root + File::SEPARATOR)
+    abort "Unsafe archive path escapes vendor root: #{relative.inspect}"
+  end
+
+  target
+end
+
 def download_archive!(path)
   url = format(PIN[:url], version: PIN[:version])
   puts "Downloading #{url}"
@@ -166,10 +185,11 @@ def extract_archive!(archive)
     tar.each do |entry|
       relative = entry.full_name.sub(prefix_re, "")
       next if relative.empty? || relative == entry.full_name
+
+      target = safe_vendor_target_for!(relative)
       next unless PIN[:keep].include?(relative)
       next unless entry.file?
 
-      target = File.join(LIB_DIR, relative)
       FileUtils.mkdir_p(File.dirname(target))
       File.binwrite(target, entry.read)
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-libinjection
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Roman Haydarov