rack 2.2.18 → 2.2.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2a0c02f8ad516a9e66e1d8ec32ca620dfe46328d5b248fb6a72ed0b8e4a0f91c
-  data.tar.gz: d32193586a1367c718a9a4385b26a4159a8e376c852c624fd9e1ad6b77e5137d
+  metadata.gz: ef82ea76fce7ba344410cc419cff56e201f8ec9ded624b01b34ad9521b613f99
+  data.tar.gz: de812a77455e5e05e6e2ced224c8cd0ea3c664f9244ed055346a9912ad0091eb
 SHA512:
-  metadata.gz: 8ea04755b2f8c7d4482a35e601d5fdc73d1fd7f62fc0bade4cf6ce0769cbe7e182ec6c6659dddc44489069a19959a3d5fa799451573a38fb943f21376356329d
-  data.tar.gz: d8c8032d0fb15a750878a0d4127d79957f21890298b7dbdb743dc276ede56fb0a32b94ece434c7d6bea26bf55167b5318ffc9c0e4c0fe6f5d1baf0cadeba6ba5
+  metadata.gz: 53b096b3b1d67e810a7dbb880dab8e06a107bb9b9e640f94cc1136b5eb9dc9ca9712d9a0d1c28de7544796095222d71ab589776ea361e56a2136e791bbaf5110
+  data.tar.gz: 8fdc0b68d511c84b62d8eaaad9c520928d6e48b75aa2c01ede21b6309231a32652188726bb1e2bff67f849d6b804ad80c8896b3cf28e6a9c700edf8a9fc26ee3

data/CHANGELOG.md

@@ -2,9 +2,26 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [2.2.20] - 2025-10-10
+
+### Security
+
+- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
+- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+
+## [2.2.19] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
 ## [2.2.18] - 2025-09-25
 
-- [CVE-2025-59830](https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
+### Security
+
+- [CVE-2025-59830](https://github.com/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
 
 ## [2.2.17] - 2025-06-03
 
@@ -22,26 +39,26 @@ All notable changes to this project will be documented in this file. For info on
 
 ### Security
 
-- [CVE-2025-32441](https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g) Rack session can be restored after deletion.
-- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+- [CVE-2025-32441](https://github.com/advisories/GHSA-vpfw-47h7-xj4g) Rack session can be restored after deletion.
+- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 
 ## [2.2.13] - 2025-03-11
 
 ### Security
 
-- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
 
 ## [2.2.12] - 2025-03-04
 
 ### Security
 
-- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
 
 ## [2.2.11] - 2025-02-12
 
 ### Security
 
-- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 
 ## [2.2.10] - 2024-10-14
 

data/README.rdoc

@@ -206,6 +206,14 @@ query string, before attempting parsing, so if the same parameter key is
 used multiple times in the query, each counts as a separate parameter for
 this check.
 
+=== `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT`
+
+This environment variable sets the maximum amount of memory Rack will use
+to buffer multipart parameters when parsing a request body. This considers
+the size of the multipart mime headers and the body part for multipart
+parameters that are buffered in memory and do not use tempfiles. This
+defaults to 16MB if not provided.
+
 === key_space_limit
 
 The default number of bytes to allow all parameters keys in a given parameter hash to take up.

data/lib/rack/multipart/parser.rb

@@ -20,6 +20,27 @@ module Rack
 
       BOUNDARY_REGEX = /\A([^\n]*(?:\n|\Z))/
 
+      BOUNDARY_START_LIMIT = 16 * 1024
+      private_constant :BOUNDARY_START_LIMIT
+
+      MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
+      private_constant :MIME_HEADER_BYTESIZE_LIMIT
+
+      env_int = lambda do |key, val|
+        if str_val = ENV[key]
+          begin
+            val = Integer(str_val, 10)
+          rescue ArgumentError
+            raise ArgumentError, "non-integer value provided for environment variable #{key}"
+          end
+        end
+
+        val
+      end
+
+      BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
+      private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -187,6 +208,8 @@ module Rack
         @end_boundary = @boundary + '--'
         @state = :FAST_FORWARD
         @mime_index = 0
+        @body_retained = nil
+        @retained_size = 0
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -241,7 +264,13 @@ module Rack
           @state = :MIME_HEAD
         else
           raise EOFError, "bad content body" if @sbuf.rest_size >= @bufsize
-          :want_read
+
+          # We raise if we don't find the multipart boundary, to avoid unbounded memory
+          # buffering. Note that the actual limit is the higher of 16KB and the buffer size (1MB by default)
+          raise EOFError, "multipart boundary not found within limit" if @sbuf.string.bytesize > BOUNDARY_START_LIMIT
+
+          # no boundary found, keep reading data
+          return :want_read
         end
       end
 
@@ -271,16 +300,30 @@ module Rack
             name = filename || "#{content_type || TEXT_PLAIN}[]".dup
           end
 
+          # Mime part head data is retained for both TempfilePart and BufferPart
+          # for the entireity of the parse, even though it isn't used for BufferPart.
+          update_retained_size(head.bytesize)
+
+          # If a filename is given, a TempfilePart will be used, so the body will
+          # not be buffered in memory. However, if a filename is not given, a BufferPart
+          # will be used, and the body will be buffered in memory.
+          @body_retained = !filename
+
           @collector.on_mime_head @mime_index, head, filename, content_type, name
           @state = :MIME_BODY
         else
-          :want_read
+          # We raise if the mime part header is too large, to avoid unbounded memory
+          # buffering. Note that the actual limit is the higher of 64KB and the buffer size (1MB by default)
+          raise EOFError, "multipart mime part header too large" if @sbuf.string.bytesize > MIME_HEADER_BYTESIZE_LIMIT
+
+          return :want_read
         end
       end
 
       def handle_mime_body
         if (body_with_boundary = @sbuf.check_until(@body_regex)) # check but do not advance the pointer yet
           body = body_with_boundary.sub(/#{@body_regex}\z/m, '') # remove the boundary from the string
+          update_retained_size(body.bytesize) if @body_retained
           @collector.on_mime_body @mime_index, body
           @sbuf.pos += body.length + 2 # skip \r\n after the content
           @state = :CONSUME_TOKEN
@@ -289,7 +332,9 @@ module Rack
           # Save what we have so far
           if @rx_max_size < @sbuf.rest_size
             delta = @sbuf.rest_size - @rx_max_size
-            @collector.on_mime_body @mime_index, @sbuf.peek(delta)
+            body = @sbuf.peek(delta)
+            update_retained_size(body.bytesize) if @body_retained
+            @collector.on_mime_body @mime_index, body
             @sbuf.pos += delta
             @sbuf.string = @sbuf.rest
           end
@@ -299,6 +344,17 @@ module Rack
 
       def full_boundary; @full_boundary; end
 
+      def update_retained_size(size)
+        @retained_size += size
+        if @retained_size > BUFFERED_UPLOAD_BYTESIZE_LIMIT
+          raise EOFError, "multipart data over retained size limit"
+        end
+      end
+
+      # Scan until the we find the start or end of the boundary.
+      # If we find it, return the appropriate symbol for the start or
+      # end of the boundary.  If we don't find the start or end of the
+      # boundary, clear the buffer and return nil.
       def consume_boundary
         while read_buffer = @sbuf.scan_until(BOUNDARY_REGEX)
           case read_buffer.strip

data/lib/rack/query_parser.rb

@@ -51,6 +51,8 @@ module Rack
     PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
     private_constant :PARAMS_LIMIT
 
+    attr_reader :bytesize_limit
+
     def initialize(params_class, key_space_limit, param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
       @params_class = params_class
       @key_space_limit = key_space_limit
@@ -185,7 +187,7 @@ module Rack
     def check_query_string(qs, sep)
       if qs
         if qs.bytesize > @bytesize_limit
-          raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
+          raise QueryLimitError, "total query size exceeds limit (#{@bytesize_limit})"
         end
 
         if (param_count = qs.count(sep.is_a?(String) ? sep : '&;')) >= @params_limit

data/lib/rack/request.rb

@@ -444,7 +444,10 @@ module Rack
           get_header(RACK_REQUEST_FORM_HASH)
         elsif form_data? || parseable_data?
           unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
-            form_vars = get_header(RACK_INPUT).read
+            # Add 2 bytes. One to check whether it is over the limit, and a second
+            # in case the slice! call below removes the last byte
+            # If read returns nil, use the empty string
+            form_vars = get_header(RACK_INPUT).read(query_parser.bytesize_limit + 2) || ''
 
             # Fix for Safari Ajax postings that always append \0
             # form_vars.sub!(/\0\z/, '') # performance replacement:

data/lib/rack/sendfile.rb

@@ -40,18 +40,23 @@ module Rack
   #     proxy_set_header   X-Real-IP           $remote_addr;
   #     proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
   #
-  #     proxy_set_header   X-Sendfile-Type     X-Accel-Redirect;
   #     proxy_set_header   X-Accel-Mapping     /var/www/=/files/;
   #
   #     proxy_pass         http://127.0.0.1:8080/;
   #   }
   #
-  # Note that the X-Sendfile-Type header must be set exactly as shown above.
   # The X-Accel-Mapping header should specify the location on the file system,
   # followed by an equals sign (=), followed name of the private URL pattern
   # that it maps to. The middleware performs a simple substitution on the
   # resulting path.
   #
+  # To enable X-Accel-Redirect, you must configure the middleware explicitly:
+  #
+  #   use Rack::Sendfile, "X-Accel-Redirect"
+  #
+  # For security reasons, the X-Sendfile-Type header from requests is ignored.
+  # The sendfile variation must be set via the middleware constructor.
+  #
   # See Also: https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile
   #
   # === lighttpd
@@ -96,13 +101,25 @@ module Rack
   # X-Accel-Mapping header. Mappings should be provided in tuples of internal to
   # external. The internal values may contain regular expression syntax, they
   # will be matched with case indifference.
+  #
+  # When X-Accel-Redirect is explicitly enabled via the variation parameter,
+  # and no application-level mappings are provided, the middleware will read
+  # the X-Accel-Mapping header from the proxy. This allows nginx to control
+  # the path mapping without requiring application-level configuration.
+  #
+  # === Security
+  #
+  # For security reasons, the X-Sendfile-Type header from HTTP requests is
+  # ignored. The sendfile variation must be explicitly configured via the
+  # middleware constructor to prevent information disclosure vulnerabilities
+  # where attackers could bypass proxy restrictions.
 
   class Sendfile
     def initialize(app, variation = nil, mappings = [])
       @app = app
       @variation = variation
       @mappings = mappings.map do |internal, external|
-        [/^#{internal}/i, external]
+        [/\A#{internal}/i, external]
       end
     end
 
@@ -140,22 +157,35 @@ module Rack
     end
 
     private
+
     def variation(env)
-      @variation ||
-        env['sendfile.type'] ||
-        env['HTTP_X_SENDFILE_TYPE']
+      # Note: HTTP_X_SENDFILE_TYPE is intentionally NOT read for security reasons.
+      # Attackers could use this header to enable x-accel-redirect and bypass proxy restrictions.
+      @variation || env['sendfile.type']
+    end
+
+    def x_accel_mapping(env)
+      # Only allow header when:
+      # 1. X-Accel-Redirect is explicitly enabled via constructor.
+      # 2. No application-level mappings are configured.
+      return nil unless @variation =~ /x-accel-redirect/i
+      return nil if @mappings.any?
+      
+      env['HTTP_X_ACCEL_MAPPING']
     end
 
     def map_accel_path(env, path)
       if mapping = @mappings.find { |internal, _| internal =~ path }
-        path.sub(*mapping)
-      elsif mapping = env['HTTP_X_ACCEL_MAPPING']
+        return path.sub(*mapping)
+      elsif mapping = x_accel_mapping(env)
+        # Safe to use header: explicit config + no app mappings:
         mapping.split(',').map(&:strip).each do |m|
           internal, external = m.split('=', 2).map(&:strip)
-          new_path = path.sub(/^#{internal}/i, external)
+          new_path = path.sub(/\A#{internal}/i, external)
           return new_path unless path == new_path
         end
-        path
+
+        return path
       end
     end
   end

data/lib/rack/version.rb

@@ -20,7 +20,7 @@ module Rack
     VERSION.join(".")
   end
 
-  RELEASE = "2.2.18"
+  RELEASE = "2.2.20"
 
   # Return the Rack release as a dotted string.
   def self.release

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 2.2.18
+  version: 2.2.20
 platform: ruby
 authors:
 - Leah Neukirchen