RubyGems - rack - Versions diffs - 3.0.4.1 → 3.0.5 - Mend

rack 3.0.4.1 → 3.0.5

Potentially problematic release.

This version of rack might be problematic. Click here for more details.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +5 -1
data/README.md +21 -5
data/lib/rack/constants.rb +2 -0
data/lib/rack/multipart/parser.rb +16 -4
data/lib/rack/multipart.rb +25 -0
data/lib/rack/query_parser.rb +34 -17
data/lib/rack/request.rb +69 -15
data/lib/rack/utils.rb +15 -4
data/lib/rack/version.rb +1 -1
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 966e37b13d3b25138d48a0a120a35b23f8821c95e55ae1132208dbf6e4d01f3e
-  data.tar.gz: 849cf474ff1e7d79f4d1bc6a7b6396c174c21f6f2c5100d7b63030e9cc3fd808
+  metadata.gz: 14dbe09610211d4f7ea05476089ae7c5a276f62d267dea6f3902bdfbe8ecab6b
+  data.tar.gz: 12354e0b19330b88a4fe73e5675625b3ae096e6e2db087fc2e8d4167f4c10368
 SHA512:
-  metadata.gz: 781ff34ba58e47c262f239af6d76b697a2d6df26329b21e5d055609c95b2855f13a9355d470c85f0055b6ff135edebdf83dba845452645a7a2965443b49bca8f
-  data.tar.gz: 8a56368346afee246702533dfed7b444d2fab999bcc4d405484cb3af0b8e674ffa35509ddd402ed73b7a36bc9f9bb99dd09e2c31dafcb170c4cdbc63a095bd21
+  metadata.gz: eee29ac6d6b1f61355b1e802fece0f3d4af51603cfd0dca142ed7846f26059467a8cc08143f4dab9bfcb2fa20f93fd67d7654b23c9898b545761de0b1ea57003
+  data.tar.gz: f654a6cb49ed589ec844f930bc8dc0edec5c818665183011215b72c7b3dc7619b1726a2ec6ff045fd1914de85592c2697a8b10b45073744cba98124cc6f19dbb

data/CHANGELOG.md CHANGED Viewed

@@ -2,13 +2,17 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [3.0.4.1] - 2023-03-02
+- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
 ## [3.0.4.1] - 2023-01-17
 - [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
 - [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
 - [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
-## [3.0.4] - 2022-01-17
+## [3.0.4] - 2023-01-17
 - `Rack::Request#POST` should consistently raise errors. Cache errors that occur when invoking `Rack::Request#POST` so they can be raised again later. ([#2010](https://github.com/rack/rack/pull/2010), [@ioquatix])
 - Fix `Rack::Lint` error message for `HTTP_CONTENT_TYPE` and `HTTP_CONTENT_LENGTH`. ([#2007](https://github.com/rack/rack/pull/2007), [@byroot](https://github.com/byroot))

data/README.md CHANGED Viewed

@@ -186,19 +186,35 @@ but this query string would not be allowed:
 Limiting the depth prevents a possible stack overflow when parsing parameters.
-### `multipart_part_limit`
+### `multipart_file_limit`
 ```ruby
-Rack::Utils.multipart_part_limit = 128 # default
+Rack::Utils.multipart_file_limit = 128 # default
 ```
-The maximum number of parts a request can contain. Accepting too many parts can
-lead to the server running out of file handles.
+The maximum number of parts with a filename a request can contain. Accepting
+too many parts can lead to the server running out of file handles.
 The default is 128, which means that a single request can't upload more than 128
 files at once. Set to 0 for no limit.
-Can also be set via the `RACK_MULTIPART_PART_LIMIT` environment variable.
+Can also be set via the `RACK_MULTIPART_FILE_LIMIT` environment variable.
+(This is also aliased as `multipart_part_limit` and `RACK_MULTIPART_PART_LIMIT` for compatibility)
+### `multipart_total_part_limit`
+The maximum total number of parts a request can contain of any type, including
+both file and non-file form fields.
+The default is 4096, which means that a single request can't contain more than
+4096 parts.
+Set to 0 for no limit.
+Can also be set via the `RACK_MULTIPART_TOTAL_PART_LIMIT` environment variable.
 ## Changelog

data/lib/rack/constants.rb CHANGED Viewed

@@ -54,11 +54,13 @@ module Rack
   RACK_RESPONSE_FINISHED              = 'rack.response_finished'
   RACK_REQUEST_FORM_INPUT             = 'rack.request.form_input'
   RACK_REQUEST_FORM_HASH              = 'rack.request.form_hash'
+  RACK_REQUEST_FORM_PAIRS             = 'rack.request.form_pairs'
   RACK_REQUEST_FORM_VARS              = 'rack.request.form_vars'
   RACK_REQUEST_FORM_ERROR             = 'rack.request.form_error'
   RACK_REQUEST_COOKIE_HASH            = 'rack.request.cookie_hash'
   RACK_REQUEST_COOKIE_STRING          = 'rack.request.cookie_string'
   RACK_REQUEST_QUERY_HASH             = 'rack.request.query_hash'
+  RACK_REQUEST_QUERY_PAIRS            = 'rack.request.query_pairs'
   RACK_REQUEST_QUERY_STRING           = 'rack.request.query_string'
   RACK_METHODOVERRIDE_ORIGINAL_METHOD = 'rack.methodoverride.original_method'
 end

data/lib/rack/multipart/parser.rb CHANGED Viewed

@@ -8,6 +8,8 @@ module Rack
   module Multipart
     class MultipartPartLimitError < Errno::EMFILE; end
+    class MultipartTotalPartLimitError < StandardError; end
     # Use specific error class when parsing multipart request
     # that ends early.
     class EmptyContentError < ::EOFError; end
@@ -166,7 +168,7 @@ module Rack
           @mime_parts[mime_index] = klass.new(body, head, filename, content_type, name)
-          check_open_files
+          check_part_limits
         end
         def on_mime_body(mime_index, content)
@@ -178,13 +180,23 @@ module Rack
         private
-        def check_open_files
-          if Utils.multipart_part_limit > 0
-            if @open_files >= Utils.multipart_part_limit
+        def check_part_limits
+          file_limit = Utils.multipart_file_limit
+          part_limit = Utils.multipart_total_part_limit
+          if file_limit && file_limit > 0
+            if @open_files >= file_limit
               @mime_parts.each(&:close)
               raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
             end
           end
+          if part_limit && part_limit > 0
+            if @mime_parts.size >= part_limit
+              @mime_parts.each(&:close)
+              raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached'
+            end
+          end
         end
       end

data/lib/rack/multipart.rb CHANGED Viewed

@@ -13,6 +13,31 @@ module Rack
   module Multipart
     MULTIPART_BOUNDARY = "AaB03x"
+    # Accumulator for multipart form data, conforming to the QueryParser API.
+    # In future, the Parser could return the pair list directly, but that would
+    # change its API.
+    class ParamList # :nodoc:
+      def self.make_params
+        new
+      end
+      def self.normalize_params(params, key, value)
+        params << [key, value]
+      end
+      def initialize
+        @pairs = []
+      end
+      def <<(pair)
+        @pairs << pair
+      end
+      def to_params_hash
+        @pairs
+      end
+    end
     class << self
       def parse_multipart(env, params = Rack::Utils.default_query_parser)
         io = env[RACK_INPUT]

data/lib/rack/query_parser.rb CHANGED Viewed

@@ -37,19 +37,42 @@ module Rack
       @param_depth_limit = param_depth_limit
     end
-    # Stolen from Mongrel, with some small modifications:
+    # Originally stolen from Mongrel, now with some modifications:
     # Parses a query string by breaking it up at the '&'.  You can also use this
     # to parse cookies by changing the characters used in the second parameter
     # (which defaults to '&').
-    def parse_query(qs, separator = nil, &unescaper)
-      unescaper ||= method(:unescape)
+    #
+    # Returns an array of 2-element arrays, where the first element is the
+    # key and the second element is the value.
+    def split_query(qs, separator = nil, &unescaper)
+      pairs = []
+      if qs && !qs.empty?
+        unescaper ||= method(:unescape)
+        qs.split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
+          next if p.empty?
+          pair = p.split('=', 2).map!(&unescaper)
+          pair << nil if pair.length == 1
+          pairs << pair
+        end
+      end
-      params = make_params
+      pairs
+    rescue ArgumentError => e
+      raise InvalidParameterError, e.message, e.backtrace
+    end
-      (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
-        next if p.empty?
-        k, v = p.split('=', 2).map!(&unescaper)
+    # Parses a query string by breaking it up at the '&'.  You can also use this
+    # to parse cookies by changing the characters used in the second parameter
+    # (which defaults to '&').
+    #
+    # Returns a hash where each value is a string (when a key only appears once)
+    # or an array of strings (when a key appears more than once).
+    def parse_query(qs, separator = nil, &unescaper)
+      params = make_params
+      split_query(qs, separator, &unescaper).each do |k, v|
         if cur = params[k]
           if cur.class == Array
             params[k] << v
@@ -61,7 +84,7 @@ module Rack
         end
       end
-      return params.to_h
+      params.to_h
     end
     # parse_nested_query expands a query string into structural types. Supported
@@ -72,17 +95,11 @@ module Rack
     def parse_nested_query(qs, separator = nil)
       params = make_params
-      unless qs.nil? || qs.empty?
-        (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
-          k, v = p.split('=', 2).map! { |s| unescape(s) }
-          _normalize_params(params, k, v, 0)
-        end
+      split_query(qs, separator).each do |k, v|
+        _normalize_params(params, k, v, 0)
       end
-      return params.to_h
-    rescue ArgumentError => e
-      raise InvalidParameterError, e.message, e.backtrace
+      params.to_h
     end
     # normalize_params recursively expands parameters into structural types. If

data/lib/rack/request.rb CHANGED Viewed

@@ -483,11 +483,22 @@ module Rack
       # Returns the data received in the query string.
       def GET
         if get_header(RACK_REQUEST_QUERY_STRING) == query_string
-          get_header(RACK_REQUEST_QUERY_HASH)
+          if query_hash = get_header(RACK_REQUEST_QUERY_HASH)
+            return query_hash
+          end
+        end
+        set_header(RACK_REQUEST_QUERY_HASH, expand_params(query_param_list))
+      end
+      def query_param_list
+        if get_header(RACK_REQUEST_QUERY_STRING) == query_string
+          get_header(RACK_REQUEST_QUERY_PAIRS)
         else
-          query_hash = parse_query(query_string, '&')
-          set_header(RACK_REQUEST_QUERY_STRING, query_string)
-          set_header(RACK_REQUEST_QUERY_HASH, query_hash)
+          query_pairs = split_query(query_string, '&')
+          set_header RACK_REQUEST_QUERY_STRING, query_string
+          set_header RACK_REQUEST_QUERY_HASH, nil
+          set_header(RACK_REQUEST_QUERY_PAIRS, query_pairs)
         end
       end
@@ -496,32 +507,53 @@ module Rack
       # This method support both application/x-www-form-urlencoded and
       # multipart/form-data.
       def POST
+        if get_header(RACK_REQUEST_FORM_INPUT).equal?(get_header(RACK_INPUT))
+          if form_hash = get_header(RACK_REQUEST_FORM_HASH)
+            return form_hash
+          end
+        end
+        set_header(RACK_REQUEST_FORM_HASH, expand_params(body_param_list))
+      end
+      def body_param_list
         if error = get_header(RACK_REQUEST_FORM_ERROR)
           raise error.class, error.message, cause: error.cause
         end
         begin
-          if get_header(RACK_INPUT).nil?
-            raise "Missing rack.input"
-          elsif get_header(RACK_REQUEST_FORM_INPUT) == get_header(RACK_INPUT)
-            get_header(RACK_REQUEST_FORM_HASH)
+          rack_input = get_header(RACK_INPUT)
+          form_pairs = nil
+          # If the form data has already been memoized from the same
+          # input:
+          if get_header(RACK_REQUEST_FORM_INPUT).equal?(rack_input)
+            if form_pairs = get_header(RACK_REQUEST_FORM_PAIRS)
+              return form_pairs
+            end
+          end
+          if rack_input.nil?
+            form_pairs = []
           elsif form_data? || parseable_data?
-            unless set_header(RACK_REQUEST_FORM_HASH, parse_multipart)
-              form_vars = get_header(RACK_INPUT).read
+            unless form_pairs = Rack::Multipart.extract_multipart(self, Rack::Multipart::ParamList)
+              form_vars = rack_input.read
               # Fix for Safari Ajax postings that always append \0
               # form_vars.sub!(/\0\z/, '') # performance replacement:
               form_vars.slice!(-1) if form_vars.end_with?("\0")
               set_header RACK_REQUEST_FORM_VARS, form_vars
-              set_header RACK_REQUEST_FORM_HASH, parse_query(form_vars, '&')
+              form_pairs = split_query(form_vars, '&')
             end
-            set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
-            get_header RACK_REQUEST_FORM_HASH
           else
-            set_header RACK_REQUEST_FORM_INPUT, get_header(RACK_INPUT)
-            set_header(RACK_REQUEST_FORM_HASH, {})
+            form_pairs = []
           end
+          set_header RACK_REQUEST_FORM_INPUT, rack_input
+          set_header RACK_REQUEST_FORM_HASH, nil
+          set_header(RACK_REQUEST_FORM_PAIRS, form_pairs)
         rescue => error
           set_header(RACK_REQUEST_FORM_ERROR, error)
           raise
@@ -661,6 +693,28 @@ module Rack
         Rack::Multipart.extract_multipart(self, query_parser)
       end
+      def split_query(query, d = '&')
+        query_parser = query_parser()
+        unless query_parser.respond_to?(:split_query)
+          query_parser = Utils.default_query_parser
+          unless query_parser.respond_to?(:split_query)
+            query_parser = QueryParser.make_default(0)
+          end
+        end
+        query_parser.split_query(query, d)
+      end
+      def expand_params(pairs, query_parser = query_parser())
+        params = query_parser.make_params
+        pairs.each do |key, value|
+          query_parser.normalize_params(params, key, value)
+        end
+        params.to_params_hash
+      end
       def split_header(value)
         value ? value.strip.split(/[,\s]+/) : []
       end

data/lib/rack/utils.rb CHANGED Viewed

@@ -58,13 +58,24 @@ module Rack
     end
     class << self
-      attr_accessor :multipart_part_limit
+      attr_accessor :multipart_total_part_limit
+      attr_accessor :multipart_file_limit
+      # multipart_part_limit is the original name of multipart_file_limit, but
+      # the limit only counts parts with filenames.
+      alias multipart_part_limit multipart_file_limit
+      alias multipart_part_limit= multipart_file_limit=
     end
-    # The maximum number of parts a request can contain. Accepting too many part
-    # can lead to the server running out of file handles.
+    # The maximum number of file parts a request can contain. Accepting too
+    # many parts can lead to the server running out of file handles.
     # Set to `0` for no limit.
-    self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || 128).to_i
+    self.multipart_file_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_FILE_LIMIT'] || 128).to_i
+    # The maximum total number of parts a request can contain. Accepting too
+    # many can lead to excessive memory use and parsing time.
+    self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
     def self.param_depth_limit
       default_query_parser.param_depth_limit

data/lib/rack/version.rb CHANGED Viewed

@@ -25,7 +25,7 @@ module Rack
     VERSION
   end
-  RELEASE = "3.0.4.1"
+  RELEASE = "3.0.5"
   # Return the Rack release as a dotted string.
   def self.release

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.0.4.1
+  version: 3.0.5
 platform: ruby
 authors:
 - Leah Neukirchen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-17 00:00:00.000000000 Z
+date: 2023-03-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -164,7 +164,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.