RubyGems - rack - Versions diffs - 3.0.15 → 3.0.16 - Mend

rack 3.0.15 → 3.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 37139bb900e9ae14b78c8d89e0bca433ac72b21e1a0a49b7fc583d90af333f03
-  data.tar.gz: d6ecdfd611b84d0871c08225c78dde2ca0c13c19f7d167638129098ba820472e
+  metadata.gz: eaf5a33f441d4e1a6b0a9600e54b74901556464d1ce61a232ce43b0cca7139ec
+  data.tar.gz: 0df47d8d7aa5a9bb86fb73ef60e73aa339a4c5ba070fbdd4e7d369b83e054dc7
 SHA512:
-  metadata.gz: 1bc716b5dc779109737a6bb703926e6ef9355c9ccb254c687fc0c95c1fe66563175c908b077f7dd826ac28e14640a9459dc3788668f5fd84577fd0db3c59737b
-  data.tar.gz: f943c6da9fe9008b8eb6bc19d68fbd041f5ed925965f74fe1dade8c115da67faf3710c46102a716160be30ee7e5df99ddc72ac1a1ac7cf8b44cbcaffc234cc84
+  metadata.gz: ae3b3583f15553fc4e42e147d9774aeae5fd76ae1bc24ebaf18ce5d3199a4cb341ef5476d8e4ecb5527430acb3718c23ad77b5c742df5b6acbbca37756337cdd
+  data.tar.gz: eb8880792c8bf5e6f61574edad0e6b56105b399adc393f82f25d3fa25b9e4d1c67a5365e342a7065a884635a6d9498b0c89ec4653644fd6f3036f354117986ff

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,12 @@
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
+## [3.0.16] - 2025-05-06
+### Security
+- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 ## [3.0.15] - 2025-04-13
 - Ensure `Rack::ETag` correctly updates response body. ([#2324](https://github.com/rack/rack/pull/2324), [@ioquatix])
@@ -204,6 +210,12 @@ All notable changes to this project will be documented in this file. For info on
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
+## [2.2.14] - 2025-05-06
+### Security
+- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 ## [2.2.13] - 2025-03-11
 ### Security

data/README.md CHANGED Viewed

@@ -165,6 +165,33 @@ quickly and without doing the same web stuff all over:
 Rack exposes several configuration parameters to control various features of the
 implementation.
+### `RACK_QUERY_PARSER_BYTESIZE_LIMIT`
+This environment variable sets the default for the maximum query string bytesize
+that `Rack::QueryParser` will attempt to parse.  Attempts to use a query string
+that exceeds this number of bytes will result in a
+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
+provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
+The default limit can be overridden on a per-`Rack::QueryParser` basis using
+the `bytesize_limit` keyword argument when creating the `Rack::QueryParser`.
+### `RACK_QUERY_PARSER_PARAMS_LIMIT`
+This environment variable sets the default for the maximum number of query
+parameters that `Rack::QueryParser` will attempt to parse.  Attempts to use a
+query string with more than this many query parameters will result in a
+`Rack::QueryParser::QueryLimitError` exception. If this enviroment variable is
+provided, it must be an integer, or `Rack::QueryParser` will raise an exception.
+The default limit can be overridden on a per-`Rack::QueryParser` basis using
+the `params_limit` keyword argument when creating the `Rack::QueryParser`.
+This is implemented by counting the number of parameter separators in the
+query string, before attempting parsing, so if the same parameter key is
+used multiple times in the query, each counts as a separate parameter for
+this check.
 ### `param_depth_limit`
 ```ruby

data/lib/rack/query_parser.rb CHANGED Viewed

@@ -16,27 +16,54 @@ module Rack
     # sequence.
     class InvalidParameterError < ArgumentError; end
-    # ParamsTooDeepError is the error that is raised when params are recursively
-    # nested over the specified limit.
-    class ParamsTooDeepError < RangeError; end
+    # QueryLimitError is for errors raised when the query provided exceeds one
+    # of the query parser limits.
+    class QueryLimitError < RangeError
+    end
+    # ParamsTooDeepError is the old name for the error that is raised when params
+    # are recursively nested over the specified limit. Make it the same as
+    # as QueryLimitError, so that code that rescues ParamsTooDeepError error
+    # to handle bad query strings also now handles other limits.
+    ParamsTooDeepError = QueryLimitError
-    def self.make_default(_key_space_limit=(not_deprecated = true; nil), param_depth_limit)
+    def self.make_default(_key_space_limit=(not_deprecated = true; nil), param_depth_limit, **options)
       unless not_deprecated
         warn("`first argument `key_space limit` is deprecated and no longer has an effect. Please call with only one argument, which will be required in a future version of Rack", uplevel: 1)
       end
-      new Params, param_depth_limit
+      new Params, param_depth_limit, **options
     end
     attr_reader :param_depth_limit
-    def initialize(params_class, _key_space_limit=(not_deprecated = true; nil), param_depth_limit)
+    env_int = lambda do |key, val|
+      if str_val = ENV[key]
+        begin
+          val = Integer(str_val, 10)
+        rescue ArgumentError
+          raise ArgumentError, "non-integer value provided for environment variable #{key}"
+        end
+      end
+      val
+    end
+    BYTESIZE_LIMIT = env_int.call("RACK_QUERY_PARSER_BYTESIZE_LIMIT", 4194304)
+    private_constant :BYTESIZE_LIMIT
+    PARAMS_LIMIT = env_int.call("RACK_QUERY_PARSER_PARAMS_LIMIT", 4096)
+    private_constant :PARAMS_LIMIT
+    def initialize(params_class, _key_space_limit=(not_deprecated = true; nil), param_depth_limit, bytesize_limit: BYTESIZE_LIMIT, params_limit: PARAMS_LIMIT)
       unless not_deprecated
         warn("`second argument `key_space limit` is deprecated and no longer has an effect. Please call with only two arguments, which will be required in a future version of Rack", uplevel: 1)
       end
       @params_class = params_class
       @param_depth_limit = param_depth_limit
+      @bytesize_limit = bytesize_limit
+      @params_limit = params_limit
     end
     # Stolen from Mongrel, with some small modifications:
@@ -48,7 +75,7 @@ module Rack
       params = make_params
-      (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
+      check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
         next if p.empty?
         k, v = p.split('=', 2).map!(&unescaper)
@@ -75,7 +102,7 @@ module Rack
       params = make_params
       unless qs.nil? || qs.empty?
-        (qs || '').split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
+        check_query_string(qs, separator).split(separator ? (COMMON_SEP[separator] || /[#{separator}] */n) : DEFAULT_SEP).each do |p|
           k, v = p.split('=', 2).map! { |s| unescape(s) }
           _normalize_params(params, k, v, 0)
@@ -190,6 +217,22 @@ module Rack
       true
     end
+    def check_query_string(qs, sep)
+      if qs
+        if qs.bytesize > @bytesize_limit
+          raise QueryLimitError, "total query size (#{qs.bytesize}) exceeds limit (#{@bytesize_limit})"
+        end
+        if (param_count = qs.count(sep.is_a?(String) ? sep : '&')) >= @params_limit
+          raise QueryLimitError, "total number of query parameters (#{param_count+1}) exceeds limit (#{@params_limit})"
+        end
+        qs
+      else
+        ''
+      end
+    end
     def unescape(string, encoding = Encoding::UTF_8)
       URI.decode_www_form_component(string, encoding)
     end

data/lib/rack/version.rb CHANGED Viewed

@@ -25,7 +25,7 @@ module Rack
     VERSION
   end
-  RELEASE = "3.0.15"
+  RELEASE = "3.0.16"
   # Return the Rack release as a dotted string.
   def self.release

metadata CHANGED Viewed

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack
 version: !ruby/object:Gem::Version
-  version: 3.0.15
+  version: 3.0.16
 platform: ruby
 authors:
 - Leah Neukirchen
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-13 00:00:00.000000000 Z
+date: 2025-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -148,6 +149,7 @@ metadata:
   changelog_uri: https://github.com/rack/rack/blob/main/CHANGELOG.md
   documentation_uri: https://rubydoc.info/github/rack/rack
   source_code_uri: https://github.com/rack/rack
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -162,7 +164,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: A modular Ruby webserver interface.
 test_files: []