rails-security-backports 0.0.1

data/.gitignore

@@ -0,0 +1,34 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/CHANGELOG.md

@@ -0,0 +1,10 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+## 0.0.1 - Unreleased
+### Added
+- Initial base files (README, CHANGELOG, .gemspec, etc)
+- Rails: CVE-2013-0276
+- Rails: CVE-2013-0277
+- Ruby: CVE-2008-3790
+- Ruby: CVE-2014-8080

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,34 @@
+PATH
+  remote: .
+  specs:
+    rails-security-backports (0.0.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (1.3.6)
+      actionpack (= 1.13.6)
+    actionpack (1.13.6)
+      activesupport (= 1.4.4)
+    actionwebservice (1.2.6)
+      actionpack (= 1.13.6)
+      activerecord (= 1.15.6)
+    activerecord (1.15.6)
+      activesupport (= 1.4.4)
+    activesupport (1.4.4)
+    rails (1.2.6)
+      actionmailer (= 1.3.6)
+      actionpack (= 1.13.6)
+      actionwebservice (= 1.2.6)
+      activerecord (= 1.15.6)
+      activesupport (= 1.4.4)
+      rake (>= 0.7.2)
+    rake (0.9.6)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rails (~> 1.2)
+  rails-security-backports!
+  rake (~> 0.9)

data/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Marcos Wright-Kuhns
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

data/README.md

@@ -0,0 +1,15 @@
+# ruby-126-security-backports
+
+A collection of security-related Ruby & Rails patches backported from fixes in modern Ruby & Rails.
+
+This code currently specifically targets Rails 1.2.6 & Ruby 1.8.6, but pull requests targeting other versions are also welcomed.
+
+## Local Development
+
+Requirements:
+- Ruby 1.8.6
+
+````
+$ gem install bundler --version='1.0.22'
+$ bundle install
+````

data/Rakefile

@@ -0,0 +1,17 @@
+begin
+  require "bundler/gem_tasks"
+rescue LoadError
+  puts "Bundler not available. Install it with: gem install bundler"
+end
+
+#Dir[File.join(File.dirname(__FILE__), "lib/tasks/*.rake")].sort.each { |ext| load ext }
+
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList['test/*_test.rb']
+  t.verbose = true
+end
+
+task :default => :test

data/lib/rails-security-backports.rb

@@ -0,0 +1,11 @@
+$:.unshift File.dirname(__FILE__)
+
+require 'rails-security-backports/version'
+
+require 'active_record'
+
+require 'rails-security-backports/rails-cve-backports/cve-2013-0276.rb'
+require 'rails-security-backports/rails-cve-backports/cve-2013-0277.rb'
+
+require 'rails-security-backports/ruby-cve-backports/cve-2008-3790.rb'
+require 'rails-security-backports/ruby-cve-backports/cve-2014-8080.rb'

data/lib/rails-security-backports/rails-cve-backports/cve-2013-0276.rb

@@ -0,0 +1,26 @@
+module ActiveRecord
+  module CVE20130276
+    module ClassMethods
+      private
+      # Suffixes a, ?, c become regexp /(a|\?|c)$/
+      def rebuild_attribute_method_regexp
+        suffixes = attribute_method_suffixes.map { |s| Regexp.escape(s) }
+        @@attribute_method_regexp = /(#{suffixes.join('|')})\z/.freeze
+      end
+    end
+
+    module Base
+      def remove_attributes_protected_from_mass_assignment(attributes)
+        if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
+          attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
+        elsif self.class.protected_attributes.nil?
+          attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/m, "").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
+        elsif self.class.accessible_attributes.nil?
+          attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/m,"").intern) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
+        end
+      end
+    end
+  end
+end
+ActiveRecord::Base.extend(        ActiveRecord::CVE20130276::ClassMethods)
+ActiveRecord::Base.send(:include, ActiveRecord::CVE20130276::Base)

data/lib/rails-security-backports/rails-cve-backports/cve-2013-0277.rb

@@ -0,0 +1,37 @@
+module ActiveRecord
+  class Base
+    private
+    def write_attribute(attr_name, value)
+      attr_name = attr_name.to_s
+      if (column = column_for_attribute(attr_name)) && column.number?
+        @attributes[attr_name] = convert_number_column_value(value)
+      else
+        if self.class.serialized_attributes[attr_name] && value.is_a?(String) && value =~ /^---/
+          raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
+        end
+        @attributes[attr_name] = value
+      end
+    end
+    # For comparison, this is the original write_attribue from rails 1.2.6
+    # def write_attribute(attr_name, value)
+    #   attr_name = attr_name.to_s
+    #   if (column = column_for_attribute(attr_name)) && column.number?
+    #     @attributes[attr_name] = convert_number_column_value(value)
+    #   else
+    #     @attributes[attr_name] = value
+    #   end
+    # end
+    # For comparison this is the patch from rails 2.3
+    # def define_write_method_for_serialized_attribute(attr_name)
+    #   method_body = <<-EOV
+    #     def #{attr_name}=(value)
+    #       if value.is_a?(String) and value =~ /^---/
+    #         raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
+    #       end
+    #       write_attribute(:#{attr_name}, value)
+    #     end
+    #   EOV
+    #   evaluate_attribute_method attr_name, method_body, "#{attr_name}="
+    # end
+  end
+end

data/lib/rails-security-backports/ruby-cve-backports/cve-2008-3790.rb

@@ -0,0 +1,59 @@
+# Fixes CVE-2008-3790 - https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
+# Originally based on https://github.com/NZKoz/rexml-expansion-fix
+
+# Copyright (c) 2008 Michael Koziarski <michael@koziarski.com>
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+require 'rexml/document'
+require 'rexml/entity'
+module REXML
+  class Entity < Child
+    def unnormalized
+      # Due to an optimisation in REXML, the default entities aren't
+      # associated with a document.  As these enties are defined and
+      # not recursive, we know that expanding them won't cause any
+      # issues.  Other entities in the document will still have
+      # the association to the document preventing this from opening
+      # a new attack vector.
+      document.record_entity_expansion! if document
+      v = value()
+      return nil if v.nil?
+      @unnormalized = Text::unnormalize(v, parent)
+      @unnormalized
+    end
+  end
+
+  class Document < Element
+    def record_entity_expansion!
+      @number_of_expansions ||= 0
+      @number_of_expansions += 1
+      if @number_of_expansions > Security.entity_expansion_limit
+        raise "Processing aborted: number of entity expansions (#{@number_of_expansions}) exceeded the limit (#{Security.entity_expansion_limit})."
+      end
+    end
+  end
+
+  class Security
+    @@entity_expansion_limit = 10_000
+
+    # Set the entity expansion limit. By default the limit is set to 10000.
+    def self.entity_expansion_limit=( val )
+      @@entity_expansion_limit = val
+    end
+
+    # Get the entity expansion limit. By default the limit is set to 10000.
+    def self.entity_expansion_limit
+      return @@entity_expansion_limit
+    end
+  end
+end

data/lib/rails-security-backports/ruby-cve-backports/cve-2014-8080.rb

@@ -0,0 +1,45 @@
+# Fixes CVE-2014-8080 - https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/
+
+require 'rexml/document'
+require 'rexml/entity'
+
+module REXML
+  class Entity
+
+    def value
+      if @value
+        matches = @value.scan(PEREFERENCE_RE)
+        rv = @value.clone
+        if @parent
+          sum = 0
+          matches.each do |entity_reference|
+            entity_value = @parent.entity( entity_reference[0] )
+            if sum + entity_value.size > Security.entity_expansion_text_limit
+              raise "Processing aborted: entity expansion (#{sum + entity_value.size}) exceeded our limit (#{Security.entity_expansion_text_limit})."
+            else
+              sum += entity_value.size
+            end
+            rv.gsub!( /%#{entity_reference};/um, entity_value )
+          end
+        end
+        return rv
+      end
+      nil
+    end
+
+  end
+
+  class Security
+    @@entity_expansion_text_limit = 10_240
+
+    # Set the entity expansion limit. By default the limit is set to 10240.
+    def self.entity_expansion_text_limit=( val )
+      @@entity_expansion_text_limit = val
+    end
+
+    # Get the entity expansion limit. By default the limit is set to 10240.
+    def self.entity_expansion_text_limit
+      return @@entity_expansion_text_limit
+    end
+  end
+end

data/lib/rails-security-backports/version.rb

@@ -0,0 +1,18 @@
+module RailsSecurityBackports
+  class Version
+    MAJOR = 0
+    MINOR = 0
+    PATCH = 1
+    STRING = "#{MAJOR}.#{MINOR}.#{PATCH}"
+
+    class << self
+      # A String representing the current version of this gem.
+      def inspect
+        STRING
+      end
+      alias_method :to_s, :inspect
+    end
+  end
+
+  VERSION = Version::STRING
+end

data/rails-security-backports.gemspec

@@ -0,0 +1,45 @@
+# -*- encoding: utf-8 -*-
+
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+
+require 'rails-security-backports/version'
+
+Gem::Specification.new do |s|
+  s.name = "rails-security-backports"
+  s.version = RailsSecurityBackports::Version.to_s
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Marcos Wright Kuhns"]
+  s.date = "2014-11-03"
+  s.description = "A collection of security-related Ruby & Rails patches backported from fixes in modern Ruby & Rails."
+  s.email = "marcos@wrightkuhns.com"
+  s.homepage = "https://github.com/metavida/rails-security-backports"
+  s.licenses = ["MIT"]
+
+  s.files = `git ls-files`.split("\n")
+  s.test_files = s.files.grep(%r{^(test|spec|features,integration_test)/})
+
+  s.rdoc_options = ["--main", "README.rdoc", "--title", "rails-security-backports-#{RailsSecurityBackports::Version}", "--inline-source", "--exclude", "tasks", "CHANGELOG.md"]
+  s.extra_rdoc_files = s.files.grep(%r{\.rdoc$}) + %w{LICENSE}
+
+  s.require_paths = ["lib"]
+  s.rubygems_version = "1.8.19"
+  s.summary = "Backports of security patches for Ruby & Rails"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rake>, ["~> 0.9"])
+      s.add_development_dependency(%q<rails>, ["~> 1.2"])
+    else
+      s.add_dependency(%q<rake>, ["~> 0.9"])
+      s.add_dependency(%q<rails>, ["~> 1.2"])
+    end
+  else
+    s.add_dependency(%q<rake>, ["~> 0.9"])
+    s.add_dependency(%q<rails>, ["~> 1.2"])
+  end
+end
+

data/test/ruby-cve-2008-3790_test.rb

@@ -0,0 +1,63 @@
+require 'test/unit'
+require 'rails-security-backports'
+
+class RubyCve_2008_3790Test < Test::Unit::TestCase
+
+  def setup
+    @orig_limit = REXML::Security.entity_expansion_limit
+  end
+
+  def teardown
+    REXML::Security.entity_expansion_limit = @orig_limit
+  end
+
+
+  def test__record_entity_expansion__with_small_num_expansions
+    REXML::Security.entity_expansion_limit = 50
+
+    xml = get_expandable_xml_that_expands_to(REXML::Security.entity_expansion_limit)
+
+    assert_nothing_raised(RuntimeError, "Expected NO exception with xml:\n#{xml}") do
+      REXML::Document.new(xml).root.text
+    end
+  end
+
+  def test__record_entity_expansion__with_too_many_expansions
+    REXML::Security.entity_expansion_limit = 50
+
+    xml = get_expandable_xml_that_expands_to(REXML::Security.entity_expansion_limit + 1000)
+
+    assert_raise(RuntimeError, "Expected exception with xml:\n#{xml}") do
+      REXML::Document.new(xml).root.text
+    end
+  end
+
+  private
+
+  def get_expandable_xml_that_expands_to(num_expansions_required = 51)
+    expansion_keys = %w{a b}
+    expansion_text = "x"*10
+
+    expansions_per_key = Math.sqrt(num_expansions_required).floor - 1
+    num_expansions_expected = expansions_per_key ** 2
+    num_expansions_expected += 1 + expansions_per_key
+
+    non_exponential_expansions = num_expansions_required - 1 - num_expansions_expected
+
+    <<-XML
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+<!ENTITY a "#{'&b;'*expansions_per_key}">
+<!ENTITY b "#{'&x;'*expansions_per_key}">
+<!ENTITY x "#{expansion_text}">
+<!ENTITY c "#{'&y;'*non_exponential_expansions}">
+<!ENTITY y "#{expansion_text}">
+]>
+<member>
+&a;
+&c;
+</member>
+    XML
+  end
+
+end

data/test/ruby-cve-2014-8080_test.rb

@@ -0,0 +1,67 @@
+require 'test/unit'
+require 'rails-security-backports'
+
+class RubyCve_2014_8080Test < Test::Unit::TestCase
+
+  def setup
+    @orig_limit = REXML::Security.entity_expansion_text_limit
+  end
+
+  def teardown
+    REXML::Security.entity_expansion_text_limit = @orig_limit
+  end
+
+  def test__record_entity_expansion__with_small_num_text_expansions
+    REXML::Security.entity_expansion_text_limit = 50
+
+    xml = get_expandable_xml_that_expands_to(:less_than=>REXML::Security.entity_expansion_text_limit)
+
+    assert_nothing_raised(REXML::ParseException, "Expected NO exception with xml:\n#{xml}") do
+      REXML::Document.new(xml).root.text
+    end
+  end
+
+  def test__record_entity_expansion__with_too_many_text_expansions
+    REXML::Security.entity_expansion_text_limit = 50
+
+    xml = get_expandable_xml_that_expands_to(:more_than=>REXML::Security.entity_expansion_text_limit)
+
+    assert_raise(REXML::ParseException, "Expected exception with xml:\n#{xml}") do
+      REXML::Document.new(xml).root.text
+    end
+  end
+
+  private
+
+  def get_expandable_xml_that_expands_to(opts = {})
+    more_or_less = nil
+    num_text_expansions_required = if opts.has_key?(:less_than)
+      more_or_less = :less
+      opts[:less_than].to_i
+    elsif opts.has_key?(:more_than)
+      more_or_less = :more
+      opts[:more_than].to_i
+    else
+      raise ArgumentError.new("Argument must be either `:less_than=>x` or `:more_than=>x`, but was #{opts.inspect}")
+    end
+
+    expansion_keys = %w{a b}
+    expansion_text = "x"*1
+
+    expansions_per_key = Math.sqrt(num_text_expansions_required)
+    expansions_per_key = more_or_less == :more ? expansions_per_key.ceil : expansions_per_key.floor
+
+    <<-XML
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE member [
+<!ENTITY a "#{'%b;'*expansions_per_key}">
+<!ENTITY % b "#{'%x;'*expansions_per_key}">
+<!ENTITY % x "#{expansion_text}">
+]>
+<member>
+&a;
+</member>
+    XML
+  end
+
+end

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification 
+name: rails-security-backports
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Marcos Wright Kuhns
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2014-11-03 00:00:00 -08:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rake
+  version_requirements: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 9
+        version: "0.9"
+  prerelease: false
+  type: :development
+  requirement: *id001
+- !ruby/object:Gem::Dependency 
+  name: rails
+  version_requirements: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 1
+        - 2
+        version: "1.2"
+  prerelease: false
+  type: :development
+  requirement: *id002
+description: A collection of security-related Ruby & Rails patches backported from fixes in modern Ruby & Rails.
+email: marcos@wrightkuhns.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+files: 
+- .gitignore
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- lib/rails-security-backports.rb
+- lib/rails-security-backports/rails-cve-backports/cve-2013-0276.rb
+- lib/rails-security-backports/rails-cve-backports/cve-2013-0277.rb
+- lib/rails-security-backports/ruby-cve-backports/cve-2008-3790.rb
+- lib/rails-security-backports/ruby-cve-backports/cve-2014-8080.rb
+- lib/rails-security-backports/version.rb
+- rails-security-backports.gemspec
+- test/ruby-cve-2008-3790_test.rb
+- test/ruby-cve-2014-8080_test.rb
+has_rdoc: true
+homepage: https://github.com/metavida/rails-security-backports
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: 
+- --main
+- README.rdoc
+- --title
+- rails-security-backports-0.0.1
+- --inline-source
+- --exclude
+- tasks
+- CHANGELOG.md
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.4.2
+signing_key: 
+specification_version: 3
+summary: Backports of security patches for Ruby & Rails
+test_files: 
+- test/ruby-cve-2008-3790_test.rb
+- test/ruby-cve-2014-8080_test.rb