unpoly-rails 2.0.0.pre.rc2

1 security vulnerability found in version 2.0.0.pre.rc2

unpoly-rails Denial of Service vulnerability

medium severity CVE-2023-28846
medium severity CVE-2023-28846
Patched versions: >= 2.7.2.2

There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.

Impact

This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks.

The unpoly-rails gem echoes the request URL as an X-Up-Location response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.

If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.

Workarounds

If you cannot upgrade to a fixed release, several workarounds are available:

  • Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness.

  • Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL.

  • Instead of changing your server configuration you may also configure your Rails application to delete redundant X-Up-Location headers set by unpoly-rails:

    class ApplicationController < ActionController::Base
    
      after_action :remove_redundant_up_location_header
    
      private
    
      def remove_redundant_up_location_header
        if request.original_url == response.headers['X-Up-Location']
          response.headers.delete('X-Up-Location')
        end
      end
    
    end
    

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.