Created by: dependabot-preview[bot]
Bumps actionpack from 6.1.3.1 to 6.1.3.2. This update includes security fixes.
Vulnerabilities fixed
Sourced from The GitHub Security Advisory Database.
Open Redirect in Action Pack Impact
This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com.
Releases
The fixed releases are available at the normal locations.
Workarounds
The following monkey patch put in an initializer can be used as a workaround.
... (truncated)
Affected versions: >= 6.1.0, <= 6.1.3.1
Sourced from The GitHub Security Advisory Database.
Denial of Service in Action Dispatch Impact
There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
Releases
The fixed releases are available at the normal locations.
Workarounds
The following monkey patch placed in an initializer can be used to work around the issue.
module Mime class Type MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/ end </tr></table>
... (truncated)
Affected versions: >= 6.1.0, <= 6.1.3.1
Sourced from The GitHub Security Advisory Database.
Denial of Service in Action Controller Token Authentication Impact
Impacted code uses
authenticate_or_request_with_http_token
orauthenticate_with_http_token
for request authentication. Impacted code will look something like this:class PostsController < ApplicationController before_action :authenticate private def authenticate authenticate_or_request_with_http_token do |token, options| # ... end end end
... (truncated)
Affected versions: >= 6.1.0, <= 6.1.3.1
Sourced from The GitHub Security Advisory Database.
Information Disclosure / Unintended Method Execution in Action Pack Impact
There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the
redirect_to
orpolymorphic_url
helper with untrusted user input.Vulnerable code will look like this.
redirect_to(params[:some_param])
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
... (truncated)
Affected versions: >= 6.1.0, <= 6.1.3.1
Release notes
Sourced from actionpack's releases.
6.1.3.2
Active Support
- No changes.
Active Model
- No changes.
Active Record
- No changes.
Action View
- No changes.
Action Pack
Prevent open redirects by correctly escaping the host allow list CVE-2021-22903
Prevent catastrophic backtracking during mime parsing CVE-2021-22902
Prevent regex DoS in HTTP token authentication CVE-2021-22904
Prevent string polymorphic route arguments.
url_for
supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.CVE-2021-22885
Gannon McGibbon
Active Job
... (truncated)
Changelog
Sourced from actionpack's changelog.
Rails 6.1.3.2 (May 05, 2021)
Prevent open redirects by correctly escaping the host allow list CVE-2021-22903
Prevent catastrophic backtracking during mime parsing CVE-2021-22902
Prevent regex DoS in HTTP token authentication CVE-2021-22904
Prevent string polymorphic route arguments.
url_for
supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.CVE-2021-22885
Gannon McGibbon
Commits
-
75ac626
Preparing for 6.1.3.2 release -
9c21201
Prep for release -
20a4e60
Prevent slow regex when parsing host authorization header -
1439db5
Escape allow list hosts correctly -
0303187
Prevent string polymorphic route arguments -
40f82dc
Prevent catastrophic backtracking during mime parsing - See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) -
@dependabot use these labels
will set the current labels as the default for future PRs for this repo and language -
@dependabot use these reviewers
will set the current reviewers as the default for future PRs for this repo and language -
@dependabot use these assignees
will set the current assignees as the default for future PRs for this repo and language -
@dependabot use this milestone
will set the current milestone as the default for future PRs for this repo and language -
@dependabot badge me
will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot dashboard:
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)