Sha256: 9f36a6b67133e3a458c8c10526481f5bf7c3e8a38bd8e9e3d26cc7e83150de3c

Contents?: true

Size: 1.11 KB

Versions: 21

Compression:

Stored size: 1.11 KB

Contents

# frozen_string_literal: true

if Gem.loaded_specs["rack"].version >= Gem::Version.new("3.0.0")
  fail <<~ERR
    This patch is unnecessary in Rack versions 3.0.0 or newer.
    Please remove this file and the associated spec.

    See https://github.com/rack/rack/blob/main/CHANGELOG.md#security (issue #1733)
  ERR
end

# Patches a cache poisoning attack vector in Rack by not allowing semicolons
# to delimit query parameters.
# See https://github.com/rack/rack/issues/1732.
#
# Solution is taken from the same issue.
#
# The actual patch is due for release in Rack 3.0.0.
module Rack
  class Request # rubocop:disable Style/Documentation
    Helpers.module_eval do
      # rubocop: disable Naming/MethodName
      def GET
        if get_header(RACK_REQUEST_QUERY_STRING) == query_string
          get_header(RACK_REQUEST_QUERY_HASH)
        else
          query_hash = parse_query(query_string, "&") # only allow ampersand here
          set_header(RACK_REQUEST_QUERY_STRING, query_string)
          set_header(RACK_REQUEST_QUERY_HASH, query_hash)
        end
      end
      # rubocop: enable Naming/MethodName
    end
  end
end

Version data entries

21 entries across 21 versions & 1 rubygems

Version Path
gitlab-exporter-11.18.2 lib/gitlab_exporter/rack_vulndb_255039_patch.rb