author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-08-26 17:39:41 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-08-26 17:39:41 +0300 |
commit | 93fd80667dcfbacca2b41168da6fcb3f67c0899b (patch) | |
tree | 17d0bd9c303b7a0dbed87811e438d10fee49991f /config | |
parent | f332982c82ad95ae2ee22242c39f78717613165f (diff) |
Add latest changes from gitlab-org/security/gitlab@15-3-stable-ee
Diffstat (limited to 'config')
-rw-r--r-- | config/initializers/rack_VULNDB-255039_patch.rb | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/config/initializers/rack_VULNDB-255039_patch.rb b/config/initializers/rack_VULNDB-255039_patch.rb
new file mode 100644
index 00000000000..b613ed9bdb1
--- /dev/null
+++ b/config/initializers/rack_VULNDB-255039_patch.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+if Gem.loaded_specs['rack'].version >= Gem::Version.new("3.0.0")
+ raise <<~ERR
+ This patch is unnecessary in Rack versions 3.0.0 or newer.
+ Please remove this file and the associated spec.
+
+ See https://github.com/rack/rack/blob/main/CHANGELOG.md#security (issue #1733)
+ ERR
+end
+
+# Patches a cache poisoning attack vector in Rack by not allowing semicolons
+# to delimit query parameters.
+# See https://github.com/rack/rack/issues/1732.
+#
+# Solution is taken from the same issue.
+#
+# The actual patch is due for release in Rack 3.0.0.
+module Rack
+ class Request
+ Helpers.module_eval do
+ # rubocop: disable Naming/MethodName
+ def GET
+ if get_header(RACK_REQUEST_QUERY_STRING) == query_string
+ get_header(RACK_REQUEST_QUERY_HASH)
+ else
+ query_hash = parse_query(query_string, '&') # only allow ampersand here
+ set_header(RACK_REQUEST_QUERY_STRING, query_string)
+ set_header(RACK_REQUEST_QUERY_HASH, query_hash)
+ end
+ end
+ # rubocop: enable Naming/MethodName
+ end
+ end
+end |
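Review bot: The override narrows only `Rack::Request#GET` to the `&` separator; as far as I recall, in Rack 2.x the underlying `Rack::QueryParser` (and `Rack::Utils.parse_nested_query`, which callers in the app may use on raw `QUERY_STRING` values) still splits on both `&` and `;` by default, so a consumer that bypasses `request.GET` remains exposed to the same key-splitting mismatch the header comment describes. That scope limit is worth stating in the file's header comment so nobody assumes the whole parser was hardened: `# NOTE: only Rack::Request#GET is narrowed here; Rack::Utils.parse_nested_query and Rack::QueryParser still accept ';' as a separator, so do not parse QUERY_STRING directly for cache-key or authorization decisions.` A smaller robustness point is the boot guard, which calls `.version` on `Gem.loaded_specs['rack']` without a nil check; that is fine under Bundler, but a path-loaded rack would turn the intended "patch is obsolete" error into a `NoMethodError`, so `Gem.loaded_specs['rack']&.version` plus an explicit message would fail more clearly. The `def GET` body here matches the upstream solution referenced in the comment, so I have no concern about the parsing change itself.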