Skip to content

v4.3.1: Security release
Compare
Choose a tag to compare
@ktheory ktheory released this 18 Dec 17:37
· 581 commits to main since this release
v4.3.1
4ec58e3

There is a security vulnerability with how requests are normalized when using Rails' ActionDispatch.

Versions Affected: < 4.3.0
Not affected: rack apps not using Rails
Fixed Versions: 4.3.1

Impact

When using rack-attack with a rails app, developers expect the request
path to be normalized. In particular, trailing slashes are stripped so
a request path "/login/" becomes "/login" by the time you're in
ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not
yet normalized. This can cause throttles and blacklists to not work as
expected.

E.g., a throttle:

throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route
'/login/' to the same '/login' action.

Releases

Install rack-attack 4.3.1 from rubygems.org.

# In Gemfile using bundler
gem 'rack-attack', '~> 4.3.1'

Workarounds

If you prefer not to upgrade, you may work around this issue by making sure your throttles, blacklists, etc handle an optional trailing slash in req.path.

For example:

# Unsafe:
throttle(...) { |req| req.path == '/login' }

# Safe:
throttle(...) { |req| req.path == '/login' || req.path == '/login/' }

Credit

This vulnerability was reported by Andres Riancho from Include Security (@IncludeSecurity on GitHub and Twitter). Thank you, Andres & Include Security.

Other changes in v4.3.1

  • Remove support for ruby 1.9.x
  • Add Code of Conduct
  • Several documentation and testing improvements

Changes: v4.3.0...v4.3.1

Assets 2
Loading