[Security] Bump rack from 2.0.4 to 2.2.3

[dependabot-preview]

Bumps rack from 2.0.4 to 2.2.3. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects rack There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.

The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

Impact

The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

Releases

The 1.6.12 and 2.0.8 releases are available at the normal locations.

Workarounds

There are no known workarounds.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a

Affected versions: >= 2.0.0, < 2.0.8

Sourced from The Ruby Advisory Database.

Possible information leak / session hijack vulnerability There's a possible information leak / session hijack vulnerability in Rack.

Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.

The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

Impact:

The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

Patched versions: ~> 1.6.12; >= 2.0.8 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Directory traversal in Rack::Directory app bundled with Rack There was a possible directory traversal vulnerability in the Rack::Directory app that is bundled with Rack.

Versions Affected: rack < 2.2.0 Not affected: Applications that do not use Rack::Directory. Fixed Versions: 2.1.3, >= 2.2.0

Impact

If certain directories exist in a director that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer.

Workarounds

Until such time as the patch is applied or their Rack version is upgraded, we recommend that developers do not use Rack::Directory in their

Patched versions: ~> 2.1.3; >= 2.2.0 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Percent-encoded cookies can be used to overwrite existing prefixed cookie names It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application that is dependent on this prefix to determine if a cookie is safe to process being manipulated into processing an insecure or cross-origin request. This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4 Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Impact

An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application.

Workarounds

Patched versions: ~> 2.1.4; >= 2.2.3 Unaffected versions: none

Sourced from The Ruby Advisory Database.

Possible DoS vulnerability in Rack There is a possible DoS vulnerability in the multipart parser in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16470.

Versions Affected: 2.0.4, 2.0.5 Not affected: <= 2.0.3 Fixed Versions: 2.0.6

Impact

There is a possible DoS vulnerability in the multipart parser in Rack. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.

Impacted code can look something like this:

Rack::Request.new(env).params

Patched versions: >= 2.0.6 Unaffected versions: <= 2.0.3

Sourced from The Ruby Advisory Database.

Possible XSS vulnerability in Rack There is a possible vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16471.

Versions Affected: All. Not affected: None. Fixed Versions: 2.0.6, 1.6.11

Impact

There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

Patched versions: ~> 1.6.11; >= 2.0.6 Unaffected versions: none

Changelog

Sourced from rack's changelog.

[2.2.3] - 2020-06-15

Security

• [CVE-2020-8184] Do not allow percent-encoded cookie name to override existing cookie names. BREAKING CHANGE: Accessing cookie names that require URL encoding with decoded name no longer works. (@fletchto99)

[2.2.2] - 2020-02-11

Fixed

• Fix incorrect Rack::Request#host value. (#1591, @ioquatix)
• Revert Rack::Handler::Thin implementation. (#1583, @jeremyevans)
• Double assignment is still needed to prevent an "unused variable" warning. (#1589, @kamipo)
• Fix to handle same_site option for session pool. (#1587, @kamipo)

[2.2.1] - 2020-02-09

Fixed

• Rework Rack::Request#ip to handle empty forwarded_for. (#1577, @ioquatix)

[2.2.0] - 2020-02-08

SPEC Changes

• rack.session request environment entry must respond to to_hash and return unfrozen Hash. (@jeremyevans)
• Request environment cannot be frozen. (@jeremyevans)
• CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. (@jeremyevans)
• Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. (#1561, @ioquatix)

Added

• rackup supports multiple -r options and will require all arguments. (@jeremyevans)
• Server supports an array of paths to require for the :require option. (@khotta)
• Files supports multipart range requests. (@fatkodima)
• Multipart::UploadedFile supports an IO-like object instead of using the filesystem, using :filename and :io options. (@jeremyevans)
• Multipart::UploadedFile supports keyword arguments :path, :content_type, and :binary in addition to positional arguments. (@jeremyevans)
• Static supports a :cascade option for calling the app if there is no matching file. (@jeremyevans)
• Session::Abstract::SessionHash#dig. (@jeremyevans)
• Response.[] and MockResponse.[] for creating instances using status, headers, and body. (@ioquatix)
• Convenient cache and content type methods for Rack::Response. (#1555, @ioquatix)

Changed

• Request#params no longer rescues EOFError. (@jeremyevans)
• Directory uses a streaming approach, significantly improving time to first byte for large directories. (@jeremyevans)
• Directory no longer includes a Parent directory link in the root directory index. (@jeremyevans)
• QueryParser#parse_nested_query uses original backtrace when reraising exception with new class. (@jeremyevans)
• ConditionalGet follows RFC 7232 precedence if both If-None-Match and If-Modified-Since headers are provided. (@jeremyevans)
• .ru files supports the frozen-string-literal magic comment. (@eregon)

Commits

• 1741c58 bump version
• 5ccca47 When parsing cookies, only decode the values
• a5e80f0 Bump version.
• b0de37d Remove trailing whitespace.
• 1a784e5 Prepare CHANGELOG for next patch release.
• a0d57d4 Fix to handle same_site option for session pool
• a9b223b Ensure full match. Fixes #1590.
• f4c5645 Double assignment is still needed to prevent an "unused variable" warning
• 5c121dd Revert "Update Thin handler to better handle more options"
• 961d976 Prepare point release.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)