Patch for CVE-2020-11082 for kaminari v0.17.0

[utkarsh2102]

Hi @yuki24,

I am sorry for raising this up but wanted a bit more clarity on the patch for CVE-2020-11082.
We have a Debian package of kaminari and in oldstable (Stretch) release, the version of kaminari is v0.17.0.

Since the patch for CVE-2020-11082 cannot be backported to this version, the patch that you mentioned at #1020 (comment) should be used to mitigate the risk, how?

By creating a config/initializers/kaminari.rb in our Rails app, right? But how to patch this library itself for v0.17.0?

Am I missing something?

CC: @JamesChevalier (hoping you'd know as well!)

[JamesChevalier]

I'm not aware of a library-level patch, only the patch at the app level. I ended up with:

module KaminariSecurityPatch
  prepend_features Kaminari::Helpers::Tag

  PARAM_KEY_DENIED_LIST = ["authenticity_token", "commit", "utf8", "method", "script_name", "original_script_name"].freeze

  def page_url_for(page)
    params = @params.merge(@param_name => (page <= 1 ? nil : page), only_path: true).except(*PARAM_KEY_DENIED_LIST)
    @template.url_for(params)
  end
end

[utkarsh2102]

Ah, thanks @JamesChevalier! ❤️
However, I am looking for a library-level patch. Maybe @yuki24 would know?

[ruurd]

(@param_name => (page <= 1 ? nil : page)

I think you need to check if it is OK to remove the page parameter from the kaminari configuration.