There is a security vulnerability with how requests are normalized when using Rails' ActionDispatch.
Versions Affected: < 4.3.0
Not affected: rack apps not using Rails
Fixed Versions: 4.3.1
Impact
When using rack-attack with a rails app, developers expect the request
path to be normalized. In particular, trailing slashes are stripped so
a request path "/login/" becomes "/login" by the time you're in
ActionController.
Since Rack::Attack runs before ActionDispatch, the request path is not
yet normalized. This can cause throttles and blacklists to not work as
expected.
E.g., a throttle:
throttle('logins', ...) {|req| req.path == "/login" }
would not match a request to '/login/', though Rails would route
'/login/' to the same '/login' action.
Releases
Install rack-attack 4.3.1 from rubygems.org.
# In Gemfile using bundler
gem 'rack-attack', '~> 4.3.1'
Workarounds
If you prefer not to upgrade, you may work around this issue by making sure your throttles, blacklists, etc handle an optional trailing slash in req.path.
For example:
# Unsafe:
throttle(...) { |req| req.path == '/login' }
# Safe:
throttle(...) { |req| req.path == '/login' || req.path == '/login/' }Credit
This vulnerability was reported by Andres Riancho from Include Security (@IncludeSecurity on GitHub and Twitter). Thank you, Andres & Include Security.
Other changes in v4.3.1
- Remove support for ruby 1.9.x
- Add Code of Conduct
- Several documentation and testing improvements
Changes: v4.3.0...v4.3.1