internetee / auction_center

Estonian Internet Foundation's software for auctioning domain names

Update dependency rails to v7.0.8.1 [SECURITY] - autoclosed #1227

Closed renovate[bot] closed 4 months ago

renovate[bot] commented 4 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| rails (source, changelog) | 7.0.6 -> 7.0.8.1 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-26144

Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, > 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to cache this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa.

This was patched in 7.1.0 but not previously identified as a security vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers.

Credits

Thanks to tyage for reporting this!

CVE-2024-26143

Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers (translate, t, etc) in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2024-26143.

Versions Affected: >= 7.0.0
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications that use translation methods like translate or t on a controller with a key ending in "_html" and a :default key containing untrusted user input, where the resulting string is used in a view, may be susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

```ruby
class ArticlesController < ApplicationController
  def show
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end
```

To reiterate the pre-conditions, applications must:

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

Credits

Thanks to ooooooo_q for the patch and fix!


Release Notes

rails/rails (rails)

### [`v7.0.8.1`](https://togithub.com/rails/rails/releases/tag/v7.0.8.1): 7.0.8.1

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.8...v7.0.8.1)

#### Active Support

- No changes.

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- Fix possible XSS vulnerability with the `translate` method in controllers CVE-2024-26143

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- Disables the session in `ActiveStorage::Blobs::ProxyController` and `ActiveStorage::Representations::ProxyController` in order to allow caching by default in some CDNs as CloudFlare

  Fixes [#44136](https://togithub.com/rails/rails/issues/44136)

  *Bruno Prieto*

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v7.0.8`](https://togithub.com/rails/rails/releases/tag/v7.0.8): 7.0.8

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.7.2...v7.0.8)

##### Active Support

- Fix `TimeWithZone` still using deprecated `#to_s` when `ENV` or `config` to disable it are set.

  *Hartley McGuire*

- Fix CacheStore#write_multi when using a distributed Redis cache with a connection pool.

  Fixes [#48938](https://togithub.com/rails/rails/issues/48938).

  *Jonathan del Strother*

##### Active Model

- No changes.

##### Active Record

- Fix `change_column` not setting `precision: 6` on `datetime` columns when using 7.0+ Migrations and SQLite.

  *Hartley McGuire*

- Fix unscope is not working in specific case

  Before:

  ```ruby
  Post.where(id: 1...3).unscope(where: :id).to_sql
  # "SELECT `posts`.* FROM `posts` WHERE `posts`.`id` >= 1 AND `posts`.`id` < 3"
  ```

  After:

  ```ruby
  Post.where(id: 1...3).unscope(where: :id).to_sql
  # "SELECT `posts`.* FROM `posts`"
  ```

  Fixes [#48094](https://togithub.com/rails/rails/issues/48094).

  *Kazuya Hatanaka*

- Fix associations to a STI model including a `class_name` parameter

  ```ruby
  class Product < ApplicationRecord
    has_many :requests, as: :requestable, class_name: "ProductRequest", dependent: :destroy
  end

  # STI tables
  class Request < ApplicationRecord
    belongs_to :requestable, polymorphic: true
    validate :request_type, presence: true
  end

  class ProductRequest < Request
    belongs_to :user
  end
  ```

  Accessing such association would lead to:

  ```
  table_metadata.rb:22:in `has_column?': undefined method `key?' for nil:NilClass (NoMethodError)
  ```

  *Romain Filinto*

- Fix `change_table` setting datetime precision for 6.1 Migrations

  *Hartley McGuire*

- Fix change_column setting datetime precision for 6.1 Migrations

  *Hartley McGuire*

##### Action View

- Fix `form_for` missing the hidden `_method` input for models with a namespaced route.

  *Hartley McGuire*

- Fix `render collection: @records, cache: true` inside `jbuilder` templates

  The previous fix that shipped in `7.0.7` assumed template fragments are always strings, this isn't true with `jbuilder`.

  *Jean Boussier*

##### Action Pack

- Fix `HostAuthorization` potentially displaying the value of the X_FORWARDED_HOST header when the HTTP_HOST header is being blocked.

  *Hartley McGuire*, *Daniel Schlosser*

##### Active Job

- Fix Active Job log message to correctly report a job failed to enqueue when the adapter raises an `ActiveJob::EnqueueError`.

  *Ben Sheldon*

##### Action Mailer

- No changes.

##### Action Cable

- No changes.

##### Active Storage

- No changes.

##### Action Mailbox

- No changes.

##### Action Text

- No changes.

##### Railties

- Omit `webdrivers` gem dependency from `Gemfile` template

  *Sean Doyle*

### [`v7.0.7.2`](https://togithub.com/rails/rails/releases/tag/v7.0.7.2): 7.0.7.2

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.7.1...v7.0.7.2)

No changes between this and 7.0.7.2. This release was just to fix file permissions in the previous release.

### [`v7.0.7.1`](https://togithub.com/rails/rails/releases/tag/v7.0.7.1): 7.0.7.1

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.7...v7.0.7.1)

#### Active Support

- Use a temporary file for storing unencrypted files while editing [CVE-2023-38037]

#### Active Model

- No changes.

#### Active Record

- No changes.

#### Action View

- No changes.

#### Action Pack

- No changes.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- No changes.

### [`v7.0.7`](https://togithub.com/rails/rails/releases/tag/v7.0.7): 7.0.7

[Compare Source](https://togithub.com/rails/rails/compare/v7.0.6...v7.0.7)

#### Active Support

- Fix `Cache::NullStore` with local caching for repeated reads.

  *fatkodima*

- Fix `to_s` with no arguments not respecting custom `:default` formats

  *Hartley McGuire*

- Fix `ActiveSupport::Inflector.humanize(nil)` raising ``NoMethodError: undefined method `end_with?' for nil:NilClass``.

  *James Robinson*

- Fix `Enumerable#sum` for `Enumerator#lazy`.

  *fatkodima*, *Matthew Draper*, *Jonathan Hefner*

- Improve error message when EventedFileUpdateChecker is used without a compatible version of the Listen gem

  *Hartley McGuire*

#### Active Model

- Error.full_message now strips ":base" from the message.

  *zzak*

- Add a load hook for `ActiveModel::Model` (named `active_model`) to match the load hook for `ActiveRecord::Base` and allow for overriding aspects of the `ActiveModel::Model` class.

#### Active Record

- Restores functionality to the missing method when using enums and fixes.

  *paulreece*

- Fix `StatementCache::Substitute` with serialized type.

  *ywenc*

- Fix `:db_runtime` on notification payload when application have multiple databases.

  *Eileen M. Uchitelle*

- Correctly dump check constraints for MySQL 8.0.16+.

  *Steve Hill*

- Fix `ActiveRecord::QueryMethods#in_order_of` to include `nil`s, to match the behavior of `Enumerable#in_order_of`.

  For example, `Post.in_order_of(:title, [nil, "foo"])` will now include posts with `nil` titles, the same as `Post.all.to_a.in_order_of(:title, [nil, "foo"])`.

  *fatkodima*

- Revert "Fix autosave associations with validations added on `:base` of the associated objects."

  This change intended to remove the :base attribute from the message, but broke many assumptions which key these errors were stored.

  *zzak*

- Fix `#previously_new_record?` to return true for destroyed records.

  Before, if a record was created and then destroyed, `#previously_new_record?` would return true. Now, any UPDATE or DELETE to a record is considered a change, and will result in `#previously_new_record?` returning false.

  *Adrianna Chang*

- Revert breaking changes to `has_one` relationship deleting the old record before the new one is validated.

  *zzak*

- Fix support for Active Record instances being uses in queries.

  As of `7.0.5`, query arguments were deep duped to avoid mutations impacting the query cache, but this had the adverse effect to clearing the primary key when the query argument contained an `ActiveRecord::Base` instance.

  This broke the `noticed` gem.

  *Jean Boussier*

#### Action View

- Fix `render collection: @records, cache: true` to cache fragments as bare strings

  Previously it would incorrectly cache them as Action View buffers.

  *Jean Boussier*

- Don't double-encode nested `field_id` and `field_name` index values

  Pass `index: @options` as a default keyword argument to `field_id` and `field_name` view helper methods.

  *Sean Doyle*

#### Action Pack

- No changes.

#### Active Job

- No changes.

#### Action Mailer

- No changes.

#### Action Cable

- No changes.

#### Active Storage

- No changes.

#### Action Mailbox

- No changes.

#### Action Text

- No changes.

#### Railties

- Update default scaffold templates to set 303 (See Other) as status code on redirect for the update action for XHR requests other than GET or POST to avoid issues (e.g browsers trying to follow the redirect using the original request method resulting in double PATCH/PUT)

  *Guillermo Iguaran*

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
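The two advisories quoted in this PR describe their conditions in prose. The Ruby below is an added illustration, not code from Rails or from this repository, and uses only the standard library. It models both advisories: a simplified stand-in for a controller `translate` helper, showing why a key ending in `_html` combined with an untrusted `:default` reaches the view unescaped (CVE-2024-26143) and how escaping the caller-supplied default closes that path; and a response-header check that flags a blob response combining `Set-Cookie` with a shared-cacheable `Cache-Control`, the condition CVE-2024-26144 describes. `TRANSLATIONS`, `SafeString`, `translate_vulnerable`, `translate_fixed`, `render_in_view`, `shared_cache_would_store_cookie?`, the untrusted input and the sample header hashes are all constructed for this example; the "fixed" variant illustrates the approach of escaping the default, not the exact Rails patch.

```ruby
require "cgi"

# --- CVE-2024-26143: _html key + untrusted :default -----------------------

# Constructed locale data standing in for config/locales/*.yml.
TRANSLATIONS = { "greeting_html" => "<b>Welcome</b>" }.freeze

# Marker for a string the view layer will NOT escape again (the role that
# html_safe strings play in Rails). Hypothetical type, not the Rails one.
SafeString = Struct.new(:value)

# Models the affected behaviour: a key ending in "_html" marks the whole
# result as trusted, including a :default that may be user input.
def translate_vulnerable(key, default: nil)
  text = TRANSLATIONS.fetch(key) { default }
  key.end_with?("_html") ? SafeString.new(text) : text
end

# Models the remediation: locale-file text for an _html key stays trusted,
# but a caller-supplied default is HTML-escaped before it is marked safe.
def translate_fixed(key, default: nil)
  if TRANSLATIONS.key?(key)
    text = TRANSLATIONS[key]
  else
    text = key.end_with?("_html") ? CGI.escapeHTML(default.to_s) : default
  end
  key.end_with?("_html") ? SafeString.new(text) : text
end

# Minimal view rendering: plain strings are escaped, SafeStrings pass through.
def render_in_view(value)
  value.is_a?(SafeString) ? value.value : CGI.escapeHTML(value.to_s)
end

# Constructed untrusted input, e.g. a request parameter.
UNTRUSTED_INPUT = "<script>alert(1)</script>".freeze

# --- CVE-2024-26144: Set-Cookie on a publicly cacheable response -----------

# Returns true when a response carries a Set-Cookie header AND its
# Cache-Control allows shared caches to store it (public, without
# private/no-store). A proxy storing such a response would replay one user's
# session cookie to the next requester.
def shared_cache_would_store_cookie?(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  return false unless h.key?("set-cookie")

  directives = h.fetch("cache-control", "").downcase.split(",").map(&:strip)
  directives.include?("public") &&
    !(directives.include?("private") || directives.include?("no-store"))
end

# Constructed sample headers (not captured from a real Rails app).
BLOB_RESPONSE_WITH_SESSION = {
  "Content-Type"  => "image/png",
  "Cache-Control" => "public, max-age=300",
  "Set-Cookie"    => "_app_session=EXAMPLE; path=/; HttpOnly",
}.freeze

BLOB_RESPONSE_SESSION_DISABLED = {
  "Content-Type"  => "image/png",
  "Cache-Control" => "public, max-age=300",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_in_view(translate_vulnerable('message_html', default: UNTRUSTED_INPUT))}"
  puts "fixed:      #{render_in_view(translate_fixed('message_html', default: UNTRUSTED_INPUT))}"
  puts "cookie cacheable (before): #{shared_cache_would_store_cookie?(BLOB_RESPONSE_WITH_SESSION)}"
  puts "cookie cacheable (after):  #{shared_cache_would_store_cookie?(BLOB_RESPONSE_SESSION_DISABLED)}"
end
```

Run it with `ruby` to see the vulnerable path emit the script tag verbatim while the fixed path emits `&lt;script&gt;...`; the header check is the kind of assertion worth adding to an integration test for blob-serving endpoints after upgrading, since the 7.0.8.1 change removes the session from the proxy controllers rather than altering Cache-Control.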