🚨 [security] [ruby] Update rack 3.1.17 → 3.1.18 (patch)
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ rack (indirect, 3.1.17 → 3.1.18) · Repo · Changelog
Security Advisories 🚨
🚨 Rack has a Possible Information Disclosure Vulnerability
Summary
A possible information disclosure vulnerability existed in
Rack::Sendfilewhen running behind a proxy that supportsx-sendfileheaders (such as Nginx). Specially crafted headers could causeRack::Sendfileto miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.Details
When
Rack::Sendfilereceived untrustedx-sendfile-typeorx-accel-mappingheaders from a client, it would interpret them as proxy configuration directives. This could cause the middleware to send a "redirect" response to the proxy, prompting it to reissue a new internal request that was not subject to the proxy's access controls.An attacker could exploit this by:
- Setting a crafted
x-sendfile-type: x-accel-redirectheader.- Setting a crafted
x-accel-mappingheader.- Requesting a path that qualifies for proxy-based acceleration.
Impact
Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes.
This issue only affected systems meeting all of the following conditions:
- The application used
Rack::Sendfilewith a proxy that supportsx-accel-redirect(e.g., Nginx).- The proxy did not always set or remove the
x-sendfile-typeandx-accel-mappingheaders.- The application exposed an endpoint that returned a body responding to
.to_path.Mitigation
Upgrade to a fixed version of Rack which requires explicit configuration to enable
x-accel-redirect:use Rack::Sendfile, "x-accel-redirect"Alternatively, configure the proxy to always set or strip the headers (you should be doing this!):
proxy_set_header x-sendfile-type x-accel-redirect; proxy_set_header x-accel-mapping /var/www/=/files/;Or in Rails applications, disable sendfile completely:
config.action_dispatch.x_sendfile_header = nil
🚨 Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
Summary
Rack::Request#POSTreads the entire request body into memory forContent-Type: application/x-www-form-urlencoded, callingrack.input.read(nil)without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.Details
When handling non-multipart form submissions, Rack’s request parser performs:
form_vars = get_header(RACK_INPUT).readSince
readis called with no argument, the entire request body is loaded into a RubyString. This occurs before query parameter parsing or enforcement of anyparams_limit. As a result, Rack applications without an upstream body-size limit can experience unbounded memory allocation proportional to request size.Impact
Attackers can send large
application/x-www-form-urlencodedbodies to consume process memory, causing slowdowns or termination by the operating system (OOM). The effect scales linearly with request size and concurrency. Even with parsing limits configured, the issue occurs before those limits are enforced.Mitigation
- Update to a patched version of Rack that enforces form parameter limits using
query_parser.bytesize_limit, preventing unbounded reads ofapplication/x-www-form-urlencodedbodies.- Enforce strict maximum body size at the proxy or web server layer (e.g., Nginx
client_max_body_size, ApacheLimitRequestBody).
Commits
See the full diff on Github. The new version differs by 5 commits:
👉 No CI detected
You don't seem to have any Continuous Integration service set up!
Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.
This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:
* Circle CI, Semaphore and Github Actions are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)