Fix CVE-2024-28103

(cherry picked from commit 57470a5c4761deb4a1edc7688c6aca2da9186b74)
2024-06-06 09:40:58 +08:00 · 2024-06-06 09:40:58 +08:00 · 2a6a446f35
commit 2a6a446f35
parent 52536829da
3 changed files with 114 additions and 1 deletions
--- a/CVE-2024-28103-test.patch
+++ b/CVE-2024-28103-test.patch
@ -0,0 +1,62 @@
+diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
+index 030e37942bd0e..533b59a55094d 100644
+--- a/actionpack/test/dispatch/permissions_policy_test.rb
+++ b/actionpack/test/dispatch/permissions_policy_test.rb
+@@ -41,6 +41,57 @@ def test_invalid_directive_source
+   end
+ end
+ 
+class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
+  APP = ->(env) { [200, {}, []] }
+
+  POLICY = ActionDispatch::PermissionsPolicy.new do |p|
+    p.gyroscope :self
+  end
+
+  class PolicyConfigMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      env["action_dispatch.permissions_policy"] = POLICY
+      env["action_dispatch.show_exceptions"] = :none
+
+      @app.call(env)
+    end
+  end
+
+  test "html requests will set a policy" do
+    @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
+    # Dummy CONTENT_TYPE to avoid including backport of the following commit in
+    # a security-related patch:
+    # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
+    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+    assert_equal "text/html", response.headers['Content-Type']
+    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+  end
+
+  test "non-html requests will set a policy" do
+    @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
+    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+    assert_equal "application/json", response.headers['Content-Type']
+    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+  end
+
+  private
+    def build_app(app)
+      PolicyConfigMiddleware.new(
+        Rack::Lint.new(
+          ActionDispatch::PermissionsPolicy::Middleware.new(
+            Rack::Lint.new(app),
+          ),
+        ),
+      )
+    end
+end
+
+ class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
+   class PolicyController < ActionController::Base
+     permissions_policy only: :index do |f|
--- a/CVE-2024-28103.patch
+++ b/CVE-2024-28103.patch
@ -0,0 +1,43 @@
+From b329b261dd32a61316f2831788d6078ca0563ab6 Mon Sep 17 00:00:00 2001
+From: Zack Deveau <zack.ref@gmail.com>
+Date: Wed, 28 Feb 2024 16:49:11 -0500
+Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
+
+[CVE-2024-28103]
+The application configurable Permissions-Policy is only
+served on responses with an HTML related Content-Type.
+
+This change allows all Content-Types to serve the
+configured Permissions-Policy as there are many non-HTML
+Content-Types that would benefit from this header.
+(examples include image/svg+xml and application/xml)
+---
+ .../http/permissions_policy.rb                |  7 ---
+ .../test/dispatch/permissions_policy_test.rb  | 51 +++++++++++++++++++
+ 2 files changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+index d1917a7193696..b190faa3e894f 100644
+--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
+++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+@@ -21,7 +21,6 @@ def call(env)
+         request = ActionDispatch::Request.new(env)
+         _, headers, _ = response = @app.call(env)
+ 
+-        return response unless html_response?(headers)
+         return response if policy_present?(headers)
+ 
+         if policy = request.permissions_policy
+@@ -36,12 +35,6 @@ def call(env)
+       end
+ 
+       private
+-        def html_response?(headers)
+-          if content_type = headers[CONTENT_TYPE]
+-            /html/.match?(content_type)
+-          end
+-        end
+-
+         def policy_present?(headers)
+           headers[POLICY]
+         end
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@ -4,7 +4,7 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	6.1.4.1
-Release: 	4
+Release: 	5
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
@ -18,6 +18,9 @@ Patch2:         CVE-2023-22792.patch
 Patch3:         CVE-2023-22792-test.patch
 # https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
 Patch4:         CVE-2023-22795.patch
+# https://github.com/rails/rails/commit/b329b261dd32a61316f2831788d6078ca0563ab6
+Patch5:         CVE-2024-28103.patch
+Patch6:         CVE-2024-28103-test.patch

 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@ -58,9 +61,11 @@ Documentation for %{name}.
 %patch0 -p2
 %patch2 -p2
 %patch4 -p2
+%patch5 -p2
 pushd %{_builddir}
 %patch1 -p2
 %patch3 -p2
+%patch6 -p2
 popd


@ -104,6 +109,9 @@ popd
 %doc %{gem_instdir}/README.rdoc

 %changelog
+* Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:6.1.4.1-5
+- Fix CVE-2024-28103
+
 * Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:6.1.4.1-4
 - Fix CVE-2023-22792 and CVE-2023-22795