!55 [sync] PR-52: Fix CVE-2024-28103

From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2023-22792-test.patch

@@ -0,0 +1,58 @@
+diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
+index 23716c0aeb7b6..6f4b78c7208ea 100644
+--- a/actionpack/test/dispatch/cookies_test.rb
++++ b/actionpack/test/dispatch/cookies_test.rb
+@@ -247,6 +247,11 @@ def set_cookie_with_domain_and_tld
+       head :ok
+     end
+ 
++    def set_cookie_with_domain_and_longer_tld
++      cookies[:user_name] = { value: "rizwanreza", domain: :all, tld_length: 4 }
++      head :ok 
++    end
++
+     def delete_cookie_with_domain_and_tld
+       cookies.delete(:user_name, domain: :all, tld_length: 2)
+       head :ok
+@@ -1044,6 +1049,13 @@ def test_cookie_with_all_domain_option_using_australian_style_tld
+     assert_cookie_header "user_name=rizwanreza; domain=.nextangle.com.au; path=/; SameSite=Lax"
+   end
+ 
++  def test_cookie_with_all_domain_option_using_australian_style_tld_and_two_subdomains
++    @request.host = "x.nextangle.com.au"
++    get :set_cookie_with_domain
++    assert_response :success
++    assert_cookie_header "user_name=rizwanreza; domain=.nextangle.com.au; path=/; SameSite=Lax"
++  end
++
+   def test_cookie_with_all_domain_option_using_uk_style_tld
+     @request.host = "nextangle.co.uk"
+     get :set_cookie_with_domain
+@@ -1051,6 +1063,13 @@ def test_cookie_with_all_domain_option_using_uk_style_tld
+     assert_cookie_header "user_name=rizwanreza; domain=.nextangle.co.uk; path=/; SameSite=Lax"
+   end
+ 
++  def test_cookie_with_all_domain_option_using_uk_style_tld_and_two_subdomains
++    @request.host = "x.nextangle.co.uk"
++    get :set_cookie_with_domain
++    assert_response :success
++    assert_cookie_header "user_name=rizwanreza; domain=.nextangle.co.uk; path=/; SameSite=Lax"
++  end
++
+   def test_cookie_with_all_domain_option_using_host_with_port
+     @request.host = "nextangle.local:3000"
+     get :set_cookie_with_domain
+@@ -1113,6 +1132,13 @@ def test_cookie_with_all_domain_option_using_host_with_port_and_tld_length
+     assert_cookie_header "user_name=rizwanreza; domain=.nextangle.local; path=/; SameSite=Lax"
+   end
+ 
++  def test_cookie_with_all_domain_option_using_longer_tld_length
++    @request.host = "x.y.z.t.com"
++    get :set_cookie_with_domain_and_longer_tld
++    assert_response :success
++    assert_cookie_header "user_name=rizwanreza; domain=.y.z.t.com; path=/; SameSite=Lax"
++  end
++
+   def test_deleting_cookie_with_all_domain_option_and_tld_length
+     request.cookies[:user_name] = "Joe"
+     get :delete_cookie_with_domain_and_tld

CVE-2023-22792.patch

@@ -0,0 +1,78 @@
+From 7a7f37f146aa977350cf914eba20a95ce371485f Mon Sep 17 00:00:00 2001
+From: sabulikia <sabakiaei@gmail.com>
+Date: Thu, 7 Jul 2022 16:10:20 -0400
+Subject: [PATCH] Use string#split instead of regex for domain parts
+
+[CVE-2023-22792]
+---
+ .../lib/action_dispatch/middleware/cookies.rb | 48 +++++++++++--------
+ actionpack/test/dispatch/cookies_test.rb      | 26 ++++++++++
+ 2 files changed, 54 insertions(+), 20 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
+index ac5844723303a..335122adb5c73 100644
+--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
++++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
+@@ -283,20 +283,6 @@ def signed_cookie_digest
+     class CookieJar #:nodoc:
+       include Enumerable, ChainedCookieJars
+ 
+-      # This regular expression is used to split the levels of a domain.
+-      # The top level domain can be any string without a period or
+-      # **.**, ***.** style TLDs like co.uk or com.au
+-      #
+-      # www.example.co.uk gives:
+-      # $& => example.co.uk
+-      #
+-      # example.com gives:
+-      # $& => example.com
+-      #
+-      # lots.of.subdomains.example.local gives:
+-      # $& => example.local
+-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
+-
+       def self.build(req, cookies)
+         jar = new(req)
+         jar.update(cookies)
+@@ -449,13 +435,35 @@ def handle_options(options)
+           options[:same_site] ||= cookies_same_site_protection.call(request)
+ 
+           if options[:domain] == :all || options[:domain] == "all"
+-            # If there is a provided tld length then we use it otherwise default domain regexp.
+-            domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
++            cookie_domain = ""
++            dot_splitted_host = request.host.split('.', -1)
++
++            # Case where request.host is not an IP address or it's an invalid domain
++            # (ip confirms to the domain structure we expect so we explicitly check for ip)
++            if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
++              options[:domain] = nil
++              return
++            end
++
++            # If there is a provided tld length then we use it otherwise default domain.
++            if options[:tld_length].present? 
++              # Case where the tld_length provided is valid
++              if dot_splitted_host.length >= options[:tld_length]
++                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
++              end
++            # Case where tld_length is not provided
++            else
++              # Regular TLDs
++              if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
++                cookie_domain = dot_splitted_host.last(2).join('.')
++              # **.**, ***.** style TLDs like co.uk and com.au
++              else
++                cookie_domain = dot_splitted_host.last(3).join('.')
++              end
++            end
+ 
+-            # If host is not ip and matches domain regexp.
+-            # (ip confirms to domain regexp so we explicitly check for ip)
+-            options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
+-              ".#{$&}"
++            options[:domain] = if cookie_domain.present?
++              ".#{cookie_domain}"
+             end
+           elsif options[:domain].is_a? Array
+             # If host matches one of the supplied domains.

CVE-2023-22795.patch

@@ -0,0 +1,23 @@
+From 484fc9185db6c6a6a49ab458b11f9366da02bab2 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Fri, 13 Jan 2023 15:54:40 -0800
+Subject: [PATCH] Avoid regex backtracking on If-None-Match header
+
+[CVE-2023-22795]
+---
+ actionpack/lib/action_dispatch/http/cache.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/cache.rb b/actionpack/lib/action_dispatch/http/cache.rb
+index 9c46c5c8a4d81..d9d6f325342ea 100644
+--- a/actionpack/lib/action_dispatch/http/cache.rb
++++ b/actionpack/lib/action_dispatch/http/cache.rb
+@@ -18,7 +18,7 @@ def if_none_match
+         end
+ 
+         def if_none_match_etags
+-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
++          if_none_match ? if_none_match.split(",").each(&:strip!) : []
+         end
+ 
+         def not_modified?(modified_at)

CVE-2023-28362-test.patch

@@ -0,0 +1,36 @@
+
+diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb
+index e218ef35e483b..c088d96413132 100644
+--- a/actionpack/test/controller/redirect_test.rb
++++ b/actionpack/test/controller/redirect_test.rb
+@@ -153,6 +153,11 @@ def redirect_with_null_bytes
+     redirect_to "\000/lol\r\nwat"
+   end
+ 
++  def unsafe_redirect_with_illegal_http_header_value_character
++    redirect_to "javascript:alert(document.domain)\b"
++  end
++
++
+   def rescue_errors(e) raise e end
+ 
+   private
+@@ -437,6 +442,18 @@ def test_redirect_to_with_block_and_accepted_options
+       assert_redirected_to "http://test.host/redirect/hello_world"
+     end
+   end
++
++  def test_unsafe_redirect_with_illegal_http_header_value_character
++    error = assert_raise(ActionController::Redirecting::UnsafeRedirectError) do
++      get :unsafe_redirect_with_illegal_http_header_value_character
++    end
++
++    msg = "The redirect URL javascript:alert(document.domain)\b contains one or more illegal HTTP header field character. " \
++      "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
++
++    assert_equal msg, error.message
++  end
++
+ end
+ 
+ module ModuleTest

CVE-2023-28362.patch

@@ -0,0 +1,71 @@
+From 1c3f93d1e90a3475f9ae2377ead25ccf11f71441 Mon Sep 17 00:00:00 2001
+From: Zack Deveau <zack.ref@gmail.com>
+Date: Fri, 12 May 2023 13:04:22 -0400
+Subject: [PATCH] Added check for illegal HTTP header value in redirect_to
+
+The set of legal characters for an HTTP header value is described
+in https://datatracker.ietf.org/doc/html/rfc7230\#section-3.2.6.
+
+This commit adds a check to redirect_to that ensures the
+provided URL does not contain any of the illegal characters.
+
+Downstream consumers of the resulting Location response header
+may remove the header if it does not comply with the RFC.
+This can result in a cross site scripting (XSS) vector by
+allowing for the redirection page to sit idle waiting
+for user interaction with the provided malicious link.
+
+[CVE-2023-28362]
+
+Origin: https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
+
+---
+ .../action_controller/metal/redirecting.rb    | 21 ++++++++++++++++++-
+ actionpack/test/controller/redirect_test.rb   | 17 +++++++++++++++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
+index 11d462855d064..fdd3f9dc44149 100644
+--- a/actionpack/lib/action_controller/metal/redirecting.rb
++++ b/actionpack/lib/action_controller/metal/redirecting.rb
+@@ -7,6 +7,10 @@ module Redirecting
+     include AbstractController::Logger
+     include ActionController::UrlFor
+ 
++    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
++
++    class UnsafeRedirectError < StandardError; end
++
+     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+     #
+     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
+@@ -60,7 +64,11 @@ def redirect_to(options = {}, response_options = {})
+       raise AbstractController::DoubleRenderError if response_body
+ 
+       self.status        = _extract_redirect_to_status(options, response_options)
+-      self.location      = _compute_redirect_to_location(request, options)
++
++      redirect_to_location = _compute_redirect_to_location(request, options)
++      _ensure_url_is_http_header_safe(redirect_to_location)
++
++      self.location      = redirect_to_location
+       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+     end
+ 
+@@ -129,5 +137,16 @@ def _url_host_allowed?(url)
+       rescue ArgumentError, URI::Error
+         false
+       end
++
++      def _ensure_url_is_http_header_safe(url)
++        # Attempt to comply with the set of valid token characters
++        # defined for an HTTP header value in
++        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
++        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
++          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
++            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
++          raise UnsafeRedirectError, msg
++        end
++      end
+   end
+ end

CVE-2024-28103-test.patch

@@ -0,0 +1,62 @@
+diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
+index 030e37942bd0e..533b59a55094d 100644
+--- a/actionpack/test/dispatch/permissions_policy_test.rb
++++ b/actionpack/test/dispatch/permissions_policy_test.rb
+@@ -41,6 +41,57 @@ def test_invalid_directive_source
+   end
+ end
+ 
++class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
++  APP = ->(env) { [200, {}, []] }
++
++  POLICY = ActionDispatch::PermissionsPolicy.new do |p|
++    p.gyroscope :self
++  end
++
++  class PolicyConfigMiddleware
++    def initialize(app)
++      @app = app
++    end
++
++    def call(env)
++      env["action_dispatch.permissions_policy"] = POLICY
++      env["action_dispatch.show_exceptions"] = :none
++
++      @app.call(env)
++    end
++  end
++
++  test "html requests will set a policy" do
++    @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
++    # Dummy CONTENT_TYPE to avoid including backport of the following commit in
++    # a security-related patch:
++    # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
++    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
++
++    assert_equal "text/html", response.headers['Content-Type']
++    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
++  end
++
++  test "non-html requests will set a policy" do
++    @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
++    get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
++
++    assert_equal "application/json", response.headers['Content-Type']
++    assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
++  end
++
++  private
++    def build_app(app)
++      PolicyConfigMiddleware.new(
++        Rack::Lint.new(
++          ActionDispatch::PermissionsPolicy::Middleware.new(
++            Rack::Lint.new(app),
++          ),
++        ),
++      )
++    end
++end
++
+ class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
+   class PolicyController < ActionController::Base
+     permissions_policy only: :index do |f|

CVE-2024-28103.patch

@@ -0,0 +1,43 @@
+From b329b261dd32a61316f2831788d6078ca0563ab6 Mon Sep 17 00:00:00 2001
+From: Zack Deveau <zack.ref@gmail.com>
+Date: Wed, 28 Feb 2024 16:49:11 -0500
+Subject: [PATCH] include the HTTP Permissions-Policy on non-HTML Content-Types
+
+[CVE-2024-28103]
+The application configurable Permissions-Policy is only
+served on responses with an HTML related Content-Type.
+
+This change allows all Content-Types to serve the
+configured Permissions-Policy as there are many non-HTML
+Content-Types that would benefit from this header.
+(examples include image/svg+xml and application/xml)
+---
+ .../http/permissions_policy.rb                |  7 ---
+ .../test/dispatch/permissions_policy_test.rb  | 51 +++++++++++++++++++
+ 2 files changed, 51 insertions(+), 7 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/permissions_policy.rb b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+index d1917a7193696..b190faa3e894f 100644
+--- a/actionpack/lib/action_dispatch/http/permissions_policy.rb
++++ b/actionpack/lib/action_dispatch/http/permissions_policy.rb
+@@ -21,7 +21,6 @@ def call(env)
+         request = ActionDispatch::Request.new(env)
+         _, headers, _ = response = @app.call(env)
+ 
+-        return response unless html_response?(headers)
+         return response if policy_present?(headers)
+ 
+         if policy = request.permissions_policy
+@@ -36,12 +35,6 @@ def call(env)
+       end
+ 
+       private
+-        def html_response?(headers)
+-          if content_type = headers[CONTENT_TYPE]
+-            /html/.match?(content_type)
+-          end
+-        end
+-
+         def policy_present?(headers)
+           headers[POLICY]
+         end

rubygem-actionpack.spec

@@ -4,13 +4,23 @@
 Name:		rubygem-%{gem_name}
 Epoch:		1
 Version:	6.1.4.1
-Release: 	1
+Release: 	5
 Summary: 	Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: 	MIT
 URL: 		http://rubyonrails.org
 Source0: 	https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1: 	%{gem_name}-%{version}-tests.txz
 Source2: 	rails-%{version}-tools.txz
+Patch0: 	CVE-2023-28362.patch
+Patch1: 	CVE-2023-28362-test.patch
+# https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f
+Patch2:         CVE-2023-22792.patch
+Patch3:         CVE-2023-22792-test.patch
+# https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
+Patch4:         CVE-2023-22795.patch
+# https://github.com/rails/rails/commit/b329b261dd32a61316f2831788d6078ca0563ab6
+Patch5:         CVE-2024-28103.patch
+Patch6:         CVE-2024-28103-test.patch
 
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: 	ruby(release)
@@ -48,6 +58,16 @@ Documentation for %{name}.
 
 %prep
 %setup -q -n %{gem_name}-%{version}%{?prerelease} -b1 -b2
+%patch0 -p2
+%patch2 -p2
+%patch4 -p2
+%patch5 -p2
+pushd %{_builddir}
+%patch1 -p2
+%patch3 -p2
+%patch6 -p2
+popd
+
 
 %build
 gem build ../%{gem_name}-%{version}%{?prerelease}.gemspec
@@ -69,7 +89,6 @@ for tname in 'rendering a relative path with dot' 'rendering a relative path'; d
     test/controller/new_base/render_file_test.rb
 done
 
-sed -i '/\s*"browserName" => "\S*"\s*$/ d' test/dispatch/system_testing/driver_test.rb
 find test -type f -name '*_test.rb' -print0 | \
   sort -z | \
   xargs -0 -n1 -i sh -c "echo '* Test file: {}'; ruby -Ilib:test -- '{}' || exit 255"
@@ -90,7 +109,19 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
-* Thu May 03 2022 wangkerong <wangkerong@h-partners.com>- 6.1.4.1-1
+* Thu Jun 06 2024 yaoxin <yao_xin001@hoperun.com> - 1:6.1.4.1-5
+- Fix CVE-2024-28103
+
+* Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:6.1.4.1-4
+- Fix CVE-2023-22792 and CVE-2023-22795
+
+* Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:6.1.4.1-3
+- Fix CVE-2023-28362
+
+* Thu Oct 20 2022 caodongxia <caodongxia@h-partners.com> - 1:6.1.4.1-2
+- Fix compilation failed
+
+* Tue May 03 2022 wangkerong <wangkerong@h-partners.com>- 6.1.4.1-1
 - Upgrade to 6.1.4.1
 
 * Mon Jun 28 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-3