New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency sinatra to v4 [SECURITY] #197

Open

renovate wants to merge 1 commit into master from renovate/rubygems-sinatra-vulnerability

Contributor

renovate bot commented Jul 28, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sinatra (source, changelog)	`'2.0.4'` -> `'4.1.0'`

GitHub Vulnerability Alerts

CVE-2022-29970

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

CVE-2022-45442

Description

An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

References

CVE-2024-21510

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

Release Notes

sinatra/sinatra (sinatra)

`v4.1.0`

New: Add host_authorization setting (#2053)
- Defaults to .localhost, .test and any IP address in development mode.
- Security: addresses CVE-2018-11627.
Fix: Return an instance of Sinatra::IndifferentHash when calling #except (#2044)
Fix: Address warning from URI for Ruby 3.4 (#2060)
Fix: rackup no longer depends on WEBrick, recommend Puma instead (4a558503)
Fix: Zeitwerk 2.7.0+ compatibility (#2050)
Fix: Address warning about Hash construction for Ruby 3.4 (#2028)
Fix: Declare missing dependencies for Ruby 3.5 (#2032)
Fix: Compatibility with --enable-frozen-string-literal (#2033)
Fix: Rack 3.1 compatibility (#2035)
- Don't depend on Rack::Logger
- Don't delete content-length header when Rack::Files is used

`v4.0.0`

New: Add support for Rack 3 (#1857)
- Note: you may want to read the Rack 3 Upgrade Guide
Require Ruby 2.7.8 as minimum Ruby version (#1993)
Breaking change: Drop support for Rack 2 (#1857)
- Note: when using Sinatra to start the web server, you now need the rackup gem installed
Breaking change: Remove the IndifferentHash initializer (#1982)
Breaking change: Disable session_hijacking protection by default (#1984)
Breaking change: Remove Rack::Protection::EncryptedCookie (#1989)
- Note: cookies are still encrypted (by [Rack::Session::Cookie][Rack::Session::Cookie])

`v3.2.0`

New: Add #except method to Sinatra::IndifferentHash (#1940)
New: Use Exception#detailed_message to show backtrace (#1952)
New: Add Sinatra::HamlHelpers to sinatra-contrib (#1960)
Fix: Add base64 to rack-protection runtime dependencies (#1946)
Fix: Avoid open-ended dependencies for sinatra-contrib and rack-protection (#1949)
Fix: Helpful message when Sinatra::Runner times out (#1975)
Fix: Ruby 3.3 + Bundler 2.5 compatibility (#1975)

`v3.1.0`

New: Add sass support via sass-embedded #1911 by なつき
New: Add start and stop callbacks #1913 by Jevin Sew
New: Warn on dropping sessions #1900 by Jonathan del Strother
New: Make Puma the default server #1924 by Patrik Ragnarsson
Fix: Remove use of Tilt::Cache #1922 by Jeremy Evans (allows use of Tilt 2.2.0 without deprecation warning)
Fix: rack-protection: specify rack version requirement #1932 by Patrik Ragnarsson

`v3.0.6`

Fix: Add support to keep open streaming connections with Puma #1858 by Jordan Owens
Fix: Avoid crash in uri helper on Integer input #1890 by Patrik Ragnarsson
Fix: Rescue RuntimeError when trying to use SecureRandom #1888 by Stefan Sundin

`v3.0.5`

Fix: Add Zeitwerk compatibility. #1831 by Dawid Janczak
Fix: Allow CALLERS_TO_IGNORE to be overridden

`v3.0.4`

Fix: Escape filename in the Content-Disposition header. #1841 by Kunpei Sakai

`v3.0.3`

Fix: fixed ReDoS for Rack::Protection::IPSpoofing. #1823 by @ooooooo-q

`v3.0.2`

New: Add Haml 6 support. #1820 by Jordan Owens

`v3.0.1`

Fix: Revert removal of rack-protection.rb. #1814 by Olle Jonsson
Fix: Revert change to server start and stop messaging by using Kernel#warn. Renamed internal warn method warn_for_deprecation. #1818 by Jordan Owens

`v3.0.0`

New: Add Falcon support. #1794 by Samuel Williams and @horaciob
New: Add AES GCM encryption support for session cookies. [#1324] (https://github.com/sinatra/sinatra/pull/1324) by Michael Coyne
Deprecated: Sinatra Reloader will be removed in the next major release.
Fix: Internal Sinatra errors now extend Sinatra::Error. This fixes #1204 and #1518. bda8c29d by Jordan Owens
Fix: Preserve query param value if named route param nil. #1676 by Jordan Owens
Require Ruby 2.6 as minimum Ruby version. #1699 by Eloy Pérez
Breaking change: Remove support for the Stylus template engine. #1697 by Eloy Pérez
Breaking change: Remove support for the erubis template engine. #1761 by Eloy Pérez
Breaking change: Remove support for the textile template engine. #1766 by Eloy Pérez
Breaking change: Remove support for SASS as a template engine. #1768 by Eloy Pérez
Breaking change: Remove support for Wlang as a template engine. #1780 by Eloy Pérez
Breaking change: Remove support for CoffeeScript as a template engine. #1790 by Eloy Pérez
Breaking change: Remove support for Mediawiki as a template engine. #1791 by Eloy Pérez
Breaking change: Remove support for Creole as a template engine. #1792 by Eloy Pérez
Breaking change: Remove support for Radius as a template engine. #1793 by Eloy Pérez
Breaking change: Remove support for the defunct Less templating library. See #1716, #1715 for more discussion and background. d1af2f1e by Olle Jonsson
Breaking change: Remove Reel integration. 54597502 by Olle Jonsson
CI: Start testing on Ruby 3.1. 60e221940 and b0fa4bef by Johannes Würbach
Use Kernel#caller_locations. #1491 by Julik Tarkhanov
Docs: Japanese documentation: Add notes about the default_content_type setting. #1650 by Akifumi Tominaga
Docs: Polish documentation: Add section about Multithreaded modes and Routes. #1708 by Patrick Gramatowski
Docs: Japanese documentation: Make Session section reflect changes done to README.md. #1731 by @shu-i-chi

`v2.2.4`

`v2.2.3`

Fix: Escape filename in the Content-Disposition header. #1841 by Kunpei Sakai
Fix: fixed ReDoS for Rack::Protection::IPSpoofing. #1823 by @ooooooo-q

`v2.2.2`

Update mustermann dependency to version 2.

`v2.2.1`

Fix JRuby regression by using ruby2_keywords for delegation. #1750 by Patrik Ragnarsson
Add JRuby to CI. #1755 by Karol Bucek

`v2.2.0`

Breaking change: Add #select, #reject and #compact methods to Sinatra::IndifferentHash. If hash keys need to be converted to symbols, call #to_h to get a Hash instance first. #1711 by Olivier Bellone
Handle EOFError raised by Rack and return Bad Request 400 status. #1743 by tamazon
Minor refactors in base.rb. #1640 by ceclinux
Add escaping to the static 404 page. #1645 by Chris Gavin
Remove detect_rack_handler method. #1652 by ceclinux
Respect content type set in superclass before filter. Fixes #1647 #1649 by Jordan Owens
Revert "Use prepend instead of include for helpers. #1662 by namusyaka
Fix usage of inherited Sinatra::Base classes keyword arguments. Fixes #1669 #1670 by Cadu Ribeiro
Reduce RDoc generation time by not including every README. Fixes #1578 #1671 by Eloy Pérez
Add support for per form csrf tokens. Fixes #1616 #1653 by Jordan Owens
Update MAINTENANCE.md with the stable branch status. #1681 by Fredrik Rubensson
Validate expanded path matches public_dir when serving static files. #1683 by cji-stripe
Fix Delegator to pass keyword arguments for Ruby 3.0. #1684 by andrewtblake
Fix use with keyword arguments for Ruby 3.0. #1701 by Robin Wallin
Fix memory leaks for proc template. Fixes #1704 #1719 by Slevin
Remove unnecessary test_files from the gemspec. #1712 by Masataka Pocke Kuwabara
Docs: Spanish documentation: Update README.es.md with removal of Thin. #1630 by Espartaco Palma
Docs: German documentation: Fixed typos in German README.md. #1648 by Juri
Docs: Japanese documentation: Update README.ja.md with removal of Thin. #1629 by Ryuichi KAWAMATA
Docs: English documentation: Various minor fixes to README.md. #1663 by Yanis Zafirópulos
Docs: English documentation: Document when dump_errors is enabled. Fixes #1664 #1665 by Patrik Ragnarsson
Docs: Brazilian Portuguese documentation: Update README.pt-br.md with translation fixes. #1668 by Vitor Oliveira

CI

Use latest JRuby 9.2.16.0 on CI. #1682 by Olle Jonsson
Switch CI from travis to GitHub Actions. #1691 by namusyaka
Skip the Slack action if secrets.SLACK_WEBHOOK is not set. #1705 by Robin Wallin
Small CI improvements. #1703 by Robin Wallin
Drop auto-generated boilerplate comments from CI configuration file. #1728 by Olle Jonsson

sinatra-contrib

Do not raise when key is an enumerable. #1619 by Ulysse Buonomo

Rack protection

Fix broken origin_whitelist option. Fixes #1641 #1642 by Takeshi YASHIRO

`v2.1.0`

Fix additional Ruby 2.7 keyword warnings #1586 by Stefan Sundin
Drop Ruby 2.2 support #1455 by Eloy Pérez
Add Rack::Protection::ReferrerPolicy #1291 by Stefan Sundin
Add default_content_type setting. Fixes #1238 #1239 by Mike Pastore
Allow set :<engine> in sinatra-namespace #1255 by Christian Höppner
Use prepend instead of include for helpers. Fixes #1213 #1214 by Mike Pastore
Fix issue with passed routes and provides Fixes #1095 #1606 by Mike Pastore, Jordan Owens
Add QuietLogger that excludes paths from Rack::CommonLogger 1250 by Christoph Wagner
Sinatra::Contrib dependency updates. Fixes #1207 #1411 by Mike Pastore
Allow CSP to fallback to default-src. Fixes #1484 #1490 by Jordan Owens
Replace origin_whitelist with permitted_origins. Closes #1620 #1625 by rhymes
Use Rainbows instead of thin for async/stream features. Closes #1624 #1627 by Ryuichi KAWAMATA
Enable EscapedParams if passed via settings. Closes #1615 #1632 by Anders Bälter
Support for parameters in mime types. Fixes #1141 by John Hope
Handle null byte when serving static files #1574 by Kush Fanikiso
Improve development support and documentation and source code by Olle Jonsson, Pierre-Adrien Buisson, Shota Iguchi

`v2.0.8.1`

Allow multiple hashes to be passed in merge and merge! for Sinatra::IndifferentHash #1572 by Shota Iguchi

`v2.0.8`

Allow multiple hashes to be passed in merge and merge! for Sinatra::IndifferentHash #1572 by Shota Iguchi

`v2.0.7`

Fix a regression #1560 by Kunpei Sakai

`v2.0.6`

Fix an issue setting environment from command line option #1547, #1554 by Jordan Owens, Kunpei Sakai
Support pandoc as a new markdown renderer #1533 by Vasiliy
Remove outdated code for tilt 1.x #1532 by Vasiliy
Remove an extra logic for force_encoding #1527 by Jordan Owens
Avoid multiple errors even if params contains special values #1526 by Kunpei Sakai
Support bundler/inline with require 'sinatra' integration #1520 by Kunpei Sakai
Avoid TypeError when params contain a key without a value on Ruby < 2.4 #1516 by Samuel Giddins
Improve development support and documentation and source code by Olle Jonsson, Basavanagowda Kanur, Yuki MINAMIYA

`v2.0.5`

Avoid FrozenError when params contains frozen value #1506 by Kunpei Sakai
Add support for Erubi #1494 by @tkmru
IndifferentHash monkeypatch warning improvements #1477 by Mike Pastore
Improve development support and documentation and source code by Anusree Prakash, Jordan Owens, @ceclinux and @krororo.

sinatra-contrib

Add flush option to content_for #1225 by Shota Iguchi
Drop activesupport dependency from sinatra-contrib #1448
Update yield_content to append default to ERB template buffer #1500 by Jordan Owens

rack-protection

Don't track the Accept-Language header by default #1504 by Artem Chistyakov

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Contributor Author

renovate bot commented Jul 28, 2024 •

edited

Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

Fetching gem metadata from https://rubygems.org/.........
Resolving dependencies...

Could not find compatible versions

Because sinatra >= 4.0.0 depends on rack >= 3.0.0, < 4
  and Gemfile depends on rack = 2.1.4.1,
  sinatra >= 4.0.0 is forbidden.
So, because Gemfile depends on sinatra = 4.1.0,
  version solving has failed.

Owner

yegor256 commented Jul 28, 2024

@rultor please, try to merge

Collaborator

rultor commented Jul 28, 2024

@rultor please, try to merge

@yegor256 OK, I'll try to merge now. You can check the progress of the merge here

Collaborator

rultor commented Jul 28, 2024

@rultor please, try to merge

@renovate[bot] @yegor256 Oops, I failed. You can see the full log here (spent 7min)


77% [16 Packages store 0 B] [Waiting for headers] [19 Packages 16.1 kB/216 kB 7
                                                                               
Get:20 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [1,129 kB]

78% [16 Packages store 0 B] [20 Packages 72.2 kB/1,129 kB 6%] [19 Packages 35.4
                                                                               
84% [16 Packages store 0 B] [19 Packages 35.4 kB/216 kB 16%]
                                                            
Get:21 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [44.7 kB]

84% [16 Packages store 0 B] [21 Packages 0 B/44.7 kB 0%] [19 Packages 35.4 kB/2
                                                                               
84% [16 Packages store 0 B] [19 Packages 35.4 kB/216 kB 16%]
                                                            
Get:22 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [2,104 kB]

84% [16 Packages store 0 B] [22 Packages 0 B/2,104 kB 0%] [19 Packages 35.4 kB/
                                                                               
97% [22 Packages 1,977 kB/2,104 kB 94%] [19 Packages 192 kB/216 kB 89%]
97% [20 Packages store 0 B] [22 Packages 1,977 kB/2,104 kB 94%] [19 Packages 19
                                                                               
98% [20 Packages store 0 B] [19 Packages 209 kB/216 kB 97%]
                                                           
98% [20 Packages store 0 B]
                           
99% [Working]
99% [21 Packages store 0 B]
                           
99% [Working]
99% [22 Packages store 0 B]
                           
100% [Working]
100% [19 Packages store 0 B]
                            
100% [Working]
              
Fetched 13.6 MB in 2s (6,569 kB/s)

Reading package lists... 0%

Reading package lists... 0%

Reading package lists... 0%

Reading package lists... 5%

Reading package lists... 5%

Reading package lists... 5%

Reading package lists... 5%

Reading package lists... 53%

Reading package lists... 53%

Reading package lists... 54%

Reading package lists... 54%

Reading package lists... 55%

Reading package lists... 62%

Reading package lists... 62%

Reading package lists... 72%

Reading package lists... 72%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 84%

Reading package lists... 84%

Reading package lists... 94%

Reading package lists... 94%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... Done

Using /usr/local/rvm/gems/ruby-3.2.2
Using /usr/local/rvm/gems/ruby-3.2.2

Reading package lists... 0%

Reading package lists... 0%

Reading package lists... 0%

Reading package lists... 5%

Reading package lists... 5%

Reading package lists... 5%

Reading package lists... 5%

Reading package lists... 53%

Reading package lists... 53%

Reading package lists... 54%

Reading package lists... 54%

Reading package lists... 57%

Reading package lists... 62%

Reading package lists... 62%

Reading package lists... 72%

Reading package lists... 72%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 77%

Reading package lists... 84%

Reading package lists... 84%

Reading package lists... 94%

Reading package lists... 94%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 98%

Reading package lists... 99%

Reading package lists... 99%

Reading package lists... Done


Building dependency tree... 0%

Building dependency tree... 0%

Building dependency tree... 50%

Building dependency tree... 50%

Building dependency tree... Done


Reading state information... 0% 

Reading state information... 0%

Reading state information... Done

The following additional packages will be installed:
  libpq5
Suggested packages:
  postgresql-doc-14
The following packages will be upgraded:
  libpq-dev libpq5
2 upgraded, 0 newly installed, 0 to remove and 116 not upgraded.
Need to get 296 kB of archives.
After this operation, 12.3 kB of additional disk space will be used.

0% [Working]
            
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpq-dev amd64 14.12-0ubuntu0.22.04.1 [147 kB]

0% [1 libpq-dev 0 B/147 kB 0%]
                              
50% [Working]
             
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpq5 amd64 14.12-0ubuntu0.22.04.1 [149 kB]

50% [2 libpq5 0 B/149 kB 0%]
                            
100% [Working]
              
Fetched 296 kB in 1s (540 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 93704 files and directories currently installed.)
Preparing to unpack .../libpq-dev_14.12-0ubuntu0.22.04.1_amd64.deb ...
Unpacking libpq-dev (14.12-0ubuntu0.22.04.1) over (14.11-0ubuntu0.22.04.1) ...
Preparing to unpack .../libpq5_14.12-0ubuntu0.22.04.1_amd64.deb ...
Unpacking libpq5:amd64 (14.12-0ubuntu0.22.04.1) over (14.11-0ubuntu0.22.04.1) ...
Setting up libpq5:amd64 (14.12-0ubuntu0.22.04.1) ...
Setting up libpq-dev (14.12-0ubuntu0.22.04.1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
Processing triggers for man-db (2.10.2-1) ...
Using /usr/local/rvm/gems/ruby-3.2.2
Using /usr/local/rvm/gems/ruby-3.2.2
Updating installed gems
Updating bundler
Fetching bundler-2.5.16.gem
Successfully installed bundler-2.5.16
Gems updated: bundler
Using /usr/local/rvm/gems/ruby-3.2.2
Using /usr/local/rvm/gems/ruby-3.2.2
Don't run Bundler as root. Installing your bundle as root will break this
application for all non-root users on this machine.
Bundler 2.5.16 is running, but your lockfile was generated with 2.4.6. Installing Bundler 2.4.6 and restarting using that version.
Fetching gem metadata from https://rubygems.org/.
Fetching bundler 2.4.6
Installing bundler 2.4.6
Don't run Bundler as root. Installing your bundle as root will break this
application for all non-root users on this machine.
Fetching gem metadata from https://rubygems.org/.........
Resolving dependencies...
Could not find compatible versions

Because sinatra >= 2.1.0, < 3.0.0 depends on rack ~> 2.2
  and Gemfile depends on rack = 2.1.4.1,
  sinatra >= 2.1.0, < 3.0.0 is forbidden.
So, because Gemfile depends on sinatra = 2.2.3,
  version solving has failed.
container f8208345f52baeb5238324ec06c37458af10b2988d82c04cc86f2ef5ee046e0f is dead
Sun Jul 28 13:35:01 UTC 2024


          Update dependency sinatra to v4 [SECURITY]

cfeda62

renovate bot force-pushed the renovate/rubygems-sinatra-vulnerability branch from dd144eb to cfeda62 Compare

November 18, 2024 22:19

renovate bot changed the title ~~Update dependency sinatra to v2.2.3 [SECURITY]~~ Update dependency sinatra to v4 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet