!73 Fix CVE-2022-22577

From: @Higos997 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu

CVE-2021-22904.patch

@@ -0,0 +1,29 @@
+From f97d14a056c9b6ec6bf46d24e0c04b4893e78d41 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 4 May 2021 15:49:21 -0700
+Subject: [PATCH] Prevent slow regex when parsing host authorization header
+
+The old regex could take too long when parsing an authorization header,
+and this could potentially cause a DoS vulnerability
+
+[CVE-2021-22904]
+---
+ .../lib/action_controller/metal/http_authentication.rb          | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+index 01676f3..d2e6674 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_controller/metal/http_authentication.rb
+@@ -406,7 +406,7 @@ module ActionController
+     module Token
+       TOKEN_KEY = "token="
+       TOKEN_REGEX = /^(Token|Bearer)\s+/
+-      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t+)/
++      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
+       extend self
+ 
+       module ControllerMethods
+-- 
+2.23.0
+

CVE-2022-23633.patch

@@ -0,0 +1,32 @@
+From 07d9600172a18b45791c89e95a642e13fc367545 Mon Sep 17 00:00:00 2001
+From: Jean Boussier <jean.boussier@gmail.com>
+Date: Fri, 11 Feb 2022 13:09:30 +0100
+Subject: [PATCH] ActionDispatch::Executor don't fully trust `body#close`
+
+Under certain circumstances, the middleware isn't informed that the
+response body has been fully closed which result in request state not
+being fully reset before the next request.
+
+[CVE-2022-23633]
+---
+ .../action_dispatch/middleware/executor.rb    |  2 +-
+ actionpack/test/dispatch/executor_test.rb     | 21 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletions(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
+index 129b18d3d9..a32f916260 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb
+@@ -9,7 +9,7 @@ def initialize(app, executor)
+     end
+ 
+     def call(env)
+-      state = @executor.run!
++      state = @executor.run!(reset: true)
+       begin
+         response = @app.call(env)
+         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
+ 
+-- 
+2.25.1
+

CVE-2023-22792.patch

@@ -0,0 +1,80 @@
+From 7a7f37f146aa977350cf914eba20a95ce371485f Mon Sep 17 00:00:00 2001
+From: sabulikia <sabakiaei@gmail.com>
+Date: Thu, 7 Jul 2022 16:10:20 -0400
+Subject: [PATCH] Use string#split instead of regex for domain parts
+
+[CVE-2023-22792]
+---
+ .../lib/action_dispatch/middleware/cookies.rb | 48 +++++++++++++----------
+ 1 file changed, 28 insertions(+), 20 deletions(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
+index 2188795..ed4a566 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb
+@@ -282,20 +282,6 @@ module ActionDispatch
+     class CookieJar #:nodoc:
+       include Enumerable, ChainedCookieJars
+ 
+-      # This regular expression is used to split the levels of a domain.
+-      # The top level domain can be any string without a period or
+-      # **.**, ***.** style TLDs like co.uk or com.au
+-      #
+-      # www.example.co.uk gives:
+-      # $& => example.co.uk
+-      #
+-      # example.com gives:
+-      # $& => example.com
+-      #
+-      # lots.of.subdomains.example.local gives:
+-      # $& => example.local
+-      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
+-
+       def self.build(req, cookies)
+         new(req).tap do |hash|
+           hash.update(cookies)
+@@ -365,13 +351,35 @@ module ActionDispatch
+         options[:path] ||= "/"
+ 
+         if options[:domain] == :all || options[:domain] == "all"
+-          # If there is a provided tld length then we use it otherwise default domain regexp.
+-          domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
++          cookie_domain = ""
++          dot_splitted_host = request.host.split('.', -1)
++
++          # Case where request.host is not an IP address or it's an invalid domain
++          # (ip confirms to the domain structure we expect so we explicitly check for ip)
++          if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
++            options[:domain] = nil
++            return
++          end
++
++          # If there is a provided tld length then we use it otherwise default domain.
++          if options[:tld_length].present?
++            # Case where the tld_length provided is valid
++            if dot_splitted_host.length >= options[:tld_length]
++              cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
++            end
++          # Case where tld_length is not provided
++          else
++            # Regular TLDs
++            if !(/([^.]{2,3}\.[^.]{2})$/.match?(request.host))
++              cookie_domain = dot_splitted_host.last(2).join('.')
++            # **.**, ***.** style TLDs like co.uk and com.au
++            else
++              cookie_domain = dot_splitted_host.last(3).join('.')
++            end
++          end
+ 
+-          # If host is not ip and matches domain regexp.
+-          # (ip confirms to domain regexp so we explicitly check for ip)
+-          options[:domain] = if (request.host !~ /^[\d.]+$/) && (request.host =~ domain_regexp)
+-            ".#{$&}"
++          options[:domain] = if cookie_domain.present?
++            ".#{cookie_domain}"
+           end
+         elsif options[:domain].is_a? Array
+           # If host matches one of the supplied domains without a dot in front of it.
+-- 
+2.33.0
+

CVE-2023-22795.patch

@@ -0,0 +1,23 @@
+From 484fc9185db6c6a6a49ab458b11f9366da02bab2 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Fri, 13 Jan 2023 15:54:40 -0800
+Subject: [PATCH] Avoid regex backtracking on If-None-Match header
+
+[CVE-2023-22795]
+---
+ .../lib/action_dispatch/http/cache.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
+index 9c46c5c8a4d81..d9d6f325342ea 100644
+--- a/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
++++ b/usr/share/gems/gems/actionpack-5.2.4.4/lib/action_dispatch/http/cache.rb
+@@ -18,7 +18,7 @@ def if_none_match
+         end
+ 
+         def if_none_match_etags
+-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
++          if_none_match ? if_none_match.split(",").each(&:strip!) : []
+         end
+ 
+         def not_modified?(modified_at)

backport-CVE-2022-22577.patch

@@ -0,0 +1,38 @@
+From d2253115ac2b30f5f7210670af906cebf79cf809 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron@rubyonrails.org>
+Date: Tue, 8 Mar 2022 13:23:15 -0800
+Subject: [PATCH] Merge pull request #44635 from imtayadeway/tjw/api-csp-i
+
+Generate content security policy for non-HTML responses
+---
+ lib/action_dispatch/http/content_security_policy.rb | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/lib/action_dispatch/http/content_security_policy.rb b/lib/action_dispatch/http/content_security_policy.rb
+index 6f9fb11..a1d0740 100644
+--- a/lib/action_dispatch/http/content_security_policy.rb
++++ b/lib/action_dispatch/http/content_security_policy.rb
+@@ -17,7 +17,6 @@ module ActionDispatch #:nodoc:
+         request = ActionDispatch::Request.new env
+         _, headers, _ = response = @app.call(env)
+ 
+-        return response unless html_response?(headers)
+         return response if policy_present?(headers)
+ 
+         if policy = request.content_security_policy
+@@ -31,12 +30,6 @@ module ActionDispatch #:nodoc:
+ 
+       private
+ 
+-        def html_response?(headers)
+-          if content_type = headers[CONTENT_TYPE]
+-            content_type =~ /html/
+-          end
+-        end
+-
+         def header_name(request)
+           if request.content_security_policy_report_only
+             POLICY_REPORT_ONLY
+-- 
+2.27.0
+

backport-CVE-2024-41128.patch

@@ -0,0 +1,41 @@
+From fb493bebae1a9b83e494fe7edbf01f6167d606fd Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:41:33 -0700
+Subject: [PATCH] Avoid backtracking in filtered_query_string
+
+Thanks scyoon for the patch
+
+CVE-2024-41128
+---
+ lib/action_dispatch/http/filter_parameters.rb | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/action_dispatch/http/filter_parameters.rb b/lib/action_dispatch/http/filter_parameters.rb
+index ec86b8b..6bc5c0b 100644
+--- a/lib/action_dispatch/http/filter_parameters.rb
++++ b/lib/action_dispatch/http/filter_parameters.rb
+@@ -72,12 +72,17 @@ module ActionDispatch
+         ParameterFilter.new(filters)
+       end
+ 
+-      KV_RE   = "[^&;=]+"
+-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
+       def filtered_query_string # :doc:
+-        query_string.gsub(PAIR_RE) do |_|
+-          parameter_filter.filter($1 => $2).first.join("=")
++        parts = query_string.split(/([&;])/)
++        filtered_parts = parts.map do |part|
++          if part.include?("=")
++            key, value = part.split("=", 2)
++            parameter_filter.filter(key => value).first.join("=")
++          else
++            part
++          end
+         end
++        filtered_parts.join("")
+       end
+     end
+   end
+-- 
+2.33.0
+

backport-CVE-2024-47887.patch

@@ -0,0 +1,29 @@
+From 8e057db25bff1dc7a98e9ae72e0083825b9ac545 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Thu, 10 Oct 2024 20:32:00 -0700
+Subject: [PATCH] Avoid backtracking in Token#raw_params
+
+Thanks to scyoon for the patch
+
+[CVE-2024-47887]
+---
+ lib/action_controller/metal/http_authentication.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/action_controller/metal/http_authentication.rb b/lib/action_controller/metal/http_authentication.rb
+index 01676f3..55760aa 100644
+--- a/lib/action_controller/metal/http_authentication.rb
++++ b/lib/action_controller/metal/http_authentication.rb
+@@ -481,7 +481,8 @@ module ActionController
+       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
+       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
+       def raw_params(auth)
+-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
++        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
++        _raw_params.reject!(&:empty?)
+ 
+         if !(_raw_params.first =~ %r{\A#{TOKEN_KEY}})
+           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"
+-- 
+2.33.0
+

rubygem-actionpack.spec

@@ -4,13 +4,25 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             5.2.4.4
-Release:             2
+Release:             7
 Summary:             Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License:             MIT
 URL:                 http://rubyonrails.org
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
 Source1:             https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
 Patch0:              CVE-2021-22885.patch
+Patch1:              CVE-2021-22904.patch
+# https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f
+Patch2:              CVE-2023-22792.patch
+# https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2
+Patch3:              CVE-2023-22795.patch
+# https://github.com/rails/rails/commit/ddaf5058350b3a72f59b7c3e0d713678354b9a08
+Patch3000:           CVE-2022-23633.patch
+Patch3001:           backport-CVE-2024-41128.patch
+Patch3002:           backport-CVE-2024-47887.patch
+# https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
+Patch3003:           backport-CVE-2022-22577.patch
+
 BuildRequires:       ruby(release) rubygems-devel ruby >= 2.2.2
 %if ! 0%{?bootstrap}
 BuildRequires:       rubygem(activemodel) = %{version} rubygem(activerecord) = %{version}
@@ -35,6 +47,16 @@ Documentation for %{name}.
 %setup -q -c -T
 %gem_install -n %{SOURCE0}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch3000 -p1
+
+pushd .%{gem_instdir}
+%patch3001 -p1
+%patch3002 -p1
+%patch3003 -p1
+popd
 
 %build
 
@@ -65,6 +87,24 @@ popd
 %doc %{gem_instdir}/README.rdoc
 
 %changelog
+* Mon Nov 4 2024 yinzeqiang <yinzeqiang@chinaredflag.cn> - 1:5.2.4.4-7
+- Fix CVE-2022-22577
+
+* Thu Oct 17 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-6
+- Fix CVE-2024-41128 and CVE-2024-47887
+
+* Tue Jun 25 2024 zouzhimin <zouzhimin@kylinos.cn> - 1:5.2.4.4-5
+- Type:CVES
+- ID:CVE-2022-23633
+- SUG:NA
+- DESC:fix CVE-2022-23633
+
+* Mon Feb 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:5.2.4.4-4
+- Fix CVE-2023-22792 and CVE-2023-22795
+
+* Mon Jun 28 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-3
+- Fix CVE-2021-22904
+
 * Fri Jun 11 2021 wangyue<wangyue92@huawei.com> - 5.2.4.4-2
 - Fix CVE-2021-22885