OpenProject is the leading open source project management software.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
openproject/config/initializers/fix_sprockets_cve_2014_7819.rb

132 lines
4.4 KiB

#-- copyright
# OpenProject is a project management system.
# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See doc/COPYRIGHT.rdoc for more details.
#++
# Fixes an arbitrary file disclosure bug in sprockets
# see: https://groups.google.com/forum/#!topic/rubyonrails-security/wQBeGXqGs3E
# This initializer can be removes as soon as we use sprockets v2.12.X
module Sprockets
module Server
# `call` implements the Rack 1.x specification which accepts an
# `env` Hash and returns a three item tuple with the status code,
# headers, and body.
#
# Mapping your environment at a url prefix will serve all assets
# in the path.
#
# map "/assets" do
# run Sprockets::Environment.new
# end
#
# A request for `"/assets/foo/bar.js"` will search your
# environment for `"foo/bar.js"`.
def call(env)
start_time = Time.now.to_f
time_elapsed = lambda { ((Time.now.to_f - start_time) * 1000).to_i }
msg = "Served asset #{env['PATH_INFO']} -"
# Mark session as "skipped" so no `Set-Cookie` header is set
env['rack.session.options'] ||= {}
env['rack.session.options'][:defer] = true
env['rack.session.options'][:skip] = true
# Extract the path from everything after the leading slash
path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
# Strip fingerprint
if fingerprint = path_fingerprint(path)
path = path.sub("-#{fingerprint}", '')
end
# URLs containing a `".."` are rejected for security reasons.
if forbidden_request?(path)
return forbidden_response
end
# Look up the asset.
asset = find_asset(path, bundle: !body_only?(env))
# `find_asset` returns nil if the asset doesn't exist
if asset.nil?
logger.info "#{msg} 404 Not Found (#{time_elapsed.call}ms)"
# Return a 404 Not Found
not_found_response
# Check request headers `HTTP_IF_NONE_MATCH` against the asset digest
elsif etag_match?(asset, env)
logger.info "#{msg} 304 Not Modified (#{time_elapsed.call}ms)"
# Return a 304 Not Modified
not_modified_response(asset, env)
else
logger.info "#{msg} 200 OK (#{time_elapsed.call}ms)"
# Return a 200 with the asset contents
ok_response(asset, env)
end
rescue Exception => e
logger.error "Error compiling asset #{path}:"
logger.error "#{e.class.name}: #{e.message}"
case content_type_of(path)
when "application/javascript"
# Re-throw JavaScript asset exceptions to the browser
logger.info "#{msg} 500 Internal Server Error\n\n"
return javascript_exception_response(e)
when "text/css"
# Display CSS asset exceptions in the browser
logger.info "#{msg} 500 Internal Server Error\n\n"
return css_exception_response(e)
else
raise
end
end
private
def forbidden_request?(path)
# Prevent access to files elsewhere on the file system
#
# http://example.org/assets/../../../etc/passwd
#
path.include?("..") || Pathname.new(path).absolute?
end
# Gets digest fingerprint.
#
# "foo-0aa2105d29558f3eb790d411d7d8fb66.js"
# # => "0aa2105d29558f3eb790d411d7d8fb66"
#
def path_fingerprint(path)
path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
end
end
end