
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN097
_____________________________________________________________________

DATE                : 12/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Rails versions prior to 6.1.2.1,
                      6.0.3.5, 5.2.4.5.

=====================================================================
https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E
https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
_____________________________________________________________________


There is a possible open redirect vulnerability in the Host
Authorization middleware in Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2021-22881.

Versions Affected:  >= 6.0.0
Not affected:       < 6.0.0
Fixed Versions:     6.1.2.1, 6.0.3.5

Impact
------
Specially crafted "Host" headers in combination with certain "allowed
host" formats can cause the Host Authorization middleware in Action Pack
to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot.  For
example, configuration files that look like this:

```ruby
config.hosts << '.tkte.ch'
```

When an allowed host contains a leading dot, a specially crafted Host
header can be used to redirect to a malicious website.
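The following is an added example, not code from this advisory or from Rails itself: a self-contained model of the check the workaround below performs, so the effect of a leading-dot allowed host can be seen on its own. The class and method names (HostAllowList, permitted?, suffix_only_permitted?) are hypothetical; VALID_HOST copies the host syntax used by the advisory's monkey patch, and the sample hosts are constructed.

```ruby
# Added example, not code from the advisory or from Rails: a self-contained
# model of the Host Authorization check.  Class and method names are
# hypothetical; VALID_HOST copies the syntax rule from the advisory's
# monkey patch.
class HostAllowList
  # A DNS-style name or a bracketed IPv6 literal, optionally with a port.
  # Only the named "host" part is ever compared against the allow-list.
  VALID_HOST = /
    \A
    (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
    (:\d+)?
    \z
  /x

  def initialize(allowed)
    @rules = allowed.map { |entry| to_rule(entry) }
  end

  # Hardened check: the raw Host header must look like a host before any
  # rule is consulted.  If an X-Forwarded-Host chain is present, its last
  # hop must pass the same syntax check and the allow-list as well.
  def permitted?(host_header, forwarded_header = nil)
    origin = VALID_HOST.match(host_header.to_s.downcase)
    return false unless origin && allowed?(origin[:host])

    last_hop = forwarded_header.to_s.split(/,\s?/).last
    return true if last_hop.nil?

    forwarded = VALID_HOST.match(last_hop.downcase)
    !forwarded.nil? && allowed?(forwarded[:host])
  end

  # Suffix match alone, with no syntax check in front of it: kept only to
  # show what a ".tkte.ch" style rule accepts by itself.
  def suffix_only_permitted?(host_header)
    allowed?(host_header.to_s.downcase.sub(/:\d+\z/, ""))
  end

  private

  def allowed?(host)
    @rules.any? { |rule| rule === host }
  end

  # A leading dot means "this domain and any subdomain"; the prefix part of
  # that rule is deliberately broad, which is why the syntax check matters.
  def to_rule(entry)
    if entry.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(entry[1..-1])}\z/i
    else
      /\A#{Regexp.escape(entry)}\z/i
    end
  end
end

# Constructed sample inputs for this example.
if $PROGRAM_NAME == __FILE__
  list = HostAllowList.new([".tkte.ch"])
  [["www.tkte.ch", nil], ["tkte.ch:3000", nil],
   ["www.tkte.ch", "proxy.example, app.tkte.ch"],
   ["not a host.tkte.ch", nil], ["example.org", nil]].each do |host, fwd|
    puts format("%-45s strict=%-5s suffix_only=%s", "#{host} / #{fwd.inspect}",
                list.permitted?(host, fwd), list.suffix_only_permitted?(host))
  end
end
```

The point to take from it: a leading-dot entry expands to a rule whose prefix accepts almost anything, so the allow-list on its own (suffix_only_permitted?) says yes to a value that is not a well-formed host at all, while the hardened check rejects it because the syntax test runs first. The example also requires the last X-Forwarded-Host value, when one is present, to pass that same syntax test; that is a choice made for this example.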

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
In the case a patch can't be applied, the following monkey patch can be
used in an initializer:

```ruby
module ActionDispatch
  class HostAuthorization
    private
      def authorized?(request)
        valid_host = /
          \A
          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
          (:\d+)?
          \z
        /x

        origin_host = valid_host.match(
          request.get_header("HTTP_HOST").to_s.downcase)
        forwarded_host = valid_host.match(
          request.x_forwarded_host.to_s.split(/,\s?/).last)

        origin_host && @permissions.allows?(origin_host[:host]) && (
          forwarded_host.nil? ||
          @permissions.allows?(forwarded_host[:host]))
      end
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.

* 6-0-host-authorization-open-redirect.patch
* 6-1-host-authorization-open-redirect.patch

Please note that only the 5.2, 6.0, and 6.1 series are supported at
present. Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability of
security fixes for unsupported releases.

Credits
-------

Thanks to @tktech (https://hackerone.com/tktech) for reporting this issue!

_____________________________________________________________________


[CVE-2021-22880] Possible DoS Vulnerability in Active Record PostgreSQL
adapter

Rafael França

Feb 11, 2021, 00:40:22 (yesterday)
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com


There is a possible DoS vulnerability in the PostgreSQL adapter in
Active Record. This vulnerability has been assigned the CVE identifier
CVE-2021-22880.

Versions Affected:  >= 4.2.0
Not affected:       < 4.2.0
Fixed Versions:     6.1.2.1, 6.0.3.5, 5.2.4.5

Impact
------
Carefully crafted input can cause the input validation in the "money"
type of the PostgreSQL adapter in Active Record to spend too much time
in a regular expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along
with money type columns that take user input.
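The following is an added example, not code from this advisory or from Active Record: a standalone normaliser for the locale-formatted strings the PostgreSQL "money" type accepts, built on the same possessive-quantifier patterns (\D*+) as the workaround below, plus a check showing that the ambiguous input shape behind the DoS is rejected in a single pass. The function names (normalize_money, rejects_comma_run?) are hypothetical and the sample strings are constructed.

```ruby
# Added example, not code from the advisory or from Active Record.  The
# three patterns use the same possessive \D*+ as the fixed cast_value;
# \A/\z anchors are used here instead of ^/$ so only whole strings match.
MONEY_DOT_DECIMAL   = /\A-?\D*+[\d,]+\.\d{2}\z/   # (1)  $12,345,678.12
MONEY_COMMA_DECIMAL = /\A-?\D*+[\d.]+,\d{2}\z/    # (2)  $12.345.678,12
PARENS_NEGATIVE     = /\A\((.+)\)\z/              # (4)  ($2.55)

# Returns the amount as a plain "-?digits.digits" string, or nil when the
# input is in none of the documented formats.  Non-mutating gsub/sub are
# used so the caller's string is left untouched.
def normalize_money(str)
  return nil unless str.is_a?(String)

  value = str.sub(PARENS_NEGATIVE, '-\1')        # (4) becomes (3): -$2.55
  case value
  when MONEY_DOT_DECIMAL
    value.gsub(/[^-\d.]/, "")                    # drop sign and thousands commas
  when MONEY_COMMA_DECIMAL
    value.gsub(/[^-\d,]/, "").sub(",", ".")      # drop sign and dots; comma is the decimal point
  end
end

# The ambiguous input shape behind the DoS: a comma satisfies both \D and
# [\d,], so a long comma run with a failing tail is where a backtracking
# quantifier would retry every split point.  With \D*+ the engine keeps the
# whole run and fails once, so the call returns promptly.
def rejects_comma_run?(length)
  normalize_money("," * length + "x").nil?
end

if $PROGRAM_NAME == __FILE__
  ["$12,345,678.12", "$12.345.678,12", "-$2.55", "($2.55)", "12,5", "ten"].each do |s|
    puts format("%-16s -> %s", s, normalize_money(s).inspect)
  end
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  rejects_comma_run?(200_000)
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  puts format("200000-comma run rejected in %.4f s", elapsed)
end
```

The possessive quantifier is the whole fix: once \D*+ has consumed a run of non-digits it never hands characters back, so a string that cannot match is rejected after one scan rather than after one attempt per possible split between the currency prefix and the digit group. Validating the shape of user-supplied money strings before they reach the adapter is a cheap additional safeguard for applications that cannot upgrade immediately.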

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
In the case a patch can't be applied, the following monkey patch can be
used in an initializer:

```ruby
module ActiveRecord
  module ConnectionAdapters
    module PostgreSQL
      module OID # :nodoc:
        class Money < Type::Decimal # :nodoc:
          def cast_value(value)
            return value unless ::String === value

            value = value.sub(/^\((.+)\)$/, '-\1') # (4)
            case value
            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
              value.gsub!(/[^-\d.]/, "")
            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
              value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
            end

            super(value)
          end
        end
      end
    end
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.

* 5-2-postgresql-money-dos.patch
* 6-0-postgresql-money-dos.patch
* 6-1-postgresql-money-dos.patch

Please note that only the 5.2, 6.0, and 6.1 series are supported at
present. Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability of
security fixes for unsupported releases.

Credits
-------

Thanks to @dee-see from HackerOne for reporting this issue!

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


