Added two Rack vulnerabilities #1000
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| --- | ||
| gem: rack | ||
| cve: 2026-22860 | ||
| ghsa: mxw3-3hh2-x2mh | ||
| url: https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh | ||
| title: Rack has a Directory Traversal via Rack:Directory | ||
| date: 2026-02-17 | ||
| description: "## Summary\n\n`Rack::Directory`’s path check used a string prefix match | ||
| on the expanded path. A request like `/../root_example/` can escape the configured | ||
| root if the target path starts with the root string, allowing directory listing | ||
| outside the intended root.\n\n## Details\n\nIn `directory.rb`, `File.expand_path(File.join(root, | ||
| path_info)).start_with?(root)` does not enforce a path boundary. If the server root | ||
| is `/var/www/root`, a path like `/var/www/root_backup` passes the check because | ||
| it shares the same prefix, so `Rack::Directory` will list that directory also. \n\n## | ||
| Impact\n\nInformation disclosure via directory listing outside the configured root | ||
| when `Rack::Directory` is exposed to untrusted clients and a directory shares the | ||
| root prefix (e.g., `public2`, `www_backup`).\n\n## Mitigation\n\n* Update to a patched | ||
| version of Rack that correctly checks the root prefix.\n* Don't name directories | ||
| with the same prefix as one which is exposed via `Rack::Directory`." | ||
| cvss_v3: 7.5 | ||
| patched_versions: | ||
| - "~> 2.2.22" | ||
| - "~> 3.1.20" | ||
| - ">= 3.2.5" | ||
|
Member
There was a problem hiding this comment. YAML Array elements should be indented by two spaces. |
||
| related: | ||
| url: | ||
| - https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh | ||
| - https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7 | ||
| - https://github.com/advisories/GHSA-mxw3-3hh2-x2mh | ||
|
Member
There was a problem hiding this comment. YAML Array elements should be indented by two spaces. |
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| --- | ||
| gem: rack | ||
| cve: 2026-25500 | ||
| ghsa: whrj-4476-wvmp | ||
| url: https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp | ||
| title: 'Stored XSS in Rack::Directory via javascript: filenames rendered into anchor | ||
| href' | ||
| date: 2026-02-17 | ||
| description: |- | ||
| ## Summary | ||
|
|
||
| `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application. | ||
|
|
||
| This results in a client-side XSS condition in directory listings generated by `Rack::Directory`. | ||
|
|
||
| ## Details | ||
|
|
||
| `Rack::Directory` renders directory entries using an HTML row template similar to: | ||
|
|
||
| ```html | ||
| <a href='%s'>%s</a> | ||
| ``` | ||
|
|
||
| The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL: | ||
|
|
||
| ```html | ||
| <a href='javascript:alert(1)'>javascript:alert(1)</a> | ||
| ``` | ||
|
|
||
| Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application. | ||
|
|
||
| ## Impact | ||
|
|
||
| If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`. | ||
|
|
||
| When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry). | ||
|
|
||
| ## Mitigation | ||
|
|
||
| * Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`). | ||
| * Avoid exposing user-controlled directories via `Rack::Directory`. | ||
| * Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues. | ||
| * Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes. | ||
| cvss_v3: 5.4 | ||
| patched_versions: | ||
| - "~> 2.2.22" | ||
| - "~> 3.1.20" | ||
| - ">= 3.2.5" | ||
|
Member
There was a problem hiding this comment. YAML Array elements should be indented by two spaces. |
||
| related: | ||
| url: | ||
| - https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp | ||
| - https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff | ||
| - https://github.com/advisories/GHSA-whrj-4476-wvmp | ||
|
Member
There was a problem hiding this comment. YAML Array elements should be indented by two spaces. |
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
description:should be block text, not a quoted string. It appears that code blocks can confuse YAML's formatting.