v4.3.1

rack/rack-attack

Release date: 2015-12-19 01:37:06

Latest rack/rack-attack release: v6.7.0 (2023-08-02 05:35:58)

There is a security vulnerability with how requests are normalized when using Rails' ActionDispatch.

Versions Affected: < 4.3.0
Not affected: rack apps not using Rails
Fixed Versions: 4.3.1

Impact

When using rack-attack with a rails app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path "/login/" becomes "/login" by the time you're in ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected.

E.g., a throttle:

throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route '/login/' to the same '/login' action.

Releases

Install rack-attack 4.3.1 from rubygems.org.

# In Gemfile using bundler
gem 'rack-attack', '~> 4.3.1'

Workarounds

If you prefer not to upgrade, you may work around this issue by making sure your throttles, blacklists, etc., handle an optional trailing slash in req.path.

For example:

# Unsafe:
throttle(...) { |req| req.path == '/login' }

# Safe:
throttle(...) { |req| req.path == '/login' || req.path == '/login/' }
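The following is an added example, not code from the rack-attack project or this advisory. It runs the exact-match throttle from the Impact section and the trailing-slash workaround above against paths with and without a trailing slash, and also shows a generalised matcher (an assumption beyond the advisory's workaround) that strips trailing slashes the way Rails' normalisation does before comparing. A minimal stand-in for Rack::Request is constructed inline so the snippet runs without the rack gem.

```ruby
# Constructed stand-in for Rack::Request: only #path is needed here.
FakeRequest = Struct.new(:path)

# Unsafe matcher (from the advisory): exact comparison. Because Rack::Attack
# runs before ActionDispatch strips the trailing slash, "/login/" is missed.
UNSAFE_LOGIN = ->(req) { req.path == '/login' }

# Workaround from the advisory: accept the optional trailing slash explicitly.
SAFE_LOGIN = ->(req) { req.path == '/login' || req.path == '/login/' }

# Generalised form (assumption, not from the advisory): strip any run of
# trailing slashes, keeping "/" for the root, then compare the result.
def normalize_path(path)
  stripped = path.sub(%r{/+\z}, '')
  stripped.empty? ? '/' : stripped
end

NORMALIZED_LOGIN = ->(req) { normalize_path(req.path) == '/login' }

# Evaluate a matcher block the way a throttle would, for a given request path.
def matches?(matcher, path)
  !!matcher.call(FakeRequest.new(path))
end

if __FILE__ == $PROGRAM_NAME
  ['/login', '/login/', '/login//'].each do |p|
    puts format('%-10s unsafe=%-5s safe=%-5s normalized=%s', p,
                matches?(UNSAFE_LOGIN, p), matches?(SAFE_LOGIN, p),
                matches?(NORMALIZED_LOGIN, p))
  end
end
```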

Credit

This vulnerability was reported by Andres Riancho from Include Security (@includesecurity on GitHub and Twitter). Thank you, Andres & Include Security.

Other changes in v4.3.1

Changes: https://github.com/kickstarter/rack-attack/compare/v4.3.0...v4.3.1
