From 78fe149509fac5b05e54187aaaef216fbb5fd0d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= Date: Thu, 3 Aug 2023 16:00:34 -0400 Subject: [PATCH] Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers Disable session in ActiveStorage blobs and representations proxy controllers [CVE-2024-26144] --- activestorage/CHANGELOG.md | 8 ++++++++ .../active_storage/blobs/proxy_controller.rb | 1 + .../representations/proxy_controller.rb | 1 + .../concerns/active_storage/disable_session.rb | 12 ++++++++++++ 4 files changed, 22 insertions(+) create mode 100644 activestorage/app/controllers/concerns/active_storage/disable_session.rb diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md index 3b4de519902a8..9a86ee321c4c2 100644 --- a/activestorage/CHANGELOG.md +++ b/activestorage/CHANGELOG.md @@ -1,3 +1,11 @@ +* Disables the session in `ActiveStorage::Blobs::ProxyController` + and `ActiveStorage::Representations::ProxyController` + in order to allow caching by default in some CDNs as CloudFlare + + Fixes #44136 + + *Bruno Prieto* + ## Rails 6.1.7.6 (August 22, 2023) ## * No changes. diff --git a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb index 9b4993f240738..0a70d1d7dfc48 100644 --- a/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb +++ b/activestorage/app/controllers/active_storage/blobs/proxy_controller.rb @@ -4,6 +4,7 @@ class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController include ActiveStorage::SetBlob include ActiveStorage::SetHeaders + include ActiveStorage::DisableSession def show http_cache_forever public: true do diff --git a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb index e1ebba109fa8d..5ac55fc6e9bcd 100644 
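Review bot: `include ActiveStorage::DisableSession` is placed after `ActiveStorage::SetBlob` and `ActiveStorage::SetHeaders`, so the concern's `before_action` is declared last and runs only if every earlier callback lets the chain continue; `session_options[:skip]` is consulted by the session middleware when it commits the response, so order does not matter on the happy path, but a halted response from an earlier callback would still be free to carry a session cookie. Because the flag has no dependency on the other callbacks, declaring it with `prepend_before_action do` inside the concern would make the skip unconditional; the same applies to `ActiveStorage::Representations::ProxyController` in the following hunk. Whether a halted response from these controllers is ever served with a public `Cache-Control` cannot be seen here (the body of `show` and the rescue handlers in the base controllers lie outside the hunk), so treat this as hardening rather than a confirmed gap.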
--- a/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
+++ b/activestorage/app/controllers/active_storage/representations/proxy_controller.rb
@@ -3,6 +3,7 @@
 # Proxy files through application. This avoids having a redirect and makes files easier to cache.
 class ActiveStorage::Representations::ProxyController < ActiveStorage::Representations::BaseController
   include ActiveStorage::SetHeaders
+  include ActiveStorage::DisableSession
 
   def show
     http_cache_forever public: true do
diff --git a/activestorage/app/controllers/concerns/active_storage/disable_session.rb b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
new file mode 100644
index 0000000000000..200ad7c9d23ac
--- /dev/null
+++ b/activestorage/app/controllers/concerns/active_storage/disable_session.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This concern disables the session in order to allow caching by default in some CDNs as CloudFlare.
+module ActiveStorage::DisableSession
+  extend ActiveSupport::Concern
+
+  included do
+    before_action do
+      request.session_options[:skip] = true
+    end
+  end
+end
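Review bot: The header comment on the new `ActiveStorage::DisableSession` module presents session skipping as a CDN caching convenience, while the patch subject ties it to CVE-2024-26144; a maintainer reading only this file could reasonably remove it as an optimization. The comment should state the invariant it protects, for example `# The proxy controllers respond with http_cache_forever public: true, so the response must never carry a` followed by `# Set-Cookie header: a shared cache could otherwise replay one user's session cookie to another (CVE-2024-26144).`. Note that `request.session_options[:skip] = true` only tells the session middleware not to write the session cookie; a cookie set through `cookies` by some other callback would still be emitted, so a request test asserting that the proxied response has no `Set-Cookie` header at all would pin the property more directly than the flag does. The phrase `some CDNs as CloudFlare` in the comment also reads awkwardly; `such as Cloudflare` is the intended wording.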