25 changes: 17 additions & 8 deletions
actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb
14 comments on commit
Fix #46244 Remove innerHTML usage to avoid self-XSS
Parent: be0b5c6
Commit: be177e4
Showing 1 changed file with 17 additions and 8 deletions.
sure github, whatever you say
Of course, this page should never be triggered in a production environment anyway.
What's wrong with making "dev" pages safe?
You can do what you want, but I'm not losing any sleep over this.
What am I supposed to do about this? lol
Does someone know if the Rails team is planning a patch for Rails 6 in response to this vulnerability GHSA-9chr-4fjh-5rgw?
I know the commit was merged into the main branch, but I don't think the patch applies retroactively for older versions.
Thanks in advance for your answer.
Additionally, I saw this PR d35b1a8 targeting Rails 5.2 but it was closed.
There is no CVE here. Who created it? It is a development page; even if there was an XSS here, the impact is so low that there is no reason to call this a vulnerability.
It is a notification we get from GitHub with periodic CVEs in different gems we use in our projects. Not sure who created it, but it is listed on the National Vulnerability Database page: https://nvd.nist.gov/vuln/detail/CVE-2022-3704.
Yeah, I saw that. We are disputing that CVE since it is invalid.
I see. Ok, let's get rid of the CVE thing, and let me put my question from another perspective. Is there a way to get this commit patch (PR associated: #46269) into the Rails 6 version?
It already is here: 5a7fa9a
Sorry @skipkayhil, I had to be more precise. The version we are using is 6.1.7 and I saw that the rails 6-1-stable branch already has this patch too, but when I check the tag v1.7.6 the change is not there: https://github.com/rails/rails/blob/v6.1.7/actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb#L116. I don't know the internal process the Rails team uses to apply the patches, so what do you suggest to me to get this fix in the version we are using?
gem "rails", github: "rails/rails", branch: "6-1-stable"
Ok, thank you so much. I'll discuss this solution with the team.