Multi level subdomain is not allowed after Rails 6.1.4.2 #44771

Closed
r7kamura opened this issue Mar 26, 2022 · 2 comments
Comments

@r7kamura
Contributor

r7kamura commented Mar 26, 2022

Steps to reproduce

Run this test:

# frozen_string_literal: true

require 'bundler/inline'

gemfile(true) do
  source 'https://rubygems.org'

  gem 'rails', '7.0.2.3'
end

require 'rack/test'
require 'action_controller/railtie'

class TestApp < Rails::Application
  config.root = __dir__
  config.hosts << '.example.org'
  config.session_store :cookie_store, key: 'cookie_store_key'
  secrets.secret_key_base = 'secret_key_base'

  config.logger = Logger.new($stdout)
  Rails.logger  = config.logger

  routes.draw do
    get '/' => 'test#index'
  end
end

class TestController < ActionController::Base
  include Rails.application.routes.url_helpers

  def index
    render plain: 'Home'
  end
end

require 'minitest/autorun'

class BugTest < Minitest::Test
  include Rack::Test::Methods

  def test_two_level_subdomain_returns_success
    header 'Host', 'b.a.example.org'
    get '/'
    assert last_response.ok?
  end

  private

  def app
    Rails.application
  end
end

Expected behavior

It passes.

In other words, when I set up .example.org, I expect b.a.example.org to be allowed as on Rails 6.1.4.1 and earlier.

Actual behavior

It fails.

It succeeded on Rails 6.1.4.1 and earlier, but started to fail on Rails 6.1.4.2. Is this an intended change?

System configuration

rails 7.0.2.3

ruby 2.7.2p137

@pixeltrix
Contributor

@r7kamura yes, the change is deliberate - see this explicit test:

test "sub-sub domains should not be permitted" do
  @app = ActionDispatch::HostAuthorization.new(App, ".domain.com")
  get "/", env: {
    "HOST" => "secondary.sub.domain.com",
    "action_dispatch.show_detailed_exceptions" => true
  }
  assert_response :forbidden
  assert_match "Blocked host: secondary.sub.domain.com", response.body
end

I'm not entirely sure why it prevents sub-sub-domains - the CVE report doesn't explicitly mention them but this issue is a duplicate of #43953, so can you please close it and comment there if you wish.
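To make the behaviour in that test concrete, here is an added stand-alone model (not Rails' own middleware code, and not from either commenter) of how a leading-dot `config.hosts` entry can be compiled into a host regexp. The `single_label: true` mode permits exactly one wildcard DNS label, which is what blocks `b.a.example.org` under `.example.org`; the `single_label: false` mode is the multi-level matching the issue author expected. Pattern shapes and the `host_pattern`/`host_allowed?` names are this example's own.

```ruby
# Added example: a minimal model of matching Host header values against
# config.hosts-style entries. Not the ActionDispatch::HostAuthorization
# source; written to illustrate why a one-label wildcard rejects
# "b.a.example.org" while still accepting "a.example.org".
PORT  = /(?::\d+)/           # optional ":port" suffix on the Host header
LABEL = /(?:[a-z0-9-]+\.)/i  # one DNS label followed by its dot

# Compile one allowed-host entry into an anchored Regexp.
#   String starting with "."  -> wildcard subdomain of that domain
#   any other String          -> exact host
#   Regexp                    -> used as given, anchored to the whole value
# single_label: true  limits the wildcard to one label (the tested behaviour)
# single_label: false lets the wildcard span any number of labels
def host_pattern(entry, single_label: true)
  return /\A#{entry}#{PORT}?\z/ if entry.is_a?(Regexp)

  if entry.start_with?('.')
    wildcard = single_label ? /#{LABEL}?/ : /#{LABEL}*/
    /\A#{wildcard}#{Regexp.escape(entry[1..])}#{PORT}?\z/i
  else
    /\A#{Regexp.escape(entry)}#{PORT}?\z/i
  end
end

# True when at least one entry in +allowed+ matches the given Host value.
def host_allowed?(allowed, host, single_label: true)
  allowed.any? do |entry|
    host_pattern(entry, single_label: single_label).match?(host)
  end
end

if __FILE__ == $PROGRAM_NAME
  allowed = ['.example.org']
  %w[example.org a.example.org a.example.org:3000 b.a.example.org].each do |h|
    printf "%-22s multi-label=%-5s single-label=%s\n", h,
           host_allowed?(allowed, h, single_label: false),
           host_allowed?(allowed, h)
  end
  # Narrow fix for the issue's case: name the extra level explicitly rather
  # than widening the wildcard for every subdomain.
  puts host_allowed?(['.example.org', '.a.example.org'], 'b.a.example.org')
end
```

Adding `.a.example.org` alongside `.example.org` admits the two-level host the issue's test sends while keeping the one-label rule for everything else.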

@r7kamura
Contributor Author

@pixeltrix Indeed, looking at that test, this change seems intentional. I'll close this issue. Thanks for letting me know 👍
