ADVISORIES

• OSVDB-132234
• Vendor Advisory

GEM

rack-attack

PATCHED VERSIONS

• >= 4.3.1

DESCRIPTION

When using rack-attack with a rails app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path "/login/" becomes "/login" by the time you're in ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected.

E.g., a throttle:

throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to '/login/', though Rails would route '/login/' to the same '/login' action.

RELATED

• https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1
• https://github.com/rack/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977
• https://security.snyk.io/vuln/SNYK-RUBY-RACKATTACK-20246
• https://github.com/rack/rack-attack/blob/main/CHANGELOG.md