RubySec

Providing security resources for the Ruby community

OSVDB-132234 (rack-attack): rack-attack Gem for Ruby missing normalization before request path processing

ADVISORIES

GEM

rack-attack

PATCHED VERSIONS

  • >= 4.3.1

DESCRIPTION

When using rack-attack with a rails app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path “/login/” becomes “/login” by the time you’re in ActionController.

Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected.

E.g., a throttle:

throttle('logins', ...) {|req| req.path == "/login" }

would not match a request to ‘/login/’, though Rails would route ‘/login/’ to the same ‘/login’ action.