Commit ada64d0
Update dependency rack to v3.2.5 [SECURITY] (#762)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [rack](https://redirect.github.com/rack/rack) ([changelog](https://redirect.github.com/rack/rack/blob/main/CHANGELOG.md)) | `3.2.4` → `3.2.5` | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-22860](https://redirect.github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh)
## Summary
`Rack::Directory`’s path check used a string prefix match on the
expanded path. A request like `/../root_example/` can escape the
configured root if the target path starts with the root string, allowing
directory listing outside the intended root.
## Details
In `directory.rb`, `File.expand_path(File.join(root,
path_info)).start_with?(root)` does not enforce a path boundary. If the
server root is `/var/www/root`, a path like `/var/www/root_backup`
passes the check because it shares the same prefix, so `Rack::Directory`
will list that directory also.
## Impact
Information disclosure via directory listing outside the configured root
when `Rack::Directory` is exposed to untrusted clients and a directory
shares the root prefix (e.g., `public2`, `www_backup`).
## Mitigation
* Update to a patched version of Rack that correctly checks the root
prefix.
* Don't name directories with the same prefix as one which is exposed
via `Rack::Directory`.
---
### Release Notes
<details>
<summary>rack/rack (rack)</summary>
### [`v3.2.5`](https://redirect.github.com/rack/rack/compare/v3.2.4...v3.2.5)
[Compare Source](https://redirect.github.com/rack/rack/compare/v3.2.4...v3.2.5)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Asia/Tokyo, Automerge -
At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/line/line-bot-sdk-ruby).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 8a12a87 commit ada64d0
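The advisory above describes the flaw as a bare `start_with?(root)` on the expanded path. The following is an added example, written for this page and not taken from rack's `directory.rb` or from the 3.2.5 fix, that puts the prefix check beside a boundary-aware check and exercises both against a constructed directory tree (`<tmp>/root` and a sibling `<tmp>/root_backup`) with the `/../root_backup/` request the advisory uses. The helper names `inside_root_prefix?`, `inside_root_boundary?` and `demo` are this example's own.

```ruby
require "tmpdir"
require "fileutils"

# Vulnerable check as the advisory describes it: a plain string-prefix
# comparison, so "<base>/root_backup" passes for root "<base>/root".
def inside_root_prefix?(root, path_info)
  File.expand_path(File.join(root, path_info)).start_with?(root)
end

# Hardened check: the candidate must be the root itself or lie below
# root followed by a path separator. "root_backup" shares the prefix
# "root" but not "root/", so it is rejected.
def inside_root_boundary?(root, path_info)
  root = File.expand_path(root) # normalises and drops a trailing slash
  candidate = File.expand_path(File.join(root, path_info))
  boundary = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR # root == "/" case
  candidate == root || candidate.start_with?(boundary)
end

# Constructed layout for the demo: <base>/root (served) and
# <base>/root_backup (must never be listed).
def with_sample_tree
  Dir.mktmpdir("rack-dir-demo") do |base|
    root = File.join(base, "root")
    sibling = File.join(base, "root_backup")
    FileUtils.mkdir_p(root)
    FileUtils.mkdir_p(sibling)
    File.write(File.join(sibling, "secret.txt"), "constructed secret\n")
    yield root, sibling
  end
end

# Runs both checks on the escaping request and on ordinary requests and
# returns the outcomes as a hash.
def demo
  with_sample_tree do |root, sibling|
    escape = "/../root_backup/"
    {
      # File.expand_path resolves ".." and lands on the sibling directory
      escape_expands_to_sibling: File.expand_path(File.join(root, escape)) == sibling,
      prefix_allows_escape: inside_root_prefix?(root, escape),       # true: the bug
      boundary_allows_escape: inside_root_boundary?(root, escape),   # false: blocked
      prefix_allows_normal: inside_root_prefix?(root, "/sub/"),      # true
      boundary_allows_normal: inside_root_boundary?(root, "/sub/"),  # true
      boundary_allows_root: inside_root_boundary?(root, "/"),        # true: root itself
      boundary_allows_parent: inside_root_boundary?(root, "/../"),   # false
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The check is done on the expanded path rather than on `path_info`, because `..` segments, duplicate separators and trailing slashes are all normalised by `File.expand_path` before the comparison; the only thing the boundary version adds is the separator after `root`, which is exactly the path boundary the advisory says the prefix match lacked.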
1 file changed
Lines changed: 1 addition & 1 deletion
Diff (file name and line contents not captured on this page): context lines 58-60 and 62-64 unchanged; line 61 removed and replaced by a new line 61 (1 addition, 1 deletion).
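Review bot: the single-line replacement at line 61 cannot be reviewed from this page, since neither the file name nor the removed and added lines are shown; the summary (1 file, 1 addition & 1 deletion) is consistent with a one-line version pin bump from `3.2.4` to `3.2.5` as the PR describes, but before merging, confirm the removed line was the `3.2.4` pin and that any version constraint on rack elsewhere in the project still permits `3.2.5`, so the lockfile resolves cleanly.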