rubygem-actionpack/CVE-2022-23633-test.patch


From 07d9600172a18b45791c89e95a642e13fc367545 Mon Sep 17 00:00:00 2001
From: Jean Boussier <jean.boussier@gmail.com>
Date: Fri, 11 Feb 2022 13:09:30 +0100
Subject: [PATCH] ActionDispatch::Executor don't fully trust `body#close`
Under certain circumstances, the middleware isn't informed that the
response body has been fully closed, which results in request state not
being fully reset before the next request.
[CVE-2022-23633]
---
diff --git a/actionpack/test/dispatch/executor_test.rb b/actionpack/test/dispatch/executor_test.rb
index 5b8be39b6d..d0bf574009 100644
--- a/actionpack/test/dispatch/executor_test.rb
+++ b/actionpack/test/dispatch/executor_test.rb
@@ -119,6 +119,27 @@ def test_callbacks_execute_in_shared_context
assert_not defined?(@in_shared_context) # it's not in the test itself
end
+ def test_body_abandonned
+ total = 0
+ ran = 0
+ completed = 0
+
+ executor.to_run { total += 1; ran += 1 }
+ executor.to_complete { total += 1; completed += 1}
+
+ stack = middleware(proc { [200, {}, "response"] })
+
+ requests_count = 5
+
+ requests_count.times do
+ stack.call({})
+ end
+
+ assert_equal (requests_count * 2) - 1, total
+ assert_equal requests_count, ran
+ assert_equal requests_count - 1, completed
+ end
+
private
def call_and_return_body(&block)
app = middleware(block || proc { [200, {}, "response"] })
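Review bot: The expectations in `test_body_abandonned` (`requests_count - 1` completions and `(requests_count * 2) - 1` hook runs in total) are unexplained, although they are the substance of this regression test for CVE-2022-23633. The test discards every result of `stack.call({})` without closing the body, so the counts presumably mean that each abandoned request is completed only when the next call starts, and that the last one stays pending; the executor change is not part of this patch, so that reading is inferred. I would add a comment above the assertions, for example `# Bodies are never closed: each request is completed by the next call, so the last one is still pending.`, and rename the method to `test_body_abandoned`. If that is the intended behaviour, asserting the order of the hooks (each `to_complete` firing before the following `to_run`) would pin the "no state carried into the next request" property more directly than the counters do.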
--
2.25.1