Workaround for CVE-2020 8184 (#4394)

* Add workaround from rails security team for CVE-2020-8184 * Moved patch to autoloaded directory * Fix a few rubocop minor issues, punt on others since this patch was supplied through security mailing list
department-of-veterans-affairs · Jun 22, 2020 · 498fd14 · 498fd14
1 parent 4480339
commit 498fd14
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/config/initializers/rack-CVE-2020-8184.rb b/config/initializers/rack-CVE-2020-8184.rb
@@ -0,0 +1,20 @@
+# rubocop:disable all
+# frozen_string_literal: true
+
+module Rack
+  module Utils
+    module_function def parse_cookies_header(header)
+      Rails.logger.info 'SECURITY: Loaded CVE-2020-8184 patch for rack gem'
+
+      return {} unless header
+
+      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
+        next if cookie.empty?
+
+        key, value = cookie.split('=', 2)
+        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
+      end
+    end
+  end
+end
+# rubocop:enable all