Escape allow list hosts correctly

tenderlove · tenderlove · commit 1439db505813 · 2021-05-04T15:34:53.000-07:00
[CVE-2021-22903]
diff --git a/actionpack/lib/action_dispatch/middleware/host_authorization.rb b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
@@ -53,7 +53,7 @@ def sanitize_string(host)
           if host.start_with?(".")
             /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
           else
-            /\A#{host}\z/i
+            /\A#{Regexp.escape host}\z/i
           end
         end
     end
diff --git a/actionpack/test/dispatch/host_authorization_test.rb b/actionpack/test/dispatch/host_authorization_test.rb
@@ -232,6 +232,17 @@ class HostAuthorizationTest < ActionDispatch::IntegrationTest
     assert_match "Blocked host: example.com#sub.example.com", response.body
   end
 
+  test "blocks requests to similar host" do
+    @app = ActionDispatch::HostAuthorization.new(App, "sub.example.com")
+
+    get "/", env: {
+      "HOST" => "sub-example.com",
+    }
+
+    assert_response :forbidden
+    assert_match "Blocked host: sub-example.com", response.body
+  end
+
   test "config setting action_dispatch.hosts_response_app is deprecated" do
     assert_deprecated do
       ActionDispatch::HostAuthorization.new(App, "example.com", ->(env) { true })
