CVE-2022-23633 The Response Body is not closed in cases of AJAX, API, and other web requests.
This middleware will cause a close to be sent to any application responses. To install it, add the following line to your application's Gemfile:

```ruby
gem 'action_pack/close_notifier'
```

Further instructions on installing middleware can be found in the Gem documentation. If you are using a version of Rails prior to 7.0.2.1, 6.1.4.5, 6.0.4.5, or 5.2.6.1, you can use the workaround described below.

This issue occurs if the following conditions are met:

- You are using `ActionDispatch::Remotely` or `ActionDispatch::Http`.
- You are using the `Application#render_not_needed_rails_view` or `Application#render_not_needed_action_pack_view` method.
- You are not running your application through a reverse proxy such as nginx.
- You are using an older version of Ruby than the one listed below.
Issue: Middleware causes a Rails application to crash on initial request
This issue will only occur when you have the following setup:

- Your application is running through an HTTP server such as Puma, Grape, Unicorn, or Phusion Passenger.
- Your application is running through a reverse proxy server such as nginx.
- You are using the `Application#render_not_needed_rails_view` or `Application#render_not_needed_action_pack_view` methods.
- Your application is using an older version of Ruby than the one listed below.
Please note that this workaround has been tested on Rails versions before 7.0.2, 6.1.4, and 5.2.6.
How do I fix this issue?
The issue can be fixed by updating your application to use the `Application#render_not_needed_rails_view` or `Application#render_not_needed_action_pack_view` methods.
You can also bypass this issue by running your application through a reverse proxy such as nginx.
How to fix strong parameters
If you're seeing this error, it may be caused by a strong parameter hash in your application. You can fix this issue by including a double underscore at the end of each `?_parameters` key when using the `ActionController::Parameters#find_all` method.
How to fix it
For this issue to be fixed, you need to upgrade to a newer version of Ruby. The specific versions of Ruby that are affected are listed below:

- Rails 5.2.2 or older
- Rails 5.1.4 or older
- Rails 5.0.7 or older
Timeline
Published on: 02/11/2022 21:15:00 UTC
Last modified on: 02/22/2022 21:47:00 UTC