fix(security): harden Puma against HTTP Request Smuggling (CVE) #86
Open
AjayPAnand wants to merge 1 commit into thoth-tech:10.0.x from
- Bump Puma to >= 6.4.3 in Gemfile for hardened HTTP parsing
- Add raise_exception_on_sigterm! to config/puma.rb to prevent request queue poisoning on SIGTERM

Severity: SIGNIFICANT
Ref: FIX 2 — HTTP Request Smuggling
Severity: SIGNIFICANT
Ref: FIX 2 — HTTP Request Smuggling
Description
This PR addresses a significant security vulnerability, HTTP Request Smuggling, by hardening the Puma web server configuration in the doubtfire-api service.
HTTP Request Smuggling occurs when a front-end proxy (e.g. Nginx) and a back-end server (Puma) disagree on where one HTTP request ends and the next begins. Attackers can exploit this to poison request queues, bypass access controls, hijack sessions, or perform cache poisoning.
Changes made:
- Bumped Puma to >= 6.4.3 in Gemfile: this version includes hardened HTTP/1.1 request parsing that rejects ambiguous Content-Length / Transfer-Encoding header combinations used in smuggling attacks
- Added raise_exception_on_sigterm! to config/puma.rb; ensures Puma raises an exception on SIGTERM rather than draining its queue, preventing in-flight poisoned requests from being processed during graceful shutdown
Type of change
Bug fix (non-breaking change which fixes an issue)
Please delete options that are not relevant.
How Has This Been Tested?
The configuration changes were verified as follows:
- Test A: Confirmed Puma starts successfully with the new puma.rb settings in the development environment (rails server / puma -C config/puma.rb) with no errors or warnings
- Test B: Confirmed bundle update puma resolves to a version >= 6.4.3 and bundle install completes without dependency conflicts

To reproduce: run bundle exec puma -C config/puma.rb and verify the server starts cleanly. Check bundle list | grep puma to confirm the resolved version.
Checklist:
- My code follows the style guidelines of this project
- I have performed a self-review of my own code
- I have commented my code, particularly in hard-to-understand areas
- I have made corresponding changes to the documentation if appropriate
- My changes generate no new warnings
- New and existing unit tests pass locally with my changes
- Any dependent changes have been merged and published in downstream modules
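As an added illustration of the framing rule the "Changes made" section relies on (example code written for this page, not Puma's parser or anything from this PR): a small Ruby check that applies the RFC 7230 section 3.3.3 rule a front-end proxy and Puma must agree on, rejecting any request whose Content-Length / Transfer-Encoding headers give two different answers to where the body ends instead of guessing. Header samples are constructed; `AmbiguousFramingError` and the function names are this example's own.

```ruby
# Added example (not Puma code): decide how an HTTP/1.1 request body is framed,
# or refuse the request when the headers are ambiguous. Ambiguity here is what
# lets a proxy and a backend desynchronise, which is the root of request smuggling.

class AmbiguousFramingError < StandardError; end

# Parse raw "Name: value" lines into [downcased name, value] pairs.
# Duplicates are kept on purpose: duplicates are exactly what must be inspected.
def parse_headers(raw)
  raw.split(/\r?\n/).reject(&:empty?).map do |line|
    name, value = line.split(':', 2)
    raise AmbiguousFramingError, "malformed header line: #{line.inspect}" if value.nil?
    [name.strip.downcase, value.strip]
  end
end

# Returns [:chunked, nil], [:content_length, n] or [:no_body, nil].
# Raises AmbiguousFramingError whenever the framing is not unique.
def body_framing(raw_headers)
  headers = parse_headers(raw_headers)
  te = headers.select { |n, _| n == 'transfer-encoding' }.map(&:last)
  cl = headers.select { |n, _| n == 'content-length' }.map(&:last)

  if te.any?
    # Transfer-Encoding together with Content-Length must be rejected, not resolved.
    raise AmbiguousFramingError, 'both Transfer-Encoding and Content-Length present' if cl.any?
    # Strict policy: only a single, exact "chunked" coding is accepted.
    codings = te.flat_map { |v| v.split(',') }.map { |c| c.strip.downcase }
    raise AmbiguousFramingError, "unsupported transfer-coding: #{codings.inspect}" unless codings == ['chunked']
    return [:chunked, nil]
  end

  return [:no_body, nil] if cl.empty?

  # Several Content-Length headers are tolerated only when they are byte-identical,
  # and the value must be a plain non-negative decimal (no sign, no whitespace).
  raise AmbiguousFramingError, "conflicting Content-Length values: #{cl.inspect}" if cl.uniq.size > 1
  raise AmbiguousFramingError, "invalid Content-Length: #{cl.first.inspect}" unless cl.first.match?(/\A\d+\z/)
  [:content_length, Integer(cl.first, 10)]
end

# Convenience predicate for filters or log-based checks: true when the request
# would be rejected by the rule above.
def ambiguous_framing?(raw_headers)
  body_framing(raw_headers)
  false
rescue AmbiguousFramingError
  true
end
```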