Escape allow list hosts correctly

[CVE-2021-22903]
rails · May 5, 2021 · ef97441 · ef97441
1 parent 98a0a12
commit ef97441
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/actionpack/lib/action_dispatch/middleware/host_authorization.rb b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
@@ -48,7 +48,7 @@ def sanitize_string(host)
           if host.start_with?(".")
             /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
           else
-            /\A#{host}\z/i
+            /\A#{Regexp.escape host}\z/i
           end
         end
     end

diff --git a/actionpack/test/dispatch/host_authorization_test.rb b/actionpack/test/dispatch/host_authorization_test.rb
@@ -213,4 +213,15 @@ class HostAuthorizationTest < ActionDispatch::IntegrationTest
     assert_response :forbidden
     assert_match "Blocked host: example.com#sub.example.com", response.body
   end
+
+  test "blocks requests to similar host" do
+    @app = ActionDispatch::HostAuthorization.new(App, "sub.example.com")
+
+    get "/", env: {
+      "HOST" => "sub-example.com",
+    }
+
+    assert_response :forbidden
+    assert_match "Blocked host: sub-example.com", response.body
+  end
 end