From 010309d1084d5ac54d9f62eefa7ef100721fd1c8 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Wed, 20 Oct 2021 22:20:52 +0100
Subject: [PATCH] SECURITY: Improve validation of SNS subscription confirm (#14671)

An upstream validation bug in the aws-sdk-sns library could enable RCE under certain circumstances. This commit updates the upstream gem, and adds additional validation to provide defense-in-depth.
---
 Gemfile.lock | 10 +++++-----
 app/jobs/regular/confirm_sns_subscription.rb | 9 +++++++--
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 8c013d0d801..0e759362774 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -53,8 +53,8 @@ GEM
 rake (>= 10.4, < 14.0)
 ast (2.4.2)
 aws-eventstream (1.2.0)
- aws-partitions (1.432.0)
- aws-sdk-core (3.112.1)
+ aws-partitions (1.516.0)
+ aws-sdk-core (3.121.2)
 aws-eventstream (~> 1, >= 1.0.2)
 aws-partitions (~> 1, >= 1.239.0)
 aws-sigv4 (~> 1.1)
@@ -66,10 +66,10 @@ GEM
 aws-sdk-core (~> 3, >= 3.112.0)
 aws-sdk-kms (~> 1)
 aws-sigv4 (~> 1.1)
- aws-sdk-sns (1.38.0)
- aws-sdk-core (~> 3, >= 3.112.0)
+ aws-sdk-sns (1.46.0)
+ aws-sdk-core (~> 3, >= 3.121.2)
 aws-sigv4 (~> 1.1)
- aws-sigv4 (1.2.3)
+ aws-sigv4 (1.4.0)
 aws-eventstream (~> 1, >= 1.0.2)
 barber (0.12.2)
 ember-source (>= 1.0, < 3.1)
diff --git a/app/jobs/regular/confirm_sns_subscription.rb b/app/jobs/regular/confirm_sns_subscription.rb
index 073747067b5..f68588f89cb 100644
--- a/app/jobs/regular/confirm_sns_subscription.rb
+++ b/app/jobs/regular/confirm_sns_subscription.rb
@@ -13,8 +13,13 @@ module Jobs
 require "aws-sdk-sns"
 return unless Aws::SNS::MessageVerifier.new.authentic?(raw)
- # confirm subscription by visiting the URL
- open(subscribe_url)
+ uri = begin
+ URI.parse(subscribe_url)
+ rescue URI::Error
+ return
+ end
+
+ Net::HTTP.get(uri)
 end
 end
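Review bot: The parsed `uri` reaches `Net::HTTP.get(uri)` with no check on its scheme or host, so the defense-in-depth this commit aims for stops short: should the signature check above ever be bypassed, an attacker-supplied SubscribeURL could direct the job to issue a GET to any reachable host, including internal ones, and a non-HTTP value that `URI.parse` accepts (a bare path, for instance) raises inside Net::HTTP instead of being rejected. Before the request, add `return unless uri.is_a?(URI::HTTPS) && uri.host&.end_with?(".amazonaws.com")` so the job only ever contacts the expected SNS endpoint over TLS. `Net::HTTP` also needs `require "net/http"` next to the existing require unless the application already loads it elsewhere. The enclosing method starts outside the hunk.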