SECURITY: Improve validation of SNS subscription confirm (#14671)

An upstream validation bug in the aws-sdk-sns library could enable RCE under certain circumstances. This commit updates the upstream gem, and adds additional validation to provide defense-in-depth.

Gemfile.lock

@@ -53,8 +53,8 @@ GEM
       rake (>= 10.4, < 14.0)
     ast (2.4.2)
     aws-eventstream (1.2.0)
-    aws-partitions (1.432.0)
+    aws-partitions (1.516.0)
-    aws-sdk-core (3.112.1)
+    aws-sdk-core (3.121.2)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
@@ -66,10 +66,10 @@ GEM
       aws-sdk-core (~> 3, >= 3.112.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sdk-sns (1.38.0)
+    aws-sdk-sns (1.46.0)
-      aws-sdk-core (~> 3, >= 3.112.0)
+      aws-sdk-core (~> 3, >= 3.121.2)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.3)
+    aws-sigv4 (1.4.0)
       aws-eventstream (~> 1, >= 1.0.2)
     barber (0.12.2)
       ember-source (>= 1.0, < 3.1)

app/jobs/regular/confirm_sns_subscription.rb

@@ -13,8 +13,13 @@ module Jobs
       require "aws-sdk-sns"
       return unless Aws::SNS::MessageVerifier.new.authentic?(raw)
 
-      # confirm subscription by visiting the URL
+      uri = begin
-      open(subscribe_url)
+        URI.parse(subscribe_url)
+      rescue URI::Error
+        return
+      end
+
+      Net::HTTP.get(uri)
     end
 
   end