Upgrade Sinatra and Rack to fix vulnerability

The security alert says: > [sinatra is] vulnerable to Reliance on Untrusted Inputs in a Security > Decision via the X-Forwarded-Host (XFH) header. When making a request to > a method with redirect applied, it is possible to trigger an Open > Redirect Attack by inserting an arbitrary address into this header. If > used for caching purposes, such as with servers like Nginx, or as a > reverse proxy, without handling the X-Forwarded-Host header, attackers > can potentially exploit Cache Poisoning or Routing-based SSRF. See https://github.com/gma/nesta/security/dependabot/30 for details.
gma · Nov 19, 2024 · 1ac482c · 1ac482c
1 parent 80b1b5e
commit 1ac482c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.18.0 (Unreleased)
+
+* Update Sinatra to 4.1, to fix a vulnerability. (Graham Ashton)
+
 ## 0.17.0 (6 November 2024)
 
  * Update Sinatra to verion 4.0, to fix a vulnerability. This has also

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -44,6 +44,7 @@ GEM
       rb-fsevent (>= 0.9.3)
       rb-inotify (>= 0.9)
       rb-kqueue (>= 0.2)
+    logger (1.6.1)
     mini_mime (1.1.5)
     mini_portile2 (2.8.7)
     minitest (5.25.1)
@@ -65,8 +66,9 @@ GEM
     public_suffix (6.0.1)
     racc (1.8.1)
     rack (3.1.8)
-    rack-protection (4.0.0)
+    rack-protection (4.1.0)
       base64 (>= 0.1.0)
+      logger (>= 1.6.0)
       rack (>= 3.0.0, < 4)
     rack-session (2.0.0)
       rack (>= 3.0.0)
@@ -85,10 +87,11 @@ GEM
     sass-embedded (1.80.6)
       google-protobuf (~> 4.28)
       rake (>= 13)
-    sinatra (4.0.0)
+    sinatra (4.1.0)
+      logger (>= 1.6.0)
       mustermann (~> 3.0)
       rack (>= 3.0.0, < 4)
-      rack-protection (= 4.0.0)
+      rack-protection (= 4.1.0)
       rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
     temple (0.10.3)