Merge branch '5-1-1'

tenderlove · tenderlove · commit 71f349ade11c · 2020-05-05T15:19:34.000-07:00
* 5-1-1:
  bump version
  Updating the changelog
  Properly encode ID parameters to avoid possible information leak
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 *   Fix railtie logic that adds Active Job serialization support.
 
+## Active Resource 5.1.1 (May 5, 2020) ##
+
+*   Properly encode ID parameters to avoid possible information leak [CVE-2020-8151]
+
 ## Active Resource 5.1.0 (Nov 2, 2018) ##
 
 *   Improve support of Active Resource objects inside fibers.
diff --git a/lib/active_resource/base.rb b/lib/active_resource/base.rb
@@ -774,7 +774,7 @@ def element_path(id, prefix_options = {}, query_options = nil)
         check_prefix_options(prefix_options)
 
         prefix_options, query_options = split_options(prefix_options) if query_options.nil?
-        "#{prefix(prefix_options)}#{collection_name}/#{URI.parser.escape id.to_s}#{format_extension}#{query_string(query_options)}"
+        "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
       end
 
       # Gets the element url for the given ID in +id+. If the +query_options+ parameter is omitted, Rails
diff --git a/lib/active_resource/version.rb b/lib/active_resource/version.rb
@@ -4,7 +4,7 @@ module ActiveResource
   module VERSION #:nodoc:
     MAJOR = 5
     MINOR = 1
-    TINY  = 0
+    TINY  = 1
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
diff --git a/test/cases/base_test.rb b/test/cases/base_test.rb
@@ -688,7 +688,7 @@ def test_custom_element_path
     assert_equal "/people/1/addresses/1.json", StreetAddress.element_path(1, person_id: 1)
     assert_equal "/people/1/addresses/1.json", StreetAddress.element_path(1, "person_id" => 1)
     assert_equal "/people/Greg/addresses/1.json", StreetAddress.element_path(1, "person_id" => "Greg")
-    assert_equal "/people/ann%20mary/addresses/ann%20mary.json", StreetAddress.element_path(:'ann mary', "person_id" => "ann mary")
+    assert_equal "/people/ann%20mary/addresses/ann+mary.json", StreetAddress.element_path(:'ann mary', "person_id" => "ann mary")
   end
 
   def test_custom_element_path_without_required_prefix_param
diff --git a/test/cases/finder_test.rb b/test/cases/finder_test.rb
@@ -172,4 +172,20 @@ def test_find_single_by_symbol_from
     david = Person.find(:one, from: :leader)
     assert_equal "David", david.name
   end
+
+  def test_find_identifier_encoding
+    ActiveResource::HttpMock.respond_to { |m| m.get "/people/%3F.json", {}, @david }
+
+    david = Person.find("?")
+
+    assert_equal "David", david.name
+  end
+
+  def test_find_identifier_encoding_for_path_traversal
+    ActiveResource::HttpMock.respond_to { |m| m.get "/people/..%2F.json", {}, @david }
+
+    david = Person.find("../")
+
+    assert_equal "David", david.name
+  end
 end
