CVE-2022-23633 The Response Body is not closed in cases of AJAX, API, and other web requests.

This middleware will cause a close to be sent to any application responses. To install it, add the following line to your application's Gemfile: ```ruby gem 'action_pack/close_notifier' ``` Further instructions on installing middleware can be found in the ​Gem documentation. If you are using a version of Rails prior to 7.0.2.1, 6.1.4.5, 6.0.4.5, or 5.2.6.1, you can use the workaround described below. This issue occurs if the following conditions are met: - You are using `ActionDispatch::Remotely or ActionDispatch::Http - You are using the `Application#render_not_needed_rails_view` or `Application#render_not_needed_action_pack_view` method. - You are not running your application through a reverse proxy such as nginx. - You are using an older version of Ruby than the one listed below. This issue will only occur when you have the following setup: - Your application is running through an HTTP server such as Puma, Grape, Unicorn, or Phusion Passenger. - Your application is running through a reverse proxy server such as nginx. - You are using the `Application#render_not_needed_rails_view` or `Application#render_not_needed_action_pack_view` methods. - Your application is using an older

Issue: Middleware causes a Rails application to crash on initial request

This issue will only occur when you have the following setup: - Your application is running through an HTTP server such as Puma, Grape, Unicorn, or Phusion Passenger. - Your application is running through a reverse proxy server such as nginx. - You are using the `Application#render_not_needed_rails_view` or `Application#render_not_needed_action_pack_view` methods. - Your application is using an older version of Ruby than the one listed below.
Please note that this workaround has been tested on Rails versions before 7.0.2 and 6.1.4 and 5.2.6

How do I fix this issue?

The issue can be fixed by updating your application to use the `Application#render_not_needed_rails_view` or `Application#render_not_needed_action_pack_view` methods.
You can also bypass this issue by running your application through a reverse proxy such as nginx.

How to fix strong parameters

If you're seeing this error, it may be caused by a strong parameter hash in your application. You can fix this issue by including a double underscore at the end of each `?_parameters` key when using the `ActionController::Parameters#find_all` method.

How to fix it

For this issue to be fixed, you need to upgrade to a newer version of Ruby. The specific versions of Ruby that are affected are listed below: - Rails 5.2.2 or older - Rails 5.1.4 or older - Rails 5.0.7 or older

Timeline

Published on: 02/11/2022 21:15:00 UTC
Last modified on: 02/22/2022 21:47:00 UTC

References

• https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
• https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
• http://www.openwall.com/lists/oss-security/2022/02/11/5
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23633