From 5d04a78bbfd3d8b3ec96eb906db64e540acc0045 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 24 2018 07:16:52 +0000
Subject: import rh-ror42-rubygem-sprockets-3.2.0-5.el7
---
diff --git a/SOURCES/rubygem-sprockets-2.12.4-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server-tests.patch b/SOURCES/rubygem-sprockets-2.12.4-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server-tests.patch
new file mode 100644
index 0000000..9b7533c
--- /dev/null
+++ b/SOURCES/rubygem-sprockets-2.12.4-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server-tests.patch
@@ -0,0 +1,38 @@
+From 9c34fa05900b968d74f08ccf40917848a7be9441 Mon Sep 17 00:00:00 2001
+From: schneems
+Date: Tue, 24 Apr 2018 16:32:22 -0500
+Subject: [PATCH] Do not respond to http requests asking for a `file://`
+
+Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.
+
+A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:
+
+```ruby
+config.assets.compile = true # Your app is vulnerable
+```
+
+It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.
+
+This patch mitigates the issue, but explicitly disallowing any requests to any URI resources via the server.
+---
+ test/test_server.rb | 7 +++++++
+ 1 file changed, 7 insertions(+), 0 deletion(-)
+
+diff --git a/test/test_server.rb b/test/test_server.rb
+index 66429533..19921e19 100644
+--- a/test/test_server.rb
++++ b/test/test_server.rb
+@@ -320,6 +320,13 @@ def app
+ assert_equal 403, last_response.status
+ end
+
++ test "illegal access of a file asset" do
++ absolute_path = fixture_path("server/app/javascripts")
++
++ get "assets/file:%2f%2f//#{absolute_path}/foo.js"
++ assert_equal 403, last_response.status
++ end
++
+ test "add new source to tree" do
+ filename = fixture_path("server/app/javascripts/baz.js")
+
diff --git a/SOURCES/rubygem-sprockets-2.12.4-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch b/SOURCES/rubygem-sprockets-2.12.4-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch
new file mode 100644
index 0000000..15dc782
--- /dev/null
+++ b/SOURCES/rubygem-sprockets-2.12.4-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch
@@ -0,0 +1,33 @@
+From 9c34fa05900b968d74f08ccf40917848a7be9441 Mon Sep 17 00:00:00 2001
+From: schneems
+Date: Tue, 24 Apr 2018 16:32:22 -0500
+Subject: [PATCH] Do not respond to http requests asking for a `file://`
+
+Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.
+
+A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:
+
+```ruby
+config.assets.compile = true # Your app is vulnerable
+```
+
+It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.
+
+This patch mitigates the issue, but explicitly disallowing any requests to any URI resources via the server.
+---
+ lib/sprockets/server.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
+index 795bdec7..2ad2c9ab 100644
+--- a/lib/sprockets/server.rb
++++ b/lib/sprockets/server.rb
+@@ -115,7 +115,7 @@ def forbidden_request?(path)
+ #
+ # http://example.org/assets/../../../etc/passwd
+ #
+- path.include?("..") || absolute_path?(path)
++ path.include?("..") || absolute_path?(path) || path.include?("://")
+ end
+
+ # Returns a 200 OK response tuple
diff --git a/SPECS/rubygem-sprockets.spec b/SPECS/rubygem-sprockets.spec
index 7b09834..fe22dd2 100644
--- a/SPECS/rubygem-sprockets.spec
+++ b/SPECS/rubygem-sprockets.spec
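Review bot: The new `|| path.include?("://")` clause in the nested `forbidden_request?` hunk is undocumented, while the comment block just above it still explains only the `..` traversal example; a line such as `# Also reject URI-style requests (e.g. file://...) - CVE-2018-3760` beside that example would tell the next reader why a scheme separator is forbidden. The companion test patch requests `assets/file:%2f%2f//...` and expects 403, so this literal `://` match can only hold if `path` has already been URL-decoded by the time it reaches this method; that ordering is not visible in the hunk and deserves a one-line note so a later refactor does not move the decode after the check. `forbidden_request?` begins before the nested hunk's first line. Since the file is an upstream commit vendored as-is, placing the explanation in the spec's `# Fix CVE-2018-3760` comment block instead keeps the patch identical to upstream.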
@@ -11,7 +11,7 @@
 Name: %{?scl_prefix}rubygem-%{gem_name}
 Version: 3.2.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Rack-based asset packaging system
 Group: Development/Languages
 License: MIT
@@ -22,6 +22,12 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
 # git checkout v3.2.0 && tar czf sprockets-3.2.0-tests.tgz test/
 Source1: sprockets-%{version}-tests.tgz
+# Fix CVE-2018-3760: Path traversal in sprockets/server.rb:forbidden_request?()
+# https://bugzilla.redhat.com/show_bug.cgi?id=1595901
+# https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441
+Patch0: rubygem-sprockets-2.12.4-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server.patch
+Patch1: rubygem-sprockets-2.12.4-CVE-2018-3760-Fix-Path-traversal-in-sprockets-server-tests.patch
+
 Requires: %{?scl_prefix_ruby}ruby(release)
 Requires: %{?scl_prefix_ruby}ruby(rubygems)
 Requires: %{?scl_prefix}rubygem(rack) > 1
@@ -41,6 +47,9 @@ BuildRequires: %{?scl_prefix}rubygem(uglifier)
 BuildArch: noarch
 Provides: %{?scl_prefix}rubygem(%{gem_name}) = %{version}
+# Explicitly require runtime subpackage, as long as older scl-utils do not generate it
+Requires: %{?scl_prefix}runtime
+
 BuildRequires: %{?scl_prefix_nodejs}nodejs
 %description
@@ -62,6 +71,10 @@ Documentation for %{pkg_name}.
 %gem_install -n %{SOURCE0}
 %{?scl:EOF}
+pushd .%{gem_instdir}
+%patch0 -p1
+popd
+
 %build
 %install
@@ -82,6 +95,8 @@ find %{buildroot}%{gem_instdir}/bin -type f | xargs chmod a+x
 pushd .%{gem_instdir}
 tar xzf %{SOURCE1}
+cat %{PATCH1} | patch -p1 -F 0
+
 # We don't have rubygem(closure-compiler) yet.
 # https://bugzilla.redhat.com/show_bug.cgi?id=725733
 mv test/test_closure_compressor.rb{,.disabled}
@@ -112,7 +127,7 @@ popd
 %files
 %dir %{gem_instdir}
 %{_bindir}/sprockets
-%license %{gem_instdir}/LICENSE
+%{gem_instdir}/LICENSE
 %{gem_instdir}/bin
 %{gem_libdir}
 %exclude %{gem_cache}
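Review bot: The `Requires: %{?scl_prefix}runtime` line added in the `@@ -41,6 +47,9 @@` hunk and the change from `%license %{gem_instdir}/LICENSE` to a plain `%{gem_instdir}/LICENSE` in the `@@ -112,7 +127,7 @@` hunk are unrelated to the CVE backport and are not mentioned in the new changelog entry, and the second one silently drops the license file's `%license` classification from the package metadata. If the reason is an rpm in the target build root without `%license`, the customary compatibility line `%{!?_licensedir:%global license %%doc}` near the top of the spec keeps the tag where it is supported and degrades to `%doc` elsewhere, instead of removing it for every build. Either way, one changelog line per change (for example `- Add explicit Requires on the runtime subpackage` and `- Ship LICENSE without %license for older rpm`) would make the import reviewable.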
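Review bot: `cat %{PATCH1} | patch -p1 -F 0` in the `@@ -82,6 +95,8 @@` hunk pipes a file through `cat` only to feed it to `patch`; `patch -p1 -F 0 < %{PATCH1}` does the same without the extra process. The two halves of the same upstream commit are also applied with different strictness: Patch0 goes in through `%patch0 -p1` in the `@@ -62,6 +71,10 @@` hunk without an explicit `-F 0`, while Patch1 gets `-F 0`, so giving both `-F 0` makes a future rebase fail loudly for the library half too rather than only for the tests. Both patch files are named `rubygem-sprockets-2.12.4-...` although they are applied to a 3.2.0 tree; a short comment after the Patch declarations in the `@@ -22,6 +22,12 @@` hunk, such as `# upstream commit split into lib and test halves for this package layout`, would explain the naming, though I cannot tell from the page whether the hunks were adapted beyond the split.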
@@ -123,6 +138,11 @@ popd
 %doc %{gem_instdir}/README.md
 %changelog
+* Tue Jul 03 2018 Pavel Valena - 3.2.0-5
+- Fix: Path traversal in sprockets server
+Resolves: rhbz#1595901
+Resolves: CVE-2018-3760
+
 * Wed Feb 17 2016 Pavel Valena - 3.2.0-4
 - Update to 3.2.0