SECURITY: Improve validation of SNS subscription confirm (#14671)

An upstream validation bug in the aws-sdk-sns library could enable RCE under certain circumstances. This commit updates the upstream gem, and adds additional validation to provide defense-in-depth.
2024-11-23 01:47:22 +08:00 · 2021-10-20 22:20:52 +01:00 · 2021-10-20 22:20:52 +01:00 · 010309d108
commit 010309d108
parent 8fb823c30f
2 changed files with 12 additions and 7 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -53,8 +53,8 @@ GEM
      rake (>= 10.4, < 14.0)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.432.0)
-    aws-sdk-core (3.112.1)
+    aws-partitions (1.516.0)
+    aws-sdk-core (3.121.2)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
@ -66,10 +66,10 @@ GEM
      aws-sdk-core (~> 3, >= 3.112.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
-    aws-sdk-sns (1.38.0)
-      aws-sdk-core (~> 3, >= 3.112.0)
+    aws-sdk-sns (1.46.0)
+      aws-sdk-core (~> 3, >= 3.121.2)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.3)
+    aws-sigv4 (1.4.0)
      aws-eventstream (~> 1, >= 1.0.2)
    barber (0.12.2)
      ember-source (>= 1.0, < 3.1)
--- a/app/jobs/regular/confirm_sns_subscription.rb
+++ b/app/jobs/regular/confirm_sns_subscription.rb
@ -13,8 +13,13 @@ module Jobs
      require "aws-sdk-sns"
      return unless Aws::SNS::MessageVerifier.new.authentic?(raw)

-      # confirm subscription by visiting the URL
-      open(subscribe_url)
+      uri = begin
+        URI.parse(subscribe_url)
+      rescue URI::Error
+        return
+      end
+
+      Net::HTTP.get(uri)
    end

  end