🚨 [security] Update devise 5.0.3 → 5.0.4 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ devise (5.0.3 → 5.0.4) · Repo · Changelog

Security Advisories 🚨

🚨 Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler

Summary

When the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected.

Details

The vulnerable code is in lib/devise/failure_app.rb:

def redirect_url
  if warden_message == :timeout
    flash[:timedout] = true if is_flashing_format?
<span class="pl-s1">path</span> <span class="pl-c1">=</span> <span class="pl-k">if</span> <span class="pl-en">request</span><span class="pl-kos">.</span><span class="pl-en">get?</span>
  <span class="pl-en">attempted_path</span>          <span class="pl-c"># safe: server-side value from warden options</span>
<span class="pl-k">else</span>
  <span class="pl-en">request</span><span class="pl-kos">.</span><span class="pl-en">referrer</span>        <span class="pl-c"># UNSAFE: HTTP Referer header, attacker-controlled</span>
<span class="pl-k">end</span>

<span class="pl-s1">path</span> || <span class="pl-en">scope_url</span>

else

scope_url

end

end

This is passed directly to redirect_to:

def redirect
  store_location!
  # ...
  redirect_to redirect_url   # redirect_url may be an external attacker URL
end

The GET timeout path uses attempted_path, which is set server-side by Warden and cannot be influenced by the client. The store_location! method also only runs for GET requests, so no session-based protection is applied on POST timeouts.

By contrast, Devise's store_location_for method (used elsewhere) correctly sanitizes URLs via extract_path_from_location, which strips the scheme and host.

Impact

• Victims with expired sessions who click any attacker-crafted link or visit an attacker page with an auto-submitting form are redirected to an arbitrary external URL.
• The redirect happens transparently via a trusted domain (the target app's domain), bypassing browser phishing warnings.
• An attacker can redirect victims to a fake login page to harvest credentials (phishing), or to malicious download sites.

Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it.

Patches

This is patched in Devise v5.0.4. Users should upgrade as soon as possible.

Workaround

None beyond upgrading. If an upgrade is not immediately possible, the same changes from the patch commit can be applied as a monkey-patch in a Rails initializer (Devise::FailureApp#redirect_url and Devise::Controllers::StoreLocation#extract_path_from_location). Remove the monkey-patch after upgrading.

Commits

See the full diff on Github. The new version differs by 7 commits:

• Release v5.0.4 with sec fix for timeoutable
• Merge commit from fork
• Add GHSA link to the v5.0.3 sec fix changelog entry [ci skip]
• Update links to https [ci skip]
• Bundle update
• Cleanup old Rails.version check for db migration path
• Fix Gemfile for Rails 7.2, incorrectly testing against 7.1

↗️ bigdecimal (indirect, 4.1.0 → 4.1.2) · Repo · Changelog

Release Notes

4.1.2

What's Changed

• Optimize BigDecimal#to_s by @byroot in #519
• Fix calloc-transposed-args warning by @nobu in #520
• Use '0'+n for converting single digit to char by @tompng in #521
• Revert "Add a workaround for slow BigDecimal#to_f when it has large N_significant_digits" by @tompng in #522
• BigMath.exp overflow/underflow check by @tompng in #523
• Fix unary minus on unsigned type warning by @tompng in #525
• Update dtoa to version from Ruby 4.0 by @jhawthorn in #528
• Bump version to v4.1.2 by @tompng in #529

New Contributors

• @jhawthorn made their first contribution in #528

Full Changelog: v4.1.1...v4.1.2

4.1.1

What's Changed

• Define test as the default rake task by @byroot in #509
• Add changelog for 4.1.0. by @simi in #508
• Make BigDecimal object embedded by @byroot in #507
• Remove unused minitest from Gemfile by @byroot in #510
• Multiplication with 8-decdig batch by @tompng in #501
• Increase VpMult batch size by @tompng in #511
• Update to cover change in Bundler by @brandonzylstra in #512
• tiny grammar fix in README.md by @brandonzylstra in #513
• Add a workaround for slow BigDecimal#to_f when it has large N_significant_digits by @tompng in #514
• Bump version to v4.1.1 by @tompng in #516

New Contributors

• @byroot made their first contribution in #509
• @simi made their first contribution in #508
• @brandonzylstra made their first contribution in #512

Full Changelog: v4.1.0...v4.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

• Bump version to v4.1.2 (#529)
• Update dtoa to version from Ruby 4.0 (#528)
• Merge pull request #526 from ruby/dependabot/github_actions/step-security/harden-runner-2.17.0
• Bump step-security/harden-runner from 2.16.1 to 2.17.0
• Fix unary minus on unsigned type warning (#525)
• BigMath.exp overflow/underflow check (#523)
• Revert "Add a workaround for slow BigDecimal#to_f when it has large N_significant_digits (#514)" (#522)
• Use '0'+n for converting single digit to char (#521)
• Merge pull request #517 from ruby/dependabot/github_actions/rubygems/release-gem-1.2.0
• Merge pull request #518 from ruby/dependabot/github_actions/step-security/harden-runner-2.16.1
• Fix calloc-transposed-args warning (#520)
• Optimize BigDecimal#to_s (#519)
• Bump step-security/harden-runner from 2.16.0 to 2.16.1
• Bump rubygems/release-gem from 1.1.4 to 1.2.0
• Bump version to v4.1.1 (#516)
• Add a workaround for slow BigDecimal#to_f when it has large N_significant_digits (#514)
• tiny grammar fix in README.md (#513)
• Update to cover change in Bundler (#512)
• Increase VpMult batch size (#511)
• Multiplication with 8-decdig batch (#501)
• Remove unused minitest from Gemfile (#510)
• Make BigDecimal object embedded (#507)
• Add changelog for 4.1.0. (#508)
• Define `test` as the default rake task (#509)

↗️ irb (indirect, 1.17.0 → 1.18.0) · Repo · Changelog

Release Notes

1.18.0

What's Changed

✨ Enhancements

• Completely migrate to prism by @tompng in #1160
• Suppress error highlight for some incomplete code by @tompng in #1173
• Display command description in doc dialog on tab completion by @st0012 in #1180
• Add startup banner with Ruby logo, version info, and tips by @st0012 in #1183
• Highlight the method name in method calls by @shugo in #1189
• Add --nobanner option to suppress startup banner by @st0012 in #1200

🐛 Bug Fixes

• Make ls command work for BasicObjects by @eikes in #1177
• Fix IRB crash when typing string literal with control/meta sequence by @tompng in #1182
• Wait for pager to terminate by @tompng in #1192
• Fix incorrect dash in startup message by @st0012 in #1206
• Colorize KEYWORD_DO_BLOCK (added in head Prism) by @tompng in #1207

🛠 Other Changes

• Silence default_external warning in tests by @Earlopain in #1172
• Ruby >= 4.1.0 allows trailing comma in method signature by @eikes in #1178
• Fix display_document test fails in tty environment by @tompng in #1185
• Use Prism::ParseResult#continuable? if possible by @tompng in #1184
• Do not open nesting for character literals by @shugo in #1190
• Fix random EPIPE failure in SIGINT restore tests by @k0kubun in #1191
• Bump version to 1.18.0 by @st0012 in #1208

New Contributors

• @Earlopain made their first contribution in #1172
• @eikes made their first contribution in #1178
• @shugo made their first contribution in #1190

Full Changelog: v1.17.0...v1.18.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

• Bump version to 1.18.0 (#1208)
• Colorize KEYWORD_DO_BLOCK (added in head Prism) (#1207)
• Fix incorrect dash in startup message (#1206)
• Add --nobanner option to suppress startup banner (#1200)
• Bump rubygems/release-gem from 1.1.4 to 1.2.0
• Bump actions/upload-pages-artifact from 4 to 5
• Bump step-security/harden-runner from 2.16.0 to 2.17.0
• Highlight the method name in method calls (#1189)
• Bump actions/configure-pages from 5 to 6
• Bump actions/deploy-pages from 4 to 5
• Wait for pager to terminate (#1192)
• Fix random EPIPE failure in SIGINT restore tests (#1191)
• Do not open nesting for character literals (#1190)
• Bump rubygems/release-gem from 1.1.2 to 1.1.4
• Bump step-security/harden-runner from 2.15.1 to 2.16.0
• Add startup banner with Ruby logo, version info, and rotating tips (#1183)
• Use Prism::ParseResult#continuable? if possible (#1184)
• Fix display_document test fails in tty environment (#1185)
• Display command description in doc dialog on tab completion (#1180)
• Fix IRB crash when typing string literal with control/meta sequence (#1182)
• Bump step-security/harden-runner from 2.15.0 to 2.15.1
• Make ls command work for BasicObjects (#1177)
• Bump step-security/harden-runner from 2.14.2 to 2.15.0
• Ruby / Prism >= 4.1.0 allows trailing comma in method definition (#1178)
• Suppress error highlight for some incomplete code (#1173)
• Completely migrate to prism (#1160)
• Silence default_external warning in tests (#1172)
• Bump actions/checkout from 6.0.1 to 6.0.2
• Bump step-security/harden-runner from 2.14.0 to 2.14.2

↗️ minitest (indirect, 6.0.2 → 6.0.6) · Repo · Changelog

Release Notes

6.0.6 (from changelog)

• 2 bug fixes:

  • Fix using assert_equal/same/nil w/ BasicObject by comparing w/ ‘nil == exp`. (mtasaka)

  • Removed private Assertions#_where as it is no longer used.

6.0.5 (from changelog)

• 2 bug fixes:

  • Avoid circular requires in lib/minitest/server_plugin.rb.

  • Raise TypeError if assert_raises is passed anything but modules/classes.

6.0.4 (from changelog)

• 1 bug fix:

  • Fixed refute_predicate to call assert_respond_to w/ include_all:true like assert_predicate does. (jparker)

6.0.3 (from changelog)

• 1 bug fix:

  • assert_same(nil, value) no longer allowed. Use assert_nil to be explicit. (paddor)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• prepped for release
• - Removed private Assertions#_where as it is no longer used.
• - Fix using assert_equal/same/nil w/ BasicObject by comparing w/ `nil == exp`. (mtasaka)
• Branching minitest to version 6.0.5
• - Raise TypeError if assert_raises is passed anything but modules/classes.
• - Avoid circular requires in lib/minitest/server_plugin.rb.
• prepped for release
• - Fixed refute_predicate to call assert_respond_to w/ include_all:true like assert_predicate does. (jparker)
• prepped for release
• - assert_same(nil, value) no longer allowed. Use assert_nil to be explicit. (paddor)

↗️ rake (indirect, 13.3.1 → 13.4.2) · Repo · Changelog

Release Notes

13.4.2

What's Changed

• Preserve ENV["TESTOPTS"] when verbose is enabled by @hsbt in #723

Full Changelog: v13.4.1...v13.4.2

13.4.1

What's Changed

• Add lib/rake/options.rb to gemspec by @hsbt in #721

Full Changelog: v13.4.0...v13.4.1

13.4.0

What's Changed

• refactor: fix ambiguous regexp / assertion in one of the tests by @pvdb in #667
• Fix RDoc formatting in doc/command_line_usage.rdoc by @hsbt in #693
• Document implicit file tasks by @hsbt in #692
• Show chdir option as a command by @nobu in #552
• Verbose console by @kaiquekandykoga in #394
• Align example with text by @henrebotha in #632
• Allow accept multiple files to TEST env var by @Yegorov in #712
• Replace Rake's Win32-specific logic with a 100% equivalent, pure-Ruby implementation by @pvdb in #669
• Add Options class and switch Application to use it instead of anonymous Struct by @hsbt in #694
• Accept Pathname object as rule's prerequisite by @gemmaro in #528
• Dedupe and simplify standard_system_dir by @pvdb in #713

New Contributors

• @kaiquekandykoga made their first contribution in #394
• @henrebotha made their first contribution in #632
• @Yegorov made their first contribution in #712

Full Changelog: v13.3.1...v13.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)