From b41469a3fab67bb651c027385a629af37e0d0f8c Mon Sep 17 00:00:00 2001
From: Hector Medina-Fetterman
Date: Wed, 9 Oct 2024 21:26:51 +0200
Subject: [PATCH] Check for invalid byte sequence when testing a session_id
---
 .../session/active_record_store.rb | 2 +-
 test/action_controller_test.rb | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/action_dispatch/session/active_record_store.rb b/lib/action_dispatch/session/active_record_store.rb
index ae21d70..920ab0a 100644
--- a/lib/action_dispatch/session/active_record_store.rb
+++ b/lib/action_dispatch/session/active_record_store.rb
@@ -133,7 +133,7 @@ def get_session_model(request, id)
 end
 def get_session_with_fallback(sid)
- if sid && !self.class.private_session_id?(sid.public_id)
+ if sid && sid.public_id.valid_encoding? && !self.class.private_session_id?(sid.public_id)
 if (secure_session = session_class.find_by_session_id(sid.private_id))
 secure_session
 elsif (insecure_session = session_class.find_by_session_id(sid.public_id))
diff --git a/test/action_controller_test.rb b/test/action_controller_test.rb
index 306bd40..1b5cb42 100644
--- a/test/action_controller_test.rb
+++ b/test/action_controller_test.rb
@@ -237,6 +237,22 @@ def test_incoming_invalid_session_id_via_cookie_should_be_ignored
 end
 end
+ def test_incorrectly_encoded_session_id_via_cookie_should_be_ignored
+ with_test_route_set do
+ open_session do |sess|
+ incorrectly_encoded_id = "\xAA\xAA".force_encoding('UTF-8')
+ sess.cookies['_session_id'] = incorrectly_encoded_id
+ sess.get '/set_session_value'
+ new_session_id = sess.cookies['_session_id']
+ assert_not_equal incorrectly_encoded_id, new_session_id
+ sess.get '/get_session_value'
+ new_session_id_2 = sess.cookies['_session_id']
+ assert_equal new_session_id, new_session_id_2
+ end
+ end
+ end
+
 def test_incoming_invalid_session_id_via_parameter_should_be_ignored
 with_test_route_set(:cookie_only => false) do
 open_session do |sess|
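Review bot: The new `valid_encoding?` guard only covers the lookup in `get_session_with_fallback`; if `sid.public_id` is also handed to `private_session_id?` or `find_by_session_id` on any other path in this file (the `get_session_model` branch named in the hunk header, or session deletion), those calls still receive the malformed string and need the same check — worth confirming, since the rest of this method and its `else` branch lie outside the hunk. The guard also silently depends on the id arriving tagged UTF-8, which the new test forces explicitly: a string tagged ASCII-8BIT always reports `valid_encoding?` as true, so a binary-tagged id from another input path would bypass it. A comment stating why the check exists would help the next reader, e.g. `# A malformed byte sequence in the id must not reach the session-id match below (presumably a regexp, which would raise ArgumentError); treat such ids as absent.`. The condition now calls `sid.public_id` twice on one long line; binding it once, or extracting a predicate such as `usable_session_id?(sid)`, would keep the guard readable as further checks accrue.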
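Review bot: The new test exercises only the cookie path, whereas the existing invalid-id test is paired with `test_incoming_invalid_session_id_via_parameter_should_be_ignored` (visible right below, run with `with_test_route_set(:cookie_only => false)`); the malformed-encoding case has no parameter-path counterpart, so that entry point stays untested. A sibling `test_incorrectly_encoded_session_id_via_parameter_should_be_ignored` mirroring the parameter test's shape — its body continues outside the hunk, so the exact call form is not visible here — would close that gap. The assertions also only show that a fresh id was issued; they do not verify that no session row was created for the malformed id, which is the property the guard is meant to guarantee — if the suite has a session-count helper, assert it did not grow. Minor style: `force_encoding` mutates the literal in place and will raise once the file enables `# frozen_string_literal: true`, so `incorrectly_encoded_id = "\xAA\xAA".dup.force_encoding('UTF-8')` is safer, and `new_session_id_2` would read better as `persisted_session_id`.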