I reviewed ruby-rack-session 2.1.1-0maysync1 as checked into questing. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability. This code base has already been reviewed as part of
ruby-rack before it was split into ruby-rack-session.
ruby-rack-session is a session management implementation for Rack.
- CVE History
- CVE-2025-46336
- This seems to be an authentication vulnerability, allowing
unauthenticated attackers to occupy deleted rack sessions.
- In this particular case, the attacker would have to first somehow
acquire the session cookie, which would allow the attacker to trigger
a long running request and maintain the session even after the user
has attempted to log out. It would be a big issue for an attacker to
acquire a session cookie in the first place.
- This vulnerability was fixed in 2.1.1
- The project was a part of ruby-rack before version 3, however, the CVEs
that affected ruby-rack did not seem to affect the session code.
- Build-Depends
- ruby-rack, as well as standard ruby packaging/testing. No issues here.
- pre/post inst/rm scripts
- None
- init scripts
- None
- systemd units
- None
- dbus services
- None
- setuid binaries
- None
- binaries in PATH
- None
- sudo fragments
- None
- polkit files
- None
- udev rules
- None
- unit tests / autopkgtests
- Runs unit tests on build time. No autopkgtests.
- cron jobs
- None
- Build logs
- Seem normal.
- Processes spawned
- The library itself does not seem to spawn processes or do
multithreading. This could be changed by the application implementing
this library. There are some thread safety options present in
./lib/rack/session/abstract/id.rb that currently raise not implemented
errors.
- The library also seems to support multithreading in .../pool.rb, by
allowing the usage of mutex options.
- Memory management
- N/A
- File IO
- None
- Logging
- Seems to have normal logging.
- Environment variable usage
- None, apart from tests.
- Use of privileged functions
- None
- Use of cryptography / random number sources etc
- Uses the openssl library. The library itself includes an implementation
that uses encryption for session cookie tokens. The cipher appears to be
"aes-256-ctr", and an HMAC is applied over the Marshal-serialized data
(or JSON, depending on what the application specifies).
- The application seems to allow no encoding or custom encoding. If no
encoding is used, the application will display a security warning,
with a deprecation warning that in a future version this will not be
allowed.
- The application implementing the library would also need to supply
its own randomly generated secret keys to pass to the library for
cookie encryption.
- The HMAC implementation is HMAC-SHA-256, unless the legacy option is
supplied by the application using the library, in which case the
implementation is HMAC-SHA1 (which is not recommended, but the
application would have to consciously make that decision to use
the legacy option).
- Overall, the library seems to handle encryption and encoding properly,
utilizing good encryption implementation options. The library also
makes it clear for the applications implementing the library as to how
to use these options to ensure encryption is handled correctly. It is
up to the application using the library, however, to properly utilize
these options for proper security.
- Use of temp files
- None
- Use of networking
- Does not seem to handle networking itself, as it is a middleware, and
therefore relies on another implementation to handle networking.
- Use of WebKit
- None
- Use of PolicyKit
- None
- Any significant Coverity results
- None
- Any significant shellcheck results
- None
- Any significant Semgrep results
- None
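The cookie-sealing construction described in the cryptography section above, as an added worked example. This is not rack-session's Encryptor and not code from the package; it is an illustration written for this review of the shape the review describes: AES-256-CTR for confidentiality, HMAC-SHA-256 for integrity, over JSON- or Marshal-serialized session data, keyed from a secret the application must supply. Deriving separate encryption and MAC keys from that one secret with HMAC, the fixed labels used for it, and the class and method names are all assumptions of the example.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Encrypt-then-MAC sealing of a serialized session hash (AES-256-CTR +
# HMAC-SHA-256). Constructed for this review as an illustration; it is NOT
# rack-session's Encryptor. Deriving two keys from one application secret via
# HMAC with fixed labels is this example's own choice.
class CookieSealer
  CIPHER  = 'aes-256-ctr'
  IV_LEN  = 16
  TAG_LEN = 32 # HMAC-SHA-256 output size

  class InvalidMessage < StandardError; end

  # secret: random bytes the application generates and keeps out of the repo.
  # serializer: :json (portable) or :marshal (arbitrary Ruby objects).
  # Marshal.load on cookie bytes is only acceptable because the MAC is
  # verified before the deserializer ever sees them.
  def initialize(secret, serializer: :json)
    raise ArgumentError, 'secret must be at least 32 random bytes' if secret.bytesize < 32
    @enc_key = OpenSSL::HMAC.digest('sha256', secret, 'session-enc') # assumed derivation
    @mac_key = OpenSSL::HMAC.digest('sha256', secret, 'session-mac')
    @serializer = serializer
  end

  def seal(session)
    iv = SecureRandom.random_bytes(IV_LEN) # fresh IV per cookie; CTR must never reuse one
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = @enc_key
    c.iv = iv
    body = iv + c.update(serialize(session)) + c.final
    tag = OpenSSL::HMAC.digest('sha256', @mac_key, body) # tag covers IV and ciphertext
    [body + tag].pack('m0')                              # strict base64, cookie-safe
  end

  def unseal(token)
    raw = begin
      token.unpack1('m0')
    rescue ArgumentError
      raise InvalidMessage, 'malformed base64'
    end
    raise InvalidMessage, 'truncated token' if raw.bytesize <= IV_LEN + TAG_LEN
    body = raw.byteslice(0, raw.bytesize - TAG_LEN)
    tag  = raw.byteslice(raw.bytesize - TAG_LEN, TAG_LEN)
    expected = OpenSSL::HMAC.digest('sha256', @mac_key, body)
    # Authenticate before decrypting or deserializing anything.
    raise InvalidMessage, 'bad authentication tag' unless secure_compare(expected, tag)
    c = OpenSSL::Cipher.new(CIPHER).decrypt
    c.key = @enc_key
    c.iv = body.byteslice(0, IV_LEN)
    deserialize(c.update(body.byteslice(IV_LEN, body.bytesize - IV_LEN)) + c.final)
  end

  # Flip one ciphertext bit while keeping the base64 valid, to show the MAC catches it.
  def self.tamper(token)
    raw = token.unpack1('m0')
    raw.setbyte(IV_LEN, raw.getbyte(IV_LEN) ^ 0x01)
    [raw].pack('m0')
  end

  private

  def serialize(obj)
    @serializer == :marshal ? Marshal.dump(obj) : JSON.generate(obj)
  end

  def deserialize(bytes)
    @serializer == :marshal ? Marshal.load(bytes) : JSON.parse(bytes.force_encoding(Encoding::UTF_8))
  end

  # Constant-time comparison so tag mismatches leak no timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

def rejects?(sealer, token)
  sealer.unseal(token)
  false
rescue CookieSealer::InvalidMessage
  true
end

# A genuine token round-trips; tampered, foreign-secret and garbage tokens are refused.
def sealing_demo(serializer: :json)
  sealer = CookieSealer.new(SecureRandom.random_bytes(32), serializer: serializer)
  other  = CookieSealer.new(SecureRandom.random_bytes(32), serializer: serializer)
  session = { 'user_id' => 42, 'role' => 'user' } # constructed sample session
  token = sealer.seal(session)
  {
    roundtrip: sealer.unseal(token) == session,
    tamper_rejected: rejects?(sealer, CookieSealer.tamper(token)),
    wrong_secret_rejected: rejects?(other, token),
    garbage_rejected: rejects?(sealer, 'not a token')
  }
end
```

The order of operations is the point: the tag is checked in constant time over the IV and ciphertext before any decryption or Marshal/JSON parsing, so a forged or bit-flipped cookie never reaches the deserializer, which is what makes a Marshal-based serializer tolerable at all. The secret is generated by the application and handed in; nothing in the sealer can substitute for that.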
The code seems clean and maintainable, with proper comments and coding
practices throughout. The code includes proper unit tests, and as seen by
upstream's handling of a security issue, they handle security incidents
properly, while providing a corresponding unit test to ensure that the
vulnerability is indeed not present.
The code base is also relatively small (around 2,000 lines of Ruby code),
and while the project itself does not have as much traction, the team
behind the project seems to have a good track record from ruby-rack.
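The session-resurrection race behind CVE-2025-46336, as the review describes it, modelled as an added example with the kind of regression check mentioned above. This is not Rack::Session::Pool's code and not upstream's fix; both stores, the "check the id still exists under the mutex before writing back" mitigation in the hardened store, and all names here are assumptions of the example. The interleaving is replayed deterministically rather than with real threads so the outcome is reproducible.

```ruby
require 'securerandom'

# Two in-memory session stores with the read-at-request-start /
# write-back-at-request-end pattern the review describes. Constructed for
# this review as a model of the race; neither is Rack::Session::Pool's code.
class NaivePool
  def initialize
    @pool = {}
  end

  def create(data)
    sid = SecureRandom.hex(16)
    @pool[sid] = data
    sid
  end

  def read(sid)
    @pool[sid]
  end

  def write(sid, data)
    @pool[sid] = data # unconditionally re-creates the key, even after delete
    true
  end

  def delete(sid)
    @pool.delete(sid)
  end
end

# Example mitigation (this example's own, not upstream's): a write-back for a
# session id that no longer exists is dropped instead of resurrecting it, and
# the existence check and the store happen under one lock.
class HardenedPool < NaivePool
  def initialize
    super
    @mutex = Mutex.new
  end

  def write(sid, data)
    @mutex.synchronize do
      return false unless @pool.key?(sid)
      @pool[sid] = data
      true
    end
  end

  def delete(sid)
    @mutex.synchronize { @pool.delete(sid) }
  end
end

# Deterministic replay of the interleaving; returns true when the logged-out
# session is still readable afterwards, i.e. it was resurrected.
def session_resurrected?(store)
  sid = store.create('user_id' => 1)   # victim logs in; attacker holds this cookie value
  in_flight = store.read(sid).dup      # attacker's long-running request loads the session
  store.delete(sid)                    # victim logs out while that request is still running
  in_flight['touched_by'] = 'attacker' # the request mutates its copy...
  store.write(sid, in_flight)          # ...and writes it back when it finishes
  !store.read(sid).nil?
end
```

Run as a regression check, `session_resurrected?(NaivePool.new)` is true and `session_resurrected?(HardenedPool.new)` is false; a test of this shape pins the behaviour so a later refactor of the write-back path cannot silently reintroduce it.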
Security team ACK for promoting ruby-rack-session to main.
** Changed in: ruby-rack-session (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: ruby-rack-session (Ubuntu)
Status: New => In Progress
https://bugs.launchpad.net/bugs/2106774
Title:
[MIR] ruby-rack-session