diff --git a/CHANGELOG.md b/CHANGELOG.md index 253c89f90..44ac1ec5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,28 @@ # API Umbrella Change Log +## 0.11.1 (2016-04-14) + +This is a small update that fixes a couple bugs (one important one if you use the HTTP cache), makes a couple small tweaks, and updates some dependencies for security purposes. Upgrading is recommended. + +### Upgrade Instructions + +If you're upgrading a previous API Umbrella version, you may upgrade the `api-umbrella` package using your package manager. + +### Changed + +* **Upgrade bundled software dependencies:** + * OpenResty 1.9.7.1 -> 1.9.7.4 (Security updates: CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747) + * Rails 3.2.22 -> 3.2.22.2 (Security updates: CVE-2015-7576, CVE-2016-0751, CVE-2015-7577, CVE-2016-0752, CVE-2016-0753, CVE-2015-7581, CVE-2016-2097, and CVE-2016-2098) + * Rebuild Mora and Heka with Go 1.5.4 (Security update: CVE-2016-3959) +* **Remove empty "Dashboard" link from the admin:** The "Dashboard" link has never had any content, so we've removed it from the admin navigation. ([api.data.gov#323](https://github.com/18F/api.data.gov/issues/323)) +* **Make the optional public metrics API more configurable:** If enabled, the public metrics API's filters are now more easily configurable. ([api.data.gov#313](https://github.com/18F/api.data.gov/issues/313)) + +### Fixed + +* **Resolve possible HTTP cache conflicts:** If API Umbrella is configured with multiple API backends that utilize the same frontend host and same backend URL path prefix, then if either API backend returned cacheable responses, then it's possible the responses would get mixed up. Upgrading is highly recommended if you utilize the HTTP cache and have multiple API backends utilizing the same URL path prefix. ([api.data.gov#322](https://github.com/18F/api.data.gov/issues/322)) +* **Don't require API key roles for accessing admin APIs if admin token is used:** If accessing the administrative APIs using an admin authentication token, then the API key no longer needs any special roles assigned. This was a regression that ocurred in API Umbrella v0.9.0. ([#217](https://github.com/NREL/api-umbrella/issues/217)) +* **Fix potential mail security issue:** OSVDB-131677. + ## 0.11.0 (2016-01-20) This is a small update that fixes a few bugs, adds a couple small new features, and updates some dependencies for security purposes. Upgrading is recommended. diff --git a/Makefile b/Makefile index 3099cfc20..4cb94206c 100644 --- a/Makefile +++ b/Makefile @@ -71,11 +71,11 @@ GLIDE_CHECKSUM:=7ba5bc7407dab2d463d12659450cdea8 GLIDE_URL:=https://github.com/Masterminds/glide/archive/$(GLIDE_VERSION).tar.gz GLIDE_INSTALL_MARKER:=$(GLIDE_NAME)$(VERSION_SEP)$(GLIDE_VERSION) -GOLANG_VERSION:=1.5.3 +GOLANG_VERSION:=1.5.4 GOLANG_NAME:=golang GOLANG:=$(GOLANG_NAME)-$(GOLANG_VERSION) GOLANG_DIGEST:=sha256 -GOLANG_CHECKSUM:=43afe0c5017e502630b1aea4d44b8a7f059bf60d7f29dfd58db454d4e4e0ae53 +GOLANG_CHECKSUM:=a3358721210787dc1e06f5ea1460ae0564f22a0fbd91be9dcd947fb1d19b9560 GOLANG_URL:=https://storage.googleapis.com/golang/go$(GOLANG_VERSION).linux-amd64.tar.gz GOLANG_INSTALL_MARKER:=$(GOLANG_NAME)$(VERSION_SEP)$(GOLANG_VERSION) @@ -193,13 +193,13 @@ NGX_DYUPS_CHECKSUM:=3e5580abad9cc45f52c2e2ccc3c35e48 NGX_DYUPS_URL:=https://github.com/yzprofile/ngx_http_dyups_module/archive/$(NGX_DYUPS_VERSION).tar.gz NGX_DYUPS_INSTALL_MARKER:=$(NGX_DYUPS_NAME)$(VERSION_SEP)$(NGX_DYUPS_VERSION) -OPENRESTY_VERSION:=1.9.7.1 +OPENRESTY_VERSION:=1.9.7.4 OPENRESTY_BUILD_REVISION:=1 OPENRESTY_NAME:=openresty OPENRESTY:=$(OPENRESTY_NAME)-$(OPENRESTY_VERSION)-$(OPENRESTY_BUILD_REVISION) OPENRESTY_DIGEST:=md5 -OPENRESTY_CHECKSUM:=7bc29aa81af962c610f0d07656df85d9 -OPENRESTY_URL:=http://openresty.org/download/ngx_openresty-$(OPENRESTY_VERSION).tar.gz +OPENRESTY_CHECKSUM:=6e2d4a39c530524111ea50e3de67043a +OPENRESTY_URL:=http://openresty.org/download/openresty-$(OPENRESTY_VERSION).tar.gz OPENRESTY_INSTALL_MARKER:=$(OPENRESTY_NAME)$(VERSION_SEP)$(OPENRESTY_VERSION) PCRE_VERSION:=8.38 @@ -486,7 +486,14 @@ $(STAGE_MARKERS_DIR)/$(ELASTICSEARCH_INSTALL_MARKER): $(DEPS_DIR)/$(ELASTICSEARC # GeoLiteCityv6.dat $(DEPS_DIR)/GeoLiteCityv6.dat.gz: | $(DEPS_DIR) - curl -L -o $@ https://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz + # FIXME: The 20160412 version of the GeoLiteCityv6.dat file is corrupt. This + # replaces it with the 20160405 version that we happened to still have a copy + # of. See https://github.com/18F/api.data.gov/issues/327 + # + # This isn't ideal, and this doesn't fix the auto-updater, but this at least + # lets us build packages that won't be broken on initial run. We've contacted + # MaxMind, so hopefully the next release will be fixed. + curl -L -o $@ https://www.dropbox.com/s/h23d5ef9chulgxf/GeoLiteCityv6.dat.gz?dl=0 touch $@ $(DEPS_DIR)/GeoLiteCityv6.dat: $(DEPS_DIR)/GeoLiteCityv6.dat.gz diff --git a/docs/conf.py b/docs/conf.py index 610643e9e..b8b5fac45 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -57,9 +57,9 @@ # built documents. # # The short X.Y version. -version = '0.11.0' +version = '0.11.1' # The full version, including alpha/beta/rc tags. -release = '0.11.0' +release = '0.11.1' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/docs/developer/compiling-from-source.md b/docs/developer/compiling-from-source.md index 1130b1863..5de01e9d6 100644 --- a/docs/developer/compiling-from-source.md +++ b/docs/developer/compiling-from-source.md @@ -79,9 +79,9 @@ Installing from a [binary package](../getting-started.html#installation) is reco ## Compiling & Installing ```sh -$ curl -OLJ https://github.com/NREL/api-umbrella/archive/v0.11.0.tar.gz -$ tar -xvf api-umbrella-0.11.0.tar.gz -$ cd api-umbrella-0.11.0 +$ curl -OLJ https://github.com/NREL/api-umbrella/archive/v0.11.1.tar.gz +$ tar -xvf api-umbrella-0.11.1.tar.gz +$ cd api-umbrella-0.11.1 $ make $ sudo make install ``` diff --git a/src/api-umbrella/version.sh b/src/api-umbrella/version.sh index 2378edc2f..15c8889bb 100644 --- a/src/api-umbrella/version.sh +++ b/src/api-umbrella/version.sh @@ -1,4 +1,4 @@ -API_UMBRELLA_VERSION_BASE="0.11.0" +API_UMBRELLA_VERSION_BASE="0.11.1" API_UMBRELLA_VERSION_PRE="" # pre1, pre2, etc. API_UMBRELLA_VERSION_PACKAGE_ITERATION="1" diff --git a/src/api-umbrella/web-app/.bundlerauditignore b/src/api-umbrella/web-app/.bundlerauditignore new file mode 100644 index 000000000..f9ad0a4fa --- /dev/null +++ b/src/api-umbrella/web-app/.bundlerauditignore @@ -0,0 +1,18 @@ +# Documenting gem security issues reported by bundler-audit that are tricky to +# upgrade, but we've manually verified we're not vulnerable to. +# +# Support for this .bundlerauditignore when using bundle-audit currently +# requires this patch: https://github.com/rubysec/bundler-audit/pull/122 + +# devise: Not relevant since we're not using Remember Me cookies. +CVE-2015-8314 + +# handlebars: We're not vulnerable since we don't have any unquoted variables +# (eg, attr={{val}} instead of attr="{{value}}"). But it would still be good to +# address, which we'll do whenever we upgrade to a newer version of Ember +# (https://github.com/NREL/api-umbrella/tree/admin-upgrade). +OSVDB-131671 + +# mail: Can't upgrade due to Rails 3.2, but our lib/mail_sanitizer.rb addresses +# the underlying issue by raising errors for problematic addresses. +OSVDB-131677 diff --git a/src/api-umbrella/web-app/Gemfile b/src/api-umbrella/web-app/Gemfile index 8157bbfd0..e18c5d29a 100644 --- a/src/api-umbrella/web-app/Gemfile +++ b/src/api-umbrella/web-app/Gemfile @@ -1,7 +1,7 @@ source "https://rubygems.org" source "https://rails-assets.org" -gem "rails", "~> 3.2.22" +gem "rails", "~> 3.2.22.2" # Rails app server gem "puma", "~> 2.11.3" diff --git a/src/api-umbrella/web-app/Gemfile.lock b/src/api-umbrella/web-app/Gemfile.lock index 646b8e073..2a9a4cf42 100644 --- a/src/api-umbrella/web-app/Gemfile.lock +++ b/src/api-umbrella/web-app/Gemfile.lock @@ -55,12 +55,12 @@ GEM remote: https://rubygems.org/ remote: https://rails-assets.org/ specs: - actionmailer (3.2.22) - actionpack (= 3.2.22) + actionmailer (3.2.22.2) + actionpack (= 3.2.22.2) mail (~> 2.5.4) - actionpack (3.2.22) - activemodel (= 3.2.22) - activesupport (= 3.2.22) + actionpack (3.2.22.2) + activemodel (= 3.2.22.2) + activesupport (= 3.2.22.2) builder (~> 3.0.0) erubis (~> 2.7.0) journey (~> 1.0.4) @@ -70,18 +70,18 @@ GEM sprockets (~> 2.2.1) active_model_serializers (0.9.0) activemodel (>= 3.2) - activemodel (3.2.22) - activesupport (= 3.2.22) + activemodel (3.2.22.2) + activesupport (= 3.2.22.2) builder (~> 3.0.0) - activerecord (3.2.22) - activemodel (= 3.2.22) - activesupport (= 3.2.22) + activerecord (3.2.22.2) + activemodel (= 3.2.22.2) + activesupport (= 3.2.22.2) arel (~> 3.0.2) tzinfo (~> 0.3.29) - activeresource (3.2.22) - activemodel (= 3.2.22) - activesupport (= 3.2.22) - activesupport (3.2.22) + activeresource (3.2.22.2) + activemodel (= 3.2.22.2) + activesupport (= 3.2.22.2) + activesupport (3.2.22.2) i18n (~> 0.6, >= 0.6.4) multi_json (~> 1.0) addressable (2.3.8) @@ -339,7 +339,7 @@ GEM rabl (0.11.6) activesupport (>= 2.3.14) rack (1.4.7) - rack-cache (1.5.1) + rack-cache (1.6.1) rack (>= 0.4) rack-proxy (0.5.17) rack @@ -348,14 +348,14 @@ GEM rack-test (0.6.3) rack (>= 1.0) rack-timeout (0.0.4) - rails (3.2.22) - actionmailer (= 3.2.22) - actionpack (= 3.2.22) - activerecord (= 3.2.22) - activeresource (= 3.2.22) - activesupport (= 3.2.22) + rails (3.2.22.2) + actionmailer (= 3.2.22.2) + actionpack (= 3.2.22.2) + activerecord (= 3.2.22.2) + activeresource (= 3.2.22.2) + activesupport (= 3.2.22.2) bundler (~> 1.0) - railties (= 3.2.22) + railties (= 3.2.22.2) rails-assets-ace-builds (1.1.9) rails-assets-bootbox (3.3.0) rails-assets-bootstrap-daterangepicker (1.3.17) @@ -404,15 +404,15 @@ GEM rails_config (0.4.2) activesupport (>= 3.0) rails_stdout_logging (0.0.3) - railties (3.2.22) - actionpack (= 3.2.22) - activesupport (= 3.2.22) + railties (3.2.22.2) + actionpack (= 3.2.22.2) + activesupport (= 3.2.22.2) rack-ssl (~> 1.3.2) rake (>= 0.8.7) rdoc (~> 3.4) thor (>= 0.14.6, < 2.0) rainbow (2.0.0) - rake (10.5.0) + rake (11.1.2) rdoc (3.12.2) json (~> 1.4) ref (2.0.0) @@ -497,7 +497,7 @@ GEM turbo-sprockets-rails3 (0.3.13) railties (> 3.2.8, < 4.0.0) sprockets (>= 2.2.0) - tzinfo (0.3.44) + tzinfo (0.3.48) uglifier (2.7.2) execjs (>= 0.3.0) json (>= 1.8.0) @@ -584,7 +584,7 @@ DEPENDENCIES rabl (~> 0.11.5) rack-proxy (~> 0.5.17) rack-timeout (~> 0.0.4) - rails (~> 3.2.22) + rails (~> 3.2.22.2) rails-assets-ace-builds (~> 1.1.7) rails-assets-bootbox (~> 3.3.0) rails-assets-bootstrap-daterangepicker (~> 1.3.12) @@ -631,4 +631,4 @@ DEPENDENCIES webmock (~> 1.21.0) BUNDLED WITH - 1.10.6 + 1.11.2 diff --git a/src/api-umbrella/web-app/app/mailers/api_user_mailer.rb b/src/api-umbrella/web-app/app/mailers/api_user_mailer.rb index e75481b95..469b6cfeb 100644 --- a/src/api-umbrella/web-app/app/mailers/api_user_mailer.rb +++ b/src/api-umbrella/web-app/app/mailers/api_user_mailer.rb @@ -1,3 +1,5 @@ +require "mail_sanitizer" + class ApiUserMailer < ActionMailer::Base default :from => "noreply@#{ApiUmbrellaConfig[:default_host]}" @@ -18,7 +20,7 @@ def signup_email(user, options) end mail :subject => "Your #{site_name} API key", - :from => from, - :to => user.email + :from => MailSanitizer.sanitize_address(from), + :to => MailSanitizer.sanitize_address(user.email) end end diff --git a/src/api-umbrella/web-app/app/mailers/contact_mailer.rb b/src/api-umbrella/web-app/app/mailers/contact_mailer.rb index 904a37b92..d6a4554b2 100644 --- a/src/api-umbrella/web-app/app/mailers/contact_mailer.rb +++ b/src/api-umbrella/web-app/app/mailers/contact_mailer.rb @@ -1,11 +1,13 @@ +require "mail_sanitizer" + class ContactMailer < ActionMailer::Base default :from => "noreply@#{ApiUmbrellaConfig[:default_host]}" def contact_email(contact) @contact = contact - mail :reply_to => contact.email, + mail :reply_to => MailSanitizer.sanitize_address(contact.email), :subject => "#{ApiUmbrellaConfig[:site_name]} Contact Message from #{contact.email}", - :to => ApiUmbrellaConfig[:web][:contact_form_email] + :to => MailSanitizer.sanitize_address(ApiUmbrellaConfig[:web][:contact_form_email]) end end diff --git a/src/api-umbrella/web-app/lib/mail_sanitizer.rb b/src/api-umbrella/web-app/lib/mail_sanitizer.rb new file mode 100644 index 000000000..41baaad39 --- /dev/null +++ b/src/api-umbrella/web-app/lib/mail_sanitizer.rb @@ -0,0 +1,32 @@ +class MailSanitizer + class InvalidAddress < StandardError + end + + # A workaround to address OSVDB-131677 that is patched in the mail 2.6 gem, + # but since we're still on Rails 3.2, we can't upgrade yet. + # + # If the fixes get backported (https://github.com/mikel/mail/issues/944), + # then we could get rid of this, but in the meantime, this is a quick fix to + # address the underlying issues related to newlines and lengths. + # + # See: + # http://rubysec.com/advisories/OSVDB-131677/ + # http://www.mbsd.jp/Whitepaper/smtpi.pdf + def self.sanitize_address(address) + if(address) + # Ensure no linebreaks are in the address. + if(address =~ /[\r\n]/) + raise InvalidAddress, "E-mail address cannot contain newlines" + end + + # Ensure the address doesn't exceed 500 chars to prevent some servers + # from wrapping the content, introducing line breaks (technically, longer + # should work, but 500 seems like enough for our simple purposes). + if(address.length > 500) + raise InvalidAddress, "E-mail address cannot exceed 500 characters" + end + end + + address + end +end diff --git a/src/api-umbrella/web-app/spec/mailers/api_user_mailer_spec.rb b/src/api-umbrella/web-app/spec/mailers/api_user_mailer_spec.rb new file mode 100644 index 000000000..c4280e873 --- /dev/null +++ b/src/api-umbrella/web-app/spec/mailers/api_user_mailer_spec.rb @@ -0,0 +1,88 @@ +require "spec_helper" + +describe ApiUserMailer do + describe "OSVDB-131677 security" do + it "accepts recipients without newlines" do + expect do + api_user = FactoryGirl.create(:api_user, :email => "foo@example.com") + ApiUserMailer.signup_email(api_user, {}).deliver + end.to change { ActionMailer::Base.deliveries.count }.by(1) + end + + it "rejects recipients with newlines" do + expect do + expect do + api_user = FactoryGirl.create(:api_user, :email => "foo@example.com\nfoo") + ApiUserMailer.signup_email(api_user, {}).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + + it "rejects recipients with carriage returns" do + expect do + expect do + api_user = FactoryGirl.create(:api_user, :email => "foo@example.com\rfoo") + ApiUserMailer.signup_email(api_user, {}).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + + it "accepts recipients 500 chars or less" do + expect do + api_user = FactoryGirl.create(:api_user, :email => "#{"o" * 488}@example.com") + ApiUserMailer.signup_email(api_user, {}).deliver + end.to change { ActionMailer::Base.deliveries.count }.by(1) + end + + it "rejects recipients greater than 500 chars" do + expect do + expect do + api_user = FactoryGirl.create(:api_user, :email => "#{"o" * 489}@example.com") + ApiUserMailer.signup_email(api_user, {}).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + + it "accepts from addresses without newlines" do + expect do + api_user = FactoryGirl.create(:api_user) + ApiUserMailer.signup_email(api_user, { :email_from_address => "foo@example.com" }).deliver + end.to change { ActionMailer::Base.deliveries.count }.by(1) + end + + it "rejects from addresses with newlines" do + expect do + expect do + api_user = FactoryGirl.create(:api_user) + ApiUserMailer.signup_email(api_user, { :email_from_address => "foo@example.com\nfoo" }).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + + it "rejects from addresses with carriage returns" do + expect do + expect do + api_user = FactoryGirl.create(:api_user) + ApiUserMailer.signup_email(api_user, { :email_from_address => "foo@example.com\rfoo" }).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + + it "accepts from addresses 500 chars or less" do + expect do + api_user = FactoryGirl.create(:api_user) + ApiUserMailer.signup_email(api_user, { :email_from_address => "#{"o" * 488}@example.com" }).deliver + end.to change { ActionMailer::Base.deliveries.count }.by(1) + end + + it "rejects from addresses greater than 500 chars" do + expect do + expect do + api_user = FactoryGirl.create(:api_user) + ApiUserMailer.signup_email(api_user, { :email_from_address => "#{"o" * 489}@example.com" }).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + + end +end diff --git a/src/api-umbrella/web-app/spec/mailers/contact_mailer_spec.rb b/src/api-umbrella/web-app/spec/mailers/contact_mailer_spec.rb new file mode 100644 index 000000000..9cf741222 --- /dev/null +++ b/src/api-umbrella/web-app/spec/mailers/contact_mailer_spec.rb @@ -0,0 +1,56 @@ +require "spec_helper" + +describe ContactMailer do + describe "OSVDB-131677 security" do + before(:each) do + ApiUmbrellaConfig[:web][:contact_form_email] = "test@example.com" + @contact = Contact.new({ + :name => "John Doe", + :api => "Foo", + :subject => "Bar", + :message => "Hello, World", + }) + end + + it "accepts addresses without newlines" do + expect do + @contact.email = "foo@example.com" + ContactMailer.contact_email(@contact).deliver + end.to change { ActionMailer::Base.deliveries.count }.by(1) + end + + it "rejects addresses with newlines" do + expect do + expect do + @contact.email = "foo@example.com\nfoo" + ContactMailer.contact_email(@contact).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + + it "rejects addresses with carriage returns" do + expect do + expect do + @contact.email = "foo@example.com\rfoo" + ContactMailer.contact_email(@contact).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + + it "accepts addresses 500 chars or less" do + expect do + @contact.email = "#{"o" * 488}@example.com" + ContactMailer.contact_email(@contact).deliver + end.to change { ActionMailer::Base.deliveries.count }.by(1) + end + + it "rejects addresses greater than 500 chars" do + expect do + expect do + @contact.email = "#{"o" * 489}@example.com" + ContactMailer.contact_email(@contact).deliver + end.to raise_error(MailSanitizer::InvalidAddress) + end.to change { ActionMailer::Base.deliveries.count }.by(0) + end + end +end diff --git a/website/source/index.html.erb b/website/source/index.html.erb index 026cbe8ca..b9405eaff 100644 --- a/website/source/index.html.erb +++ b/website/source/index.html.erb @@ -19,7 +19,7 @@ title: API Umbrella - Open Source API Management <%= link_to(%(), "/docs/architecture.html", :relative => true) %>