mirror of
https://github.com/chatwoot/chatwoot.git
synced 2026-06-04 21:02:35 +08:00
Hardens Active Storage handling on Rails 7.1 by filtering internal direct-upload metadata keys and limiting proxy range requests, while keeping audio playback on redirect URLs so large recordings are not routed through the proxy limiter.

Closes

- CVE-2026-33173
- CVE-2026-33174
- CVE-2026-33658

Why

Rails 7.1 does not currently have patched releases for these Active Storage advisories, and Chatwoot exposes Active Storage direct-upload endpoints and media URLs. This keeps the Rails dependency unchanged while adding small local mitigations until Rails can be upgraded to 7.2.3.1+.

What changed

- Filters `identified`, `analyzed`, and `composed` from direct-upload blob metadata.
- Limits Active Storage proxy range requests to one range under 100 MB.
- Uses redirect URLs for inline audio attachments so normal playback of large recordings avoids the proxy streaming path.
- Adds scoped bundle-audit ignores for the locally mitigated Active Storage advisories and the remaining Rails advisories that are not reachable through current Chatwoot usage.

How to test

- Upload an attachment from the dashboard reply composer and confirm it sends successfully.
- Upload an attachment from the website widget and confirm it appears in the conversation.
- POST a direct-upload request with `blob.metadata.identified`, `blob.metadata.analyzed`, and `blob.metadata.composed`; confirm those keys are not persisted while custom metadata remains.
- Play an audio/call-recording attachment and confirm the audio URL loads through Active Storage redirect rather than proxy.
- Run `bundle exec bundle audit check -v`.

---------

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
Directory listing (config/initializers):

- ..
- monkey_patches
- 00_init.rb
- 01_inject_enterprise_edition_module.rb
- 01_redis.rb
- actioncable.rb
- active_record_query_trace.rb
- active_storage.rb
- acts_as_taggable_on.rb
- ai_agents.rb
- application_controller_renderer.rb
- assets.rb
- audited.rb
- backtrace_silencers.rb
- content_security_policy.rb
- cookies_serializer.rb
- cors.rb
- custom_error_codes.rb
- datadog.rb
- devise_token_auth.rb
- devise.rb
- event_handlers.rb
- facebook_messenger.rb
- feature_policy.rb
- filter_parameter_logging.rb
- geocoder.rb
- git_sha.rb
- i18n_pluralization.rb
- inflections.rb
- languages.rb
- liquid_handler.rb
- lograge.rb
- mailer.rb
- mime_types.rb
- omniauth.rb
- permissions_policy.rb
- rack_attack.rb
- rack_profiler.rb
- rack_timeout.rb
- searchkick.rb
- secure_password.rb
- sentry.rb
- session_store.rb
- sidekiq.rb
- stripe.rb
- warden_hooks.rb
- wrap_parameters.rb