🚨 Older releases of better_errors open to Cross-Site Request Forgery attack

Impact

better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks.

As a developer tool, better_errors documentation strongly recommends addition only to the development bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the development group (or the non-Rails equivalent).

Patches

Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3".

Workarounds

There are no known workarounds to mitigate the risk of using older releases of better_errors.

References

• Chris Moberly provided an example attack that uses a now-patched vulnerability of webpack-dev-server in conjunction with Better Errors

For more information

If you have any questions or comments about this advisory, please

• Add to the discussion in better_errors
• Open an issue in better_errors

2.10.0

• fix typo (@wonda-tea-coffee) #504
• Switch to Rouge for syntax highlighting and add dark syntax-highlighting theme (@RobinDaugherty) #500
• Syntax highlighter uses classes, style-src locked down (@RobinDaugherty) #499
• Use SASS to build CSS (@RobinDaugherty) #498
• Add Content Security Policy (@RobinDaugherty) #497
• Add Rails 6.1 to CI matrix (@RobinDaugherty) #493

2.9.1

• Fix setting editor with symbol #492

2.9.0

• Mention path in text response #487
• Use Github Actions for CI #489
• Exception Hints #302
• Hide "live shell" hint after console has been used #490
• Improve editor support for virtual environments #488
• Fix "live shell" hint reappearing when frame changed #491

2.8.3

• Fix 'uninitialized constant BetterErrors::Middleware::VERSION' #480
• Fix CSRF_TOKEN_COOKIE_NAME wrong reference to VERSION constant #481

2.8.2

• Fix path of CSRF Token cookie #478

2.8.1

• Show real cause of ActionView::Template::Error with Rails 6 #477
• Add TruffleRuby to CI builds #473

2.8.0

• Support for Rails ActionableError #465
• Allow editor links to work inside an iframe or with CSP that prohibits other protocols #440
• Add CSRF protection to internal requests #474
• Validate internal request method names #475

2.7.1

• Show location of error in ActionView template error #463

2.7.0

• Fix various specs that were passing incorrectly #453 (@RobinDaugherty)
• CI tests for Ruby 2.6, 2.7; Rails 6.0 #452 (@RobinDaugherty)
• CI: Drop unused sudo: false directive #457 (@olleolleolle)
• Add editor preset for VSCodium #456 (@jaredmoody)
• Show the last-raised error, not its "cause" #459 (@RobinDaugherty)
• Fix warning: FILE in eval may not return location in binding #458 (@yuuu)
• Allow skipping variable inspection by class name #449 (@felixbuenemann)

2.6.0

• Specify older kramdown and i18n for older ruby versions #437
• Fix NoMethodError when variables cannot be retrieved from the stack frame #430
• Allow passing IPAddrs to allow_ip #444
• Update CI Ruby to fix Travis CI failures #450

2.5.1

• Add rubygems metadata #427 (@viraptor)
• Fall back to older rubygems on Ruby 2.2 and Rails 4.2 in CI #433 (@RobinDaugherty)
• Add simplecov as a development dependency #434 (@cerdiogenes)
• Fix exception when large object's class is anonymous #435 (@cerdiogenes and @inopinatus)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

1.1.3

Diff: v1.1.2...v1.1.3

• Tokens: Ensure Ruby 2.6 compatibility. [#233, thanks to Jun Aruga]
• SQL scanner: Add numeric data type. [#223, thanks to m16a1]
• Java scanner: Add var as type. [#229, thanks to Davide Angelocola]
• Gem: Fix deprecation warning. [#246, thanks to David Rodríguez]

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 56 commits:

• bump version
• like this?
• trying to fix tests for 1.9.3
• add changelog
• Merge pull request #246 from deivid-rodriguez/fix_rubygems_deprecation
• Fix rubygems deprecation
• don't load simplecov on Ruby 1.8.7
• Merge branch 'extend-specs'
• merge coverage
• Merge pull request #243 from rubychan/extend-specs
• add simple spec for CodeRay.scan
• disable specs for Ruby 1.8.7
• maybe like this?
• reorder gems
• also test with 2.7.0-preview3
• also disable for Ruby 1.8.7
• actually, we only need to disable SimpleCov
• fix tests for Ruby 2.3
• add spec for CodeRay.coderay_path
• fix tests for Ruby Enterprise Edition?
• add SimpleCov
• still not loaded?
• fix load path
• run specs on rake test
• add RSpec
• enforce UselessAccessModifier
• fix spaces around operators (RuboCop)
• fix spaces in JSONEncoderTest
• tunr off maintainability checks
• enforce RuboCop version
• tweaks to RuboCop config
• enfore SpaceAroundOperators
• try setting up code climate test coverage
• Update README.markdown
• not available on CodeClimate
• start using RuboCop
• reorder gems
• fix heredoc indentation
• remove .codeclimate.yml
• add CodeClimate config
• apparently, 1.8.7 fails on Travis?
• update changelog
• Merge branch 'master' of github.com:rubychan/coderay
• Merge pull request #229 from dfa1/java10-support
• remove defunct Gemnasium badge
• add numeric to SQL types
• Merge pull request #227 from junaruga/hotfix/not-reached-statement
• Merge pull request #233 from junaruga/hotfix/ruby26-expression-enumerator
• Add Ruby 2.6 fixing issues
• support for special type 'var'
• Remove the statement that is not always reached.
• tweak list of rubies to test
• test with ruby 2.5, too
• trying to fix tests for Ruby 2.4
• backport .gitignore from dsl branch
• port a few tweaks from dsl branch

2.2.7

What's Changed

• Correct the year number in the changelog by @kimulab in #2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @jeremyevans in #2071

New Contributors

• @kimulab made their first contribution in #2015

Full Changelog: v2.2.6.4...v2.2.7

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 3 commits:

• Bump patch version.
• Support underscore in host names for Rack 2.2 (Fixes #2070) (#2071)
• Merge branch '2-2-sec' into 2-2-stable

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)