ADVISORIES
GEM
SEVERITY
CVSS v3.x: 5.9 (Medium)
PATCHED VERSIONS
- >= 3.3.0
DESCRIPTION
Impact
When using the derivation_endpoint plugin, it’s possible for the attacker to use a timing attack
to guess the signature of the derivation URL.
Patches
The problem has been fixed by comparing sent and calculated signature in constant time, using
Rack::Utils.secure_compare. Users using the derivation_endpoint plugin are urged to upgrade
to Shrine 3.3.0 or greater.
Workarounds
Users of older Shrine versions can apply the following monkey-patch after loading the derivation_endpoint plugin:
class Shrine
class UrlSigner
def verify_signature(string, signature)
if signature.nil?
fail InvalidSignature, "missing \"signature\" param"
elsif !Rack::Utils.secure_compare(signature, generate_signature(string))
fail InvalidSignature, "provided signature does not match the calculated signature"
end
end
end
end
References
You can read more about timing attacks here.