From f0ff62998b2b52ed27c6f8a6eaed77e43114760a Mon Sep 17 00:00:00 2001
From: Graham Ashton
Date: Tue, 5 Nov 2024 19:30:39 +0000
Subject: [PATCH] Upgrade Sinatra and Rack to fix vulnerability

The security alert says:

> [sinatra is] vulnerable to Reliance on Untrusted Inputs in a Security
> Decision via the X-Forwarded-Host (XFH) header. When making a request to
> a method with redirect applied, it is possible to trigger an Open
> Redirect Attack by inserting an arbitrary address into this header. If
> used for caching purposes, such as with servers like Nginx, or as a
> reverse proxy, without handling the X-Forwarded-Host header, attackers
> can potentially exploit Cache Poisoning or Routing-based SSRF.

See https://github.com/gma/nesta/security/dependabot/28 for details.
---
 CHANGELOG.md | 3 +++
 Gemfile.lock | 19 +++++++++++--------
 nesta.gemspec | 4 ++--
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4fb00980..e98dcec3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 ## 0.17.0 (Unreleased)
+ * Update Sinatra to verion 4.0, to fix a vulnerability. This has also
+   required a jump to Rack 3. (Graham Ashton)
+
  * Update Sass parser to sass-embedded 1.80, which (due to changes in CSS 4)
    deprecates the global colour functions and the @import statement. Any
    Sass code that uses these features will need updating before Dart Sass 3.0 is
diff --git a/Gemfile.lock b/Gemfile.lock
index 0d3af19b..719ded1e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -5,11 +5,11 @@ PATH
     RedCloth (~> 4.2)
     haml (>= 3.1, < 6.0)
     haml-contrib (>= 1.0)
-    rack (~> 2)
+    rack (~> 3)
     rake
     rdiscount (~> 2.1)
     sass-embedded (~> 1.58)
-    sinatra (~> 3.1)
+    sinatra (~> 4.0)
     tilt (~> 2.1)
 GEM
@@ -64,10 +64,12 @@ GEM
     racc (~> 1.4)
     public_suffix (6.0.1)
     racc (1.8.1)
-    rack (2.2.10)
-    rack-protection (3.2.0)
+    rack (3.1.8)
+    rack-protection (4.0.0)
       base64 (>= 0.1.0)
-      rack (~> 2.2, >= 2.2.4)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
     rack-test (2.1.0)
       rack (>= 1.3)
     raindrops (0.20.1)
@@ -83,10 +85,11 @@ GEM
     sass-embedded (1.80.6)
       google-protobuf (~> 4.28)
       rake (>= 13)
-    sinatra (3.2.0)
+    sinatra (4.0.0)
       mustermann (~> 3.0)
-      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.2.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.0.0)
+      rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
     temple (0.10.3)
     tilt (2.4.0)
diff --git a/nesta.gemspec b/nesta.gemspec
index 11b87a08..a751f9db 100644
--- a/nesta.gemspec
+++ b/nesta.gemspec
@@ -31,12 +31,12 @@ EOF
   s.add_dependency('haml', '>= 3.1', '< 6.0')
   s.add_dependency('haml-contrib', '>= 1.0')
-  s.add_dependency('rack', '~> 2')
+  s.add_dependency('rack', '~> 3')
   s.add_dependency('rake')
   s.add_dependency('rdiscount', '~> 2.1')
   s.add_dependency('RedCloth', '~> 4.2')
   s.add_dependency('sass-embedded', '~> 1.58')
-  s.add_dependency('sinatra', '~> 3.1')
+  s.add_dependency('sinatra', '~> 4.0')
   s.add_dependency('tilt', '~> 2.1')
   # Useful in development