Lowercase response header keys for Rack 3 compatibility#2
Merged
Conversation
|
This pull request contains a high-severity finding: the has_path_traversal? method in lib/rack-security-middleware/block_path_traversal.rb only replaces "%2e" with a dot and fails to normalize or properly decode paths, leaving it vulnerable to bypass via URL-encoded slashes, backslashes, double-encoding, and other encodings (e.g., ..%2f..%2fetc%2fpasswd or ..%5c..%5cwindows%5cwin.ini). Fixes should fully normalize and safely decode input paths (handle %2f, %5c, double-encoding, backslashes, etc.) before checking for traversal sequences.
🟠 Incomplete Path Traversal Filtering in
|
| Vulnerability | Incomplete Path Traversal Filtering |
|---|---|
| Description | The has_path_traversal? method in lib/rack-security-middleware/block_path_traversal.rb only performs a very limited sanitization by replacing %2e with a dot. This is insufficient to detect path traversal attempts using other encoding techniques, such as URL-encoded slashes (%2f, %5c), backslashes, or double URL encoding. Furthermore, it does not normalize the input path, which is critical for preventing bypasses in web applications that handle various path representations. An attacker can easily bypass this check using payloads like ..%2f..%2fetc%2fpasswd or ..%5c..%5cwindows%5cwin.ini, which the current implementation fails to identify. |
All finding details can be found in the DryRun Security Dashboard.
Karlotcha
previously approved these changes
Mar 25, 2026
Rack 3 requires all response header keys to be lowercase. This change is backwards-compatible with Rack 2. Bumps version to 0.0.2. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
dkisselev
force-pushed
the
dkisselev/lowercase-headers
branch
from
44fc6d5 to
abef514
Compare
Karlotcha
approved these changes
Mar 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
BlockPathTraversalmiddleware for Rack 3 compatibility (Rack 3 requires lowercase header keys)Test plan
🤖 Generated with Claude Code