Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization
middleware in Action Pack. This vulnerability has been assigned the CVE
identifier CVE-2021-22881.

Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions: 6.1.2.1, 6.0.3.5

Impact

Specially crafted “Host” headers in combination with certain “allowed host”
formats can cause the Host Authorization middleware in Action Pack to redirect
users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For
example, configuration files that look like this:

config.hosts <<  '.tkte.ch'

When an allowed host contains a leading dot, a specially crafted Host header
can be used to redirect to a malicious website.

Workarounds

In the case a patch can’t be applied, the following monkey patch can be used
in an initializer:

module ActionDispatch
  class HostAuthorization
    private
      def authorized?(request)
        valid_host = /
          \A
          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
          (:\d+)?
          \z
        /x

        origin_host = valid_host.match(
          request.get_header("HTTP_HOST").to_s.downcase)
        forwarded_host = valid_host.match(
          request.x_forwarded_host.to_s.split(/,\s?/).last)

        origin_host && @permissions.allows?(origin_host[:host]) && (
          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
      end
  end
end