chore(deps): update dependency webrick to v1.8.2 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
webrick	1.8.1 -> 1.8.2

---

HTTP Request Smuggling in ruby webrick

CVE-2024-47220 / GHSA-6f62-3596-g6w7

More information

Details

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-47220
• https://github.com/ruby/webrick/issues/145
• https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841
• https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7
• https://github.com/ruby/webrick

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

ruby/webrick (webrick)

v1.8.2

Compare Source

What's Changed

• Drop commented-out line by @​olleolleolle in https://github.com/ruby/webrick/pull/108
• Add Ruby 3.1 & 3.2 to CI matrix by @​tricknotes in https://github.com/ruby/webrick/pull/109
• Fix/redos by @​ooooooo-q in https://github.com/ruby/webrick/pull/114
• Raise HTTPStatus::BadRequest for requests with invalid/duplicate content-length headers by @​jeremyevans in https://github.com/ruby/webrick/pull/120
• Bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/ruby/webrick/pull/121
• Improve CI by @​hsbt in https://github.com/ruby/webrick/pull/123
• Fix WEBrick::TestFileHandler#test_short_filename test not working on mswin by @​KJTsanaktsidis in https://github.com/ruby/webrick/pull/128
• Fix bug chunk extension detection by @​jeremyevans in https://github.com/ruby/webrick/pull/125
• Fix CI. by @​ioquatix in https://github.com/ruby/webrick/pull/131
• Merge multiple cookie headers, preserving semantic correctness. by @​ioquatix in https://github.com/ruby/webrick/pull/130
• Test on macos-latest by @​byroot in https://github.com/ruby/webrick/pull/132
• Require CRLF line endings in request line and headers by @​jeremyevans in https://github.com/ruby/webrick/pull/138
• Prefer squigly heredocs. by @​ioquatix in https://github.com/ruby/webrick/pull/143
• Only strip space and horizontal tab in headers by @​jeremyevans in https://github.com/ruby/webrick/pull/141
• Treat missing CRLF separator after headers as an EOFError by @​jeremyevans in https://github.com/ruby/webrick/pull/142
• Return 400 response for chunked requests with unexpected data after chunk by @​jeremyevans in https://github.com/ruby/webrick/pull/136
• Fix reference to URI::REGEXP::PATTERN::HOST by @​casperisfine in https://github.com/ruby/webrick/pull/144
• Prevent request smuggling by @​jeremyevans in https://github.com/ruby/webrick/pull/146

New Contributors

• @​tricknotes made their first contribution in https://github.com/ruby/webrick/pull/109
• @​ooooooo-q made their first contribution in https://github.com/ruby/webrick/pull/114
• @​KJTsanaktsidis made their first contribution in https://github.com/ruby/webrick/pull/128
• @​byroot made their first contribution in https://github.com/ruby/webrick/pull/132
• @​casperisfine made their first contribution in https://github.com/ruby/webrick/pull/144

Full Changelog: ruby/webrick@v1.8.1...v1.8.2

---

Configuration

📅 Schedule: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.39%. Comparing base (1cde7f4) to head (6306953).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1270   +/-   ##
=======================================
  Coverage   68.38%   68.39%           
=======================================
  Files         175      175           
  Lines       16784    16784           
=======================================
+ Hits        11478    11479    +1     
+ Misses       4676     4675    -1     
  Partials      630      630           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.