Merge pull request #231 from NREL/0.11.1-release

v0.11.1 release

CHANGELOG.md

@@ -1,5 +1,28 @@
 # API Umbrella Change Log
 
+## 0.11.1 (2016-04-14)
+
+This is a small update that fixes a couple bugs (one important one if you use the HTTP cache), makes a couple small tweaks, and updates some dependencies for security purposes. Upgrading is recommended.
+
+### Upgrade Instructions
+
+If you're upgrading a previous API Umbrella version, you may upgrade the `api-umbrella` package using your package manager.
+
+### Changed
+
+* **Upgrade bundled software dependencies:**
+  * OpenResty 1.9.7.1 -> 1.9.7.4 (Security updates: CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747)
+  * Rails 3.2.22 -> 3.2.22.2 (Security updates: CVE-2015-7576, CVE-2016-0751, CVE-2015-7577, CVE-2016-0752, CVE-2016-0753, CVE-2015-7581, CVE-2016-2097, and CVE-2016-2098)
+  * Rebuild Mora and Heka with Go 1.5.4 (Security update: CVE-2016-3959)
+* **Remove empty "Dashboard" link from the admin:** The "Dashboard" link has never had any content, so we've removed it from the admin navigation. ([api.data.gov#323](https://github.com/18F/api.data.gov/issues/323))
+* **Make the optional public metrics API more configurable:** If enabled, the public metrics API's filters are now more easily configurable. ([api.data.gov#313](https://github.com/18F/api.data.gov/issues/313))
+
+### Fixed
+
+* **Resolve possible HTTP cache conflicts:** If API Umbrella is configured with multiple API backends that utilize the same frontend host and same backend URL path prefix, then if either API backend returned cacheable responses, then it's possible the responses would get mixed up. Upgrading is highly recommended if you utilize the HTTP cache and have multiple API backends utilizing the same URL path prefix. ([api.data.gov#322](https://github.com/18F/api.data.gov/issues/322))
+* **Don't require API key roles for accessing admin APIs if admin token is used:** If accessing the administrative APIs using an admin authentication token, then the API key no longer needs any special roles assigned. This was a regression that ocurred in API Umbrella v0.9.0. ([#217](https://github.com/NREL/api-umbrella/issues/217))
+* **Fix potential mail security issue:** OSVDB-131677.
+
 ## 0.11.0 (2016-01-20)
 
 This is a small update that fixes a few bugs, adds a couple small new features, and updates some dependencies for security purposes. Upgrading is recommended.

Makefile

@@ -71,11 +71,11 @@ GLIDE_CHECKSUM:=7ba5bc7407dab2d463d12659450cdea8
 GLIDE_URL:=https://github.com/Masterminds/glide/archive/$(GLIDE_VERSION).tar.gz
 GLIDE_INSTALL_MARKER:=$(GLIDE_NAME)$(VERSION_SEP)$(GLIDE_VERSION)
 
-GOLANG_VERSION:=1.5.3
+GOLANG_VERSION:=1.5.4
 GOLANG_NAME:=golang
 GOLANG:=$(GOLANG_NAME)-$(GOLANG_VERSION)
 GOLANG_DIGEST:=sha256
-GOLANG_CHECKSUM:=43afe0c5017e502630b1aea4d44b8a7f059bf60d7f29dfd58db454d4e4e0ae53
+GOLANG_CHECKSUM:=a3358721210787dc1e06f5ea1460ae0564f22a0fbd91be9dcd947fb1d19b9560
 GOLANG_URL:=https://storage.googleapis.com/golang/go$(GOLANG_VERSION).linux-amd64.tar.gz
 GOLANG_INSTALL_MARKER:=$(GOLANG_NAME)$(VERSION_SEP)$(GOLANG_VERSION)
 
@@ -193,13 +193,13 @@ NGX_DYUPS_CHECKSUM:=3e5580abad9cc45f52c2e2ccc3c35e48
 NGX_DYUPS_URL:=https://github.com/yzprofile/ngx_http_dyups_module/archive/$(NGX_DYUPS_VERSION).tar.gz
 NGX_DYUPS_INSTALL_MARKER:=$(NGX_DYUPS_NAME)$(VERSION_SEP)$(NGX_DYUPS_VERSION)
 
-OPENRESTY_VERSION:=1.9.7.1
+OPENRESTY_VERSION:=1.9.7.4
 OPENRESTY_BUILD_REVISION:=1
 OPENRESTY_NAME:=openresty
 OPENRESTY:=$(OPENRESTY_NAME)-$(OPENRESTY_VERSION)-$(OPENRESTY_BUILD_REVISION)
 OPENRESTY_DIGEST:=md5
-OPENRESTY_CHECKSUM:=7bc29aa81af962c610f0d07656df85d9
-OPENRESTY_URL:=http://openresty.org/download/ngx_openresty-$(OPENRESTY_VERSION).tar.gz
+OPENRESTY_CHECKSUM:=6e2d4a39c530524111ea50e3de67043a
+OPENRESTY_URL:=http://openresty.org/download/openresty-$(OPENRESTY_VERSION).tar.gz
 OPENRESTY_INSTALL_MARKER:=$(OPENRESTY_NAME)$(VERSION_SEP)$(OPENRESTY_VERSION)
 
 PCRE_VERSION:=8.38
@@ -486,7 +486,14 @@ $(STAGE_MARKERS_DIR)/$(ELASTICSEARCH_INSTALL_MARKER): $(DEPS_DIR)/$(ELASTICSEARC
 
 # GeoLiteCityv6.dat
 $(DEPS_DIR)/GeoLiteCityv6.dat.gz: | $(DEPS_DIR)
-	curl -L -o $@ https://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz
+	# FIXME: The 20160412 version of the GeoLiteCityv6.dat file is corrupt. This
+	# replaces it with the 20160405 version that we happened to still have a copy
+	# of. See https://github.com/18F/api.data.gov/issues/327
+	#
+	# This isn't ideal, and this doesn't fix the auto-updater, but this at least
+	# lets us build packages that won't be broken on initial run. We've contacted
+	# MaxMind, so hopefully the next release will be fixed.
+	curl -L -o $@ https://www.dropbox.com/s/h23d5ef9chulgxf/GeoLiteCityv6.dat.gz?dl=0
 	touch $@
 
 $(DEPS_DIR)/GeoLiteCityv6.dat: $(DEPS_DIR)/GeoLiteCityv6.dat.gz

docs/conf.py

@@ -57,9 +57,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '0.11.0'
+version = '0.11.1'
 # The full version, including alpha/beta/rc tags.
-release = '0.11.0'
+release = '0.11.1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/developer/compiling-from-source.md

@@ -79,9 +79,9 @@ Installing from a [binary package](../getting-started.html#installation) is reco
 ## Compiling & Installing
 
 ```sh
-$ curl -OLJ https://github.com/NREL/api-umbrella/archive/v0.11.0.tar.gz
-$ tar -xvf api-umbrella-0.11.0.tar.gz
-$ cd api-umbrella-0.11.0
+$ curl -OLJ https://github.com/NREL/api-umbrella/archive/v0.11.1.tar.gz
+$ tar -xvf api-umbrella-0.11.1.tar.gz
+$ cd api-umbrella-0.11.1
 $ make
 $ sudo make install
 ```

src/api-umbrella/version.sh

@@ -1,4 +1,4 @@
-API_UMBRELLA_VERSION_BASE="0.11.0"
+API_UMBRELLA_VERSION_BASE="0.11.1"
 API_UMBRELLA_VERSION_PRE="" # pre1, pre2, etc.
 API_UMBRELLA_VERSION_PACKAGE_ITERATION="1"
 

src/api-umbrella/web-app/.bundlerauditignore

@@ -0,0 +1,18 @@
+# Documenting gem security issues reported by bundler-audit that are tricky to
+# upgrade, but we've manually verified we're not vulnerable to.
+#
+# Support for this .bundlerauditignore when using bundle-audit currently
+# requires this patch: https://github.com/rubysec/bundler-audit/pull/122
+
+# devise: Not relevant since we're not using Remember Me cookies.
+CVE-2015-8314
+
+# handlebars: We're not vulnerable since we don't have any unquoted variables
+# (eg, attr={{val}} instead of attr="{{value}}"). But it would still be good to
+# address, which we'll do whenever we upgrade to a newer version of Ember
+# (https://github.com/NREL/api-umbrella/tree/admin-upgrade).
+OSVDB-131671
+
+# mail: Can't upgrade due to Rails 3.2, but our lib/mail_sanitizer.rb addresses
+# the underlying issue by raising errors for problematic addresses.
+OSVDB-131677

src/api-umbrella/web-app/Gemfile

@@ -1,7 +1,7 @@
 source "https://rubygems.org"
 source "https://rails-assets.org"
 
-gem "rails", "~> 3.2.22"
+gem "rails", "~> 3.2.22.2"
 
 # Rails app server
 gem "puma", "~> 2.11.3"

src/api-umbrella/web-app/Gemfile.lock

@@ -55,12 +55,12 @@ GEM
   remote: https://rubygems.org/
   remote: https://rails-assets.org/
   specs:
-    actionmailer (3.2.22)
-      actionpack (= 3.2.22)
+    actionmailer (3.2.22.2)
+      actionpack (= 3.2.22.2)
       mail (~> 2.5.4)
-    actionpack (3.2.22)
-      activemodel (= 3.2.22)
-      activesupport (= 3.2.22)
+    actionpack (3.2.22.2)
+      activemodel (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
@@ -70,18 +70,18 @@ GEM
       sprockets (~> 2.2.1)
     active_model_serializers (0.9.0)
       activemodel (>= 3.2)
-    activemodel (3.2.22)
-      activesupport (= 3.2.22)
+    activemodel (3.2.22.2)
+      activesupport (= 3.2.22.2)
       builder (~> 3.0.0)
-    activerecord (3.2.22)
-      activemodel (= 3.2.22)
-      activesupport (= 3.2.22)
+    activerecord (3.2.22.2)
+      activemodel (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.22)
-      activemodel (= 3.2.22)
-      activesupport (= 3.2.22)
-    activesupport (3.2.22)
+    activeresource (3.2.22.2)
+      activemodel (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
+    activesupport (3.2.22.2)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     addressable (2.3.8)
@@ -339,7 +339,7 @@ GEM
     rabl (0.11.6)
       activesupport (>= 2.3.14)
     rack (1.4.7)
-    rack-cache (1.5.1)
+    rack-cache (1.6.1)
       rack (>= 0.4)
     rack-proxy (0.5.17)
       rack
@@ -348,14 +348,14 @@ GEM
     rack-test (0.6.3)
       rack (>= 1.0)
     rack-timeout (0.0.4)
-    rails (3.2.22)
-      actionmailer (= 3.2.22)
-      actionpack (= 3.2.22)
-      activerecord (= 3.2.22)
-      activeresource (= 3.2.22)
-      activesupport (= 3.2.22)
+    rails (3.2.22.2)
+      actionmailer (= 3.2.22.2)
+      actionpack (= 3.2.22.2)
+      activerecord (= 3.2.22.2)
+      activeresource (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
       bundler (~> 1.0)
-      railties (= 3.2.22)
+      railties (= 3.2.22.2)
     rails-assets-ace-builds (1.1.9)
     rails-assets-bootbox (3.3.0)
     rails-assets-bootstrap-daterangepicker (1.3.17)
@@ -404,15 +404,15 @@ GEM
     rails_config (0.4.2)
       activesupport (>= 3.0)
     rails_stdout_logging (0.0.3)
-    railties (3.2.22)
-      actionpack (= 3.2.22)
-      activesupport (= 3.2.22)
+    railties (3.2.22.2)
+      actionpack (= 3.2.22.2)
+      activesupport (= 3.2.22.2)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (>= 0.14.6, < 2.0)
     rainbow (2.0.0)
-    rake (10.5.0)
+    rake (11.1.2)
     rdoc (3.12.2)
       json (~> 1.4)
     ref (2.0.0)
@@ -497,7 +497,7 @@ GEM
     turbo-sprockets-rails3 (0.3.13)
       railties (> 3.2.8, < 4.0.0)
       sprockets (>= 2.2.0)
-    tzinfo (0.3.44)
+    tzinfo (0.3.48)
     uglifier (2.7.2)
       execjs (>= 0.3.0)
       json (>= 1.8.0)
@@ -584,7 +584,7 @@ DEPENDENCIES
   rabl (~> 0.11.5)
   rack-proxy (~> 0.5.17)
   rack-timeout (~> 0.0.4)
-  rails (~> 3.2.22)
+  rails (~> 3.2.22.2)
   rails-assets-ace-builds (~> 1.1.7)
   rails-assets-bootbox (~> 3.3.0)
   rails-assets-bootstrap-daterangepicker (~> 1.3.12)
@@ -631,4 +631,4 @@ DEPENDENCIES
   webmock (~> 1.21.0)
 
 BUNDLED WITH
-   1.10.6
+   1.11.2

src/api-umbrella/web-app/app/mailers/api_user_mailer.rb

@@ -1,3 +1,5 @@
+require "mail_sanitizer"
+
 class ApiUserMailer < ActionMailer::Base
   default :from => "noreply@#{ApiUmbrellaConfig[:default_host]}"
 
@@ -18,7 +20,7 @@ def signup_email(user, options)
     end
 
     mail :subject => "Your #{site_name} API key",
-      :from => from,
-      :to => user.email
+      :from => MailSanitizer.sanitize_address(from),
+      :to => MailSanitizer.sanitize_address(user.email)
   end
 end

src/api-umbrella/web-app/app/mailers/contact_mailer.rb

@@ -1,11 +1,13 @@
+require "mail_sanitizer"
+
 class ContactMailer < ActionMailer::Base
   default :from => "noreply@#{ApiUmbrellaConfig[:default_host]}"
 
   def contact_email(contact)
     @contact = contact
 
-    mail :reply_to => contact.email,
+    mail :reply_to => MailSanitizer.sanitize_address(contact.email),
       :subject => "#{ApiUmbrellaConfig[:site_name]} Contact Message from #{contact.email}",
-      :to => ApiUmbrellaConfig[:web][:contact_form_email]
+      :to => MailSanitizer.sanitize_address(ApiUmbrellaConfig[:web][:contact_form_email])
   end
 end

src/api-umbrella/web-app/lib/mail_sanitizer.rb

@@ -0,0 +1,32 @@
+class MailSanitizer
+  class InvalidAddress < StandardError
+  end
+
+  # A workaround to address OSVDB-131677 that is patched in the mail 2.6 gem,
+  # but since we're still on Rails 3.2, we can't upgrade yet.
+  #
+  # If the fixes get backported (https://github.com/mikel/mail/issues/944),
+  # then we could get rid of this, but in the meantime, this is a quick fix to
+  # address the underlying issues related to newlines and lengths.
+  #
+  # See:
+  # http://rubysec.com/advisories/OSVDB-131677/
+  # http://www.mbsd.jp/Whitepaper/smtpi.pdf
+  def self.sanitize_address(address)
+    if(address)
+      # Ensure no linebreaks are in the address.
+      if(address =~ /[\r\n]/)
+        raise InvalidAddress, "E-mail address cannot contain newlines"
+      end
+
+      # Ensure the address doesn't exceed 500 chars to prevent some servers
+      # from wrapping the content, introducing line breaks (technically, longer
+      # should work, but 500 seems like enough for our simple purposes).
+      if(address.length > 500)
+        raise InvalidAddress, "E-mail address cannot exceed 500 characters"
+      end
+    end
+
+    address
+  end
+end