excon: Need help debugging test failures with CVE-2019-16779 patch

Hi,

Debian Jessie has version 0.33.0 of excon, and I mean to patch CVE-2019-16779 with the help of https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29.

Now, whilst doing so, I am using the following patch:

--- a/lib/excon/connection.rb
+++ b/lib/excon/connection.rb
@@ -261,6 +261,11 @@
 
       datum[:connection] = self
 
+      # cleanup data left behind on persistent connection after interrupt
+      if datum[:persistent] && !@persistent_socket_reusable
+        reset
+      end
+
       datum[:stack] = datum[:middlewares].map do |middleware|
         lambda {|stack| middleware.new(stack)}
       end.reverse.inject(self) do |middlewares, middleware|
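Review bot: the guard `if datum[:persistent] && !@persistent_socket_reusable` relies on an instance variable that, as far as this patch shows, is only ever assigned in `response`'s surroundings and in `reset`; on a freshly constructed Connection it is nil, so `!nil` is true and the very first persistent request always goes through `reset` before anything has been sent. That is harmless here (there is no socket yet to close), but it is cheaper and clearer to initialize `@persistent_socket_reusable = true` in `initialize` as well, and it keeps the first-request path identical to the steady-state one. Worth checking the upstream commit for that initialization and porting it if it is there.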
@@ -269,7 +274,9 @@
       datum = datum[:stack].request_call(datum)
 
       unless datum[:pipeline]
+        @persistent_socket_reusable = false
         datum = response(datum)
+        @persistent_socket_reusable = true
 
         if datum[:persistent]
           if key = datum[:response][:headers].keys.detect {|k| k.casecmp('Connection') == 0 }
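Review bot: the flag is flipped to false only on the `unless datum[:pipeline]` branch, so an interrupt while a pipelined batch is being read (the `datum[:pipeline]` path that defers `response` to a later call) leaves `@persistent_socket_reusable` untouched, and the next request will reuse a socket that still has unread response bytes on it, which is exactly the condition this CVE fix is meant to prevent. Check whether the upstream commit also marks the socket non-reusable around the pipelined read path (the code that drains responses for `requests`) and port that part too, otherwise the fix only covers non-pipelined use.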
@@ -324,6 +331,7 @@
       if old_socket = sockets.delete(@socket_key)
         old_socket.close rescue nil
       end
+      @persistent_socket_reusable = true
     end
 
     # Generate HTTP request verb methods
--- a/tests/basic_tests.rb
+++ b/tests/basic_tests.rb
@@ -15,6 +15,29 @@
         response[:status]
       end
     end
+
+    tests("persistent connections") do
+      connection = Excon.new('http://127.0.0.1:9292', persistent: true)
+
+      response_body = connection.request(path: '/foo', method: 'get').body
+      test("successful uninterrupted request") do
+        connection.request(path: '/foo', method: 'get').body == 'foo'
+      end
+
+      begin
+        # simulate an interrupted connection which leaves data behind
+        Timeout::timeout(0.0000000001) do
+          connection.request(path: '/foo', method: 'get')
+        end
+      rescue Timeout::Error
+        nil
+      end
+
+      test("resets connection after interrupt") do
+        response = connection.request(path: '/bar', method: 'get')
+        response.body == 'bar'
+      end
+    end
   end
 end
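Review bot: `response_body = connection.request(path: '/foo', method: 'get').body` is assigned and never used; either drop the assignment or assert on it, since as written the first request is an untested warm-up. Two further points: `Timeout::timeout` needs `require 'timeout'`, so confirm the test harness loads it; and a 0.0000000001s timeout can fire at any point inside `connection.request`, including before the request is written, in which case nothing is left on the socket and "resets connection after interrupt" passes without exercising `reset`. The test is still useful as a regression check, but it cannot fail deterministically on an unpatched build, so do not read a green run as proof the backport works. Note also that it talks to 127.0.0.1:9292, so the rackup has to be up in this harness; failures to start it (the linked build log is not visible here) will show up as failures of these tests regardless of the fix.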
 
--- a/tests/rackups/basic.rb
+++ b/tests/rackups/basic.rb
@@ -26,6 +26,14 @@
     echo
   end
 
+  get('/foo') do
+    'foo'
+  end
+
+  get('/bar') do
+    'bar'
+  end
+
   private
 
   def echo

Whilst building, I am getting the following build errors: https://gist.github.com/utkarsh2102/7fbaaed9ef57ea6bba0f36968e361ac8

I am not sure how to patch these. Am I missing something? As far as I can see, some of them could be fixed by using the right certificates, but I am not really sure.

Could you please help with the same? 😃
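The following is an added example, not excon's code and not part of the original post. It models the condition the patch above guards against: a persistent connection that was interrupted after the request was written but before the response was drained, leaving the stale response on the socket for the next request to read. `FakeSocket` and `Conn` are constructed stand-ins (the "server" simply echoes the request path as the body); the `@persistent_socket_reusable` flag and `reset` logic mirror the shape of the posted patch, and `guard: false` shows what happens without it.

```ruby
require 'timeout'

# Constructed stand-in for a socket whose peer is a tiny HTTP/1.1 server.
# The server "replies" synchronously in write, which is enough to model the
# leftover-bytes problem: the reply sits in @inbound until somebody reads it.
class FakeSocket
  attr_reader :inbound

  def initialize
    @inbound = String.new   # bytes sent by the peer that we have not consumed yet
    @closed = false
  end

  def write(request)
    path = request[/^GET (\S+)/, 1]
    body = path.sub(%r{\A/}, '')
    @inbound << "HTTP/1.1 200 OK\r\nContent-Length: #{body.bytesize}\r\n\r\n#{body}"
  end

  def read_line
    raise EOFError, 'no data' unless (i = @inbound.index("\r\n"))
    @inbound.slice!(0, i + 2).chomp
  end

  def read(n)
    @inbound.slice!(0, n)
  end

  def close
    @closed = true
  end

  def closed?
    @closed
  end
end

# Constructed model of a persistent connection. With guard: true it applies the
# same rule as the patch: a request that did not finish reading its response
# leaves the flag false, and the next request resets the socket first.
class Conn
  attr_reader :resets

  def initialize(guard:)
    @guard = guard
    @socket = nil
    @resets = 0
    @persistent_socket_reusable = true   # assumed initial state (see review note)
  end

  def socket
    @socket ||= FakeSocket.new
  end

  def reset
    @socket&.close
    @socket = nil
    @resets += 1
    @persistent_socket_reusable = true
  end

  # interrupt: true simulates a Timeout firing after the request was written
  # but before the response was read, which is what leaves bytes behind.
  def request(path, interrupt: false)
    reset if @guard && !@persistent_socket_reusable
    socket.write("GET #{path} HTTP/1.1\r\nHost: example\r\n\r\n")
    @persistent_socket_reusable = false
    raise Timeout::Error, 'simulated interrupt mid-request' if interrupt
    resp = read_response
    @persistent_socket_reusable = true
    resp
  end

  private

  def read_response
    status_line = socket.read_line
    headers = {}
    while (line = socket.read_line) != ''
      k, v = line.split(': ', 2)
      headers[k.downcase] = v
    end
    { status: status_line.split(' ')[1].to_i,
      body: socket.read(headers['content-length'].to_i) }
  end
end

# Interrupt a GET /foo, then GET /bar on the same persistent connection.
# Returns [body returned for /bar, number of resets performed].
def stale_response(guard:)
  conn = Conn.new(guard: guard)
  begin
    conn.request('/foo', interrupt: true)
  rescue Timeout::Error
    # the caller's timeout fired; the /foo reply is still on the socket
  end
  [conn.request('/bar')[:body], conn.resets]
end

if __FILE__ == $PROGRAM_NAME
  puts "unguarded: /bar got #{stale_response(guard: false).inspect}"
  puts "guarded:   /bar got #{stale_response(guard: true).inspect}"
end
```

Without the guard the /bar request is answered with the body of the interrupted /foo response, which is the response-misattribution behaviour behind the CVE; with the guard the connection is reset once and /bar gets its own body. Note this models only the non-pipelined path, where the patch toggles the flag.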

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 21 (9 by maintainers)

Most upvoted comments

Awesome, glad we were finally able to find our way through the fix and get that updated. Happy to help!