Background
Grape PR #2789 addresses two security issues:
-
HTML escaping bypass in Grape::Middleware::Error#rack_response. The existing code only escaped when content-type was exactly text/html, but text/html; charset=utf-8 skipped escaping. The fix compares the media type only.
-
Auth bypass on mounted bare Rack apps. Bare Rack apps mounted with mount bypass the endpoint middleware stack. The fix adds a compile-time warning.
Impact
Scout instruments Grape's middleware stack. The change to rack_response modifies how error responses are constructed. If Scout hooks into this method, the new media-type comparison could change observed behavior.
Suggested Action
- Test Scout Grape instrumentation against a Grape version with PR #2789
- Check if Scout hooks into
Grape::Middleware::Error#rack_response
- Confirm Scout's middleware insertion point is not affected by the mounted-app warning logic
References
Filed by marketing pipeline.
Background
Grape PR #2789 addresses two security issues:
HTML escaping bypass in
Grape::Middleware::Error#rack_response. The existing code only escaped when content-type was exactlytext/html, buttext/html; charset=utf-8skipped escaping. The fix compares the media type only.Auth bypass on mounted bare Rack apps. Bare Rack apps mounted with
mountbypass the endpoint middleware stack. The fix adds a compile-time warning.Impact
Scout instruments Grape's middleware stack. The change to
rack_responsemodifies how error responses are constructed. If Scout hooks into this method, the new media-type comparison could change observed behavior.Suggested Action
Grape::Middleware::Error#rack_responseReferences
Filed by marketing pipeline.