Information disclosure via leak of request/state during middleware stack initialization
Description
The patch targets a potential information disclosure during middleware stack construction by changing how the Flash middleware attaches its request methods. Instead of reopening class Request directly, it wraps the prepend of Flash::RequestMethods in an ActiveSupport.on_load(:action_dispatch_request) callback, and it removes an eager require of action_dispatch/request/session from session/abstract_store.rb. This lazy-loading approach prevents early exposure or leakage of request/state objects while the middleware stack is being built, reducing the risk of information leaking across requests via the request object.
Commit Details
Author: Gannon McGibbon
Date: 2025-12-12 01:16 UTC
Message:
Merge pull request #56349 from Shopify/fix_request_leak
Fix request load leak when building middleware stack
Triage Assessment
Vulnerability Type: Information disclosure
Confidence: MEDIUM
Reasoning:
Commit caption mentions fixing a 'request load leak' when building the middleware stack, and the code changes adjust how the Flash request methods are loaded and remove an unavailable require which could affect request/state leakage between middleware. This indicates a fix to prevent information leakage via the request object during middleware setup.
Verification Assessment
Vulnerability Type: Information disclosure via leak of request/state during middleware stack initialization
Confidence: MEDIUM
Affected Versions: 8.1.0 - 8.1.2 (prior to the fix; 8.1.3 includes the fix)
Code Diff
diff --git a/actionpack/lib/action_dispatch/middleware/flash.rb b/actionpack/lib/action_dispatch/middleware/flash.rb
index 6b64295709d31..a2fa837cfe261 100644
--- a/actionpack/lib/action_dispatch/middleware/flash.rb
+++ b/actionpack/lib/action_dispatch/middleware/flash.rb
@@ -312,7 +312,7 @@ def stringify_array(array) # :doc:
def self.new(app) app; end
end
- class Request
+ ActiveSupport.on_load(:action_dispatch_request) do
prepend Flash::RequestMethods
end
end
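Review bot: the ActiveSupport.on_load(:action_dispatch_request) block that replaces "class Request" carries no comment saying why the prepend is deferred, so a later cleanup could turn it back into a plain class reopening and reintroduce the load this commit removes. Add a one-line comment above the block stating that reopening the class here forces the request class to load while the middleware stack is being built. The diff also touches only two lib files and no tests; a regression test asserting that requiring flash.rb on its own does not load the request class, and that Flash::RequestMethods is still prepended once the hook runs, would pin both halves of the behaviour.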
diff --git a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
index 39614fadcac1b..bea38110d6055 100644
--- a/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
@@ -6,7 +6,6 @@
require "rack/request"
require "rack/session/abstract/id"
require "action_dispatch/middleware/cookies"
-require "action_dispatch/request/session"
module ActionDispatch
module Session
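Review bot: dropping require "action_dispatch/request/session" at the top of abstract_store.rb leaves only rack/request, rack/session/abstract/id and action_dispatch/middleware/cookies as explicit dependencies, and the hunk does not show whether the module body still references the session class that require provided. If it does, the file now relies on autoloading or on another file having loaded that constant first. Confirm that abstract_store.rb can be required in isolation without a NameError, and say in the commit message what now loads the constant.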