Update dependency sinatra to "~>2.2.3" [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
sinatra (source, changelog)	"~>2.0.2" -> "~>2.2.3"

GitHub Vulnerability Alerts

CVE-2022-29970

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

CVE-2022-45442

Description

An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

References

• https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
• GHSA-8x94-hmjh-97hq

---

Release Notes

sinatra/sinatra (sinatra)

v2.2.3

Compare Source

• Fix: Escape filename in the Content-Disposition header. #​1841 by Kunpei Sakai

• Fix: fixed ReDoS for Rack::Protection::IPSpoofing. #​1823 by @​ooooooo-q

v2.2.2

Compare Source

• Update mustermann dependency to version 2.

v2.2.1

Compare Source

• Fix JRuby regression by using ruby2_keywords for delegation. #​1750 by Patrik Ragnarsson

• Add JRuby to CI. #​1755 by Karol Bucek

v2.2.0

Compare Source

• Breaking change: Add #select, #reject and #compact methods to Sinatra::IndifferentHash. If hash keys need to be converted to symbols, call #to_h to get a Hash instance first. #​1711 by Olivier Bellone

• Handle EOFError raised by Rack and return Bad Request 400 status. #​1743 by tamazon

• Minor refactors in base.rb. #​1640 by ceclinux

• Add escaping to the static 404 page. #​1645 by Chris Gavin

• Remove detect_rack_handler method. #​1652 by ceclinux

• Respect content type set in superclass before filter. Fixes #​1647 #​1649 by Jordan Owens

• Revert "Use prepend instead of include for helpers. #​1662 by namusyaka

• Fix usage of inherited Sinatra::Base classes keyword arguments. Fixes #​1669 #​1670 by Cadu Ribeiro

• Reduce RDoc generation time by not including every README. Fixes #​1578 #​1671 by Eloy Pérez

• Add support for per form csrf tokens. Fixes #​1616 #​1653 by Jordan Owens

• Update MAINTENANCE.md with the stable branch status. #​1681 by Fredrik Rubensson

• Validate expanded path matches public_dir when serving static files. #​1683 by cji-stripe

• Fix Delegator to pass keyword arguments for Ruby 3.0. #​1684 by andrewtblake

• Fix use with keyword arguments for Ruby 3.0. #​1701 by Robin Wallin

• Fix memory leaks for proc template. Fixes #​1704 #​1719 by Slevin

• Remove unnecessary test_files from the gemspec. #​1712 by Masataka Pocke Kuwabara

• Docs: Spanish documentation: Update README.es.md with removal of Thin. #​1630 by Espartaco Palma

• Docs: German documentation: Fixed typos in German README.md. #​1648 by Juri

• Docs: Japanese documentation: Update README.ja.md with removal of Thin. #​1629 by Ryuichi KAWAMATA

• Docs: English documentation: Various minor fixes to README.md. #​1663 by Yanis Zafirópulos

• Docs: English documentation: Document when dump_errors is enabled. Fixes #​1664 #​1665 by Patrik Ragnarsson

• Docs: Brazilian Portuguese documentation: Update README.pt-br.md with translation fixes. #​1668 by Vitor Oliveira

CI

• Use latest JRuby 9.2.16.0 on CI. #​1682 by Olle Jonsson

• Switch CI from travis to GitHub Actions. #​1691 by namusyaka

• Skip the Slack action if secrets.SLACK_WEBHOOK is not set. #​1705 by Robin Wallin

• Small CI improvements. #​1703 by Robin Wallin

• Drop auto-generated boilerplate comments from CI configuration file. #​1728 by Olle Jonsson

sinatra-contrib

• Do not raise when key is an enumerable. #​1619 by Ulysse Buonomo

Rack protection

• Fix broken origin_whitelist option. Fixes #​1641 #​1642 by Takeshi YASHIRO

v2.1.0

Compare Source

• Fix additional Ruby 2.7 keyword warnings #​1586 by Stefan Sundin

• Drop Ruby 2.2 support #​1455 by Eloy Pérez

• Add Rack::Protection::ReferrerPolicy #​1291 by Stefan Sundin

• Add default_content_type setting. Fixes #​1238 #​1239 by Mike Pastore

• Allow set :<engine> in sinatra-namespace #​1255 by Christian Höppner

• Use prepend instead of include for helpers. Fixes #​1213 #​1214 by Mike Pastore

• Fix issue with passed routes and provides Fixes #​1095 #​1606 by Mike Pastore, Jordan Owens

• Add QuietLogger that excludes pathes from Rack::CommonLogger 1250 by Christoph Wagner

• Sinatra::Contrib dependency updates. Fixes #​1207 #​1411 by Mike Pastore

• Allow CSP to fallback to default-src. Fixes #​1484 #​1490 by Jordan Owens

• Replace origin_whitelist with permitted_origins. Closes #​1620 #​1625 by rhymes

• Use Rainbows instead of thin for async/stream features. Closes #​1624 #​1627 by Ryuichi KAWAMATA

• Enable EscapedParams if passed via settings. Closes #​1615 #​1632 by Anders Bälter

• Support for parameters in mime types. Fixes #​1141 by John Hope

• Handle null byte when serving static files #​1574 by Kush Fanikiso

• Improve development support and documentation and source code by Olle Jonsson, Pierre-Adrien Buisson, Shota Iguchi

v2.0.8.1

Compare Source

• Allow multiple hashes to be passed in merge and merge! for Sinatra::IndifferentHash #​1572 by Shota Iguchi

v2.0.8

Compare Source

• Allow multiple hashes to be passed in merge and merge! for Sinatra::IndifferentHash #​1572 by Shota Iguchi

v2.0.7

Compare Source

• Fix a regression #​1560 by Kunpei Sakai

v2.0.6

Compare Source

• Fix an issue setting environment from command line option #​1547, #​1554 by Jordan Owens, Kunpei Sakai

• Support pandoc as a new markdown renderer #​1533 by Vasiliy

• Remove outdated code for tilt 1.x #​1532 by Vasiliy

• Remove an extra logic for force_encoding #​1527 by Jordan Owens

• Avoid multiple errors even if params contains special values #​1526 by Kunpei Sakai

• Support bundler/inline with require 'sinatra' integration #​1520 by Kunpei Sakai

• Avoid TypeError when params contain a key without a value on Ruby < 2.4 #​1516 by Samuel Giddins

• Improve development support and documentation and source code by Olle Jonsson, Basavanagowda Kanur, Yuki MINAMIYA

v2.0.5

Compare Source

• Avoid FrozenError when params contains frozen value #​1506 by Kunpei Sakai

• Add support for Erubi #​1494 by @​tkmru

• IndifferentHash monkeypatch warning improvements #​1477 by Mike Pastore

• Improve development support and documentation and source code by Anusree Prakash, Jordan Owens, @​ceclinux and @​krororo.

sinatra-contrib

• Add flush option to content_for #​1225 by Shota Iguchi

• Drop activesupport dependency from sinatra-contrib #​1448

• Update yield_content to append default to ERB template buffer #​1500 by Jordan Owens

rack-protection

• Don't track the Accept-Language header by default #​1504 by Artem Chistyakov

v2.0.4

Compare Source

• Don't blow up when passing frozen string to send_file disposition #​1137 by Andrew Selder

• Fix ubygems LoadError #​1436 by Pavel Rosický

• Unescape regex captures #​1446 by Jordan Owens

• Slight performance improvements for IndifferentHash #​1427 by Mike Pastore

• Improve development support and documentation and source code by Will Yang, Jake Craige, Grey Baker and Guilherme Goettems Schneider

v2.0.3

Compare Source

• Fix the backports gem regression #​1442 by Marc-André Lafortune

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.