The error is caused by the addition of explicit Host Authorization handling in Sinatra 4.1.0. It is implemented as a Rack middleware, bundled with rack-protection, but not exposed as either a default or an opt-in protection:
Pull request dentarg:host_authorization into sinatra:main, opened 05:24PM 05 Nov 24 UTC:
The Sinatra project received a security report with the following details:
> … Title: Reliance on Untrusted Inputs in a Security Decision
> CWE ID: CWE-807
> CVE ID: CVE-2024-21510
> Credit: t0rchwo0d
> Description: The sinatra package is vulnerable to Reliance on Untrusted
> Inputs in a Security Decision via the `X-Forwarded-Host (XFH)` header.
> When making a request to a method with redirect applied, it is possible
> to trigger an Open Redirect Attack by inserting an arbitrary address
> into this header. If used for caching purposes, such as with servers
> like Nginx, or as a reverse proxy, without handling the
> `X-Forwarded-Host` header, attackers can potentially exploit Cache
> Poisoning or Routing-based SSRF.
The vulnerable code was introduced in fae7c011. Sinatra cannot know whether the header value can be trusted or not without input from the app creator. This change introduces the `host_authorization` settings for that.
It is implemented as a Rack middleware, bundled with rack-protection, but not exposed as a default nor opt-in protection. It is meant to be used by itself, as sharing reaction with other protections is not ideal (see https://github.com/sinatra/sinatra/issues/2012).
Settings to be tweaked:
And an example:
Issue (labelled "question"), opened 09:28PM 18 Nov 24 UTC, closed 02:30PM 19 Nov 24 UTC:
With the introduction of https://github.com/sinatra/sinatra/pull/2053, it seems … there is no way to disable/configure the HostAuthorization middleware for development.
We don't run our apps on localhost for dev, and so the default hardcoded `permitted_hosts` do not work for us.
I saw that there is a handy `allow_if` proc, so I thought I could do:
```
use Rack::Protection::HostAuthorization, allow_if: ->(_env) { true }
```
but that just results in the middleware being mounted twice, once with my settings and once with the default settings, and so it still results in "Host not permitted" errors.
There needs to be a way to configure/disable this in dev mode.
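To make the decision the middleware takes concrete, here is an added illustration in plain Ruby (no gems needed) that is not Sinatra's or rack-protection's own code. It uses the `permitted_hosts` and `allow_if` option names discussed above; the class name `DemoHostAuthorization`, the leading-dot subdomain rule, the 403 response and the localhost default list are assumptions made for this example. It shows why a forged `X-Forwarded-Host` is rejected even when `Host` is fine, and reproduces the issue's observation that wrapping a second, permissive instance around the default one still yields "Host not permitted".

```ruby
# Added example, not code from Sinatra or rack-protection: a minimal Rack-style
# host-authorization middleware showing the decision the real middleware makes.
# `permitted_hosts` and `allow_if` are the option names discussed on the page;
# the class name, the leading-dot subdomain rule, the 403 status and the default
# host list below are assumptions made for this illustration.
class DemoHostAuthorization
  # Assumed stand-in for the "default hardcoded permitted_hosts" the issue mentions.
  DEFAULT_PERMITTED_HOSTS = ["localhost", "127.0.0.1", "[::1]"].freeze

  def initialize(app, permitted_hosts: DEFAULT_PERMITTED_HOSTS, allow_if: nil)
    @app = app
    @permitted_hosts = permitted_hosts.map { |h| h.to_s.downcase }
    @allow_if = allow_if
  end

  def call(env)
    # An escape hatch such as allow_if: ->(_env) { true } only affects this instance.
    return @app.call(env) if @allow_if && @allow_if.call(env)

    # Both the Host header and any X-Forwarded-Host value must be permitted,
    # because a redirect built from X-Forwarded-Host would otherwise point at
    # whatever host the client supplied (the open-redirect case in the advisory).
    candidates = [env["HTTP_HOST"], *forwarded_hosts(env)].compact
    if !candidates.empty? && candidates.all? { |h| permitted?(h) }
      @app.call(env)
    else
      [403, { "content-type" => "text/plain" }, ["Host not permitted"]]
    end
  end

  private

  # X-Forwarded-Host may carry a comma-separated list when several proxies are chained.
  def forwarded_hosts(env)
    env.fetch("HTTP_X_FORWARDED_HOST", "").split(",").map(&:strip).reject(&:empty?)
  end

  # Exact match, or a ".example.test" rule matching the domain and its subdomains.
  def permitted?(host)
    name = host.downcase.sub(/:\d+\z/, "") # ignore an explicit port
    @permitted_hosts.any? do |rule|
      if rule.start_with?(".")
        name == rule[1..-1] || name.end_with?(rule)
      else
        name == rule
      end
    end
  end
end

# Trivial downstream app standing in for a Sinatra application.
OK_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }

# Constructed Rack env for a GET / with the given Host and optional X-Forwarded-Host.
def build_env(host, forwarded = nil)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/", "HTTP_HOST" => host }
  env["HTTP_X_FORWARDED_HOST"] = forwarded if forwarded
  env
end

# Status returned by a single, correctly configured instance.
def single_mount_status(host, forwarded: nil, permitted_hosts: ["example.com", ".example.test"], allow_if: nil)
  app = DemoHostAuthorization.new(OK_APP, permitted_hosts: permitted_hosts, allow_if: allow_if)
  app.call(build_env(host, forwarded)).first
end

# Reproduces the issue's observation: wrapping a second, permissive instance
# around the default one does not help, because the inner instance still rejects.
def double_mount_status(host)
  inner = DemoHostAuthorization.new(OK_APP) # default hosts, as if mounted by the framework
  outer = DemoHostAuthorization.new(inner, allow_if: ->(_env) { true })
  outer.call(build_env(host)).first
end

if $PROGRAM_NAME == __FILE__
  puts single_mount_status("example.com")                                # 200
  puts single_mount_status("example.com", forwarded: "attacker.example") # 403
  puts single_mount_status("dev.internal", allow_if: ->(_env) { true })  # 200
  puts double_mount_status("dev.internal")                               # 403
end
```

The `double_mount_status` case is the point of the issue: the permissive `allow_if` has to be configured on the instance the framework mounts, since an extra `use` line only adds a second filter in front of the one that is still rejecting.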