Riskweline

**Name of the Vulnerable Software and Affected Versions** unpoly-rails versions prior to 2.7.2.2 **Description** The issue is related to a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem. This affects Rails applications operating as an upstream of a load balancer that uses passive health checks. The unpoly-rails gem echoes the request URL as an `X-Up-Location` response header. By making a request with exceedingly long URLs, an attacker can cause unpoly-rails to write a large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group, making the application instance unavailable until a configured timeout is reached or until an active healthcheck succeeds. **Recommendations** To resolve the issue, upgrade to version 2.7.2.2 or later. If unable to upgrade, consider the following workarounds: - Configure the load balancer to use active health checks by periodically requesting a route with a known response that indicates healthiness. - Configure the load balancer so the maximum size of response headers is at least twice the maximum size of a URL. - Configure the Rails application to delete redundant `X-Up-Location` headers set by unpoly-rails by adding the following code to the ApplicationController: ```ruby after action :remove redundant up location header private def remove redundant up location header if request.original url == response.headers['X-Up-Location'] response.headers.delete('X-Up-Location') end end ```