diff --git a/.github/workflows/shared_gem_verify_rails.yml b/.github/workflows/shared_gem_verify_rails.yml index 52eff703a4aea..1056ad5c51b76 100644 --- a/.github/workflows/shared_gem_verify_rails.yml +++ b/.github/workflows/shared_gem_verify_rails.yml @@ -30,7 +30,7 @@ jobs: - name: Build Rails version matrix id: merge_rails_versions run: | - default_rails_versions='["~> 7.0.0","~> 7.1.0","~> 7.2.0"]' + default_rails_versions='["~> 7.0.0","~> 7.1.0","~> 7.2.0","~> 8.0.0"]' additional_rails_versions='${{ inputs.additional_rails_versions }}' rails_versions=$(jq -cn \ diff --git a/Gemfile.lock b/Gemfile.lock index a03fc33b654e7..6c0f6ba40efa4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -4,9 +4,9 @@ PATH metasploit-framework (6.4.128) aarch64 abbrev - actionpack (~> 7.2.0) - activerecord (~> 7.2.0) - activesupport (~> 7.2.0) + actionpack (~> 8.0.0) + activerecord (~> 8.0.0) + activesupport (~> 8.0.0) aws-sdk-ec2 aws-sdk-ec2instanceconnect aws-sdk-iam @@ -43,11 +43,11 @@ PATH json lru_redux metasm - metasploit-concern - metasploit-credential (>= 6.0.21) - metasploit-model + metasploit-concern (~> 5.0, >= 5.0.6) + metasploit-credential (~> 6.0, >= 6.0.22) + metasploit-model (~> 5.0, >= 5.0.5) metasploit-payloads (= 2.0.245) - metasploit_data_models (>= 6.0.15) + metasploit_data_models (~> 6.0, >= 6.0.16) metasploit_payloads-mettle (= 1.0.46) mqtt msgpack (~> 1.6.0) @@ -72,7 +72,7 @@ PATH pdf-reader pg puma - rack (~> 2.2) + rack (>= 3.0) railties rasn1 (= 0.14.0) rb-readline @@ -105,13 +105,12 @@ PATH ruby_smb (~> 3.3.17) rubyntlm rubyzip - sinatra (~> 3.2) + sinatra (~> 4.0) sqlite3 (= 1.7.3) sshkey stringio (= 3.1.1) swagger-blocks syslog - thin (~> 1.x) tzinfo tzinfo-data unix-crypt @@ -130,30 +129,29 @@ GEM aarch64 (2.1.0) racc (~> 1.6) abbrev (0.1.2) - actionpack (7.2.2.2) - actionview (= 7.2.2.2) - activesupport (= 7.2.2.2) + actionpack (8.0.5) + actionview (= 8.0.5) + activesupport (= 8.0.5) nokogiri (>= 1.8.5) - racc - rack (>= 2.2.4, < 3.2) + rack (>= 2.2.4) rack-session (>= 1.0.1) rack-test (>= 0.6.3) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) useragent (~> 0.16) - actionview (7.2.2.2) - activesupport (= 7.2.2.2) + actionview (8.0.5) + activesupport (= 8.0.5) builder (~> 3.1) erubi (~> 1.11) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) - activemodel (7.2.2.2) - activesupport (= 7.2.2.2) - activerecord (7.2.2.2) - activemodel (= 7.2.2.2) - activesupport (= 7.2.2.2) + activemodel (8.0.5) + activesupport (= 8.0.5) + activerecord (8.0.5) + activemodel (= 8.0.5) + activesupport (= 8.0.5) timeout (>= 0.4.0) - activesupport (7.2.2.2) + activesupport (8.0.5) base64 benchmark (>= 0.3) bigdecimal @@ -165,6 +163,7 @@ GEM minitest (>= 5.1) securerandom (>= 0.3) tzinfo (~> 2.0, >= 2.0.5) + uri (>= 0.13.1) addressable (2.8.7) public_suffix (>= 2.0.2, < 7.0) afm (0.2.2) @@ -175,8 +174,8 @@ GEM mime-types (>= 3.3, < 4) require_all (>= 2, < 4) rspec-expectations (~> 3.12) - arel-helpers (2.16.0) - activerecord (>= 3.1.0, < 8.1) + arel-helpers (2.17.0) + activerecord (>= 3.1.0) ast (2.4.3) aws-eventstream (1.3.2) aws-partitions (1.1065.0) @@ -225,7 +224,6 @@ GEM cookiejar (0.3.4) crass (1.0.6) csv (3.3.2) - daemons (1.4.1) date (3.4.1) debug (1.11.0) irb (~> 1.10) @@ -324,14 +322,14 @@ GEM lru_redux (1.1.0) memory_profiler (1.1.0) metasm (1.0.5) - metasploit-concern (5.0.5) - activemodel (~> 7.0) - activesupport (~> 7.0) + metasploit-concern (5.0.6) + activemodel (>= 7.0, < 8.1) + activesupport (>= 7.0, < 8.1) drb mutex_m - railties (~> 7.0) + railties (>= 7.0, < 8.1) zeitwerk - metasploit-credential (6.0.21) + metasploit-credential (6.0.22) bigdecimal csv drb @@ -345,25 +343,25 @@ GEM rex-socket rubyntlm rubyzip (< 3.0.0) - metasploit-model (5.0.4) - activemodel (~> 7.0) - activesupport (~> 7.0) + metasploit-model (5.0.5) + activemodel (>= 7.0, < 8.1) + activesupport (>= 7.0, < 8.1) bigdecimal drb mutex_m - railties (~> 7.0) + railties (>= 7.0, < 8.1) metasploit-payloads (2.0.245) - metasploit_data_models (6.0.15) - activerecord (~> 7.0) - activesupport (~> 7.0) + metasploit_data_models (6.0.16) + activerecord (>= 7.0, < 8.1) + activesupport (>= 7.0, < 8.1) arel-helpers bigdecimal drb metasploit-concern - metasploit-model (~> 5.0.4) + metasploit-model (>= 5.0.4) mutex_m pg - railties (~> 7.0) + railties (>= 7.0, < 8.1) recog webrick metasploit_payloads-mettle (1.0.46) @@ -435,24 +433,25 @@ GEM pry-byebug (3.11.0) byebug (~> 12.0) pry (>= 0.13, < 0.16) - psych (5.2.6) + psych (5.3.1) date stringio public_suffix (6.0.2) puma (6.6.0) nio4r (~> 2.0) racc (1.8.1) - rack (2.2.19) - rack-protection (3.2.0) + rack (3.2.6) + rack-protection (4.2.1) base64 (>= 0.1.0) - rack (~> 2.2, >= 2.2.4) - rack-session (1.0.2) - rack (< 3) + logger (>= 1.6.0) + rack (>= 3.0.0, < 4) + rack-session (2.1.2) + base64 (>= 0.1.0) + rack (>= 3.0.0) rack-test (2.2.0) rack (>= 1.3) - rackup (1.0.1) - rack (< 3) - webrick + rackup (2.3.1) + rack (>= 3) rails-dom-testing (2.3.0) activesupport (>= 5.0.0) minitest @@ -460,13 +459,14 @@ GEM rails-html-sanitizer (1.6.2) loofah (~> 2.21) nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0) - railties (7.2.2.2) - actionpack (= 7.2.2.2) - activesupport (= 7.2.2.2) + railties (8.0.5) + actionpack (= 8.0.5) + activesupport (= 8.0.5) irb (~> 1.13) rackup (>= 1.0.0) rake (>= 12.2) thor (~> 1.0, >= 1.2.2) + tsort (>= 0.2) zeitwerk (~> 2.6) rainbow (3.1.1) rake (13.3.0) @@ -611,10 +611,12 @@ GEM simplecov-html (~> 0.11) simplecov-html (0.13.1) simpleidn (0.2.3) - sinatra (3.2.0) + sinatra (4.2.1) + logger (>= 1.6.0) mustermann (~> 3.0) - rack (~> 2.2, >= 2.2.4) - rack-protection (= 3.2.0) + rack (>= 3.0.0, < 4) + rack-protection (= 4.2.1) + rack-session (>= 2.0.0, < 3) tilt (~> 2.0) sqlite3 (1.7.3) mini_portile2 (~> 2.8.0) @@ -625,10 +627,6 @@ GEM syslog (0.3.0) logger test-prof (1.4.4) - thin (1.8.2) - daemons (~> 1.0, >= 1.0.9) - eventmachine (~> 1.0, >= 1.0.4) - rack (>= 1, < 3) thor (1.4.0) tilt (2.6.0) timecop (0.9.10) @@ -646,6 +644,7 @@ GEM unicode-emoji (~> 4.1) unicode-emoji (4.1.0) unix-crypt (1.3.1) + uri (1.1.1) useragent (0.16.11) warden (1.2.9) rack (>= 2.0.9) @@ -667,9 +666,9 @@ GEM rexml (~> 3.0) rubyntlm (~> 0.6.0, >= 0.6.3) with_env (1.1.0) - xdr (3.0.3) - activemodel (>= 4.2, < 8.0) - activesupport (>= 4.2, < 8.0) + xdr (3.0.1) + activemodel (>= 5.2.0) + activesupport (>= 5.2.0) xml-simple (1.1.9) rexml xmlrpc (0.3.3) diff --git a/config/application.rb b/config/application.rb index f3a00df46bca0..3f5c423441239 100644 --- a/config/application.rb +++ b/config/application.rb @@ -5,20 +5,30 @@ require File.expand_path('../boot', __FILE__) require 'action_view' -# Monkey patch https://github.com/rails/rails/blob/v7.2.2.1/actionview/lib/action_view/helpers/tag_helper.rb#L51 -# Might be fixed by 8.x https://github.com/rails/rails/blob/v8.0.2/actionview/lib/action_view/helpers/tag_helper.rb#L51C1-L52C1 -raise unless ActionView::VERSION::STRING == '7.2.2.2' # A developer will need to ensure this is still required when bumping rails -module ActionView::Helpers::TagHelper - class TagBuilder - def self.define_element(name, code_generator:, method_name: name.to_s.underscore) - code_generator.define_cached_method(method_name, namespace: :tag_builder) do |batch| - # Fixing a bug introduced by Metasploit's global Kernel patch: https://github.com/rapid7/metasploit-framework/blob/ae1db09f32cd04c007dbf445cf16dc22c9fc2e53/lib/rex.rb#L74-L79 - # which fails when using the below 'instance_methods.include?(method_name.to_sym)' check - batch.push(<<~RUBY) # unless instance_methods.include?(method_name.to_sym) - def #{method_name}(content = nil, escape: true, **options, &block) - tag_string("#{name}", content, options, escape: escape, &block) - end - RUBY +# Monkey patch for ActionView::Helpers::TagHelper::TagBuilder.define_element +# +# Metasploit's global Kernel patch (lib/rex.rb) overrides Kernel#select and Kernel#sleep. +# ActionView's define_element checks whether a method already exists before defining HTML +# element helpers (e.g. :select). Because Kernel#select is in the ancestor chain, the check +# returns true and the :select element helper is never defined, breaking tag.select(). +# +# Rails 7.2.x uses `instance_methods.include?(method_name.to_sym)` — affected. +# Rails 8.0.x uses `return if method_defined?(name)` — also affected, since method_defined? +# checks the ancestor chain including Kernel. +# +# See: https://github.com/rapid7/metasploit-framework/blob/ae1db09f32cd04c007dbf445cf16dc22c9fc2e53/lib/rex.rb#L74-L79 +if ActionView::VERSION::MAJOR == 8 + # Rails 8.0.x patch: override define_element to skip the method_defined? guard + # https://github.com/rails/rails/blob/v8.0.5/actionview/lib/action_view/helpers/tag_helper.rb#L51 + module ActionView::Helpers::TagHelper + class TagBuilder + def self.define_element(name, code_generator:, method_name: name) + code_generator.class_eval do |batch| + batch << "\n" << + "def #{method_name}(content = nil, escape: true, **options, &block)" << + " tag_string(#{name.inspect}, content, options, escape: escape, &block)" << + "end" + end end end end @@ -59,9 +69,15 @@ class Application < Rails::Application config.paths['log'] = "#{Msf::Config.log_directory}/#{Rails.env}.log" config.paths['config/database'] = [Metasploit::Framework::Database.configurations_pathname.try(:to_path)] - config.autoloader = :zeitwerk - config.load_defaults 7.2 + # Rails 8.0 upgrade: changed from 'config.load_defaults 7.2'. + # Activates Rails 8.0 framework defaults including: + # - config.active_support.to_time_preserves_timezone = :zone + # - config.active_record.default_column_serializer = nil + # - config.active_record.run_after_transaction_callbacks_in_order_defined = true + # The config.autoloader = :zeitwerk line was also removed here because + # Zeitwerk is the only autoloader in Rails 8 — the setting no longer exists. + config.load_defaults 8.0 config.eager_load = false end diff --git a/db/schema.rb b/db/schema.rb index 7ef2a2ef85e93..358636fd07941 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -10,9 +10,9 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema[7.2].define(version: 2026_01_30_124052) do +ActiveRecord::Schema[8.0].define(version: 2026_01_30_124052) do # These are extensions that must be enabled in order to support this database - enable_extension "plpgsql" + enable_extension "pg_catalog.plpgsql" create_table "api_keys", id: :serial, force: :cascade do |t| t.text "token" diff --git a/lib/metasploit/framework/rails_version_constraint.rb b/lib/metasploit/framework/rails_version_constraint.rb index 54766b44370bd..e6df0dbd28e0d 100644 --- a/lib/metasploit/framework/rails_version_constraint.rb +++ b/lib/metasploit/framework/rails_version_constraint.rb @@ -3,7 +3,11 @@ module Metasploit module Framework module RailsVersionConstraint - RAILS_VERSION = '~> 7.2.0' + # Rails 8.0 upgrade: changed from '~> 7.2.0' to '~> 8.0.0'. + # This constant is used in metasploit-framework.gemspec to pin activerecord, + # activesupport, and actionpack. Rails 8.0 requires Rack 3.x and Zeitwerk-only + # autoloading, which drove the broader upgrade across all supporting gems. + RAILS_VERSION = '~> 8.0.0' end end end diff --git a/lib/msf/core/exploit/remote/cert_request.rb b/lib/msf/core/exploit/remote/cert_request.rb index 5888db7ee0cce..c75cd13f1a6b0 100644 --- a/lib/msf/core/exploit/remote/cert_request.rb +++ b/lib/msf/core/exploit/remote/cert_request.rb @@ -244,7 +244,8 @@ def get_cert_policy_oids(cert) # @param [OpenSSL::X509::Certificate] cert # @return [String, nil] The SID if it was found, otherwise nil. def get_cert_msext_sid(cert) - ext = cert.extensions.find { |e| e.oid == Rex::Proto::X509::OID_NTDS_CA_SECURITY_EXT } + # OpenSSL 3.6+ resolves this OID to its registered short name instead of the dotted string + ext = cert.extensions.find { |e| [Rex::Proto::X509::OID_NTDS_CA_SECURITY_EXT, 'ms-ntds-sec-ext'].include?(e.oid) } return unless ext ntds_ca_security_ext = Rex::Proto::CryptoAsn1::NtdsCaSecurityExt.parse(ext.value_der) diff --git a/lib/msf/core/web_services/http_db_manager_service.rb b/lib/msf/core/web_services/http_db_manager_service.rb index 90ebf1457cfd2..76a09dc33055b 100644 --- a/lib/msf/core/web_services/http_db_manager_service.rb +++ b/lib/msf/core/web_services/http_db_manager_service.rb @@ -1,4 +1,8 @@ require 'rack' +# Rails 8.0 upgrade: migrated from Rack::Handler::Thin to Rack::Handler::Puma. +# Thin only supports Rack 2.x and cannot run under Rack 3.x (required by Rails 8). +# Puma was already a runtime dependency and is Rack 3-compatible. +require 'rack/handler/puma' require 'metasploit/framework/parsed_options/remote_db' # TODO: This functionality isn't fully used currently, it should be integrated and called from the top level msfdb.rb file @@ -23,19 +27,37 @@ def start(opts) private + # Rails 8.0 upgrade: replaced Thin server startup with Puma. + # Thin configured SSL via server.ssl / server.ssl_options in a block callback. + # Puma uses a URI-based SSL config (ssl://host:port?key=...&cert=...&verify_mode=...) + # passed through the Host option, so the SSL setup was rewritten accordingly. def start_http_server(opts) + host = opts[:Host] || '0.0.0.0' + port = opts[:Port] || 8080 - Rack::Handler::Thin.run(Msf::WebServices::MetasploitApiApp, **opts) do |server| + puma_opts = { + Host: host, + Port: port, + Threads: '0:16', + Verbose: false, + Silent: opts[:Silent] || false + } - if opts[:ssl] && opts[:ssl] = true - print_good('SSL Enabled') - server.ssl = true - server.ssl_options = opts[:ssl_opts] - else - print_warning('SSL Disabled') - end - server.threaded = true + if opts[:ssl] + print_good('SSL Enabled') + ssl_opts = opts[:ssl_opts] || {} + key = ssl_opts[:private_key_file] + cert = ssl_opts[:cert_chain_file] + verify = ssl_opts[:verify_peer] ? 'peer' : 'none' + + ssl_uri = "ssl://#{host}:#{port}?key=#{key}&cert=#{cert}&verify_mode=#{verify}" + puma_opts[:Host] = ssl_uri + puma_opts.delete(:Port) + else + print_warning('SSL Disabled') end + + Rack::Handler::Puma.run(Msf::WebServices::MetasploitApiApp, **puma_opts) end def init_db diff --git a/lib/msf/core/web_services/json_rpc_app.rb b/lib/msf/core/web_services/json_rpc_app.rb index 6a416764c4b81..0e5ef755d0334 100644 --- a/lib/msf/core/web_services/json_rpc_app.rb +++ b/lib/msf/core/web_services/json_rpc_app.rb @@ -26,6 +26,12 @@ class JsonRpcApp < Sinatra::Base # Disables Sinatra HTML Error Responses set :show_exceptions, false + # Sinatra 4.1+ enables Rack::Protection::HostAuthorization by default, + # which rejects requests from unrecognized hosts. Metasploit's web + # services bind to user-configured addresses and handle their own auth + # via Warden, so disable the host check. + set :host_authorization, permitted_hosts: [] + set :sessions, {key: 'msf-ws.session', expire_after: 300} set :session_secret, ENV.fetch('MSF_WS_SESSION_SECRET', SecureRandom.hex(32)) set :api_token, ENV.fetch('MSF_WS_JSON_RPC_API_TOKEN', nil) diff --git a/lib/msf/core/web_services/json_rpc_exception_handling.rb b/lib/msf/core/web_services/json_rpc_exception_handling.rb index 26d031174dd23..dc093dfde6169 100644 --- a/lib/msf/core/web_services/json_rpc_exception_handling.rb +++ b/lib/msf/core/web_services/json_rpc_exception_handling.rb @@ -40,7 +40,7 @@ def get_response(err, request) Rack::Response.new( response.to_json, 500, - {'Content-type' => 'application/json'} + {'content-type' => 'application/json'} ).finish end diff --git a/lib/msf/core/web_services/metasploit_api_app.rb b/lib/msf/core/web_services/metasploit_api_app.rb index be832fb0e33c0..aca359a33f162 100644 --- a/lib/msf/core/web_services/metasploit_api_app.rb +++ b/lib/msf/core/web_services/metasploit_api_app.rb @@ -33,6 +33,12 @@ class Msf::WebServices::MetasploitApiApp < Sinatra::Base register Msf::WebServices::RouteServlet configure do + # Sinatra 4.1+ enables Rack::Protection::HostAuthorization by default, + # which rejects requests from unrecognized hosts. Metasploit's web + # services bind to user-configured addresses and handle their own auth + # via Warden, so disable the host check. + set :host_authorization, permitted_hosts: [] + set :sessions, {key: 'msf-ws.session', expire_after: 300} set :session_secret, ENV.fetch('MSF_WS_SESSION_SECRET') { SecureRandom.hex(32) } end diff --git a/lib/msf/core/web_services/servlet_helper.rb b/lib/msf/core/web_services/servlet_helper.rb index 6f95bc49bf13d..e0d6bbea3ef7b 100644 --- a/lib/msf/core/web_services/servlet_helper.rb +++ b/lib/msf/core/web_services/servlet_helper.rb @@ -8,7 +8,7 @@ module Msf::WebServices::ServletHelper def set_error_on_response(error) print_error "Error handling request: #{error.message}", error - headers = {'Content-Type' => 'text/plain'} + headers = {'content-type' => 'text/plain'} [500, headers, error.message] end @@ -17,12 +17,12 @@ def set_empty_response end def set_raw_response(data, code: 200) - headers = { 'Content-Type' => 'application/json' } + headers = { 'content-type' => 'application/json' } [code, headers, data] end def set_json_response(data, includes = nil, code = 200) - headers = { 'Content-Type' => 'application/json' } + headers = { 'content-type' => 'application/json' } [code, headers, to_json(data, includes)] end @@ -37,7 +37,7 @@ def set_json_error_response(response:, code:) end def set_html_response(data) - headers = {'Content-Type' => 'text/html'} + headers = {'content-type' => 'text/html'} [200, headers, data] end diff --git a/lib/rex/proto/x509/request.rb b/lib/rex/proto/x509/request.rb index 0a6325a5c5797..bf4e77146e5eb 100644 --- a/lib/rex/proto/x509/request.rb +++ b/lib/rex/proto/x509/request.rb @@ -15,6 +15,8 @@ module Rex::Proto::X509 class Request def self.create_csr(private_key, cn, algorithm = 'SHA256') request = OpenSSL::X509::Request.new + # OpenSSL 3.6 leaves version unset (-1) by default and rejects verify() on such CSRs. + request.version = 0 request.subject = OpenSSL::X509::Name.new([ ['CN', cn, OpenSSL::ASN1::UTF8STRING] ]) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index cdc8ab16286b8..ba72a974f3130 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -65,14 +65,17 @@ Gem::Specification.new do |spec| # Needed for aarch64 assembler support - as Metasm does not currently support Aarch64 fully spec.add_runtime_dependency 'aarch64' # Metasploit::Concern hooks - spec.add_runtime_dependency 'metasploit-concern' + # Pinned to 5.0.6+ which supports activemodel >= 7.0, < 8.1 (Rails 8.0 compatible) + spec.add_runtime_dependency 'metasploit-concern', '~> 5.0', '>= 5.0.6' # Metasploit::Credential database models - spec.add_runtime_dependency 'metasploit-credential', '>= 6.0.21' + spec.add_runtime_dependency 'metasploit-credential', '~> 6.0', '>= 6.0.22' # Database models shared between framework and Pro. - spec.add_runtime_dependency 'metasploit_data_models', '>= 6.0.15' + # Pinned to 6.0.16+ which supports activerecord >= 7.0, < 8.1 (Rails 8.0 compatible) + spec.add_runtime_dependency 'metasploit_data_models', '~> 6.0', '>= 6.0.16' # Things that would normally be part of the database model, but which # are needed when there's no database - spec.add_runtime_dependency 'metasploit-model' + # Pinned to 5.0.5+ which supports activemodel >= 7.0, < 8.1 (Rails 8.0 compatible) + spec.add_runtime_dependency 'metasploit-model', '~> 5.0', '>= 5.0.5' # Needed for Meterpreter spec.add_runtime_dependency 'metasploit-payloads', '2.0.245' # Needed for the next-generation POSIX Meterpreter @@ -107,12 +110,14 @@ Gem::Specification.new do |spec| # Required for Metasploit Web Services spec.add_runtime_dependency 'puma' spec.add_runtime_dependency 'ruby-mysql' - # webserver - pinned due to: https://github.com/github/secure_headers/issues/514 - spec.add_runtime_dependency 'thin', '~> 1.x' - # rack pinned due to authlogic warnings when setting cookie keys with a / char present: https://github.com/binarylogic/authlogic/issues/779 - spec.add_runtime_dependency 'rack', '~> 2.2' - # 4.x needs tested and verified for JSON RPC service - spec.add_runtime_dependency 'sinatra', '~> 3.2' + # Rails 8.0 requires Rack 3.x; changed from '~> 2.2' which blocked resolution. + # Thin was removed as a dependency because it only supports Rack 2.x. + # Puma (already a runtime dep above) is the Rack 3-compatible replacement. + spec.add_runtime_dependency 'rack', '>= 3.0' + # Sinatra 4.x is required for Rack 3.x compatibility — Sinatra 3.x only supports + # Rack 2.x. Changed from '~> 3.2'. The JSON-RPC and web service apps + # (MetasploitApiApp, JsonRpcApp) are Sinatra-based and need this for Rack 3. + spec.add_runtime_dependency 'sinatra', '~> 4.0' spec.add_runtime_dependency 'warden' spec.add_runtime_dependency 'swagger-blocks' # Required for JSON-RPC client diff --git a/spec/api/json_rpc_spec.rb b/spec/api/json_rpc_spec.rb index 0fe415bf40bec..70dfa6fe9afa1 100644 --- a/spec/api/json_rpc_spec.rb +++ b/spec/api/json_rpc_spec.rb @@ -30,6 +30,10 @@ app.settings.dispatchers.clear end + def json_rpc_headers + { 'CONTENT_TYPE' => 'application/json' } + end + def report_host(host) post rpc_url, { jsonrpc: '2.0', @@ -38,7 +42,7 @@ def report_host(host) params: [ host ] - }.to_json + }.to_json, json_rpc_headers end def report_vuln(vuln) @@ -49,7 +53,7 @@ def report_vuln(vuln) params: [ vuln ] - }.to_json + }.to_json, json_rpc_headers end def analyze_host(host) @@ -60,7 +64,7 @@ def analyze_host(host) params: [ host ] - }.to_json + }.to_json, json_rpc_headers end def create_job @@ -75,7 +79,7 @@ def create_job RHOSTS: '192.0.2.0' } ] - }.to_json + }.to_json, json_rpc_headers end def get_job_results(uuid) @@ -86,7 +90,7 @@ def get_job_results(uuid) params: [ uuid ] - }.to_json + }.to_json, json_rpc_headers end def get_rpc_health_check @@ -95,7 +99,7 @@ def get_rpc_health_check method: 'health.check', id: 1, params: [] - }.to_json + }.to_json, json_rpc_headers end def get_rest_health_check