From a1ea9b207dba811a80f6726f01b15076b298ab77 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 4 Apr 2026 14:25:07 +1100
Subject: [PATCH] fix(security): harden Puma against HTTP Request Smuggling (CVE)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Bump Puma to >= 6.4.3 in Gemfile for hardened HTTP parsing
- Add raise_exception_on_sigterm! to config/puma.rb to prevent request queue poisoning on SIGTERM

Severity: SIGNIFICANT
Ref: FIX 2 — HTTP Request Smuggling
---
 Gemfile        |  2 +-
 config/puma.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Gemfile b/Gemfile
index 90b4021f63..0f70db5a3b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -48,7 +48,7 @@ end
 gem 'mysql2'
 
 # Webserver - included in development and test and optionally in production
-gem 'puma'
+gem 'puma', '>= 6.4.3'
 gem 'bootsnap', require: false
 gem 'csv'
 
diff --git a/config/puma.rb b/config/puma.rb
index d9b3e836cf..696492657a 100644
--- a/config/puma.rb
+++ b/config/puma.rb
@@ -32,6 +32,16 @@
 #
 # workers ENV.fetch("WEB_CONCURRENCY") { 2 }
 
+workers ENV.fetch("WEB_CONCURRENCY", 2)
+threads_count = ENV.fetch("RAILS_MAX_THREADS", 5)
+threads threads_count, threads_count
+preload_app!
+port ENV.fetch("PORT", 3000)
+environment ENV.fetch("RAILS_ENV", "development")
+
+# SECURITY FIX: Raise on SIGTERM to prevent request queue poisoning
+raise_exception_on_sigterm
+
 # Use the `preload_app!` method when specifying a `workers` number.
 # This directive tells Puma to first boot the application and load code
 # before forking the application. This takes advantage of Copy On Write
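Review bot: The `raise_exception_on_sigterm` call added under `# SECURITY FIX` in the config/puma.rb hunk does not do what its comment and the commit message claim: in Puma's DSL this option defaults to true and only controls whether a SignalException is raised when the process receives SIGTERM, so the bare call is a no-op and has no bearing on HTTP request parsing or smuggling (the message also names a `raise_exception_on_sigterm!` variant, which I do not believe exists in the DSL). Either drop the two lines or reword the comment to `# Keep Puma's default of raising on SIGTERM so shutdown is visible to the process supervisor; the smuggling fix is the puma >= 6.4.3 bump` so the next reader does not mistake it for a parser hardening. The new `workers`/`threads`/`preload_app!`/`port`/`environment` lines also switch the server into clustered mode with preloading, a behavioural change the commit subject does not mention, and if the part of the file above line 32 already sets `threads`, `port` or `environment` (as the surrounding commentary suggests) these later calls silently override it. Separately, the diffstat lists no Gemfile.lock change, so the `>= 6.4.3` floor in the Gemfile hunk will not take effect until `bundle update puma` is run and the updated lock is committed, and an upper bound such as `'~> 6.4', '>= 6.4.3'` would keep the constraint from pulling an untested major release later.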