There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user. Reference: https://groups.google.com/forum/#!msg/rubyonrails-security/PjU3946mreQ/Dn-6uLbAAQAJ
Created rubygem-activestorage tracking bugs for this issue: Affects: fedora-all [bug 1843006]
HackerOne Report: https://hackerone.com/reports/789579 GitHub Commit: https://github.com/rails/rails/commit/c0ab9a7d29b84a6ccb1ffa3e8ca1ce61f7a9fbb8
External References: https://groups.google.com/forum/#!msg/rubyonrails-security/PjU3946mreQ/Dn-6uLbAAQAJ