Fixing 'ArgumentError: Invalid Domain' After Upgrading to Ruby 2.7.7

December 19th, 2022 • filed under Programming

Recently I tasked myself with upgrading one of the apps I support as a part of my day job from Ruby version 2.7.6 to 2.7.7.

After doing so, I immediately started running into this issue, only while running tests, and only when those tests were run in CI:

       invalid domain: ".example.com"

Strange. None of the other apps I upgraded had this issue, and I’m not setting anything domain-specific like this in my app code, so the first thing I thought to do was go back to 2.7.6 to make sure I didn’t jack something up. Of course it worked fine so there had to be something special about this upgrade that was causing issues.

Skipping the part where RAILS_ENV=test && CI=true were really just a red herring, the head-desk-ing that took place therein, and knowing that the version bump was primarily due to CVE-2021-33621 caused by the cgi rubygem, I had what felt like an entirely random thought[1] to check the cgi rubygem itself for this message.

Sure enough, it’s there, plain as day[2].

Feeling like I was on a roll, my next thought was to check any open issues for that rubygem. I can’t imagine I’m the first to run into this, right?

Definitely not (tangentially, this PR). Turns out™, in the course of updating cgi, cookie logic was changed to disallow cookie domains with leading periods, because who does that, anymore?

I guess I do. 🤷🏼‍♂️

Ok, so what’s the fix? Well, on its own, Ruby 2.7.7 still holds the version of cgi that disallows cookie domains with leading periods, so you’ve got two options:

  1. Stop using leading periods for your cookie domains
  2. Upgrade cgi by explicitly defining it in your Gemfile with gem 'cgi', '~> 0.3.6'

On the face of it, doing the more currently-appropriate thing is probably the right move, but I didn’t have a ton of time to make those changes and ensure nothing broke, so I took the second option. I’ll probably come back to this and do it the better[3] way in the future.

Or not. If Ruby 2.7.next (and equivalent 3.x.next branches) pick up cgi 0.3.6 or a later version, I may never.
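For option 1, here is an added sketch (not code from this post or from the cgi gem) of how an RFC 6265 user agent reads the Domain attribute (section 5.2.3) and domain-matches a request host (section 5.1.3). It shows that dropping the leading period does not change which hosts receive the cookie. The helper names and sample hosts are made up for illustration.

```ruby
require 'ipaddr'

# RFC 6265 section 5.2.3: a user agent drops one leading "." from the
# Domain attribute and lower-cases the rest before storing the cookie.
def normalize_cookie_domain(value)
  domain = value.to_s.strip
  raise ArgumentError, 'empty cookie domain' if domain.empty?

  domain.sub(/\A\./, '').downcase
end

# True when +host+ is an IP literal; RFC 6265 never suffix-matches those.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::Error
  false
end

# RFC 6265 section 5.1.3: does the request host domain-match the cookie domain?
def domain_match?(host, cookie_domain)
  host = host.downcase
  return true if host == cookie_domain

  host.end_with?(".#{cookie_domain}") && !ip_literal?(host)
end

# Hosts (from a constructed sample list) that would receive a cookie
# whose Domain attribute is +setting+.
def hosts_in_scope(setting, hosts)
  domain = normalize_cookie_domain(setting)
  hosts.select { |host| domain_match?(host, domain) }
end

# Constructed sample hosts, not taken from the post.
SAMPLE_HOSTS = %w[example.com app.example.com API.Example.com
                  badexample.com example.com.other.test 10.0.0.1].freeze

if $PROGRAM_NAME == __FILE__
  ['.example.com', 'example.com'].each do |setting|
    puts "#{setting.inspect} -> #{hosts_in_scope(setting, SAMPLE_HOSTS).inspect}"
  end
end
```

Passing the normalized value to your cookie configuration keeps the same subdomain scope in RFC 6265 clients without tripping the stricter domain check.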

  1. I was on my last day before taking the rest of my parental leave, so I was willing to take a W from wherever I could, at this point. 

  2. entirely subjectively plain as day. 

  3. better insomuch as, depending on who you ask and how you interpret it, RFC 6265 says both yay and nay, but it was once entirely acceptable in RFC 2109