Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1 #10173

Merged
merged 2 commits into from
Feb 28, 2024
Merged

Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1 #10173

merged 2 commits into from
Feb 28, 2024

Conversation

charleyf
Copy link
Contributor

@charleyf charleyf commented Feb 28, 2024
edited
Loading

🛠 Summary of changes

Right now all lint tasks are failing in main because there's a newly reported file permission vulnerability in rack-cors (link) version 2.0.1 (latest). This PR addresses that by locking our version to 2.0.0, the latest version of rack-cors without this vulnerability (link).

Presumably we'll be able to use 2.0.1 again once they've patched the problem.

The error:

--- bundler-audit ---
bundle exec bundler-audit check --update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
  advisories:   875 advisories
  last updated: 2024-02-27 14:25:50 -0800
  commit:       1c7d5b5233d4c1ace4b6141bb949a2d54028d18e
Name: rack-cors
Version: 2.0.1
CVE: CVE-2024-27456
GHSA: GHSA-785g-282q-pwvx
Criticality: Unknown
URL: https://github.com/advisories/GHSA-785g-282q-pwvx
Title: Rack CORS Middleware has Insecure File Permissions
Solution: remove or disable this gem until a patch is available!

Vulnerabilities found!
make: *** [lint] Error 1

📜 Testing Plan

  • Run make lint in main notice the failure.
  • Run make lint in this branch, the failure is gone.

@charleyf charleyf changed the title Mitigate Permissions Concern in rack-cors by Locking Version Mitigate Vulnerability in rack-cors 2.0.1 by Locking Version to rack-cors 2.0.0` Feb 28, 2024
@charleyf charleyf changed the title Mitigate Vulnerability in rack-cors 2.0.1 by Locking Version to rack-cors 2.0.0` Mitigate Vulnerability in rack-cors 2.0.1 by Locking Version to rack-cors 2.0.0 Feb 28, 2024
@charleyf charleyf changed the title Mitigate Vulnerability in rack-cors 2.0.1 by Locking Version to rack-cors 2.0.0 Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1 Feb 28, 2024
@charleyf charleyf merged commit 47713e1 into main Feb 28, 2024
2 checks passed
@charleyf charleyf deleted the charley/rack-cors branch February 28, 2024 18:39
jmax-gsa pushed a commit that referenced this pull request Feb 28, 2024
@charleyf @jmax-gsa
Lock to rack-cors 2.0.0 to avoid problem with rack-cors 2.0.1 (#1…
4c7aede 
…0173)

* Mitigate permissions concern in rack-cors by locking version

* changelog: Internal, Dependencies, Lock rack-cors to version 2.0.0 to avoid vulnerability in version 2.0.1
@charleyf charleyf mentioned this pull request Feb 29, 2024
Closed
@jmdembe jmdembe mentioned this pull request Feb 29, 2024
Merged
@charleyf charleyf mentioned this pull request Mar 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mitchellhenke mitchellhenke mitchellhenke approved these changes

@zachmargolis zachmargolis Awaiting requested review from zachmargolis

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@charleyf @mitchellhenke