Merge pull request #2925 from cyberark/Update-puma

Update puma to version 6

CHANGELOG.md

@@ -49,6 +49,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   fail safe and the negative privilege statement (revoke, deny) is the final
   outcome
   [CONJSE-1785](https://ca-il-jira.il.cyber-ark.com:8443/browse/CONJSE-1785)
+- Update puma to 6.3.1 to address CVE-2023-40175.
+  [CNJR-2564](https://ca-il-jira.il.cyber-ark.com:8443/browse/CNJR-2564)
 
 ## [1.19.5] - 2023-06-29
 

Gemfile

@@ -19,7 +19,7 @@ gem 'http', '~> 4.2.0'
 gem 'iso8601'
 gem 'jbuilder', '~> 2.7.0'
 gem 'nokogiri', '>= 1.8.2'
-gem 'puma', '~> 5.6'
+gem 'puma', '~> 6'
 gem 'rack', '~> 2.2'
 gem 'rails', '~> 6.1', '>= 6.1.4.6'
 gem 'rake'
@@ -60,6 +60,9 @@ gem 'net-ldap'
 # for AWS rotator
 gem 'aws-sdk-iam', require: false
 
+# we need this version since any newer introduces braking change that causes issues with safe_yaml: https://github.com/ruby/psych/discussions/571
+gem 'psych', '=3.3.2'
+
 group :production do
   gem 'rails_12factor'
 end
@@ -70,7 +73,8 @@ gem 'kubeclient'
 gem 'websocket'
 
 # authn-oidc, gcp, azure, jwt
-gem 'jwt', '2.2.2' # version frozen due to authn-jwt requirements
+# gem 'jwt', '2.2.2' # version frozen due to authn-jwt requirements
+gem 'jwt', '2.7.1'
 # authn-oidc
 gem 'openid_connect', '~> 2.0'
 
@@ -88,6 +92,7 @@ group :development, :test do
   gem 'cucumber', '~> 7.1'
   gem 'database_cleaner', '~> 1.8'
   gem 'debase', '~> 0.2.5.beta2'
+  gem 'debase-ruby_core_source', '~> 3.2.1'
   gem 'json_spec', '~> 1.1'
   gem 'faye-websocket'
   gem 'net-ssh'
@@ -101,7 +106,7 @@ group :development, :test do
   gem 'rspec'
   gem 'rspec-core'
   gem 'rspec-rails'
-  gem 'ruby-debug-ide'
+  # gem 'ruby-debug-ide'
 
   # We use a post-coverage hook to sleep covered processes until we're ready to
   # collect the coverage reports in CI. Because of this, we don't want bundler

Gemfile.lock

@@ -176,7 +176,7 @@ GEM
     date (3.3.3)
     debase (0.2.5.beta2)
       debase-ruby_core_source (>= 0.10.12)
-    debase-ruby_core_source (0.10.13)
+    debase-ruby_core_source (3.2.1)
     deep_merge (1.2.2)
     diff-lcs (1.4.4)
     docile (1.4.0)
@@ -269,7 +269,7 @@ GEM
       rspec (>= 2.0, < 4.0)
     jsonpath (1.1.0)
       multi_json
-    jwt (2.2.2)
+    jwt (2.7.1)
     kubeclient (4.9.3)
       http (>= 3.0, < 5.0)
       jsonpath (~> 1.0)
@@ -342,8 +342,9 @@ GEM
       pry (~> 0.13.0)
     pry-rails (0.3.9)
       pry (>= 0.10.4)
+    psych (3.3.2)
     public_suffix (5.0.1)
-    puma (5.6.4)
+    puma (6.3.1)
       nio4r (~> 2.0)
     racc (1.7.1)
     rack (2.2.7)
@@ -444,8 +445,6 @@ GEM
       unicode-display_width (~> 1.0, >= 1.0.1)
     rubocop-checkstyle_formatter (0.4.0)
       rubocop (>= 0.35.1)
-    ruby-debug-ide (0.7.3)
-      rake (>= 0.8.1)
     ruby-next-core (0.14.0)
     ruby-progressbar (1.11.0)
     ruby2_keywords (0.0.5)
@@ -544,6 +543,7 @@ DEPENDENCIES
   cucumber (~> 7.1)
   database_cleaner (~> 1.8)
   debase (~> 0.2.5.beta2)
+  debase-ruby_core_source (~> 3.2.1)
   dry-struct
   dry-types
   event_emitter
@@ -557,21 +557,22 @@ DEPENDENCIES
   jbuilder (~> 2.7.0)
   json_schemer
   json_spec (~> 1.1)
-  jwt (= 2.2.2)
+  jwt (= 2.7.1)
   kubeclient
   listen
   loofah (>= 2.2.3)
   net-ldap
   net-ssh
   nokogiri (>= 1.8.2)
-  openid_connect (= 2.2.0)
+  openid_connect (~> 2.0)
   parallel
   parallel_tests
   pg
   prometheus-client
   pry-byebug
   pry-rails
-  puma (~> 5.6)
+  psych (= 3.3.2)
+  puma (~> 6)
   rack (~> 2.2)
   rack-rewrite
   rails (~> 6.1, >= 6.1.4.6)
@@ -587,7 +588,6 @@ DEPENDENCIES
   rspec-rails
   rubocop (~> 0.58.0)
   rubocop-checkstyle_formatter
-  ruby-debug-ide
   sequel
   sequel-pg_advisory_locking
   sequel-postgres-schemata

NOTICES.txt

@@ -20,7 +20,7 @@ Section 3: BSD-3-Clause
 
 >>> https://rubygems.org/gems/base32-crockford/versions/0.1.0
 >>> https://rubygems.org/gems/ffi/versions/1.15.4
->>> https://rubygems.org/gems/puma/versions/5.6.4
+>>> https://rubygems.org/gems/puma/versions/6.3.1
 
 Section 4: MIT
 
@@ -37,13 +37,13 @@ Section 4: MIT
 >>> https://rubygems.org/gems/http/versions/4.2.0
 >>> https://rubygems.org/gems/iso8601/versions/0.13.0
 >>> https://rubygems.org/gems/jbuilder/versions/2.7.0
->>> https://rubygems.org/gems/jwt/versions/2.2.2
+>>> https://rubygems.org/gems/jwt/versions/2.7.1
 >>> https://rubygems.org/gems/kubeclient/versions/4.9.3
 >>> https://rubygems.org/gems/listen/versions/3.7.0
 >>> https://rubygems.org/gems/loofah/versions/2.20.0
 >>> https://rubygems.org/gems/net-ldap/versions/0.17.0
 >>> https://rubygems.org/gems/nokogiri/versions/1.14.3
->>> https://rubygems.org/gems/openid_connect/versions/1.3.0
+>>> https://rubygems.org/gems/openid_connect/versions/2.2.0
 >>> https://rubygems.org/gems/rack-rewrite/versions/1.5.1
 >>> https://rubygems.org/gems/rails/versions/6.1.7.3
 >>> https://rubygems.org/gems/rake/versions/13.0.6
@@ -214,7 +214,7 @@ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
->>> https://rubygems.org/gems/puma/versions/5.6.4
+>>> https://rubygems.org/gems/puma/versions/6.3.1
 
 Some code copyright (c) 2005, Zed Shaw
 Copyright (c) 2011, Evan Phoenix
@@ -546,7 +546,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
->>> https://rubygems.org/gems/jwt/versions/2.2.2
+>>> https://rubygems.org/gems/jwt/versions/2.7.1
 
 Copyright (c) 2011 Jeff Lindsay
 
@@ -680,7 +680,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
->>> https://rubygems.org/gems/openid_connect/versions/1.3.0
+>>> https://rubygems.org/gems/openid_connect/versions/2.2.0
 
 Copyright (c) 2011 nov matake
 

ci/shared.sh

@@ -185,7 +185,7 @@ _run_cucumber_tests() {
   # process to write the report. The container is kept alive using an infinite
   # sleep in the at_exit hook (see .simplecov).
   for parallel_service in "${parallel_services[@]}"; do
-    $COMPOSE exec -T "$parallel_service" bash -c "pkill -f 'puma 5'"
+    $COMPOSE exec -T "$parallel_service" bash -c "pkill -f 'puma 6'"
   done
 }
 

ci/test_suites/authenticators_k8s/test_gke_entrypoint.sh

@@ -57,7 +57,7 @@ function finish {
       echo "Killing conjur so that coverage report is written"
       # The container is kept alive using an infinite sleep in the at_exit hook
       # (see .simplecov) so that the kubectl cp below works.
-      kubectl exec "${conjur_pod_name}" -- bash -c "pkill -f 'puma 5'"
+      kubectl exec "${conjur_pod_name}" -- bash -c "pkill -f 'puma 6'"
 
       echo "Retrieving coverage report"
       kubectl cp \

config/puma.rb

@@ -65,7 +65,6 @@
 # available in this config file.
 preload_app!
 
-rackup      DefaultRackup
 port        ENV['PORT']     || 3000
 environment ENV['RACK_ENV'] || 'development'
 

cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature

@@ -365,7 +365,7 @@ Feature: JWT Authenticator - Check registered claim
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::InvalidIssuerError: Invalid issuer. Expected incorrect.com, received http://jwks>')>
+    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::InvalidIssuerError: Invalid issuer. Expected ["incorrect.com"], received http://jwks>')>
     """
 
   @negative @acceptance
@@ -454,7 +454,7 @@ Feature: JWT Authenticator - Check registered claim
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::InvalidIssuerError: Invalid issuer. Expected invalid-issuer, received valid-issuer>')>
+    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::InvalidIssuerError: Invalid issuer. Expected ["invalid-issuer"], received valid-issuer>')>
     """
 
   @sanity

cucumber/authenticators_jwt/features/authn_jwt_fetch_signing_key.feature

@@ -550,7 +550,7 @@ Feature: JWT Authenticator - Fetch signing key
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification raised>')
+    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification failed>')
     """
 
   @negative @acceptance
@@ -605,7 +605,7 @@ Feature: JWT Authenticator - Fetch signing key
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification raised>')
+    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification failed>')
     """
 
   @negative @acceptance

cucumber/authenticators_jwt/features/authn_jwt_validate_and_decode.feature

@@ -77,7 +77,7 @@ Feature: JWT Authenticator - Validate And Decode
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification raised>')>
+    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification failed>')>
     """
 
   @negative @acceptance
@@ -102,5 +102,5 @@ Feature: JWT Authenticator - Validate And Decode
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification raised>')>
+    CONJ00035E Failed to decode token (3rdPartyError ='#<JWT::VerificationError: Signature verification failed>')>
     """