
CVE-2022-30123 : rack (2.2.3) #120

Closed
meten-natuurlijk opened this issue Sep 3, 2022 · 10 comments

Comments

@meten-natuurlijk

meten-natuurlijk commented Sep 3, 2022

Based on the Gemfile.lock I believe that simplecov-html makes use of rack version 2.2.3.
That Rack version has vulnerability CVE-2022-30123 (crafted requests that can cause shell escape sequences).
The solution is to rebuild using rack >= 2.2.3.1.

This also fixes CVE-2022-30122.

@meten-natuurlijk (Author)

I think a new release needs to be built in order to make this fix visible on rubygems.org ?

@william-kurosawa

Can anyone take a look at this issue? It should be just a bump of the rack version.
I guess Dependabot's PR supersedes the previous PR by @nishidayuya: #124

@nishidayuya (Contributor)

#121 is older than #124, because when #121 was born, rack-2.2.6.4 (#124) did not exist in the world.

So, I'll close #121.

@amatsuda (Member)

amatsuda commented May 5, 2023

Ok, Ok, I just merged the dependabot PR (#124) since I even got a mention on the other issue, but please note that the "vulnerability" on rack gem here does not at all affect your applications' security.

Gems bundled here via Gemfile.lock in this repo are nothing but development dependencies that are used only for clones of this Git repo. Not your applications that depend on simplecov-html. Please check Gemfile.lock in your apps and confirm what I said.
Also, simplecov-html is a static site generator. This product is not the kind of software that runs a web server and processes web requests on your machine. Hence, even if you run simplecov with such a "vulnerable" version of Rack, there's no way the attackers can attack your production server.

Again, I just merged the PR in order to calm you guys down, and also to show you that the project is not dead, but please learn that you generally need not care about the content of Gemfile.lock in someone else's repo.
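
The check suggested above ("check Gemfile.lock in your apps") can be automated. The following Ruby script is an added example, not code from the simplecov-html project or from anyone in this thread: it parses the `specs:` section of a Bundler lockfile and reports whether `rack` is locked below 2.2.3.1, the version the issue names as the fix. The embedded lockfile text is a constructed sample shaped like what Bundler writes, and the `2.2.3.1` threshold is taken from the issue; the function and variable names are mine.

```ruby
# Added example (not simplecov-html project code): audit a Gemfile.lock for a
# gem locked below a known patched version, using RubyGems' own version ordering.
require 'rubygems'

# Constructed sample lockfile in Bundler's format; "rack (2.2.3)" is the
# unpatched version discussed in the issue.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      docile (1.4.0)
      rack (2.2.3)
      simplecov-html (0.12.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    simplecov-html

  BUNDLED WITH
     2.3.7
LOCK

# Return a Hash of gem name => locked version string taken from the GEM specs
# section. Top-level specs are indented exactly four spaces; deeper-indented
# lines are sub-dependency constraints and carry no locked version, so they
# are ignored.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    # A blank line or a new unindented section header ends the specs block.
    if in_specs && (line.strip.empty? || line =~ /\A\S/)
      in_specs = false
      next
    end
    next unless in_specs
    if line =~ /\A    (\S+) \(([^)]+)\)\s*\z/
      versions[Regexp.last_match(1)] = Regexp.last_match(2)
    end
  end
  versions
end

# Compare the locked version of gem_name with the minimum patched version.
# Returns :absent if the gem is not in the lockfile at all (the case amatsuda
# describes for applications that merely depend on simplecov-html),
# :vulnerable if it is locked below fixed_in, and :patched otherwise.
def lock_status(lockfile_text, gem_name, fixed_in)
  version = locked_versions(lockfile_text)[gem_name]
  return :absent if version.nil?
  Gem::Version.new(version) < Gem::Version.new(fixed_in) ? :vulnerable : :patched
end

# Usage: ruby lock_audit.rb [path/to/Gemfile.lock]; without an argument the
# constructed sample is used.
if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "rack: #{lock_status(text, 'rack', '2.2.3.1')}"
end
```

Running it against your own application's Gemfile.lock distinguishes the three situations in this thread: `:absent` means rack is not part of your bundle at all and the finding against simplecov-html's repository lockfile does not apply to you; `:vulnerable` means your own application is the thing to update; `:patched` means the scanner has nothing to report. `Gem::Version` is used rather than string comparison so that four-segment versions like 2.2.3.1 order correctly.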

@william-kurosawa

Thank you Matsuda-san! I totally agree and understand, sorry to bother the simplecov team for that.

My applications themselves have requirements to use the latest version of rack. What happens to my company (and possibly to some others) is that there are vulnerability checkers (AWS Inspector) that scan container images, look into package manager files and eventually find the rack version in the "Gemfile.lock".

I will look further on AWS Inspector if it is possible to suppress this type of finding without suppressing real dependency vulnerabilities.

@amatsuda (Member)

amatsuda commented May 5, 2023

@william-kurosawa Oh, thank you for the explanation! Now I understand the triggers and people's motivation for issues like this. Sounds fair enough actually!

@blombard

> I will look further on AWS Inspector if it is possible to suppress this type of finding without suppressing real dependency vulnerabilities.

I have the same problem. Could it be possible to bump this gem to 0.12.4 and also bump simplecov with the updated simplecov-html dependency?

If you don't have time to do that, how can I effectively fork simplecov/simplecov-html to make this work for me?

@william-kurosawa

@blombard, just to inform you, I am also waiting for another release, but that might be out of Matsuda's hands as it needs to be published to Rubygems.
What I am doing at the moment is fetching directly from the specific commit on GitHub with

  gem 'simplecov-html', git: 'https://github.com/simplecov-ruby/simplecov-html',
                        ref: 'ea52c023962c449156d9348a827666c981bd3831'

I am also trying to reach an AWS Inspector specialist to understand if they don't have a way around these alerts for code that is not even in the image; it's just a lock file inside a dependency with a mention of another dependency.

@blombard

@william-kurosawa Perfect, exactly what I needed for now 👌

@jordanbreen28

@amatsuda is it possible to get a release of this change?
