Commit 0739429

Make rake bundle:audit available to detect known security issues (CVEs)
It found the following 53 vulnerabilities:

Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22885 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI Title: Possible Information Disclosure / Unintended Method Execution in Action Pack Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2
Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22904 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ Title: Possible DoS Vulnerability in Action Controller Token Authentication Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2
Name: actionpack Version: 5.1.4 Advisory: CVE-2022-23633 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ Title: Possible exposure of information vulnerability in Action Pack Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2
Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3
Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2
Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1
Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3
Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1
Name: activerecord Version: 5.1.4 Advisory: CVE-2021-22880 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1
Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
Name: addressable Version: 2.5.2 Advisory: CVE-2021-32740 Criticality: High URL: GHSA-jxhc-q857-3j6g Title: Regular Expression Denial of Service in Addressable templates Solution: upgrade to >= 2.8.0
Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21288 Criticality: Medium URL: GHSA-fwcm-636p-68r5 Title: Server-side request forgery in CarrierWave Solution: upgrade to ~> 1.3.2, >= 2.1.1
Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21305 Criticality: High URL: GHSA-cf3w-g86h-35x4 Title: Code Injection vulnerability in CarrierWave::RMagick Solution: upgrade to ~> 1.3.2, >= 2.1.1
Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24
Name: jquery-rails Version: 4.3.1 Advisory: CVE-2020-11023 Criticality: Medium URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released Title: Potential XSS vulnerability in jQuery Solution: upgrade to >= 4.4.0
Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4
Name: jquery-ui-rails Version: 5.0.5 Advisory: CVE-2016-7103 Criticality: Medium URL: jquery/api.jqueryui.com#281 Title: XSS Vulnerability on closeText option of Dialog jQuery UI Solution: upgrade to >= 6.0.0
Name: kaminari Version: 1.1.1 Advisory: CVE-2020-11082 Criticality: Medium URL: GHSA-r5jw-62xg-j433 Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter Solution: upgrade to >= 1.2.1
Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1
Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3
Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Medium URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1
Name: mini_magick Version: 4.8.0 Advisory: CVE-2019-13574 Criticality: High URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ Title: Remote command execution via filename Solution: upgrade to >= 4.9.4
Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4
Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-41098 Criticality: High URL: GHSA-2rr5-8q37-2w7h Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Solution: upgrade to >= 1.12.5
Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3
Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: High URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5
Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2
Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24839 Criticality: High URL: GHSA-9849-p7jc-9rmv Title: Denial of Service (DoS) in Nokogiri on JRuby Solution: upgrade to >= 1.13.4
Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-23437 Criticality: Medium URL: GHSA-xxx9-3xcr-gjj3 Title: XML Injection in Xerces Java affects Nokogiri Solution: upgrade to >= 1.13.4
Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-30560 Criticality: High URL: GHSA-fq42-c5rg-92c2 Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Solution: upgrade to >= 1.13.2
Name: nokogiri Version: 1.8.1 Advisory: GHSA-7rrm-v45f-jp64 Criticality: High URL: GHSA-7rrm-v45f-jp64 Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Solution: upgrade to >= 1.11.4
Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-25032 Criticality: High URL: GHSA-v6gp-9mmm-c6p5 Title: Out-of-bounds Write in zlib affects Nokogiri Solution: upgrade to >= 1.13.4
Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8
Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5
Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24836 Criticality: High URL: GHSA-crjr-9rc5-ghw8 Title: Inefficient Regular Expression Complexity in Nokogiri Solution: upgrade to >= 1.13.4
Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4
Name: puma Version: 4.3.3 Advisory: CVE-2021-29509 Criticality: High URL: GHSA-q28m-8xjw-8vr5 Title: Keepalive Connections Causing Denial Of Service in puma Solution: upgrade to ~> 4.3.8, >= 5.3.1
Name: puma Version: 4.3.3 Advisory: CVE-2022-24790 Criticality: Critical URL: GHSA-h99w-9q5r-gjq9 Title: HTTP Request Smuggling in puma Solution: upgrade to ~> 4.3.12, >= 5.6.4
Name: puma Version: 4.3.3 Advisory: CVE-2020-11076 Criticality: High URL: GHSA-x7jg-6pwg-fx5h Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.5, >= 4.3.4
Name: puma Version: 4.3.3 Advisory: CVE-2020-11077 Criticality: Medium URL: GHSA-w64w-qqph-5gxm Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.6, >= 4.3.5
Name: puma Version: 4.3.3 Advisory: CVE-2022-23634 Criticality: High URL: GHSA-rmj8-8hhh-gv5h Title: Information Exposure with Puma when used with Rails Solution: upgrade to ~> 4.3.11, >= 5.6.2
Name: puma Version: 4.3.3 Advisory: CVE-2021-41136 Criticality: Low URL: GHSA-48w2-rm65-62xx Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Solution: upgrade to ~> 4.3.9, >= 5.5.1
Name: rack Version: 2.2.2 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3
Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4
Name: rails_admin Version: 1.2.0 Advisory: CVE-2020-36190 Criticality: Medium URL: railsadminteam/rails_admin@d72090e Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to ~> 1.4.3, >= 2.0.2
Name: rails_admin Version: 1.2.0 Advisory: CVE-2017-12098 Criticality: Medium URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to >= 1.3.0
Name: rake Version: 12.3.0 Advisory: CVE-2020-8130 Criticality: High URL: GHSA-jppv-gw3r-w3q8 Title: OS Command Injection in Rake Solution: upgrade to >= 12.3.3
Name: redcarpet Version: 3.4.0 Advisory: CVE-2020-26298 Criticality: Medium URL: vmg/redcarpet@a699c82 Title: Injection/XSS in Redcarpet Solution: upgrade to >= 3.5.1
Name: websocket-extensions Version: 0.1.3 Advisory: CVE-2020-7663 Criticality: High URL: GHSA-g6wq-qcwm-j5g2 Title: Regular Expression Denial of Service in websocket-extensions (RubyGem) Solution: upgrade to >= 0.1.5
1 parent 8dc218f commit 0739429

3 files changed

+23
-2
lines changed

Diff for: Gemfile

+3-2
@@ -20,12 +20,13 @@ gem 'rack-tracker'
2020
gem 'redcarpet'
2121

2222
group :development, :test do
23-
gem 'rspec-rails', '~> 3.6'
23+
gem 'bundler-audit'
24+
gem 'byebug'
2425
gem 'factory_bot_rails'
2526
gem 'guard-rails', require: false
2627
gem "guard-rspec"
2728
gem "guard"
28-
gem 'byebug'
29+
gem 'rspec-rails', '~> 3.6'
2930
end
3031

3132
group :production do
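Review bot: `gem 'bundler-audit'` is added to the :development, :test group with no version constraint, while the neighbouring `gem 'rspec-rails', '~> 3.6'` is pinned; the version resolved in Gemfile.lock (0.7.0.1) can therefore change on any `bundle update`. Consider `gem 'bundler-audit', '~> 0.7', require: false`: the constraint keeps the tool's behaviour stable, and `require: false` (already used for `guard-rails` two lines below) stops `Bundler.require` from loading the audit library into every development and test process, since it is only needed from the Rake task. The swap of `rspec-rails` and `byebug` is unrelated alphabetical tidying mixed into the functional change and would be easier to review as its own commit.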

Diff for: Gemfile.lock

+4
@@ -52,6 +52,9 @@ GEM
5252
execjs (~> 2.0)
5353
bindex (0.5.0)
5454
builder (3.2.3)
55+
bundler-audit (0.7.0.1)
56+
bundler (>= 1.2.0, < 3)
57+
thor (>= 0.18, < 2)
5558
byebug (9.1.0)
5659
carrierwave (1.2.1)
5760
activemodel (>= 4.0.0)
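Review bot: the lock resolves bundler-audit to 0.7.0.1 with only `bundler` and `thor` as runtime dependencies; the advisory data is deliberately not part of this lockfile, because bundler-audit fetches the ruby-advisory-db from GitHub at run time and caches it under the user's home directory. Two consequences worth a line in the README or CI config: the job that runs the audit needs git and outbound network access to GitHub, and the result of `rake bundle:audit` will change as new advisories are published even though nothing in this repository changes, so a red build is not always caused by the commit under test.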
@@ -526,6 +529,7 @@ PLATFORMS
526529
ruby
527530

528531
DEPENDENCIES
532+
bundler-audit
529533
byebug
530534
carrierwave
531535
draper

Diff for: Rakefile

+16
@@ -4,3 +4,19 @@
44
require File.expand_path('../config/application', __FILE__)
55

66
Rails.application.load_tasks
7+
8+
if %w[development test].include? Rails.env
9+
require 'bundler/audit/task'
10+
require 'rspec/core/rake_task'
11+
12+
# setup task bundle:audit
13+
Bundler::Audit::Task.new
14+
15+
# setup task rspec
16+
RSpec::Core::RakeTask.new(:rspec) do |t|
17+
# t.exclude_pattern = "**/{system}/**/*_spec.rb" # example, here how to skip integration specs
18+
end
19+
20+
desc 'Run the specs and bundle:audit'
21+
task ci: %w[rspec bundle:audit]
22+
end
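Review bot: `task ci: %w[rspec bundle:audit]` will fail on its first run, because the commit message lists 53 advisories that this change does not resolve and bundler-audit exits non-zero when it reports vulnerabilities. Either upgrade the affected gems first (the Solution lines in the commit message give the target versions) or, for findings that are consciously accepted for now, pass their advisory ids through bundler-audit's `--ignore` option with the reason recorded next to each id, so that `rake ci` is green on a clean tree and actually gates regressions rather than being ignored as permanently red. Two smaller points: `RSpec::Core::RakeTask.new(:rspec)` duplicates the `spec` task that rspec-rails already registers through `Rails.application.load_tasks` on the line above, so `rake spec` and `rake rspec` now do the same thing; and since the audit is the cheaper of the two steps, listing it first (`%w[bundle:audit rspec]`) lets the task fail fast. The `development`/`test` guard itself is correct: both gems live only in that Gemfile group, so the two `require` lines would raise LoadError in production without it.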
