Due to time passed, I would suggest updating to the very latest version, if greater than 0.9.11, unless an issue is identified with doing so.
Vulnerability details:
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
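The CVE text above describes a path cleaner that collapses `a/../b` but leaves a leading `../` intact, so a request like `../../etc/passwd` is joined under the served directory and escapes it. The following is an added illustration, not YARD's own code from `lib/yard/core_ext/file.rb` and not part of this issue: `cleanpath_weak` reproduces the bug pattern, `cleanpath_safe` refuses to climb above the virtual root, and `escapes_root?` is the belt-and-braces check a server should run on the final path. `DOC_ROOT` and the function names are assumptions of this example.

```ruby
# Added example (not YARD's or this repo's code): a path cleaner that keeps a
# leading "../" versus one that cannot leave the served root, plus a final
# containment check. DOC_ROOT and all function names are this example's own.

DOC_ROOT = '/srv/yard/doc' # assumed served directory, for illustration only

# Weak cleaner (the bug pattern): resolves "x/.." pairs but preserves any
# ".." that has nothing left to pop, so "../../etc/passwd" comes back unchanged.
def cleanpath_weak(path)
  out = []
  path.split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..'
      if out.empty? || out.last == '..'
        out << '..'        # leading ".." survives: this is the traversal hole
      else
        out.pop
      end
    else
      out << seg
    end
  end
  out.join('/')
end

# Hardened cleaner: a ".." with nothing to pop is simply dropped, so the result
# is always relative and can never point above the directory it is joined to.
# A leading "/" is also discarded, so "/etc/passwd" becomes "etc/passwd".
def cleanpath_safe(path)
  out = []
  path.split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..' then out.pop # pop on an empty array is a harmless no-op
    else out << seg
    end
  end
  out.join('/')
end

# Defense in depth: after joining the (already decoded) request path to the
# root, confirm the absolute result is the root itself or lives beneath it.
# Run this on the path you are about to open, never on the raw request.
def escapes_root?(relative, root = DOC_ROOT)
  root_abs = File.expand_path(root)
  full     = File.expand_path(relative, root_abs)
  !(full == root_abs || full.start_with?(root_abs + '/'))
end

if __FILE__ == $PROGRAM_NAME
  %w[../../etc/passwd css/../js/app.js /etc/passwd].each do |req|
    weak = cleanpath_weak(req)
    safe = cleanpath_safe(req)
    puts "#{req.ljust(20)} weak=#{weak.ljust(20)} escapes=#{escapes_root?(weak)}" \
         "  safe=#{safe.ljust(20)} escapes=#{escapes_root?(safe)}"
  end
end
```

Note that the split-on-`/` cleaning only sees literal dots and slashes, so the request path must be URL-decoded before it reaches either cleaner; otherwise `..%2f` sails straight through both and only the `escapes_root?` check on the final expanded path would stop it.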
@emma5678 this isn't actually executed in production so it's not really a major issue - it's a tool that runs a server to generate documentation, but we don't actually use it. Still, we should address it – I'll get it on the wall.
Yard vulnerability has been present in flex-commerce-api.gemspec since Dec 2017. We need to upgrade to 0.9.11 or later.
Issue also present in penthouse repo: shiftcommerce/penthouse#13
This needs to be complete by April 2019.