From 9046af75b0bf556dfb9ece353c858e468888fcdb Mon Sep 17 00:00:00 2001
From: Kevin Cooper
Date: Thu, 30 Sep 2021 17:17:03 -0700
Subject: [PATCH] Use forked azure-storage-blob to address nokogiri vuln

https://github.com/Azure/azure-storage-ruby/issues/194
---
 Gemfile      |  7 ++++---
 Gemfile.lock | 30 ++++++++++++++++++------------
 2 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/Gemfile b/Gemfile
index da800d2940..a496d22702 100644
--- a/Gemfile
+++ b/Gemfile
@@ -13,8 +13,6 @@ gem "eventmachine", "~> 1.2", platform: :ruby
 gem "exception_notification", "~> 4.2"
 gem "friendly_id", "~> 5.1"
 gem "phony", "~> 2.15"
-# Fork: Added ability to disable. TODO: This is 5 years old, look into upgrading.
-# https://github.com/sassafrastech/rack-attack/commits/master
 gem "rack-attack", "~> 6.3"
 gem "rake", "~> 13.0"
 gem "random_data", "~> 1.6" # Deprecated: Use Faker instead
@@ -59,7 +57,10 @@ gem "reverse_markdown", "~> 2.0"
 # Storage
 gem "active_storage_validations", "~> 0.9.3"
 gem "aws-sdk-s3", "~> 1.86", require: false
-gem "azure-storage-blob", "~> 2.0", require: false
+# Fork: address nokogiri vuln.
+# https://github.com/Azure/azure-storage-ruby/issues/194
+gem "azure-storage-blob", github: "mschiller/azure-storage-ruby",
+  tag: "c84806f766b773cdeea72a7f73d79ddab598b256", require: false
 gem "image_processing", "~> 1.12"
 gem "sys-filesystem", "~> 1.4"
diff --git a/Gemfile.lock b/Gemfile.lock
index f33aecd00b..827c320f20 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
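Review bot: The value passed to `tag:` on the new azure-storage-blob line is a commit SHA, not a tag name; Bundler's documented option for pinning a git source to a commit is `ref:`, so the line should read `gem "azure-storage-blob", github: "mschiller/azure-storage-ruby",` followed by `  ref: "c84806f766b773cdeea72a7f73d79ddab598b256", require: false`. Bundler resolves it either way (the lockfile records the same `revision:`), but `tag:` reads as a mutable, human-named pointer where the intent is an immutable pin. Replacing the rubygems release with a personal fork also moves the trust boundary for this dependency to that GitHub account; the full-SHA pin plus the lockfile's recorded revision means a later rewrite of the fork's history should fail to resolve rather than silently ship different code, which is the failure mode you want. It would help the next maintainer to extend the new comment with an exit condition, e.g. `# TODO: return to the rubygems release once upstream resolves issue 194.`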
@@ -8,6 +8,20 @@ GIT
       jquery-rails
       railties
 
+GIT
+  remote: https://github.com/mschiller/azure-storage-ruby.git
+  revision: c84806f766b773cdeea72a7f73d79ddab598b256
+  tag: c84806f766b773cdeea72a7f73d79ddab598b256
+  specs:
+    azure-storage-blob (2.0.1)
+      azure-storage-common (~> 2.0)
+      nokogiri (~> 1.12)
+    azure-storage-common (2.0.2)
+      faraday (~> 1.0)
+      faraday_middleware (~> 1.0.0.rc1)
+      net-http-persistent (~> 4.0)
+      nokogiri (~> 1.12)
+
 GIT
   remote: https://github.com/sassafrastech/closure_tree.git
   revision: 531edabe1853a89f13ab595f660bb5926c895e58
@@ -133,14 +147,6 @@ GEM
       aws-sigv4 (~> 1.1)
     aws-sigv4 (1.2.2)
       aws-eventstream (~> 1, >= 1.0.2)
-    azure-storage-blob (2.0.1)
-      azure-storage-common (~> 2.0)
-      nokogiri (~> 1.11.0.rc2)
-    azure-storage-common (2.0.2)
-      faraday (~> 1.0)
-      faraday_middleware (~> 1.0.0.rc1)
-      net-http-persistent (~> 4.0)
-      nokogiri (~> 1.11.0.rc2)
     babel-source (5.8.35)
     babel-transpiler (0.7.0)
       babel-source (>= 4.0, < 6)
@@ -322,7 +328,7 @@ GEM
     mime-types-data (3.2020.1104)
     mini_magick (4.11.0)
     mini_mime (1.1.1)
-    mini_portile2 (2.5.3)
+    mini_portile2 (2.6.1)
     minitest (5.14.4)
     mocha (1.11.2)
     msgpack (1.3.3)
@@ -332,8 +338,8 @@ GEM
       connection_pool (~> 2.2)
     netrc (0.11.0)
     nio4r (2.5.8)
-    nokogiri (1.11.7)
-      mini_portile2 (~> 2.5.0)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
       racc (~> 1.4)
     parallel (1.20.1)
     parser (3.0.0.0)
@@ -605,7 +611,7 @@ DEPENDENCIES
   authlogic (~> 6.1)
   awesome_print (~> 1.6)
   aws-sdk-s3 (~> 1.86)
-  azure-storage-blob (~> 2.0)
+  azure-storage-blob!
   binding_of_caller (~> 0.8.0)
   bluecloth (~> 2.2)
   blueprinter (~> 0.25.1)