patch: security vulnerability fix (#56)
#### Why
Security vulnerabilities
https://github.com/wealthsimple/eventsimple/actions/runs/8101388745/job/22141453280
```
Name: actionpack
Version: 7.1.3
CVE: CVE-2024-26142
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
Title: Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
Solution: upgrade to '>= 7.1.3.1'

Name: actionpack
Version: 7.1.3
CVE: CVE-2024-26143
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
Title: Possible XSS Vulnerability in Action Controller
Solution: upgrade to '~> 7.0.8, >= 7.0.8.1', '>= 7.1.3.1'

Name: rack
Version: 3.0.9
CVE: CVE-2024-25126
GHSA: GHSA-22f2-v57c-j9cx
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941
Title: Denial of Service Vulnerability in Rack Content-Type Parsing
Solution: upgrade to '~> 2.2.8, >= 2.2.8.1', '>= 3.0.9.1'

Name: rack
Version: 3.0.9
CVE: CVE-2024-26141
GHSA: GHSA-xj5v-6v4g-jfw6
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
Title: Possible DoS Vulnerability with Range Header in Rack
Solution: upgrade to '~> 2.2.8, >= 2.2.8.1', '>= 3.0.9.1'

Name: rack
Version: 3.0.9
CVE: CVE-2024-26146
GHSA: GHSA-54rr-7fvw-6x8f
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
Title: Possible Denial of Service Vulnerability in Rack Header Parsing
Solution: upgrade to '~> 2.0.9, >= 2.0.9.4', '~> 2.1.4, >= 2.1.4.4', '~> 2.2.8, >= 2.2.8.1', '>= 3.0.9.1'

Vulnerabilities found!
```


#### What changed
Updated dependencies with `bundle update rails`
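A reviewer's quickest check on a commit like this is whether the versions now pinned in Gemfile.lock actually fall inside the `Solution` ranges the scan reported. The following Ruby script is an added example, not code from the eventsimple project or this commit: it parses advisory blocks in the scan-output format shown above and lockfile entries in Gemfile.lock format, then evaluates each `Solution` group with RubyGems' own `Gem::Requirement` and `Gem::Version`. The advisory text and the two lockfile fragments are constructed from this page (trimmed to the fields the check needs), and the function names are the example's own.

```ruby
# Added example (not part of the eventsimple commit): verify that the gem
# versions pinned in Gemfile.lock satisfy the "Solution" ranges reported by
# the dependency scan quoted in the commit description.
require 'rubygems'

# Advisory text constructed from the scan output above, trimmed to the fields
# this check uses.
ADVISORIES = <<~TXT
  Name: actionpack
  Version: 7.1.3
  CVE: CVE-2024-26142
  Solution: upgrade to '>= 7.1.3.1'

  Name: actionpack
  Version: 7.1.3
  CVE: CVE-2024-26143
  Solution: upgrade to '~> 7.0.8, >= 7.0.8.1', '>= 7.1.3.1'

  Name: rack
  Version: 3.0.9
  CVE: CVE-2024-25126
  Solution: upgrade to '~> 2.2.8, >= 2.2.8.1', '>= 3.0.9.1'

  Name: rack
  Version: 3.0.9
  CVE: CVE-2024-26146
  Solution: upgrade to '~> 2.0.9, >= 2.0.9.4', '~> 2.1.4, >= 2.1.4.4', '~> 2.2.8, >= 2.2.8.1', '>= 3.0.9.1'
TXT

# Gemfile.lock fragments constructed from the diff (top-level specs are
# indented four spaces and their dependencies six, as in a real lockfile).
LOCK_BEFORE = <<~LOCK
  GEM
    specs:
      actionpack (7.1.3)
        rack (>= 2.2.4)
      rack (3.0.9)
LOCK

LOCK_AFTER = <<~LOCK
  GEM
    specs:
      actionpack (7.1.3.2)
        rack (>= 2.2.4)
      rack (3.0.9.1)
LOCK

# Each quoted group in a Solution line is one supported release line
# (e.g. '~> 2.2.8, >= 2.2.8.1' is the 2.2.x fix). A version is fixed if it
# satisfies ANY group, and every constraint within that group.
def parse_advisories(text)
  text.split(/\n\s*\n/).map do |block|
    fields = block.scan(/^(\w+): (.+)$/).to_h
    groups = fields['Solution'].scan(/'([^']+)'/).flatten
    {
      name: fields['Name'],
      cve: fields['CVE'],
      solutions: groups.map { |g| Gem::Requirement.new(*g.split(',').map(&:strip)) },
    }
  end
end

# Map of top-level gem name => locked version string (four-space entries only;
# the six-space dependency lines carry constraints, not pinned versions).
def locked_versions(lock_text)
  lock_text.scan(/^ {4}([\w-]+) \(([\d.]+)\)$/).to_h
end

def fixed?(version, solutions)
  v = Gem::Version.new(version)
  solutions.any? { |req| req.satisfied_by?(v) }
end

# Advisories the lockfile still does not satisfy, as "CVE gem version" strings.
def unresolved(lock_text, advisory_text = ADVISORIES)
  versions = locked_versions(lock_text)
  parse_advisories(advisory_text)
    .reject { |adv| versions[adv[:name]] && fixed?(versions[adv[:name]], adv[:solutions]) }
    .map { |adv| "#{adv[:cve]} #{adv[:name]} #{versions[adv[:name]] || 'not locked'}" }
end

if __FILE__ == $PROGRAM_NAME
  puts "before update: #{unresolved(LOCK_BEFORE).inspect}"
  puts "after update:  #{unresolved(LOCK_AFTER).inspect}"
end
```

Run against the real files by reading the scan step's output and `Gemfile.lock` into `unresolved`; an empty result means every advisory's range is met. Treating each quoted group as an alternative matters: a 7.0.x app is fixed by `7.0.8.1` even though it fails `>= 7.1.3.1`, and a naive "greater than the highest number" comparison would flag it wrongly.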
darrunategui authored Feb 29, 2024
1 parent 133eb8c commit c21786d
Showing 3 changed files with 63 additions and 59 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## Unreleased

## 1.3.2 - 2024-03-01
### Changed
- Updated dependencies to fix a security vulnerability

## 1.3.1 - 2024-01-19
### Changed
- Restore readonly status to the original status after enable_writes! block.
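Review bot: the 1.3.2 entry says "a security vulnerability" (singular), but the scan in the description lists five advisories across two gems (CVE-2024-26142 and CVE-2024-26143 in actionpack; CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146 in rack), and anyone auditing which advisories a release closes needs the identifiers. Suggest spelling them out, e.g. `- Updated rails to 7.1.3.2 and rack to 3.0.9.1 to fix CVE-2024-26142, CVE-2024-26143, CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146`. Also note the entry is dated 2024-03-01 while the commit is from Feb 29, 2024; fine if that is the planned release date.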
116 changes: 58 additions & 58 deletions Gemfile.lock
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
eventsimple (1.3.1)
eventsimple (1.3.2)
dry-struct (~> 1.6)
dry-types (~> 1.7)
pg (~> 1.4)
@@ -11,71 +11,71 @@ PATH
GEM
remote: https://rubygems.org/
specs:
actioncable (7.1.3)
actionpack (= 7.1.3)
activesupport (= 7.1.3)
actioncable (7.1.3.2)
actionpack (= 7.1.3.2)
activesupport (= 7.1.3.2)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
zeitwerk (~> 2.6)
actionmailbox (7.1.3)
actionpack (= 7.1.3)
activejob (= 7.1.3)
activerecord (= 7.1.3)
activestorage (= 7.1.3)
activesupport (= 7.1.3)
actionmailbox (7.1.3.2)
actionpack (= 7.1.3.2)
activejob (= 7.1.3.2)
activerecord (= 7.1.3.2)
activestorage (= 7.1.3.2)
activesupport (= 7.1.3.2)
mail (>= 2.7.1)
net-imap
net-pop
net-smtp
actionmailer (7.1.3)
actionpack (= 7.1.3)
actionview (= 7.1.3)
activejob (= 7.1.3)
activesupport (= 7.1.3)
actionmailer (7.1.3.2)
actionpack (= 7.1.3.2)
actionview (= 7.1.3.2)
activejob (= 7.1.3.2)
activesupport (= 7.1.3.2)
mail (~> 2.5, >= 2.5.4)
net-imap
net-pop
net-smtp
rails-dom-testing (~> 2.2)
actionpack (7.1.3)
actionview (= 7.1.3)
activesupport (= 7.1.3)
actionpack (7.1.3.2)
actionview (= 7.1.3.2)
activesupport (= 7.1.3.2)
nokogiri (>= 1.8.5)
racc
rack (>= 2.2.4)
rack-session (>= 1.0.1)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.2)
rails-html-sanitizer (~> 1.6)
actiontext (7.1.3)
actionpack (= 7.1.3)
activerecord (= 7.1.3)
activestorage (= 7.1.3)
activesupport (= 7.1.3)
actiontext (7.1.3.2)
actionpack (= 7.1.3.2)
activerecord (= 7.1.3.2)
activestorage (= 7.1.3.2)
activesupport (= 7.1.3.2)
globalid (>= 0.6.0)
nokogiri (>= 1.8.5)
actionview (7.1.3)
activesupport (= 7.1.3)
actionview (7.1.3.2)
activesupport (= 7.1.3.2)
builder (~> 3.1)
erubi (~> 1.11)
rails-dom-testing (~> 2.2)
rails-html-sanitizer (~> 1.6)
activejob (7.1.3)
activesupport (= 7.1.3)
activejob (7.1.3.2)
activesupport (= 7.1.3.2)
globalid (>= 0.3.6)
activemodel (7.1.3)
activesupport (= 7.1.3)
activerecord (7.1.3)
activemodel (= 7.1.3)
activesupport (= 7.1.3)
activemodel (7.1.3.2)
activesupport (= 7.1.3.2)
activerecord (7.1.3.2)
activemodel (= 7.1.3.2)
activesupport (= 7.1.3.2)
timeout (>= 0.4.0)
activestorage (7.1.3)
actionpack (= 7.1.3)
activejob (= 7.1.3)
activerecord (= 7.1.3)
activesupport (= 7.1.3)
activestorage (7.1.3.2)
actionpack (= 7.1.3.2)
activejob (= 7.1.3.2)
activerecord (= 7.1.3.2)
activesupport (= 7.1.3.2)
marcel (~> 1.0)
activesupport (7.1.3)
activesupport (7.1.3.2)
base64
bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2)
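Review bot: actionpack's own constraint on rack stays at `rack (>= 2.2.4)`, so nothing in this hunk forces the rack fix; the three rack advisories are only closed if rack itself moved, which happens in a later hunk and is worth calling out explicitly in the description since the title and CHANGELOG only mention `bundle update rails`. The rails family moving in lockstep to 7.1.3.2 satisfies the `'>= 7.1.3.1'` solution for CVE-2024-26142 and CVE-2024-26143.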
@@ -176,7 +176,7 @@ GEM
net-imap
net-pop
net-smtp
marcel (1.0.2)
marcel (1.0.3)
method_source (1.0.0)
mini_mime (1.1.5)
minitest (5.22.2)
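Review bot: marcel 1.0.2 -> 1.0.3 is not among the advisories in the description, so `bundle update rails` pulled in unrelated transitive bumps (the same applies to reline 0.4.2 -> 0.4.3 and thor 1.3.0 -> 1.3.1 further down). Either mention these in the description or run `bundle update --conservative rails` so a security patch commit stays limited to the gems the advisories name and is easier to review and revert.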
@@ -216,38 +216,38 @@ GEM
puma (6.4.2)
nio4r (~> 2.0)
racc (1.7.3)
rack (3.0.9)
rack (3.0.9.1)
rack-session (2.0.0)
rack (>= 3.0.0)
rack-test (2.1.0)
rack (>= 1.3)
rackup (2.1.0)
rack (>= 3)
webrick (~> 1.8)
rails (7.1.3)
actioncable (= 7.1.3)
actionmailbox (= 7.1.3)
actionmailer (= 7.1.3)
actionpack (= 7.1.3)
actiontext (= 7.1.3)
actionview (= 7.1.3)
activejob (= 7.1.3)
activemodel (= 7.1.3)
activerecord (= 7.1.3)
activestorage (= 7.1.3)
activesupport (= 7.1.3)
rails (7.1.3.2)
actioncable (= 7.1.3.2)
actionmailbox (= 7.1.3.2)
actionmailer (= 7.1.3.2)
actionpack (= 7.1.3.2)
actiontext (= 7.1.3.2)
actionview (= 7.1.3.2)
activejob (= 7.1.3.2)
activemodel (= 7.1.3.2)
activerecord (= 7.1.3.2)
activestorage (= 7.1.3.2)
activesupport (= 7.1.3.2)
bundler (>= 1.15.0)
railties (= 7.1.3)
railties (= 7.1.3.2)
rails-dom-testing (2.2.0)
activesupport (>= 5.0.0)
minitest
nokogiri (>= 1.6)
rails-html-sanitizer (1.6.0)
loofah (~> 2.21)
nokogiri (~> 1.14)
railties (7.1.3)
actionpack (= 7.1.3)
activesupport (= 7.1.3)
railties (7.1.3.2)
actionpack (= 7.1.3.2)
activesupport (= 7.1.3.2)
irb
rackup (>= 1.0.0)
rake (>= 12.2)
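Review bot: rack 3.0.9 -> 3.0.9.1 meets the `'>= 3.0.9.1'` solution listed for CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146, which is the part of this commit that closes the rack advisories. None of the visible constraints on rack (`>= 2.2.4` from actionpack, `>= 3.0.0` from rack-session, `>= 1.3` from rack-test, `>= 3` from rackup) enforces that floor, so only the lockfile holds the fixed version; if downstream consumers of this gem should be protected too, consider a `>= 3.0.9.1` floor in the gemspec or Gemfile rather than relying on resolution alone.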
@@ -262,7 +262,7 @@ GEM
rdoc (6.6.2)
psych (>= 4.0.0)
regexp_parser (2.9.0)
reline (0.4.2)
reline (0.4.3)
io-console (~> 0.5)
retriable (3.1.2)
rexml (3.2.6)
@@ -337,7 +337,7 @@ GEM
lint_roller (~> 1.0)
rubocop-rails (~> 2.23.1)
stringio (3.1.0)
thor (1.3.0)
thor (1.3.1)
timeout (0.4.1)
treetop (1.6.12)
polyglot (~> 0.3)
2 changes: 1 addition & 1 deletion lib/eventsimple/version.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true

module Eventsimple
VERSION = '1.3.1'
VERSION = '1.3.2'
end
