Process backlogged dependabot reports

[ryscher]

Sometimes when dependabot detects a problem, it cannot automatically create a pull request.

Process the backlog of detected problems at https://github.com/datadryad/dryad-app/security/dependabot, and create pull requests for all that are possible.

[ryscher]

In progress, many are dependent on removing gulp.

[DragosIorgulescu]

Current status of dependabot alerts

Alerts left to investigate

These are pending upgrade investigation

• [ ] TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements and TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes

  We are currently using v6.7.3 for tinymce

  => Found "tinymce@6.7.3"
  info Reasons this module exists
   - "@tinymce#tinymce-react" depends on it
   - Hoisted from "@tinymce#tinymce-react#tinymce"

• [ ] Axios Cross-Site Request Forgery Vulnerability

  browser-sync@2.29.3 requires axios@0.21.4 via localtunnel@2.0.2

• [ ] minimatch ReDoS vulnerability

  => Found "ssi#minimatch@0.3.0"
  info Reasons this module exists
   - "browsersync-ssi#ssi#glob" depends on it
   - Hoisted from "browsersync-ssi#ssi#glob#minimatch"

Gulp dependencies

The following are dependencies of gulp, which will be removed once we remove gulp:

• Puma HTTP Request/Response Smuggling vulnerability

  yarn why http-cache-semantics
  
  => Found "http-cache-semantics@3.8.1"
  info Reasons this module exists
   - "gulp-imagemin#imagemin-gifsicle#gifsicle#bin-wrapper#download#got#cacheable-request" depends on it
   - Hoisted from "gulp-imagemin#imagemin-gifsicle#gifsicle#bin-wrapper#download#got#cacheable-request#http-cache-semantics"

• Code Injection in pac-resolver

  gulp-w3cjs@1.3.2 requires degenerator@^1.0.4 via a transitive dependency on pac-resolver@3.0.0

• netmask npm package mishandles octal input data

  gulp-w3cjs@1.3.2 requires netmask@^1.0.6 via a transitive dependency on pac-resolver@3.0.0

stash-deposit dependencies

Bundler::GemspecError with message: [!] There was an error while loading `stash-deposit.gemspec`: uninitialized constant Stash. Bundler cannot continue.

 #  from /home/dependabot/dependabot-updater/dependabot_tmp_dir/stash/stash-deposit/stash/stash-deposit/stash-deposit.gemspec:31
 #  -------------------------------------------
 #  Gem::Specification.new do |s|
 >    s.name          = Stash::Deposit::NAME
 #    s.version       = "0.0.1"
 #  -------------------------------------------

The stash-deposit engine has been removed, so these can be closed

• Inefficient Regular Expression Complexity in rails-html-sanitizer
• Inefficient Regular Expression Complexity in Loofah
• Uncontrolled Recursion in Loofah
• httparty has multipart/form-data request tampering vulnerability
• Possible XSS vulnerability with certain configurations of rails-html-sanitizer
• Possible XSS vulnerability with certain configurations of rails-html-sanitizer (duplicate)
• Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
• Improper neutralization of data URIs may allow XSS in Loofah

stash-wrapper dependencies

The stash-wrapper engine seems to no longer be used, it is recommended we delete the associated files

Bundler::GemspecError with message: [!] There was an error while loading `stash-wrapper.gemspec`: uninitialized constant Stash. Bundler cannot continue.

 #  from /home/dependabot/dependabot-updater/repo/stash/stash-wrapper/stash/stash-wrapper/stash-wrapper.gemspec:31
 #  -------------------------------------------
 #  Gem::Specification.new do |s|
 >    s.name          = Stash::Wrapper::NAME
 #    s.version       = "0.0.1"
 #  -------------------------------------------

Once we remove, we can close the following alerts:

• Use-after-free in libxml2 via Nokogiri::XML::Reader
• Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
• Rails has possible Sensitive Session Information Leak in Active Storage
• view_component Cross-site Scripting vulnerability
• Puma HTTP Request/Response Smuggling vulnerability
• Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)
• Rack has possible DoS Vulnerability with Range Header
• Rack Header Parsing leads to Possible Denial of Service Vulnerability

Alerts which will be resolved with ruby and rails upgrades

• Possible XSS Security Vulnerability in SafeBuffer#bytesplice
• Active Support Possibly Discloses Locally Encrypted Files
• Active Support Possibly Discloses Locally Encrypted Files (duplicate)

[ahamelers]

I am most of the way to removing gulp (#2906 ), however I need to make sure to incorporate changes to the CSS and JS files I'll be moving and deleting that have been made in various open PRs. I'm marking that ticket blocked for now.

See https://github.com/datadryad/dryad-app/pull/1604