goshippo / shippo-ruby-client

Shipping API Ruby library (USPS, FedEx, UPS and more)
https://goshippo.com/docs/

CVE-2020-10663 with dependency gem json #96

Closed axlekb closed 4 years ago

axlekb commented 4 years ago

This gem has a dependency

```ruby
spec.add_dependency 'json', '~> 1.8'
```

However, json has moved beyond 1.X and is now at 2.3.0.

```
Name: json
Version: 1.8.6
Advisory: CVE-2020-10663
Criticality: Unknown
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Solution: upgrade to >= 2.3.0
```

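
An added example, not code from shippo-ruby-client: it scans gemspec dependency lines (the constructed sample below starts with the exact pin quoted above; the other two lines are made up) and reports which pins can never resolve to the advisory's fixed version. `Gem::Requirement` is RubyGems' own constraint matcher, so `~> 1.8` is evaluated the way Bundler evaluates it.

```ruby
require 'rubygems'

# Fixed version as stated in the advisory output above (json >= 2.3.0).
FIXED_JSON_VERSION = '2.3.0'

# Constructed sample gemspec: first dependency is the pin from this issue,
# the other two are illustrative only.
SAMPLE_GEMSPEC = <<~'GEMSPEC'
  Gem::Specification.new do |spec|
    spec.add_dependency 'json', '~> 1.8'
    spec.add_dependency 'rest-client', '>= 2.0'
    spec.add_development_dependency 'rspec', '~> 3.0'
  end
GEMSPEC

# Matches add_dependency / add_runtime_dependency / add_development_dependency
# lines and captures the gem name plus the quoted requirement list (if any).
DEP_LINE = /add(?:_runtime|_development)?_dependency\s+['"]([^'"]+)['"](?:\s*,\s*(['"][^'"]+['"](?:\s*,\s*['"][^'"]+['"])*))?/

# Returns [[name, [requirement, ...]], ...]; a bare dependency means '>= 0'.
def parse_dependencies(gemspec_text)
  gemspec_text.scan(DEP_LINE).map do |name, reqs|
    requirements = reqs ? reqs.scan(/['"]([^'"]+)['"]/).flatten : ['>= 0']
    [name, requirements]
  end
end

# True when the constraint can never be satisfied by the fixed version,
# i.e. the pin itself keeps the vulnerable series installed
# ('~> 1.8' means >= 1.8 and < 2.0, so 2.3.0 is excluded).
def pin_blocks_fix?(requirements, fixed_version)
  !Gem::Requirement.new(*requirements).satisfied_by?(Gem::Version.new(fixed_version))
end

# Lists "name constraint" strings for pins on gem_name that exclude the fix.
def blocking_pins(gemspec_text, gem_name, fixed_version)
  parse_dependencies(gemspec_text)
    .select { |name, reqs| name == gem_name && pin_blocks_fix?(reqs, fixed_version) }
    .map { |name, reqs| "#{name} #{reqs.join(', ')}" }
end

if __FILE__ == $PROGRAM_NAME
  puts blocking_pins(SAMPLE_GEMSPEC, 'json', FIXED_JSON_VERSION)
end
```

Removing the `json` line entirely (as #90 does) makes the check report nothing, which is the point: with no pin, the stdlib json ships with the Ruby runtime and Bundler is free to resolve a patched release.
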
axlekb commented 4 years ago

@mykewould, you still around? You appear to have been the last person to merge here...

mykewould commented 4 years ago

Hi @axlekb, I'm no longer with Shippo, but someone else should be along to help you.

oehlschl commented 4 years ago

Came across this issue as well while looking into dependencies blocking an update to a safe version of the json gem.

@jfriedr it looks like this json dependency was removed in 4.0 via https://github.com/goshippo/shippo-ruby-client/pull/90

Is that release stable and ready to use? Or can we release a 3.1.1 if there's more risk in updating to 4.0?

jfriedr commented 4 years ago

FWIW we are still attempting to figure out a good support situation for this gem.

A user who was having issues installing the gem with the json dependency pointed out that #90 would resolve the issue by removing the dependency altogether and resulting in the shippo gem using the json stdlib.

If there's an issue that you run into which differs from what you expect feel free to bring it up in another issue.

oehlschl commented 4 years ago

Thanks @jfriedr; makes sense. We'll investigate upgrading to 4.0.