Closed larouchefrancois closed 9 months ago
PactNet is now on 4.x, and that is an older unsupported version. This was a sub-package that contained arch specific files, but is no longer required, and just the main PactNet project is.
That's great news then.
If I understand correctly, the new 4.x version supports Linux and OSX out of the box without the use of Ruby? In that case I'll close the ticket upon confirmation. I was actually wondering why it wasn't possible in the first place with .NET Core. But I'm sure there were good reasons.
Pact Net relies on a shared core, once developed in Ruby but now developed in Rust.
Ruby updates were not an option at the time, and still aren't officially today, from the main packaging maintainer, but I have a fork of the packaging system which updated to the latest Ruby and added additional architectures.
pact-net 4.x was mainlined by that point, and changes are not being backported to the 3.x line.
Full details of the ecosystem reside here.
Thanks that makes sense.
We did test the new code and it does work as you said it would. However, the NuGet package uses an older release that doesn't include the new capabilities (v3 specification and below); only the NuGet package 5.0.0-beta.1 supports the new v4.
@adamrodger Hi Adam, I saw you are the main contributor on the Beta and I was wondering if you had any idea when that Beta will be in final release. Thanks in advance for your answer!
As for this issue, I will close it once I have an idea when it will be fixed. As far as the NuGet package goes, the vulnerabilities still stand.
The beta is currently blocked on some changes in the FFI, and I'm not sure on the progress of those.
Basically the problem is that pact files should be able to contain both regular HTTP interactions and messaging interactions within the same file, but currently if you try to do that it causes a number of problems.
The API should hopefully be correct for that use case now, but if you try to use it then there are errors. Separate files still work fine, though, and I've been using 5.0.0-beta.1 in production ever since it was released with no issues.
Also I want to replace Newtonsoft with System.Text.Json (see the RFCs in the issue tracker), which would be a breaking change, hence not releasing 5.x when there are potential breaking changes pending.
By the way - this particular issue won't be fixed. The 3.x series is now deprecated and won't receive further updates.
Hi pact-foundation team,
Great job by the way! We really love the project!
While running SCA scans against the latest NuGet package PactNet.OSX 3.0.2, it found several critical and high security issues in the bundled libraries used in the package, all of which I assume are there to support Mac machines. I know the issues are the same for the PactNet Linux NuGet packages.
These are:
The good news is that all security issues appear to have been fixed in more recent versions of the libraries in question (see the recommendation in the table below).
I took the time to make a table with enough information to help fix the security issues.
- PactNet.OSX-3.0.2.nupkg: tools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/dsl.rb (affected range [1.3.0.pre, 1.16.0.pre.1))
- PactNet.OSX-3.0.2.nupkg: tools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/lockfile_parser.rb (affected range [1.3.0.pre, 1.16.0.pre.1))
- PactNet.OSX-3.0.2.nupkg: tools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/source/rubygems.rb (affected range [1.3.0.pre, 1.16.0.pre.1))
- PactNet.OSX-3.0.2.nupkg: tools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/text.rb (affected range [1.3.2, 2.6.13))
An attacker can exploit this vulnerability by crafting a Ruby gem containing a maliciously crafted checksums.yaml.gz file in the gem specification, which itself contains malicious serialized YAML data. When this file is deserialized by RubyGems, the malicious code will be executed and will result in Remote Code Execution.
- PactNet.OSX-3.0.2.nupkg: tools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/package.rb (affected range [2.0.0.preview2, 2.6.14))
- PactNet.OSX-3.0.2.nupkg: tools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/package/old.rb (affected range [2.0.0.preview2, 2.6.14))
- PactNet.OSX-3.0.2.nupkg: tools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/lint.rb (affected range [2.1.0, 2.1.4.1))
Ref: https://bugs.ruby-lang.org/attachments/7669
Reference: https://bugs.ruby-lang.org/attachments/7669
- PactNet.OSX-3.0.2.nupkg: tools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/multipart/parser.rb (affected range [2.1.0, 2.1.4.1))
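An added example (not code from this issue, from PactNet, or from the SCA tool) that turns the file list above into a check a maintainer can re-run after swapping in newer libraries: it pulls the gem name and version out of each vendored path and compares them against the affected ranges reported here using RubyGems' own version semantics, so prerelease tags such as `1.16.0.pre.1` order correctly. The sample paths are the ones listed above plus one constructed path that stands in for an upgraded rack; the RubyGems library itself has no version in its path, so for the `rubygems` entries the version has to be read from `Gem::VERSION` inside the bundled interpreter and passed to `affected?` directly.

```ruby
require "rubygems"

# Affected ranges exactly as reported in the findings above:
# lower bound inclusive, upper bound exclusive, RubyGems version notation.
AFFECTED_RANGES = {
  "bundler"  => [Gem::Requirement.new(">= 1.3.0.pre", "< 1.16.0.pre.1")],
  "rubygems" => [Gem::Requirement.new(">= 1.3.2", "< 2.6.13"),
                 Gem::Requirement.new(">= 2.0.0.preview2", "< 2.6.14")],
  "rack"     => [Gem::Requirement.new(">= 2.1.0", "< 2.1.4.1")],
}.freeze

# True when `version` of `name` falls inside any reported affected range.
# Gem::Version handles prerelease segments ("pre", "preview2") natively.
def affected?(name, version)
  ranges = AFFECTED_RANGES[name] or return false
  v = Gem::Version.new(version)
  ranges.any? { |req| req.satisfied_by?(v) }
end

# Matches the "<name>-<version>" directory under a gems/ folder, e.g.
# ".../gems/2.2.0/gems/bundler-1.9.9/lib/bundler/dsl.rb" => ["bundler", "1.9.9"].
# The version must start with a digit, so the "gems/2.2.0/" directory
# (the Ruby ABI version) is skipped over.
GEM_DIR = %r{/gems/([A-Za-z0-9_\-]+?)-(\d[^/]*)/}

def gem_from_path(path)
  m = GEM_DIR.match(path) or return nil
  [m[1], m[2]]
end

# Classify every path that carries a gem version; paths without one
# (the rubygems stdlib files) are reported separately so they are not
# silently treated as clean.
def scan_paths(paths)
  result = { findings: [], unversioned: [] }
  paths.each do |path|
    name, version = gem_from_path(path)
    if name.nil?
      result[:unversioned] << path
    else
      result[:findings] << { path: path, gem: name, version: version,
                             affected: affected?(name, version) }
    end
  end
  result
end

# Constructed sample: the paths reported above, plus one hypothetical path
# for a rack upgraded to the first fixed release.
SAMPLE_PATHS = [
  "tools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/dsl.rb",
  "tools/pact-osx/lib/ruby/lib/ruby/gems/2.2.0/gems/bundler-1.9.9/lib/bundler/lockfile_parser.rb",
  "tools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/text.rb",
  "tools/pact-osx/lib/ruby/lib/ruby/2.2.0/rubygems/package.rb",
  "tools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4/lib/rack/lint.rb",
  "tools/pact-osx/lib/vendor/ruby/2.2.0/gems/rack-2.1.4.1/lib/rack/lint.rb", # constructed
].freeze

if __FILE__ == $PROGRAM_NAME
  report = scan_paths(SAMPLE_PATHS)
  report[:findings].each do |f|
    puts format("%-9s %-10s %s  %s", f[:gem], f[:version],
                f[:affected] ? "AFFECTED" : "ok", f[:path])
  end
  report[:unversioned].each { |p| puts "no gem version in path, check Gem::VERSION: #{p}" }
end
```

Re-running `scan_paths` over the unpacked `tools/` tree of a rebuilt package shows whether the vendored gems have actually moved past the fixed versions; the `unversioned` list is the reminder that RubyGems itself still has to be checked by hand.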