toncid
commented
5 years ago There is a vulnerability in rubyzip < 1.3: https://github.com/rubyzip/rubyzip/pull/403
Open fabdbt opened 5 years ago
toncid
commented
5 years ago There is a vulnerability in rubyzip < 1.3: https://github.com/rubyzip/rubyzip/pull/403
fabdbt
commented
5 years ago By unlock, I do not mean allowing rubyzip versions prior to 1.3. I mean allowing people to use axlsx gem with rubyzip >= 1.3 and so rubyzip >= 2.
chriscz
commented
5 years ago @Apokly I've had success with the following polyfill on rubyzip == 1.2.1. YMMV.
edit: simplified it, but misread the question. regardless; useful nonetheless.
Place a file ``zip.rb'' as below
lib/
zip/
zip.rbzip.rb
# Polyfill to make AXLSX package work with v1.2.x `zip` which no longer defines `Zip::Zip`
require 'zip'
require 'zip/output_stream'
module Zip
class ZipOutputStream < OutputStream
def initialize(filename, stream = false)
if stream
filename = StringIO.new
end
super(filename, stream)
end
end
end
noniq
commented
5 years ago There’s now a community-supported fork of axlsx: https://github.com/caxlsx/caxlsx
Versions 2.0.2 and 3.0.x have been released, both supporting newer versions of Rubyzip. See https://rubygems.org/gems/caxlsx/versions/3.0.1
baburdick
commented
2 years ago Note: there have since been more critical vulnerabilities discovered in rubyzip v1.0.0:
Taking a serious look at https://github.com/caxlsx/caxlsx ...
noniq
commented
2 years ago As far as I understand, both vulnerabilities are in the context of extracting archives. Axlsx only creates archives.
However, it’s a very bad idea to have a vulnerable version of Rubyzip in your project at all, so please upgrade to at least caxlsx 2.0.2 or 3.0.1.
In caxlsx it's also possible to use an external zip program instead of Rubyzip, see https://www.rubydoc.info/gems/caxlsx/Axlsx/Package#serialize-instance_method
Could you please unlock
rubyzipversion to use newest version 2 ? https://github.com/rubyzip/rubyzip/releases/tag/v2.0.0