shiftcommerce / flex-ruby-gem

💎 The Ruby library used to integrate with the Shift Platform API
MIT License

Upgrade yard to version 0.9.11 or later #169

Open emma5678 opened 5 years ago

emma5678 commented 5 years ago

The Yard vulnerability has been present in flex-commerce-api.gemspec since Dec 2017. We need to upgrade to 0.9.11 or later.

Issue also present in penthouse repo: https://github.com/shiftcommerce/penthouse/issues/13

This needs to be completed by April 2019.

Due to time passed, I would suggest updating to the very latest version, if greater than 0.9.11, unless an issue is identified with doing so.

Vulnerability details:

lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
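
An added Ruby example (not code from YARD or from this gem) of two checks a maintainer could run in response to this report: a scan of a Gemfile.lock for the resolved yard version against the 0.9.11 minimum named above, and the containment check a documentation server needs when it maps a requested relative path onto its document root. The lockfile text is constructed, and the function names are the example's own.

```ruby
require 'rubygems'

# Fixed release named in the issue.
MIN_SAFE_YARD = Gem::Version.new('0.9.11')

# Constructed Gemfile.lock fragment, as it would look with a vulnerable yard.
LOCKFILE_SAMPLE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (12.3.2)
      yard (0.9.9)

  DEPENDENCIES
    yard (>= 0.9.9)
LOCK

# Find the resolved yard version in a Gemfile.lock and compare it with the
# minimum. Only the "specs:" form "yard (x.y.z)" is matched; dependency lines
# such as "yard (>= 0.9.9)" carry a constraint, not a resolved version.
# Returns [version_string_or_nil, ok?].
def yard_version_status(lockfile_text)
  m = lockfile_text.match(/^\s+yard \((\d[^)]*)\)/)
  return [nil, false] unless m
  [m[1], Gem::Version.new(m[1]) >= MIN_SAFE_YARD]
end

# Resolve a client-supplied relative path against a document root and refuse
# anything whose canonical form lands outside the root. This is the general
# containment check a file-serving endpoint needs, rather than only rejecting
# a leading "../": File.expand_path collapses "." and ".." segments, so
# "docs/../../etc/passwd" and an absolute "/etc/passwd" are caught as well.
# Returns the resolved absolute path, or nil when the request is rejected.
def resolve_within(root, requested)
  # "~" would expand to a home directory (and an unknown user raises), so
  # refuse it outright rather than letting expand_path interpret it.
  return nil if requested.start_with?('~')
  root = File.expand_path(root)
  candidate = File.expand_path(requested, root)
  inside = candidate == root || candidate.start_with?(root + File::SEPARATOR)
  inside ? candidate : nil
end

if __FILE__ == $PROGRAM_NAME
  version, ok = yard_version_status(LOCKFILE_SAMPLE)
  puts "yard #{version}: #{ok ? 'ok' : 'upgrade to >= 0.9.11'}"
  ['index.html', '../etc/passwd', 'a/../../etc/passwd'].each do |req|
    puts "#{req.inspect} -> #{resolve_within('/srv/docs', req).inspect}"
  end
end
```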

emma5678 commented 5 years ago

@krisquigley @ryantownsend Can this be addressed, please?

emma5678 commented 5 years ago

@ryantownsend @krisquigley Can this be prioritised, please?

emma5678 commented 4 years ago

@ryantownsend @krisquigley Can this be prioritised ASAP, please?

ryantownsend commented 4 years ago

@emma5678 this isn't actually executed in production, so it's not really a major issue - it's a tool that runs a server to generate documentation, but we don't actually use it. Still, we should address it – I'll get it on the wall.

emma5678 commented 4 years ago

@ryantownsend Does it actually need to be there then? Can we remove it if it's never used?