zendesk / samson

Web interface for deployments, with plugin architecture and kubernetes support

Apply Ruby and Rails patches #4020

Closed orien closed 2 years ago

orien commented 2 years ago

Changes

orien commented 2 years ago

Thanks

Looks like there are a couple more security issues:

Name: diffy
Version: 3.2.0
CVE: CVE-2022-33127
GHSA: GHSA-5ww9-9qp2-x524
Criticality: Critical
URL: https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
Title: Improper handling of double quotes in file name in Diffy in Windows environment
Solution: upgrade to >= 3.4.1

Name: octokit
Version: 4.18.0
CVE: CVE-2022-31072
GHSA: GHSA-g28x-pgr3-qqx6
Criticality: Low
URL: https://github.com/octokit/octokit.rb/security/advisories/GHSA-g28x-pgr3-qqx6
Title: Octokit gem published with world-writable files
Solution: upgrade to >= 4.25.0

Ok for me to add patches for these in this PR?

grosser commented 2 years ago

feel free to add as many patches as you like as long as they are low-risk, but I'd recommend hunting down these test-bugs first before adding more :)

Psych::DisallowedClass: Tried to load unspecified class: ActiveSupport::TimeWithZone
Psych::DisallowedClass: Tried to load unspecified class: BigDecimal
grosser commented 2 years ago
# https://github.com/collectiveidea/audited/issues/631
# List of classes deemed safe to load by YAML, and required by the Audited
# gem when deserialized audit records.
# As of Rails 6.0.5.1, YAML safe-loading method does not allow all classes
# to be deserialized by default: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
Rails.application.config.active_record.yaml_column_permitted_classes = [
  ActiveSupport::TimeWithZone,
  ActiveSupport::TimeZone,
  Date,
  Time,
  ActiveSupport::HashWithIndifferentAccess,
  BigDecimal
]
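An added example, not part of this thread or of Samson's own code, showing where the two Psych::DisallowedClass errors above come from and how an allowlist like the one grosser posted behaves. It assumes a constructed audit-record value containing a BigDecimal and a Date (a hypothetical subset of the permitted list; the YAML is made up, not taken from any real database), and the helper names are my own:

```ruby
require "yaml"
require "bigdecimal"
require "date"

# Hypothetical subset of the yaml_column_permitted_classes list from the
# comment above: just the classes this constructed sample needs.
PERMITTED_CLASSES = [BigDecimal, Date].freeze

# Constructed sample of what a serialized `audited_changes` column might
# hold: a decimal price change and a date. Not from any real Samson record.
SAMPLE_AUDIT_YAML = {
  "price"     => [BigDecimal("9.99"), BigDecimal("12.50")],
  "starts_on" => Date.new(2022, 7, 1),
}.to_yaml

# Constructed hostile column value: an arbitrary-object tag of the kind
# CVE-2022-32224 is about. It must stay rejected even with the allowlist.
HOSTILE_YAML = "--- !ruby/object:OpenStruct\ntable: {}\n"

# Name of the first class safe_load refuses for this document, or nil if
# the document loads cleanly with the given allowlist.
def first_disallowed_class(yaml, permitted = [])
  YAML.safe_load(yaml, permitted_classes: permitted, aliases: true)
  nil
rescue Psych::DisallowedClass => e
  e.message[/unspecified class: (\S+)/, 1]
end

# Build an allowlist from a *trusted* fixture by repeatedly asking Psych
# which class it refuses next (the "hunt down the test bugs" loop). Only
# run this over data you already trust, never over live or user input.
def derive_permitted_classes(yaml, max_rounds = 20)
  permitted = []
  max_rounds.times do
    name = first_disallowed_class(yaml, permitted)
    return permitted if name.nil?
    permitted << Object.const_get(name)
  end
  raise "gave up after #{max_rounds} rounds"
end

# What ActiveRecord's YAML column coder does once the allowlist is set:
# safe_load with exactly those classes, everything else still raises.
def load_audit_changes(yaml)
  YAML.safe_load(yaml, permitted_classes: PERMITTED_CLASSES, aliases: true)
end
```

With an empty allowlist the first refusal is BigDecimal (the tagged scalar is hit before the date), after permitting it the next is Date, and the constructed OpenStruct payload is still refused with the full allowlist in place, which is the point of an allowlist over a blanket `unsafe_load`.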
orien commented 2 years ago

I see there's an octokit monkey patch in this project, upgrading the octokit gem will take a bit of work. It's probably best for someone with more familiarity with the project than me to attempt it.

grosser commented 2 years ago

does octokit need the update?

grosser commented 2 years ago

ahh

Name: octokit
Version: 4.18.0
CVE: CVE-2022-31072
grosser commented 2 years ago

taking care of octokit here https://github.com/zendesk/samson/pull/4022