Security: Fix bundler-audit vulnerabilities #17
Closed
polographer wants to merge 1 commit into trunk from
This commit updates vulnerable gems identified by bundler-audit. See PR description for detailed analysis of changes and affected components.
Bundler Audit Fixes
This PR updates vulnerable gems identified by bundler-audit.
Analysis
================================================================================
SECURITY UPDATE REVIEW - Gem Vulnerability Remediation
Date: March 25, 2026
Total Gems Updated: 4
All vulnerabilities have been successfully patched.
No vulnerabilities remaining after updates.
================================================================================
┌──────────────────────────────────────────────────────────────────────────────┐
│ 1. JSON GEM │
└──────────────────────────────────────────────────────────────────────────────┘
VERSION UPDATE:
2.18.0 → 2.19.3
SECURITY ISSUE:
CVE: CVE-2026-33210
GHSA: GHSA-3m6g-2423-7cp3
Severity: Unknown
Title: Ruby JSON has a format string injection vulnerability
Description: Format string injection vulnerability allowing potential code
execution or information disclosure through malformed JSON input
URL: GHSA-3m6g-2423-7cp3
FILES/MODULES USING THIS GEM:
Direct Usage:
• app/domain/cartafact/operations/validate_resource_identity_signature.rb:46
- Parses JSON from Base64-decoded identity headers
• app/controllers/api/v1/documents_controller.rb:113
- Parses JSON-encoded document metadata from multipart form requests
• spec/controllers/api/v1/documents_controller_spec.rb (multiple lines)
- Test fixtures for API request/response handling
• spec/domain/operations/validate_resource_identity_signature_spec.rb (multiple lines)
- Test fixtures for identity signature validation
Indirect Usage:
• Rails 7.2 framework uses json gem for all API JSON response serialization
• All controller endpoints use render json:, implicitly using this gem
POTENTIAL IMPACT AREAS:
⚠️ CRITICAL - Authentication/Authorization Pipeline:
- ValidateResourceIdentitySignature operation parses JSON from
X-RequestingIdentity headers for request authentication
- Format string injection could potentially compromise identity verification
- Document upload endpoint parses JSON metadata from multipart forms
- Malformed JSON could affect document creation workflow
- All API endpoints (index, show, create, download, copy) serialize
responses to JSON
- Response serialization could be affected by the vulnerability
RECOMMENDED ACTIONS:
================================================================================
┌──────────────────────────────────────────────────────────────────────────────┐
│ 2. LOOFAH GEM │
└──────────────────────────────────────────────────────────────────────────────┘
VERSION UPDATE:
2.25.0 → 2.25.1
SECURITY ISSUE:
GHSA: GHSA-46fp-8f5p-pf2m
Severity: Unknown
Title: Improper detection of disallowed URIs by Loofah allowed_uri?
Description: The allowed_uri? method fails to properly detect certain
disallowed URIs, potentially allowing XSS or other URI-based
attacks through HTML sanitization bypass
URL: GHSA-46fp-8f5p-pf2m
FILES/MODULES USING THIS GEM:
Direct Usage:
• None found in application code
Indirect Usage:
• Rails framework dependency through rails-html-sanitizer (version 1.6.2)
• Available for HTML sanitization if needed by ActionController
POTENTIAL IMPACT AREAS:
ℹ️ LOW - HTML Sanitization (Framework Level):
- This is an API-only application (config.api_only = true)
- No HTML views or direct HTML sanitization in application code
- Rails framework may use for parameter handling internally
ℹ️ LOW - Input Protection:
- While not explicitly used, Loofah is available through Rails for
any HTML sanitization needs
- Primarily affects HTML rendering scenarios not present in this API
RECOMMENDED ACTIONS:
================================================================================
┌──────────────────────────────────────────────────────────────────────────────┐
│ 3. NOKOGIRI GEM │
└──────────────────────────────────────────────────────────────────────────────┘
VERSION UPDATE:
1.19.0 → 1.19.2
SECURITY ISSUE:
GHSA: GHSA-wx95-c6cv-8532
Severity: Medium
Title: Nokogiri does not check the return value from xmlC14NExecute
Description: Failure to check return value from xmlC14NExecute could lead to
undefined behavior or security issues in XML canonicalization
URL: GHSA-wx95-c6cv-8532
FILES/MODULES USING THIS GEM:
Direct Usage:
• None found in application code
Indirect Usage:
• Rails framework dependency required by:
- actionpack (>= 1.8.5)
- loofah (>= 1.12.0)
- rails-html-sanitizer (>= 1.15.7)
- rails-dom-testing (~> 2.2)
POTENTIAL IMPACT AREAS:
ℹ️ LOW - XML/HTML Parsing (Framework Level):
- Rails framework uses Nokogiri internally for request parsing
- ActionPack relies on Nokogiri for parameter handling
- No direct XML parsing in application code
ℹ️ LOW - Request/Response Processing:
- Rails uses Nokogiri for DOM testing and HTML sanitization
- Infrastructure support for Rails' HTTP handling
RECOMMENDED ACTIONS:
================================================================================
┌──────────────────────────────────────────────────────────────────────────────┐
│ 4. RACK GEM │
└──────────────────────────────────────────────────────────────────────────────┘
VERSION UPDATE:
3.2.4 → 3.2.5
SECURITY ISSUES:
Issue 1:
CVE: CVE-2026-22860
GHSA: GHSA-mxw3-3hh2-x2mh
Severity: High
Title: Rack has a Directory Traversal via Rack::Directory
Description: Directory traversal vulnerability in Rack::Directory middleware
allowing unauthorized access to filesystem outside intended scope
URL: GHSA-mxw3-3hh2-x2mh
Issue 2:
CVE: CVE-2026-25500
GHSA: GHSA-whrj-4476-wvmp
Severity: Medium
Title: Stored XSS in Rack::Directory via javascript: filenames
Description: Cross-site scripting vulnerability when Rack::Directory renders
filenames containing javascript: URLs into anchor href attributes
URL: GHSA-whrj-4476-wvmp
FILES/MODULES USING THIS GEM:
Direct Usage:
• config/initializers/cors.rb:10
- Configures Rack::Cors middleware for cross-origin API access
• config.ru:7
- Rack application entry point for Rails application
• spec/controllers/api/v1/documents_controller_spec.rb:53,81
- Uses Rack::Test::UploadedFile for file upload testing
Indirect Usage:
• Rails 7.2 framework built on Rack (version 3.2.5)
• rack-session, rack-test, rackup gems in middleware stack
• All HTTP request/response handling flows through Rack
POTENTIAL IMPACT AREAS:
⚠️ CRITICAL - Web Server Interface:
- Rack is the foundation for the entire Rails application
- All HTTP requests/responses are processed through Rack middleware
- Rack::Cors middleware inserted at position 0 in middleware stack
- Allows cross-origin requests from hotfix-2-enroll.priv.dchbx.org
- Critical for API accessibility from configured domains
- config.ru runs Rails.application as Rack application
- Enables deployment with Puma app server
- All API endpoints depend on Rack's request/response handling
- Test suite uses Rack::Test::UploadedFile for multipart uploads
- Document creation workflow processes file uploads through Rack
- API endpoints: create, download, copy depend on Rack
ℹ️ NOTE - Rack::Directory Not Used:
- While CVE-2026-22860 affects Rack::Directory, this application
does not appear to use that specific middleware
- Update is still critical due to Rack being core infrastructure
RECOMMENDED ACTIONS:
================================================================================
┌──────────────────────────────────────────────────────────────────────────────┐
│ SUMMARY & PRIORITY RECOMMENDATIONS │
└──────────────────────────────────────────────────────────────────────────────┘
CRITICAL PRIORITY:
1. ✓ JSON gem (2.18.0 → 2.19.3)
2. ✓ Rack gem (3.2.4 → 3.2.5)
MODERATE PRIORITY:
3. ✓ Nokogiri gem (1.19.0 → 1.19.2)
- UPDATED: XML canonicalization issue
- IMPACT: Rails framework internal request processing
- ACTION: Monitor for any Rails-level parsing issues
TESTING CHECKLIST:
☐ Authentication with various X-RequestingIdentity header formats
☐ Document upload with edge-case JSON metadata payloads
☐ All CRUD API endpoints (index, show, create, update, delete)
☐ Document download and streaming functionality
☐ CORS requests from configured origin domains
☐ File upload processing with various file types and sizes
☐ API response serialization for all endpoints
☐ Error handling and logging review
DEPLOYMENT NOTES:
• All gem updates are patch/minor version updates
• No breaking changes expected in updated versions
• Gemfile.lock has been updated with new versions
• Run bundle install on deployment to ensure consistency
• Consider running test suite before deploying to production
• Monitor application logs after deployment for any issues
================================================================================
END OF REPORT
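The deployment notes say Gemfile.lock has been updated; the check a reviewer wants is that the lockfile really pins each audited gem at or above the version named in the report. The script below is an added example, not part of this PR or the project's code. It runs offline on a constructed Gemfile.lock fragment (not the project's real lockfile) in which nokogiri is deliberately left one patch level behind, and the patched-version table is taken from the report above.

```ruby
# Added example (not the project's code): confirm the lockfile pins the
# patched versions from the bundler-audit report. Point it at a real
# lockfile with unpatched_gems(File.read("Gemfile.lock")).

# Minimum patched versions, taken from the report above.
PATCHED_VERSIONS = {
  "json"     => "2.19.3",
  "loofah"   => "2.25.1",
  "nokogiri" => "1.19.2",
  "rack"     => "3.2.5",
}.freeze

# Constructed Gemfile.lock fragment (not the project's real lockfile).
# nokogiri is deliberately one patch behind to show a failing check.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.19.3)
      loofah (2.25.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)
      nokogiri (1.19.1-x86_64-linux-gnu)
        racc (~> 1.4)
      rack (3.2.5)
      rack-test (2.2.0)
        rack (>= 1.3)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    json
    rack
LOCK

# Extract resolved versions from the "specs:" section of a Gemfile.lock.
# Resolved gems are indented by exactly four spaces; the six-space lines
# under them are dependency constraints such as "rack (>= 1.3)", not pins,
# and must be ignored or a loose constraint could pass as a version.
def lockfile_gem_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    # A blank line or a top-level heading (PLATFORMS, ...) ends the section.
    in_specs = false if in_specs && line !~ /\A {4}/
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    # Platform pins look like "1.19.1-x86_64-linux-gnu"; keep the version
    # part before the platform suffix so Gem::Version can compare it.
    versions[m[1]] = m[2].split("-", 2).first
  end
  versions
end

# Compare every gem in the report against the lockfile. Returns
# gem => [resolved, required] for each gem that is missing or still below
# the patched version; an empty hash means the update actually landed.
def unpatched_gems(lockfile_text, required = PATCHED_VERSIONS)
  resolved = lockfile_gem_versions(lockfile_text)
  required.each_with_object({}) do |(name, min), bad|
    have = resolved[name]
    if have.nil? || Gem::Version.new(have) < Gem::Version.new(min)
      bad[name] = [have, min]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  bad = unpatched_gems(SAMPLE_LOCKFILE)
  if bad.empty?
    puts "all audited gems at or above patched versions"
  else
    bad.each { |g, (have, min)| puts "#{g}: have #{have.inspect}, need >= #{min}" }
  end
end
```

Gem::Version does the comparison so that, for example, 2.19.10 is correctly treated as newer than 2.19.3; a plain string compare would get that wrong. Running this in CI after `bundle install` catches a lockfile that was edited by hand but never re-resolved.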
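The report's critical item is that ValidateResourceIdentitySignature parses JSON out of a Base64-decoded X-RequestingIdentity header. Bumping the json gem closes the advisory, but the parsing path is still attacker-controlled input on the authentication boundary. The following is an added example, not the project's operation and not tied to the details of CVE-2026-33210: a generic hardening of that decode-then-parse step that bounds input size, uses strict Base64 decoding, caps JSON nesting and insists on a JSON object. The header size limit, nesting limit and the sample identity keys are assumptions for illustration.

```ruby
require "json"

# Added example (not the project's ValidateResourceIdentitySignature):
# defensively decode a Base64-encoded JSON identity header.

MAX_HEADER_BYTES = 4096  # assumed ceiling; raise it if real identities are larger
MAX_JSON_NESTING = 8     # assumed; identity documents are flat, deep nesting is a red flag

class IdentityHeaderError < StandardError; end

def parse_identity_header(raw)
  raise IdentityHeaderError, "missing header" if raw.nil? || raw.empty?
  raise IdentityHeaderError, "header too large" if raw.bytesize > MAX_HEADER_BYTES

  # "m0" is strict RFC 4648 Base64: it raises on non-alphabet bytes, bad
  # padding and embedded newlines, whereas the lenient "m" decoder skips
  # junk silently and would accept a mangled header.
  begin
    decoded = raw.unpack1("m0")
  rescue ArgumentError
    raise IdentityHeaderError, "not valid base64"
  end

  # unpack1 returns binary; check it is well-formed UTF-8 before parsing.
  decoded.force_encoding(Encoding::UTF_8)
  raise IdentityHeaderError, "not valid UTF-8" unless decoded.valid_encoding?

  begin
    doc = JSON.parse(decoded, max_nesting: MAX_JSON_NESTING, create_additions: false)
  rescue JSON::ParserError # JSON::NestingError is a subclass
    raise IdentityHeaderError, "not valid JSON"
  end

  # JSON.parse returns a String, Integer or Array for a top-level scalar or
  # array; an identity must be an object, so reject anything else.
  raise IdentityHeaderError, "identity must be a JSON object" unless doc.is_a?(Hash)
  doc
end

# Convenience predicate: true if the header is rejected by the checks above.
def identity_header_rejected?(raw)
  parse_identity_header(raw)
  false
rescue IdentityHeaderError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header; the keys are illustrative, not the project's schema.
  sample = [{ "id" => "user-123", "role" => "reader" }.to_json].pack("m0")
  p parse_identity_header(sample)
  p identity_header_rejected?(['"just-a-string"'].pack("m0"))
end
```

The signature check that follows decoding should be computed over the exact decoded bytes, not over a re-serialised hash, so that a parser quirk cannot produce two byte strings that verify as the same identity.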