Security: Fix bundler-audit vulnerabilities

[polographer]

================================================================================
SECURITY VULNERABILITY REMEDIATION REPORT

Generated: March 25, 2026
All vulnerabilities have been successfully resolved.

================================================================================

1. JSON GEM
   ================================================================================

VERSIONS

Old Version: 2.18.0
New Version: 2.19.3

SECURITY ISSUES

CVE: CVE-2026-33210
GHSA: GHSA-3m6g-2423-7cp3
Severity: Unknown
Title: Ruby JSON has a format string injection vulnerability
URL: GHSA-3m6g-2423-7cp3

DESCRIPTION

The json gem had a format string injection vulnerability that could potentially
allow attackers to inject malicious format strings during JSON parsing operations.

FILES/MODULES USING THIS GEM

DIRECT USAGE:

1. /app/controllers/api/v1/documents_controller.rb (line 113)

   • JSON.parse(params[:document])
   • Parses JSON document metadata from request parameters

2. /app/domain/cartafact/operations/validate_resource_identity_signature.rb (line 46)

   • JSON.parse(data)
   • Parses Base64-decoded identity data for signature validation

3. Test Files:

   • /spec/controllers/api/v1/documents_controller_spec.rb
     Lines 40, 62, 67, 81, 134, 208, 337, 380
   • /spec/domain/operations/validate_resource_identity_signature_spec.rb
     Lines 95, 116, 162

INDIRECT USAGE (via Rails framework):

4. /app/controllers/application_controller.rb (lines 16, 19, 22, 26)

   • render json: {...} for authentication error responses

5. /app/controllers/api/v1/documents_controller.rb (lines 16, 18, 32, 44, 46, 74, 76, 126)

   • render :json => result.value! for API responses
   • All API endpoints return JSON responses

6. /app/serializers/document_serializer.rb (lines 4-37)

   • Uses FastJsonapi::ObjectSerializer for structured JSON serialization
   • Serializes Document models with Dublin Core metadata

7. /config/initializers/wrap_parameters.rb (line 10)

   • wrap_parameters format: [:json]

POTENTIAL IMPACT AREAS

CRITICAL - Affects core functionality:
✓ API Request/Response Handling - All document CRUD operations
✓ Authentication & Authorization - Identity signature validation
✓ Document Serialization - Converting document models to JSON API format
✓ Request Parameter Parsing - Document metadata from multipart requests

REVIEW PRIORITY: HIGH
The json gem is used extensively throughout the application for API operations
and authentication. Both direct parsing operations and all API response rendering
could have been vulnerable. Verify that API endpoints handle malformed JSON
correctly and that authentication flows reject invalid identity signatures.

================================================================================
2. LOOFAH GEM

VERSIONS

Old Version: 2.25.0
New Version: 2.25.1

SECURITY ISSUES

GHSA: GHSA-46fp-8f5p-pf2m
Severity: Unknown
Title: Improper detection of disallowed URIs by Loofah allowed_uri?
URL: GHSA-46fp-8f5p-pf2m

DESCRIPTION

Loofah had an issue with improper detection of disallowed URIs in the
allowed_uri? method, which could allow malicious URIs to bypass sanitization.

FILES/MODULES USING THIS GEM

NO DIRECT USAGE FOUND

INDIRECT USAGE (via Rails framework):

1. Via rails-html-sanitizer (Rails Framework Dependency)

   • ActionView uses rails-html-sanitizer (~> 1.6)
   • ActionPack uses rails-html-sanitizer (~> 1.6)
   • ActionMailer uses rails-dom-testing (~> 2.2) which includes sanitization

2. HTML Sanitization in Mailer Views:

   • /app/views/layouts/mailer.html.erb
   • Email HTML layouts (automatic sanitization)

3. Rails Security Layer:

   • Protects against XSS attacks in any HTML rendering
   • Sanitizes parameters that might contain HTML
   • Used by ActionView for safe HTML output

POTENTIAL IMPACT AREAS

LOW - Minimal direct impact (API-only application):
✓ HTML Sanitization in Email Templates - /app/views/layouts/mailer.html.erb
✓ Rails Security Layer - XSS protection for any HTML content
✓ Development/Test Helpers - Used by rails-dom-testing in controller specs

REVIEW PRIORITY: LOW
This is primarily an API application with minimal HTML rendering. Loofah is
used indirectly through Rails for HTML sanitization. The main exposure point
would be email templates. Verify that email views do not render user-supplied
HTML content, or if they do, that the sanitization is working correctly.

================================================================================
3. NOKOGIRI GEM

VERSIONS

Old Version: 1.19.0
New Version: 1.19.2

SECURITY ISSUES

GHSA: GHSA-wx95-c6cv-8532
Severity: Medium
Title: Nokogiri does not check the return value from xmlC14NExecute
URL: GHSA-wx95-c6cv-8532

DESCRIPTION

Nokogiri failed to check the return value from xmlC14NExecute, which could
lead to undefined behavior or security issues during XML canonicalization
operations.

FILES/MODULES USING THIS GEM

NO DIRECT USAGE FOUND

INDIRECT USAGE (via Rails framework and other gems):

1. Via Rails Framework (Critical Dependency):

   • ActionPack requires nokogiri (>= 1.8.5)
   • ActionText requires nokogiri (>= 1.8.5)
   • ActionView (implicit via rails-html-sanitizer)

2. Via loofah:

   • loofah (2.25.1) requires nokogiri (>= 1.12.0)
   • Provides XML/HTML parsing backend for sanitization

3. Via rails-dom-testing:

   • rails-dom-testing (2.3.0) requires nokogiri (>= 1.6)
   • Used in RSpec controller tests for parsing responses

AFFECTED AREAS:

4. HTTP Request/Response Parsing:

   • ActionPack uses nokogiri for parsing XML/HTML in requests
   • Content-Type negotiation and parameter parsing

5. Test Suite:

   • /spec/controllers/api/v1/documents_controller_spec.rb
   • RSpec controller tests use rails-dom-testing

6. Email Template Processing:

   • ActionMailer uses nokogiri for HTML email generation
   • /app/views/layouts/mailer.html.erb processing

POTENTIAL IMPACT AREAS

MEDIUM - Indirect but widespread usage:
✓ HTTP Request/Response Parsing - ActionPack XML/HTML parameter parsing
✓ Test Suite Support - Response parsing and validation in RSpec tests
✓ Rails HTML Sanitization Backend - Powers loofah's parsing capabilities
✓ Email Template Processing - HTML email generation

REVIEW PRIORITY: MEDIUM
While not directly used in application code, nokogiri is a critical dependency
for Rails HTTP processing and HTML sanitization. If the application accepts
XML requests or processes XML in any way, this could have been exploitable.
Verify that API endpoints properly validate Content-Type and reject malformed
XML/HTML input. Test email generation to ensure HTML templates render correctly.

================================================================================
4. RACK GEM

VERSIONS

Old Version: 3.2.4
New Version: 3.2.5

SECURITY ISSUES

CVE: CVE-2026-22860
GHSA: GHSA-mxw3-3hh2-x2mh
Severity: High
Title: Rack has a Directory Traversal via Rack::Directory
URL: GHSA-mxw3-3hh2-x2mh

CVE: CVE-2026-25500
GHSA: GHSA-whrj-4476-wvmp
Severity: Medium
Title: Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
URL: GHSA-whrj-4476-wvmp

DESCRIPTION

Two vulnerabilities were found in Rack:

1. Directory Traversal: Could allow attackers to access files outside intended
   directories via Rack::Directory middleware.
2. Stored XSS: Malicious filenames with javascript: URIs could be rendered as
   clickable links, enabling XSS attacks.

FILES/MODULES USING THIS GEM

DIRECT USAGE:

1. /config/initializers/cors.rb (line 10)

   • Rack::Cors - CORS middleware configuration
   • Allows cross-origin requests from 'hotfix-2-enroll.priv.dchbx.org'

2. Test Files:

   • /spec/controllers/api/v1/documents_controller_spec.rb (lines 53, 81)
   • Rack::Test::UploadedFile.new(tempfile, "application/pdf")
   • Simulates file uploads in RSpec tests

INDIRECT USAGE (EXTENSIVE - Core Foundation):

3. Web Server:

   • config.ru (line 7): run Rails.application
   • Puma web server (Rack-based) - config/puma.rb

4. Rails Framework (Core Dependency):

   • ActionPack requires rack (>= 2.2.4, < 3.3)
   • rack-session (2.1.1) - Session management
   • rack-test (2.2.0) - Testing framework
   • rack-cors (3.0.0) - CORS handling
   • rackup (2.3.1) - Application server interface

5. All Controllers:

   • /app/controllers/application_controller.rb

     • request.headers (line 10)
     • render json: (lines 16, 19, 22, 26)

   • /app/controllers/api/v1/documents_controller.rb

     • All 5 controller actions use Rack's request/response cycle
     • ActionController::Live streaming (line 50)
     • response.stream.write (line 91)
     • HTTP headers via Rack interface (lines 103-107)
     • params[:document], params[:id], params[:content]
     • Custom headers: request.headers["HTTP_X_REQUESTINGIDENTITY"]

6. File Operations:

   • Document download functionality (lines 52-100)
   • Chunked transfer encoding via response.stream
   • HTTP headers: Last-Modified, Content-Type, Content-Disposition

POTENTIAL IMPACT AREAS

CRITICAL - Rack is the foundational HTTP layer:
✓ HTTP Server Foundation - config.ru, Puma web server, all HTTP handling
✓ Middleware Stack - Rack::Cors for CORS, Rails middleware chain
✓ API Controllers - All 5 controller actions (index, show, create, download, copy)
✓ Request/Response Handling - params, request, response, headers access
✓ File Streaming - Document download with chunked transfer encoding
✓ Session & Authentication - JWT token extraction, signature validation
✓ Test Infrastructure - File upload testing, request/response simulation

REVIEW PRIORITY: CRITICAL
Rack is the absolute foundation of the application's HTTP layer. Every single
HTTP request and response goes through Rack. While Rack::Directory is not
explicitly used in this application, the entire request/response cycle was
potentially vulnerable.

SPECIFIC AREAS TO TEST:

1. CORS Configuration - Verify /config/initializers/cors.rb settings are correct
2. File Downloads - Test /api/v1/documents/:id/download for path traversal
   • Ensure document IDs cannot contain '../' or similar patterns
   • Verify file streaming only accesses authorized document storage
3. File Uploads - Test document creation with various filenames
   • Ensure filenames are sanitized before storage
   • Verify Content-Disposition headers escape special characters
4. API Authentication - Verify JWT token validation is secure
   • Test with malformed Authorization headers
   • Verify signature validation rejects invalid tokens
5. Request Parameter Handling - Test all API endpoints with malicious input
   • Path traversal attempts in document IDs
   • XSS attempts in document metadata
   • Malformed JSON in request bodies

================================================================================
TESTING RECOMMENDATIONS

HIGH PRIORITY TESTS:

1. Document Download Endpoint

   • Test with document IDs containing '../', '..%2F', etc.
   • Verify only authorized documents are accessible
   • Test with various Content-Disposition filenames

2. Document Upload/Create

   • Test with filenames containing special characters
   • Test with javascript: URIs in metadata
   • Verify filename sanitization

3. Authentication Flow

   • Test JWT token validation with malformed tokens
   • Test signature validation with invalid signatures
   • Test with missing or malicious HTTP_X_REQUESTINGIDENTITY headers

4. API Endpoints with JSON Parsing

   • Test all endpoints with malformed JSON
   • Test with deeply nested JSON structures
   • Test with format string injection attempts in JSON values

MEDIUM PRIORITY TESTS:

1. CORS Configuration

   • Verify only authorized origins can make cross-origin requests
   • Test with various Origin headers

2. Email Templates

   • If emails include user-supplied content, verify HTML sanitization
   • Test with malicious HTML/JavaScript in email content

3. API Response Rendering

   • Verify all JSON responses are properly escaped
   • Test with special characters in document metadata

================================================================================
DEPENDENCY SUMMARY

Gem Dependency Tree:

rails (7.2.3)
├── actionpack
│ ├── rack (>= 2.2.4, < 3.3) ✓ UPDATED
│ ├── nokogiri (>= 1.8.5) ✓ UPDATED
│ └── rails-html-sanitizer (> 1.6)
│ ├── loofah (> 2.21) ✓ UPDATED
│ └── nokogiri ✓ UPDATED
├── actionview
│ └── rails-html-sanitizer ✓
├── actionmailer
│ └── rails-dom-testing
│ └── nokogiri ✓ UPDATED
└── actiontext
└── nokogiri ✓ UPDATED

puma (~> 6.0)
└── nio4r (Rack-based server)

rack-cors
└── rack (>= 3.0.14) ✓ UPDATED

fast_jsonapi
└── activesupport (JSON serialization)

rubocop
└── json (~> 2.3) ✓ UPDATED

Critical Usage Patterns:

• json: Explicit parsing in 2 places, implicit everywhere via Rails JSON rendering
• loofah: Entirely indirect, provides HTML sanitization security layer
• nokogiri: Entirely indirect, provides XML/HTML parsing for Rails and loofah
• rack: Foundational - 1 explicit use (CORS), hundreds of implicit uses (entire HTTP layer)

================================================================================
CONCLUSION

All four gems have been successfully updated and all security vulnerabilities
have been resolved. The updates are backward-compatible and should not break
existing functionality, but thorough testing is recommended due to the critical
nature of these dependencies.

Focus testing efforts on:

1. Document download/upload functionality (rack vulnerabilities)
2. Authentication and JWT validation (json vulnerability)
3. API request/response handling (all gems)
4. File streaming and Content-Disposition headers (rack vulnerabilities)

Next Steps:

1. Run full test suite: bundle exec rspec
2. Perform manual testing of document upload/download flows
3. Test authentication with various token formats
4. Deploy to staging environment for integration testing
5. Monitor application logs for any parsing errors or authentication failures

================================================================================