Security: Fix bundler-audit vulnerabilities #19
Closed
polographer wants to merge 1 commit into trunk from
This commit updates vulnerable gems identified by bundler-audit. See PR description for detailed analysis of changes and affected components.
================================================================================
SECURITY VULNERABILITY REMEDIATION REPORT
Generated: Wed Mar 25 2026
SUMMARY
Total Vulnerable Gems Found: 4
Total Gems Updated: 4
All Vulnerabilities: RESOLVED
================================================================================
GEM UPDATE #1: json
VERSION CHANGE
2.18.0 -> 2.19.3
SECURITY ISSUE
CVE: CVE-2026-33210
GHSA: GHSA-3m6g-2423-7cp3
Severity: Unknown
Title: Ruby JSON has a format string injection vulnerability
Reference: GHSA-3m6g-2423-7cp3
FILES/MODULES USING THIS GEM
DIRECT USAGE:
• app/controllers/api/v1/documents_controller.rb:113
- Uses JSON.parse() to parse document metadata from request parameters
• app/domain/cartafact/operations/validate_resource_identity_signature.rb:46
- Uses JSON.parse() to decode Base64-encoded identity headers for authentication
• spec/controllers/api/v1/documents_controller_spec.rb (multiple lines)
- Uses JSON.dump() to serialize document data in tests
- Uses JSON.parse() to validate API responses
• spec/domain/operations/validate_resource_identity_signature_spec.rb
- Uses JSON.dump() for encoding identity headers in authentication tests
INDIRECT USAGE (via Rails):
• All controller JSON rendering (render json: statements) - 12+ occurrences
• Parameter wrapping (config/initializers/wrap_parameters.rb)
• FastJsonapi gem (serialization library)
• RuboCop configuration parsing
POTENTIAL IMPACT AREAS
CRITICAL IMPACT:
• API Controllers (api/v1/documents_controller.rb, application_controller.rb)
- All API endpoints that return JSON responses
• Authentication System (validate_resource_identity_signature.rb)
- Identity validation and signature verification
• Serialization Layer (DocumentSerializer)
- Document data serialization using FastJsonapi
• Test Suite
- All controller and integration tests that parse/generate JSON
TESTING RECOMMENDATIONS:
[ ] Test all API endpoints for proper JSON response formatting
[ ] Verify authentication with identity headers still works correctly
[ ] Run full test suite to ensure JSON serialization/parsing works
[ ] Test document creation with metadata JSON parsing
[ ] Verify API error responses are properly formatted
================================================================================
GEM UPDATE #2: loofah
VERSION CHANGE
2.25.0 -> 2.25.1
SECURITY ISSUE
GHSA: GHSA-46fp-8f5p-pf2m
Severity: Unknown
Title: Improper detection of disallowed URIs by Loofah allowed_uri?
Reference: GHSA-46fp-8f5p-pf2m
FILES/MODULES USING THIS GEM
DIRECT USAGE:
• None - loofah is not directly used in application code
INDIRECT USAGE (via Rails dependencies):
• Required by rails-html-sanitizer (v1.6.2)
- Used by actionpack (v7.2.3) for request/response handling
- Used by actionview (v7.2.3) for view rendering
• Rails automatically uses loofah through rails-html-sanitizer for:
- Sanitizing request parameters
- HTML content in error messages
- View rendering (minimal impact since app is API-only)
POTENTIAL IMPACT AREAS
MEDIUM IMPACT:
• Request Processing
- Implicit protection for all controller actions that handle user input
- Parameter sanitization in ActionPack middleware
• Error Handling
- HTML sanitization in error messages rendered by ApplicationController
• Framework-level Security
- Rails framework's HTML sanitization layer
NOTE: Since this is a Rails API-only application (config.api_only = true), HTML
sanitization is less critical but still used by the framework for error pages
and parameter handling.
TESTING RECOMMENDATIONS:
[ ] Test error page rendering
[ ] Verify request parameter handling works correctly
[ ] Check that user input sanitization still functions properly
[ ] Test any endpoints that might process HTML content
================================================================================
GEM UPDATE #3: nokogiri
VERSION CHANGE
1.19.0 -> 1.19.2
SECURITY ISSUE
GHSA: GHSA-wx95-c6cv-8532
Severity: Medium
Title: Nokogiri does not check the return value from xmlC14NExecute
Reference: GHSA-wx95-c6cv-8532
FILES/MODULES USING THIS GEM
DIRECT USAGE:
• None - nokogiri is not directly used in application code
INDIRECT USAGE (via Rails dependencies):
• Required by multiple Rails components:
- actionpack (v7.2.3) - requires nokogiri >= 1.8.5
- actiontext (v7.2.3) - requires nokogiri >= 1.8.5
- rails-dom-testing (v2.3.0) - requires nokogiri >= 1.6
- loofah (v2.25.1) - requires nokogiri >= 1.12.0
- rails-html-sanitizer (v1.6.2) - requires nokogiri
• Rails uses nokogiri for:
- HTML/XML parsing in rails-dom-testing (used in test suite)
- HTML sanitization through loofah
- Request/response processing in ActionPack
- Parsing XML request bodies if XML APIs are used
POTENTIAL IMPACT AREAS
MEDIUM IMPACT:
• Test Suite
- Rails-dom-testing for controller specs
- RSpec integration tests
• Request Processing
- ActionPack middleware for parsing requests
- Potential XML request body parsing
• HTML Sanitization
- Used by loofah in rails-html-sanitizer
• Framework Infrastructure
- Core Rails dependency for document processing
FUTURE CONSIDERATIONS:
Given this is a document management system, nokogiri could be useful for:
• Parsing XML/HTML documents if that feature is added
• Extracting metadata from uploaded documents
• Processing structured document formats
TESTING RECOMMENDATIONS:
[ ] Run full test suite (ensures rails-dom-testing works correctly)
[ ] Test controller specs that parse request/response bodies
[ ] Verify any XML/HTML parsing functionality (if present)
[ ] Check ActionPack middleware functionality
================================================================================
GEM UPDATE #4: rack
VERSION CHANGE
3.2.4 -> 3.2.5
SECURITY ISSUES
Issue #1:
CVE: CVE-2026-22860
GHSA: GHSA-mxw3-3hh2-x2mh
Severity: High
Title: Rack has a Directory Traversal via Rack::Directory
Reference: GHSA-mxw3-3hh2-x2mh
Issue #2:
CVE: CVE-2026-25500
GHSA: GHSA-whrj-4476-wvmp
Severity: Medium
Title: Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Reference: GHSA-whrj-4476-wvmp
FILES/MODULES USING THIS GEM
DIRECT USAGE:
• config/initializers/cors.rb:10
- Uses Rack::Cors middleware for Cross-Origin Resource Sharing
- Configured to allow requests from 'hotfix-2-enroll.priv.dchbx.org'
• spec/controllers/api/v1/documents_controller_spec.rb:53, 81
- Uses Rack::Test::UploadedFile for file upload testing
INDIRECT USAGE (via Rails and gems):
• config.ru
- Rack application startup file (runs Rails.application)
• Required by multiple dependencies:
- actionpack - requires rack (>= 2.2.4, < 3.3)
- rack-cors (v3.0.0) - requires rack >= 3.0.14
- rack-session (v2.1.1) - requires rack >= 3.0.0
- rack-test (v2.2.0) - requires rack >= 1.3
- rackup (v2.3.1) - requires rack >= 3
- puma (v6.6.1) - Rack-compliant web server
FRAMEWORK INTEGRATION:
Rack is the foundation of the entire web application:
• Web Server Interface - Puma uses Rack to serve the application
• Middleware Stack - All Rails middleware is Rack-based
• HTTP Protocol - All request/response handling goes through Rack
POTENTIAL IMPACT AREAS
CRITICAL IMPACT:
• Web Server Infrastructure
- Puma web server (config/puma.rb, config.ru)
- Entire application runs on Rack
- ALL API endpoints affected
• CORS Configuration
- Cross-origin request handling (config/initializers/cors.rb)
- API security for allowed origins
• File Upload/Download
- Document creation endpoint (file uploads)
- Document download with streaming (ActionController::Live)
- Rack::Test::UploadedFile in tests
• Middleware Stack
- Request/response lifecycle management
- All HTTP request processing
- Session handling (rack-session)
• Test Suite
- Rack::Test for request specs
- File upload testing
TESTING RECOMMENDATIONS:
[ ] CRITICAL: Test all API endpoints for basic functionality
[ ] Test CORS configuration and cross-origin requests
[ ] Test file upload functionality (document creation)
[ ] Test file download functionality (document retrieval)
[ ] Test streaming responses (ActionController::Live)
[ ] Verify Puma web server starts and serves requests correctly
[ ] Run full test suite to ensure Rack::Test works properly
[ ] Test middleware stack functionality
[ ] Verify session handling if sessions are used
================================================================================
OVERALL RISK ASSESSMENT
CRITICAL DEPENDENCIES:
UPDATE RISK LEVELS:
HIGH RISK:
• rack: Changes could break the entire application, CORS, or file uploads
• json: Could break API serialization, authentication, and all endpoints
MEDIUM RISK:
• nokogiri: Primarily affects Rails internals and test suite
• loofah: Affects Rails security features but limited direct impact in API-only app
COMPREHENSIVE TESTING STRATEGY:
Phase 1 - Critical Functionality:
[ ] Start the application (bundle exec rails server)
[ ] Test basic API endpoint connectivity
[ ] Verify authentication works (identity signature validation)
[ ] Test document creation (file upload + JSON metadata)
[ ] Test document retrieval/download
Phase 2 - JSON Functionality:
[ ] Test all API endpoints for proper JSON responses
[ ] Verify JSON parsing in request parameters
[ ] Check serialization with FastJsonapi
[ ] Test error responses in JSON format
Phase 3 - Rack Infrastructure:
[ ] Test CORS functionality with allowed origin
[ ] Verify file upload handling
[ ] Test streaming download responses
[ ] Check middleware stack functionality
Phase 4 - Framework Dependencies:
[ ] Run full test suite (RSpec)
[ ] Verify request parameter sanitization
[ ] Test error page rendering
[ ] Check XML/HTML parsing if used
Phase 5 - Integration Testing:
[ ] Test end-to-end document workflows
[ ] Verify authentication flows
[ ] Test edge cases and error conditions
[ ] Performance testing for streaming responses
ROLLBACK PLAN:
If issues are discovered after deployment:
================================================================================
END OF REPORT