Security: Fix bundler-audit vulnerabilities

[polographer]

================================================================================
GEM VULNERABILITY UPDATE REVIEW

Date: March 25, 2026
Status: All vulnerabilities resolved
Gems Updated: 4 (json, loofah, nokogiri, rack)

================================================================================

1. JSON GEM
   ================================================================================

VERSION CHANGE:
2.18.0 → 2.19.3

VULNERABILITY DETAILS:

• CVE: CVE-2026-33210
• GHSA: GHSA-3m6g-2423-7cp3
• Severity: Unknown
• Issue: Format string injection vulnerability
• Advisory: GHSA-3m6g-2423-7cp3

POTENTIAL IMPACT AREAS:
⚠️ HIGH PRIORITY - Authentication & Authorization
• Parses requesting identity data from Base64-decoded headers
• Location: validate_resource_identity_signature.rb:46
• Risk: JSON parsing of authentication data is security-critical

⚠️ MEDIUM PRIORITY - API Controllers
• Document creation endpoint parses JSON from request params
• Location: documents_controller.rb:113
• Risk: User input parsing could be exploited

ℹ️ LOW PRIORITY - Test Suite
• Multiple JSON.parse() calls in test specs
• Used for parsing test responses and creating fixtures
• Risk: Minimal - test-only usage

FUNCTIONAL AREAS:

• API request/response handling
• Identity validation and signature verification
• Data serialization and deserialization
• Test fixtures and response parsing

RECOMMENDATIONS:
• Test authentication flow thoroughly (identity header parsing)
• Verify document creation endpoint handles malformed JSON gracefully
• Review all JSON.parse() operations for proper error handling
• Run integration tests for API endpoints

================================================================================
2. LOOFAH GEM

VERSION CHANGE:
2.25.0 → 2.25.1

VULNERABILITY DETAILS:

• GHSA: GHSA-46fp-8f5p-pf2m
• Severity: Unknown
• Issue: Improper detection of disallowed URIs by allowed_uri?
• Advisory: GHSA-46fp-8f5p-pf2m

POTENTIAL IMPACT AREAS:
ℹ️ LOW DIRECT RISK - Rails Framework Dependency
• Installed as transitive dependency via rails-html-sanitizer (v1.6.2)
• No explicit Loofah calls found in application code
• Application is API-only (config.api_only = true)

FUNCTIONAL AREAS:

• Rails framework internal HTML sanitization
• ActionView and ActionPack implicit sanitization
• Parameter handling (Rails framework level)

USAGE NOTES:
• Not directly used in application code
• Application doesn't render HTML views or process HTML content
• Minimal risk due to API-only configuration

RECOMMENDATIONS:
• Monitor for updates but low priority given no direct usage
• No specific testing required unless HTML processing is added

================================================================================
3. NOKOGIRI GEM

VERSION CHANGE:
1.19.0 → 1.19.2

VULNERABILITY DETAILS:

• GHSA: GHSA-wx95-c6cv-8532
• Severity: Medium
• Issue: Does not check return value from xmlC14NExecute
• Advisory: GHSA-wx95-c6cv-8532

POTENTIAL IMPACT AREAS:
ℹ️ LOW DIRECT RISK - Rails Framework Dependency
• Required by ActionPack, ActionText, and rails-dom-testing
• No explicit XML/HTML parsing in application code
• No web scraping or document processing operations

FUNCTIONAL AREAS:

• Rails framework internal DOM operations
• Testing infrastructure (rails-dom-testing)
• Framework-level HTML/XML handling

USAGE NOTES:
• Not directly used in application code
• Application processes binary documents (PDFs via Shrine), not XML/HTML
• Framework uses it internally for testing and ActionText support

RECOMMENDATIONS:
• Monitor for updates but low priority given no direct usage
• No specific testing required unless XML/HTML processing is added

================================================================================
4. RACK GEM

VERSION CHANGE:
3.2.4 → 3.2.5

VULNERABILITY DETAILS:

• CVE: CVE-2026-22860, CVE-2026-25500
• GHSA: GHSA-mxw3-3hh2-x2mh, GHSA-whrj-4476-wvmp
• Severity: High, Medium
• Issues:
  1. Directory Traversal via Rack::Directory
  2. Stored XSS in Rack::Directory via javascript: filenames

POTENTIAL IMPACT AREAS:
⚠️ HIGH PRIORITY - CORS Configuration
• Rack::Cors middleware limits cross-origin access
• Location: initializers/cors.rb
• Configuration: Restricted to 'hotfix-2-enroll.priv.dchbx.org'
• Risk: Critical for preventing unauthorized cross-origin requests

⚠️ HIGH PRIORITY - Custom Authentication Headers
• Processes HTTP_X_REQUESTINGIDENTITY header
• Processes HTTP_X_REQUESTINGIDENTITYSIGNATURE header
• Location: validate_resource_identity_signature.rb
• Risk: Core authentication mechanism relies on Rack header processing

⚠️ MEDIUM PRIORITY - File Upload & Streaming
• Document upload handling (multipart form data)
• Location: documents_controller.rb:52-100
• File streaming via ActionController::Live
• Response header manipulation (Content-Type, Content-Disposition, Cache-Control)
• Risk: File upload vulnerabilities could allow malicious content

ℹ️ LOW PRIORITY - Test Infrastructure
• Rack::Test::UploadedFile for simulating uploads in tests
• Risk: Minimal - test-only usage

FUNCTIONAL AREAS:

• HTTP request/response handling (core web server interface)
• Middleware stack (CORS, session management)
• Custom header authentication system
• File upload and download processing
• Test infrastructure

USAGE NOTES:
• Rack is fundamental to the application's HTTP layer
• Rails 7.2 uses Rack 3.x with multiple Rack-based middleware
• Application implements custom authentication via Rack request headers
• Uses Rack's streaming capabilities for large file downloads

RECOMMENDATIONS:
• Test CORS configuration thoroughly - verify cross-origin restrictions work
• Test custom authentication header processing end-to-end
• Verify file upload handling with various file types and sizes
• Test file download streaming functionality
• Review error handling for malformed requests
• Run integration tests for all API endpoints

================================================================================
TESTING PRIORITIES

CRITICAL (Must Test):

1. Authentication flow with identity headers (JSON + Rack)
2. CORS configuration enforcement (Rack)
3. File upload and download operations (Rack)
4. Document creation endpoint with JSON input (JSON)

RECOMMENDED (Should Test):
5. All API endpoints for general regression
6. Error handling for malformed JSON
7. Error handling for malformed HTTP requests

LOW PRIORITY (Optional):
8. Test suite passes (loofah & nokogiri are test dependencies)

================================================================================
VERIFICATION STATUS

✓ bundler-audit scan: No vulnerabilities found
✓ All gems successfully updated
✓ Gemfile.lock updated

Next Steps:
→ Run full test suite
→ Deploy to staging environment for integration testing
→ Monitor application logs for any parsing errors
→ Review and test priority areas listed above