
Security: Fix bundler-audit vulnerabilities#21

Open
polographer wants to merge 1 commit into trunk from bundler-audit-fixes-20260326-095954


@polographer
Contributor

========================================
SECURITY GEM UPDATES - REVIEW SUMMARY

Date: 2026-03-26
Status: All vulnerabilities resolved
Bundler Audit: PASSED (No vulnerabilities found)

========================================

1. JSON GEM

Versions: 2.18.0 -> 2.19.3
Vulnerability: CVE-2026-33210 (Format string injection vulnerability)
Criticality: Unknown
Advisory: GHSA-3m6g-2423-7cp3

POTENTIAL IMPACT AREAS:

  • API Response Rendering

    • app/controllers/api/v1/documents_controller.rb (8 occurrences)
      • All controller actions rendering JSON responses (index, show, create, update)
      • Error responses in format: { status: "failure", errors: [...] }
    • app/controllers/application_controller.rb (4 occurrences)
      • JWT token validation error responses
      • System key validation responses
  • Request Processing

    • app/domain/cartafact/operations/validate_resource_identity_signature.rb
      • JSON.parse() for identity header validation
    • app/controllers/api/v1/documents_controller.rb
      • JSON.parse() for document parameter processing
  • Test Suite

    • spec/domain/operations/validate_resource_identity_signature_spec.rb
      • JSON.dump() for test data generation
    • spec/controllers/api/v1/documents_controller_spec.rb
      • JSON.parse() and JSON.dump() for request/response testing
  • Configuration

    • config/initializers/wrap_parameters.rb
      • Parameter wrapping format configuration for JSON APIs

DEPENDENCY CHAIN:

  • Direct dependency via rubocop (1.82.1) which depends on json (~> 2.3)
  • Used throughout Rails for JSON serialization/deserialization

TESTING RECOMMENDATIONS:

  1. Test all API endpoints for proper JSON rendering
  2. Verify JWT token validation still works correctly
  3. Test document upload/download with JSON metadata
  4. Ensure identity signature validation processes correctly

========================================
2. LOOFAH GEM

Versions: 2.25.0 -> 2.25.1
Vulnerability: GHSA-46fp-8f5p-pf2m (Improper URI detection)
Criticality: Unknown

POTENTIAL IMPACT AREAS:

  • HTML/XML Sanitization (via Rails)

    • Indirect usage through rails-html-sanitizer
    • ActionText (if used for rich text content)
    • Any user-generated HTML content
  • No Direct Usage Found:

    • No explicit loofah references in application code
    • Used indirectly by Rails framework for HTML sanitization

DEPENDENCY CHAIN:

  • rails-html-sanitizer (1.6.2) -> loofah (~> 2.21)
  • Used by ActionPack and ActionText for sanitizing HTML

TESTING RECOMMENDATIONS:

  1. Test any rich text input/output functionality
  2. Verify HTML sanitization in user content (if applicable)
  3. Check any areas where user input is rendered as HTML

========================================
3. NOKOGIRI GEM

Versions: 1.19.0 -> 1.19.2
Vulnerability: GHSA-wx95-c6cv-8532 (xmlC14NExecute return value check)
Criticality: Medium

POTENTIAL IMPACT AREAS:

  • XML/HTML Processing (via Rails and dependencies)

    • ActionPack (core Rails request/response handling)
    • ActionText (rich text processing)
    • Loofah (HTML sanitization)
    • Rails DOM testing tools
  • No Direct Usage Found:

    • No explicit nokogiri references in application code
    • Used indirectly by Rails framework and dependent gems
  • Document Processing:

    • Potentially involved in any XML/HTML document handling
    • May impact PDF processing pipeline if XML metadata is parsed

DEPENDENCY CHAIN:

  • actionpack (7.2.3) -> nokogiri (>= 1.8.5)
  • actiontext (7.2.3) -> nokogiri (>= 1.8.5)
  • loofah (2.25.1) -> nokogiri (>= 1.12.0)
  • rails-dom-testing (2.3.0) -> nokogiri (>= 1.6)
  • rails-html-sanitizer (1.6.2) -> nokogiri (>= 1.15.7)

TESTING RECOMMENDATIONS:

  1. Test core Rails request/response cycle
  2. Verify document upload and storage functionality
  3. Test any XML/HTML content processing
  4. Run full test suite to catch any XML parsing issues

========================================
4. RACK GEM

Versions: 3.2.4 -> 3.2.5
Vulnerabilities:

  • CVE-2026-22860 (Directory Traversal via Rack::Directory) - HIGH criticality
  • CVE-2026-25500 (Stored XSS in Rack::Directory) - MEDIUM criticality

POTENTIAL IMPACT AREAS:

  • Core Web Server Interface

    • ALL HTTP request/response handling
    • Middleware stack execution
    • Session management
    • CORS handling
  • Specific Components:

    • rack-cors gem (3.0.0) - Cross-Origin Resource Sharing

      • Configured in config/initializers/cors.rb
      • Affects all API endpoints allowing cross-origin requests
    • ActionPack (7.2.3) - Core Rails request processing

      • All controller actions
      • All routing
      • All middleware
    • Rack::Test (2.2.0) - Test framework

      • All controller tests
      • Integration tests
  • Application Entry Points:

    • Puma web server (6.0.x) uses Rack interface
    • All API endpoints in api/v1/documents_controller.rb
    • Authentication/authorization in application_controller.rb

DEPENDENCY CHAIN:

  • actionpack (7.2.3) -> rack (>= 2.2.4, < 3.3)
  • rack-cors (3.0.0) -> rack (>= 3.0.14)
  • rack-session (2.1.1) -> rack (>= 3.0.0)
  • rack-test (2.2.0) -> rack (>= 1.3)
  • rackup (2.3.1) -> rack (>= 3)

TESTING RECOMMENDATIONS:

  1. Test all API endpoints (GET, POST, PUT, DELETE operations)
  2. Verify CORS configuration works correctly for cross-origin requests
  3. Test JWT authentication middleware
  4. Test file upload/download functionality
  5. Verify all controller actions respond correctly
  6. Run full integration test suite
  7. Test error handling and error responses

========================================
OVERALL TESTING STRATEGY

HIGH PRIORITY:

  1. Run full RSpec test suite: bundle exec rspec
  2. Test all document API endpoints:
    • GET /api/v1/documents (list)
    • GET /api/v1/documents/:id (show)
    • POST /api/v1/documents (create)
    • PUT /api/v1/documents/:id (update)
    • DELETE /api/v1/documents/:id (delete)
  3. Verify JWT authentication works correctly
  4. Test document upload with JSON metadata
  5. Test CORS functionality for cross-origin requests

MEDIUM PRIORITY:

  1. Test identity signature validation flows
  2. Test error handling and error responses
  3. Verify all JSON responses render correctly
  4. Test file download functionality

LOW PRIORITY:

  1. Performance testing (should be similar)
  2. Load testing for concurrent requests

========================================
NOTES

  • All gems updated to patch security vulnerabilities
  • No breaking changes expected (all are patch/minor updates)
  • Application uses Rails 7.2.0 which is compatible with all updated gems
  • Primary application is a document management API
  • Main functionality: JWT-authenticated document CRUD operations
  • MongoDB backend (Mongoid 8.1.5)
  • Puma web server (6.0.x)

This commit updates vulnerable gems identified by bundler-audit.
See PR description for detailed analysis of changes and affected components.
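An added example, not code from this PR or from the project: a small Ruby check that parses a Gemfile.lock and reports any of the four gems still below the fixed versions the summary lists, so a reviewer can confirm the lockfile independently of bundler-audit. The lockfile excerpt is constructed; the gem names and minimum versions are the ones given above.

```ruby
# Added example, not part of this PR: re-check a Gemfile.lock against the patched versions the PR lists.

# Minimum fixed versions taken from the PR summary.
PATCHED_VERSIONS = {
  "json"     => "2.19.3",
  "loofah"   => "2.25.1",
  "nokogiri" => "1.19.2",
  "rack"     => "3.2.5",
}.freeze

# Constructed Gemfile.lock excerpt in which json and nokogiri are still on vulnerable versions.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.2.3)
        rack (>= 2.2.4, < 3.3)
      json (2.18.0)
      loofah (2.25.1)
      nokogiri (1.19.0-x86_64-linux)
      rack (3.2.5)

  PLATFORMS
    x86_64-linux
LOCK

# Parse the resolved gems in each "specs:" section into { name => [version, ...] }.
def parse_lockfile_specs(lock_text)
  specs = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  lock_text.each_line(chomp: true) do |line|
    next in_specs = true if line.strip == "specs:"
    in_specs = false unless line.start_with?("  ")   # blank line or a new top-level section
    next unless in_specs
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))   # 6-space lines are dependency constraints
    specs[m[1]] << m[2].sub(/-.+\z/, "")   # drop a platform suffix such as "-x86_64-linux"
  end
  specs
end

# Report gems present in the lockfile whose resolved version is below the patched minimum.
def unpatched_gems(lock_text, required = PATCHED_VERSIONS)
  specs = parse_lockfile_specs(lock_text)
  required.filter_map do |name, min|
    next unless specs.key?(name)
    below = specs[name].select { |v| Gem::Version.new(v) < Gem::Version.new(min) }
    "#{name}: #{below.join(', ')} < #{min}" unless below.empty?
  end
end
```

Run `unpatched_gems(File.read("Gemfile.lock"))` after the branch is checked out; an empty array means every listed gem is at or above its fixed version.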
polographer added the "dependencies" label (Pull requests that update a dependency file) on Mar 26, 2026