Update rubyzip to 1.3.0 to fix vulnerability (forem#4133)

Aswathprabhu · Sep 30, 2019 · 56c5f08 · 56c5f08
1 parent a4ac194
commit 56c5f08
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/Gemfile b/Gemfile
@@ -76,7 +76,7 @@ gem "redcarpet", "~> 3.5" # A fast, safe and extensible Markdown to (X)HTML pars
 gem "reverse_markdown", "~> 1.3" # Map simple html back into markdown
 gem "rolify", "~> 5.2" # Very simple Roles library
 gem "rouge", "~> 3.10" # A pure-ruby code highlighter
-gem "rubyzip", "~> 1.2" # Rubyzip is a ruby library for reading and writing zip files
+gem "rubyzip", "~> 1.2", ">= 1.3.0" # Rubyzip is a ruby library for reading and writing zip files
 gem "s3_direct_upload", "~> 0.1" # Direct Upload to Amazon S3
 gem "sail", "~> 1.5" # Sail is a lightweight Rails engine that brings an admin panel for managing configuration settings on a live Rails app
 gem "sass-rails", "~> 5.1" # Sass adapter for the Rails asset pipeline

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -670,7 +670,7 @@ GEM
     ruby-vips (2.0.15)
       ffi (~> 1.9)
     ruby_dep (1.5.0)
-    rubyzip (1.2.4)
+    rubyzip (1.3.0)
     s3_direct_upload (0.1.7)
       coffee-rails (>= 3.1)
       jquery-fileupload-rails (~> 0.4.1)
@@ -956,7 +956,7 @@ DEPENDENCIES
   rubocop-rails (~> 2.3)
   rubocop-rspec (~> 1.35)
   ruby-prof (~> 1.0)
-  rubyzip (~> 1.2)
+  rubyzip (~> 1.2, >= 1.3.0)
   s3_direct_upload (~> 0.1)
   sail (~> 1.5)
   sass-rails (~> 5.1)

diff --git a/config/initializers/rubyzip.rb b/config/initializers/rubyzip.rb
@@ -0,0 +1,5 @@
+# Validate entry size on extract
+# NOTE: this initializer can be removed when upgrading to rubyzip >= 2.0
+# see https://github.com/rubyzip/rubyzip/pull/403
+# see https://github.com/rubyzip/rubyzip#size-validation
+Zip.validate_entry_sizes = true