
Update Nokogiri to protect against CVE-2019-5477 #11751

Merged: 1 commit merged on Aug 13, 2019

Conversation


@lowellrex lowellrex commented Aug 13, 2019

bundle exec rake security alerted us to a vulnerability in the Nokogiri library we use for XML and HTML parsing. This PR updates the library to a version that is not vulnerable to the disclosed CVE as per the directions presented by the maintainers (sparklemotion/nokogiri#1915).

$> bundle exec rake security
...
Updated ruby-advisory-db
ruby-advisory-db: 384 advisories
Looking for ~/Projects/caseflow/.security.yml
bundle-audit check --ignore=
Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Vulnerabilities found!

Failed. Security vulnerabilities were found. Find the dependency in Gemfile.lock,
then specify a safe version of the dependency in the Gemfile (preferred) or
snooze the CVE in .security.yml for a week.

@lowellrex lowellrex requested a review from lomaxap August 13, 2019 14:16
@lowellrex lowellrex self-assigned this Aug 13, 2019
codeclimate bot commented Aug 13, 2019

Code Climate has analyzed commit 4a19b55 and detected 0 issues on this pull request.


@lowellrex lowellrex added the Ready-to-Merge This PR is ready to be merged and will be picked up by va-bot to automatically merge to master label Aug 13, 2019
@va-bot va-bot merged commit 00091c8 into master Aug 13, 2019
@va-bot va-bot deleted the lowell/update_nokogiri branch August 13, 2019 14:55