Sinatra currently includes CWE-444 #1770

Closed
blakegearin opened this issue Mar 14, 2022 · 1 comment

Comments

@blakegearin

Snyk notified me that the latest version of Rack (2.2.3) has CWE-444. According to the Snyk website, this was fixed on their main branch via this PR (commit).

As indicated in a PR comment, version 3.x of Rack doesn't have an estimated release period/schedule yet. It is at least worth considering making Sinatra compatible with this commit/change before 3.x is released, to remove the presence of CWE-444.

In the meantime, I believe this can be patched at the project level by adding Rack as a dependency in a Gemfile specifying the fixing commit:

gem 'rack', github: 'rack/rack', ref: 'ef1fc0c'

However, there are other changes included when upgrading to this commit that may break things.
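As an added example (not code from this issue, from Rack or from Sinatra), here is the follow-up check a practitioner would want after adding a git pin like the one above: parse the Gemfile.lock that Bundler writes and report where rack is actually resolved from, so that a pin that did not take (or an unpinned rack 2.2.3 still coming from rubygems.org) is visible at a glance. Both lockfiles below are constructed and abbreviated, the full 40-character revision is a placeholder rather than the real commit SHA, the version number recorded for the pinned rack is invented, and the parser only understands the GIT/GEM/PATH sections it needs (sub-dependency lines are skipped).

```ruby
# Added example: inspect Gemfile.lock to see which rack is really bundled.
# Not Rack's or Sinatra's own code; hand-rolled parser, no Bundler required.

# Constructed lockfile: what Bundler might write after
#   gem 'rack', github: 'rack/rack', ref: 'ef1fc0c'
# The revision is a placeholder (only the 7-char prefix comes from the issue),
# and the rack version shown is an assumption.
PINNED_LOCK = <<~LOCK
  GIT
    remote: https://github.com/rack/rack.git
    revision: ef1fc0c000000000000000000000000000000000
    ref: ef1fc0c
    specs:
      rack (3.0.0.alpha)

  GEM
    remote: https://rubygems.org/
    specs:
      mustermann (1.1.1)
      sinatra (2.2.0)
        mustermann (~> 1.0)
        tilt (~> 2.0)
      tilt (2.0.10)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack!
    sinatra

  BUNDLED WITH
     2.3.7
LOCK

# Constructed lockfile for an app that never pinned rack and still resolves
# the release Snyk flagged in the issue.
UNPINNED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.3)
      sinatra (2.2.0)
        rack (~> 2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    sinatra
LOCK

# The release the issue says Snyk reported; checked by equality because the
# issue names only this version.
FLAGGED_RACK_VERSION = "2.2.3"

LockedSpec = Struct.new(:name, :version, :source_type, :remote, :revision, :ref)

# Parse the GIT/GEM/PATH sections of a lockfile into LockedSpec records.
# Top-level (unindented) lines start a section, 2-space lines are section
# metadata or the "specs:" marker, 4-space lines are the locked gems, and
# deeper lines are dependency edges we do not need.
def parse_lockfile(text)
  specs = []
  section = nil
  meta = {}
  in_specs = false

  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    indent = line[/\A */].size

    if indent.zero?
      section = line.strip
      meta = {}
      in_specs = false
      next
    end
    next unless %w[GIT GEM PATH].include?(section)

    if indent == 2
      if line.strip == "specs:"
        in_specs = true
      else
        key, value = line.strip.split(": ", 2)
        meta[key] = value
      end
    elsif indent == 4 && in_specs
      m = line.strip.match(/\A(\S+) \(([^)]+)\)\z/)
      next unless m
      specs << LockedSpec.new(m[1], m[2], section, meta["remote"], meta["revision"], meta["ref"])
    end
  end
  specs
end

# Summarise where rack comes from and whether it is the flagged release.
def rack_status(lock_text)
  spec = parse_lockfile(lock_text).find { |s| s.name == "rack" }
  return { present: false } unless spec
  {
    present: true,
    version: spec.version,
    source: spec.source_type,
    remote: spec.remote,
    revision: spec.revision,
    pinned_to_git: spec.source_type == "GIT",
    flagged: spec.source_type == "GEM" && spec.version == FLAGGED_RACK_VERSION,
  }
end

if __FILE__ == $PROGRAM_NAME
  p rack_status(PINNED_LOCK)
  p rack_status(UNPINNED_LOCK)
end
```

Run it against a real `Gemfile.lock` by passing `File.read("Gemfile.lock")` to `rack_status`; a `pinned_to_git: true` result with the expected revision prefix confirms the override took effect, while `flagged: true` means the application is still resolving the release named in the issue from rubygems.org.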

@jkowens
Member

jkowens commented Jul 18, 2022

Thanks for the heads up.