Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patching vulnerabilities | esbuild, net-imap #450

Merged
merged 7 commits into from
Feb 12, 2025
Merged

Patching vulnerabilities | esbuild, net-imap #450

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
8713e59
patching esbuild
Feb 12, 2025
ff95655
Fix for net-imap
Feb 12, 2025
9d545b0
updated semver to resolve HIGH vulnerability
Feb 12, 2025
e505c67
libstan and net-imap image fix
Feb 12, 2025
bd15cbb
is this ugly fix going to work...
Feb 12, 2025
6df5984
adding bundle clean step, removing the code to delete gems that we ar…
Feb 12, 2025
c2b39e4
setting net-imap to be an explicit version
Feb 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions app/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,25 +120,25 @@ RUN apt-get update -qq && \
postgresql-client=15+248 \
python-is-python3=3.11.2-1+deb12u1 \
python3-venv=3.11.2-1+b1 \
unzip=6.0-28 && \
unzip=6.0-28 \
libtasn1-6=4.19.0-2+deb12u1 && \
rm -rf /var/lib/apt/lists /var/cache/apt/archives && \
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" && \
unzip awscli-bundle.zip && \
./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws && \
rm -rf ./awscli-bundle awscli-bundle.zip

# Remove base rexml for GHSA-4xqq-m2hx-25v8
RUN gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 debug && \
gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 rss && \
gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 rexml

# Install custom db migrate script
COPY bin/db-migrate /usr/bin/

# Copy built artifacts: gems, application, binary dependencies
COPY --from=release-build /usr/local/bundle /usr/local/bundle
COPY --from=release-build /rails /rails

# Clean up any unused gems and ensure we have the correct versions
RUN bundle clean --force && \
bundle install --no-cache

# Ensure all necessary directories exist
RUN mkdir -p /rails/tmp/pids /rails/log /rails/db

Expand Down
1 change: 1 addition & 0 deletions app/Gemfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ gem "stackprof"
gem "rexml", "~> 3.3.9"
gem "gpgme", "~> 2.0", ">= 2.0.12"
gem "pdf-reader", "~> 2.12.0"
gem "net-imap", "~> 0.4.19" # Fixing CVE-2025-25186
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably shouldn't need to do this - the updated version in the lock file should be sufficient.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay interesting. So the net-imap entry here doesn't result in the Gemfile.lock being updated? I thought the lock file was dependent on the contents of the Gemfile.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think Gemfile.lock will bump for version drift at the moment bundle install is run. ~> I believe implies minor version drift.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotcha! Yeah, let's pin this version.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bundle update will update every gem in the lockfile to the most recent version that satisfies all constraints. Since there wasn't previously a constraint for this gem, I would have expected bundle update net-imap to have upgraded its version to 0.4.19 in the lockfile. (Sometimes, there are constraints in the dependencies of other gems that may prevent bundler from doing an upgrade like that, though.)

Also, side note, but when upgrading for security reasons, we should use >= rather than ~> since ~> 0.4.19 means "allow versions 0.4.x". We don't have the need to actually prevent an upgrade to 0.5 of this gem, hence >= 0.4.19 being slightly preferable.


gem "maybe_later"
gem "activeresource"
Expand Down
5 changes: 3 additions & 2 deletions app/Gemfile.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,7 @@ GEM
mutex_m (0.3.0)
net-http (0.4.1)
uri
net-imap (0.4.17)
net-imap (0.4.19)
date
net-protocol
net-pop (0.1.2)
Expand Down Expand Up @@ -478,7 +478,7 @@ GEM
unicode-display_width (>= 1.1.1, < 3)
thor (1.3.2)
timecop (0.9.10)
timeout (0.4.1)
timeout (0.4.3)
ttfunk (1.8.0)
bigdecimal (~> 3.1)
turbo-rails (2.0.11)
Expand Down Expand Up @@ -551,6 +551,7 @@ DEPENDENCIES
jsbundling-rails
maybe_later
mixpanel-ruby
net-imap (~> 0.4.19)
newrelic_rpm
omniauth-azure-activedirectory-v2
omniauth-rails_csrf_protection (~> 1.0)
Expand Down
Loading
Loading