🚨 [security] Upgrade better_errors: 2.1.1 → 2.9.1 (minor)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ better_errors (2.1.1 → 2.9.1) · Repo · Changelog

Security Advisories 🚨

🚨 Older releases of better_errors open to Cross-Site Request Forgery attack

Impact

better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks.

As a developer tool, better_errors documentation strongly recommends addition only to the development bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the development group (or the non-Rails equivalent).

Patches

Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3".

Workarounds

There are no known workarounds to mitigate the risk of using older releases of better_errors.

References

• Chris Moberly provided an example attack that uses a now-patched vulnerability of webpack-dev-server in conjunction with Better Errors

For more information

If you have any questions or comments about this advisory, please

• Add to the discussion in better_errors
• Open an issue in better_errors

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ coderay (indirect, 1.1.0 → 1.1.3) · Repo · Changelog

Release Notes

1.1.3

Diff: v1.1.2...v1.1.3

• Tokens: Ensure Ruby 2.6 compatibility. [#233, thanks to Jun Aruga]
• SQL scanner: Add numeric data type. [#223, thanks to m16a1]
• Java scanner: Add var as type. [#229, thanks to Davide Angelocola]
• Gem: Fix deprecation warning. [#246, thanks to David Rodríguez]

1.1.2

Diff: v1.1.1...v1.1.2

• Ruby future: Add support for frozen string literals. [#211, thanks to Pat Allan]
• C++ scanner: Add C++11 keywords. [#195, thanks to Johnny Willemsen]
• Haml scanner: Allow - in tags.
• Java scanner: Allow Unicode characters in identifiers. [#212, thanks to t-gergely]

1.1.1

Diff: v1.1.0...v1.1.1

• SQL scanner: Allow $ signs in SQL identifiers [#164, thanks to jasir and Ben Basson]
• SQL scanner: Fix open strings [#163, thanks to Adam]
• Ruby scanner: Accept number literal suffixes r and i (Ruby 2.1)
• Ruby scanner: Accept quoted hash keys like { "a": boss } (Ruby 2.2)
• Ruby scanner: Accept save navigation operator &. (Ruby 2.3)
• Ruby scanner: Accept squiggly heredoc <<~ (Ruby 2.3)
• Diff scanner: Prevent running out of regexp stack.
• HTML encoder: You can keep tabs intact now by setting tab_width: false.
• Alpha style: Tweaked colors for :function group with :content.
• File structure: One module per file, autoload CodeRay::Version, paths follow namespace hierarchy.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 1.6.4 → 1.6.13) · Repo · Changelog

Security Advisories 🚨

🚨 Possible information leak / session hijack vulnerability

There's a possible information leak / session hijack vulnerability in Rack.

Attackers may be able to find and hijack sessions by using timing attacks
targeting the session id. Session ids are usually stored and indexed in a
database that uses some kind of scheme for speeding up lookups of that
session id. By carefully measuring the amount of time it takes to look up
a session, an attacker may be able to find a valid session id and hijack
the session.

The session id itself may be generated randomly, but the way the session is
indexed by the backing store does not use a secure comparison.

Impact:

The session id stored in a cookie is the same id that is used when querying
the backing session storage engine. Most storage mechanisms (for example a
database) use some sort of indexing in order to speed up the lookup of that
id. By carefully timing requests and session lookup failures, an attacker
may be able to perform a timing attack to determine an existing session id
and hijack that session.

🚨 Possible XSS vulnerability in Rack

There is a possible vulnerability in Rack. This vulnerability has been
assigned the CVE identifier CVE-2018-16471.

Versions Affected: All.
Not affected: None.
Fixed Versions: 2.0.6, 1.6.11

Impact

There is a possible XSS vulnerability in Rack. Carefully crafted requests can
impact the data returned by the scheme method on Rack::Request.
Applications that expect the scheme to be limited to "http" or "https" and do
not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

<%= request.scheme.html_safe %>

Note that applications using the normal escaping mechanisms provided by Rails
may not impacted, but applications that bypass the escaping mechanisms, or do
not use them may be vulnerable.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The 2.0.6 and 1.6.11 releases are available at the normal locations.

Workarounds

The following monkey patch can be applied to work around this issue:

require "rack"
require "rack/request"
class Rack::Request

SCHEME_WHITELIST = %w(https http).freeze
def scheme

if get_header(Rack::HTTPS) == 'on'

'https'

elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'

'https'

elsif forwarded_scheme

forwarded_scheme

else

get_header(Rack::RACK_URL_SCHEME)

end

end
def forwarded_scheme

scheme_headers = [

get_header(HTTP_X_FORWARDED_SCHEME),

get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]

]
scheme_headers.each do |header|

return header if SCHEME_WHITELIST.include?(header)

end
nil

end

end

Release Notes

1.6.12 (from changelog)

• [CVE-2019-16782] Prevent timing attacks targeted at session ID lookup. (@tenderlove, @rafaelfranca)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 51 commits:

• bump version
• Handle case where session id key is requested but it is missing
• Merge pull request #1462 from jeremyevans/sessionid-to_s
• Merge branch '1-6-sec' into 1-6-stable
• Bump version
• making diff smaller
• fix memcache tests on 1.6
• fix tests on 1.6
• Introduce a new base class to avoid breaking when upgrading
• Add a version prefix to the private id to make easier to migrate old values
• Fallback to the public id when reading the session in the pool adapter
• Also drop the session with the public id when destroying sessions
• Fallback to the legacy id when the new id is not found
• Add the private id
• revert conditionals to master
• remove NullSession
• remove || raise and get closer to master
• store hashed id, send public id
• use session id objects
• remove more nils
• try to ensure we always have some kind of object
• Fix assertion on bacon
• Bumping version for release
• Whitelist http/https schemes
• Merge pull request #1296 from tomelm/fix-prefers-plaintext
• Bump version for release
• Merge pull request #1249 from mclark/handle-invalid-method-parameters
• handle failure to upcase invalid strings
• Stick with a passing version of Rubygems and bundler
• bump version for release
• Merge pull request #1237 from eileencodes/backport-1137
• Backport pull request #1137 from unabridged/fix-eof-failure
• bump version
• Merge pull request #1170 from rack/1-8-fix
• Merge pull request #1169 from eileencodes/fix-mistake-in-encoding-change
• Ruby 1.8 doesn't know about encodings
• Fix mistake in encoding change
• Bump rack version for release
• Ensure env values are ASCII 8BIT encoded
• Bump Rack version for release
• Merge pull request #1115 from Shopify/fix-multipart-parsing-with-null-byte
• Merge pull request #1158 from marshall-lee/1-6-stable-backport-2f8b710
• Merge pull request #1080 from sophiedeziel/master
• bumping version
• Use Mutex instead of Thread.exclusive for reloader
• CI: Refresh and repair builds
• Validate the SameSite cookie option
• Merge pull request #1037 from mastahyeti/backport_same_site_cookies
• first-party cookies are now same-site cookies
• First-Party cookies, another line of CSRF defense
• fix 1.8 backwards compat

🆕 erubi (added, 1.10.0)

---

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

• Circle CI, Semaphore and Travis-CI are all excellent options.
• If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
• If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)