Schneems/sprockets fatal #776

Merged
merged 3 commits into from Jun 19, 2018

@schneems
Contributor

schneems commented Jun 19, 2018

Details about the vulnerability can be found at https://blog.heroku.com/rails-asset-pipeline-vulnerability.

schneems added some commits Jun 18, 2018

Fail builds with known directory traversal config
Fail builds for an application that is using a known vulnerable version of Sprockets and has enabled a setting that will allow for a directory traversal:

```
config.assets.compile = true # Enables security vulnerability
```


Applications can deploy again by either upgrading their version of sprockets or by disabling dynamic asset compilation via setting:

```
config.assets.compile = false # Disables security vulnerability
```

If an app really needs to deploy but cannot upgrade its sprockets version, then it should know it is at extreme risk. It should be assumed that all of its credentials and source code are in the hands of an attacker. It can do this manually by replacing `heroku/ruby` with `https://github.com/heroku/heroku-buildpack-ruby#v186`, though note that this should be temporary while a fix can be put in place; pinning to a specific buildpack version like this is not supported in the long term.
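As an added illustration (not code from this PR or from the buildpack itself), the following Ruby check mirrors the condition the commit message describes: fail only when a vulnerable Sprockets version is resolved in `Gemfile.lock` and `config.assets.compile = true` is active in the app's config. The patched versions (2.12.5, 3.7.2, 4.0.0.beta8) are taken from the linked Heroku advisory and are an assumption here, as are the helper names and the constructed sample `Gemfile.lock` and config text.

```ruby
require "rubygems" # Gem::Version

# First patched release per Sprockets series (assumption: values from the linked
# Heroku advisory, not from this PR page). Anything older in the same series is
# treated as vulnerable; an unknown series yields no verdict.
FIXED_SPROCKETS = {
  2 => Gem::Version.new("2.12.5"),
  3 => Gem::Version.new("3.7.2"),
  4 => Gem::Version.new("4.0.0.beta8"),
}.freeze

# Extract the resolved sprockets version from Gemfile.lock. Resolved gems sit
# under "specs:" indented by exactly four spaces; dependency lines (six spaces,
# e.g. "sprockets (>= 3.0.0)" under sprockets-rails) are deliberately skipped.
def sprockets_version(gemfile_lock)
  m = gemfile_lock.match(/^\s{4}sprockets \(([^)]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Compare against the patched release of the same major series.
def vulnerable_sprockets?(version)
  return false if version.nil?
  fixed = FIXED_SPROCKETS[version.segments.first]
  return false if fixed.nil? # unknown series: do not block the build
  version < fixed
end

# True when dynamic asset compilation is enabled. Comments are stripped first so
# a commented-out "# config.assets.compile = true" does not count.
def dynamic_compile_enabled?(config_text)
  config_text.each_line.any? do |line|
    line.sub(/#.*/, "") =~ /\bconfig\.assets\.compile\s*=\s*true\b/
  end
end

# The build-time decision: both conditions must hold, as in the commit message.
def build_should_fail?(gemfile_lock, config_text)
  vulnerable_sprockets?(sprockets_version(gemfile_lock)) &&
    dynamic_compile_enabled?(config_text)
end

# Constructed sample inputs (not taken from any real application).
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    sprockets (3.7.1)
      concurrent-ruby (~> 1.0)
      rack (> 1, < 3)
    sprockets-rails (3.2.1)
      sprockets (>= 3.0.0)
LOCK

VULNERABLE_CONFIG = <<~RUBY
  Rails.application.configure do
    config.assets.compile = true # Enables security vulnerability
  end
RUBY

SAFE_CONFIG = <<~RUBY
  Rails.application.configure do
    # config.assets.compile = true
    config.assets.compile = false # Disables security vulnerability
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "resolved sprockets: #{sprockets_version(SAMPLE_LOCK)}"
  puts "fail with compile=true:  #{build_should_fail?(SAMPLE_LOCK, VULNERABLE_CONFIG)}"
  puts "fail with compile=false: #{build_should_fail?(SAMPLE_LOCK, SAFE_CONFIG)}"
end
```

`Gem::Version` orders prerelease segments correctly, so `4.0.0.beta7` sorts below `4.0.0.beta8` while `4.0.0.beta8` itself passes; a plain string comparison would get these wrong.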
@cji

cji approved these changes Jun 19, 2018

@schneems schneems merged commit 52cd0bd into master Jun 19, 2018

6 checks passed

ci/circleci: Your tests passed on CircleCI!
continuous-integration/travis-ci/pr: The Travis CI build passed
continuous-integration/travis-ci/push: The Travis CI build passed
heroku/compliance: All requirements completed. Reviewed by cji.
license/snyk - Gemfile.lock (languages): No manifest changes detected
security/snyk - Gemfile.lock (languages): No manifest changes detected