Skip to content
This repository has been archived by the owner on Feb 12, 2022. It is now read-only.

Update rest-client gem because security vulnerabilities #1984

Closed
wants to merge 2 commits into from
Closed

Update rest-client gem because security vulnerabilities #1984

wants to merge 2 commits into from

Conversation

balazslaszlo
Copy link

rest-client 1.6.8 has security vulnerabilities
https://www.versioneye.com/ruby/rest-client/1.6.8

@jdx
Copy link
Contributor

jdx commented Jul 22, 2016

haven't been able to figure out why yet, but this fails locally for me

@bluta
Copy link

bluta commented Jul 27, 2016

@dickeyxxx maybe only bcs restclient switched on netrc auth on 1.7.0 so your stubbed requests do not match if you have a .netrc file.

@bluta
Copy link

bluta commented Aug 12, 2016

@dickeyxxx could you take a look if - on top of the additional commit kind of taking care of the stubbed requests - there's anything more we can do to have this merged?

@eschersgirl
Copy link

👍

2 similar comments
@storhet
Copy link

storhet commented Aug 29, 2016

👍

@Hawerrr
Copy link

Hawerrr commented Aug 30, 2016

👍

@bluta
Copy link

bluta commented Sep 5, 2016

@atmos -- anything we can do get this rechecked/merged?

@atmos
Copy link

atmos commented Sep 6, 2016

@bluta I don't understand the security vulnerabilities well enough to comment. 1.6 -> 1.8 is an API breaking change in a lot of places and I don't have enough things running constantly to speak authoritatively.

@bluta
Copy link

bluta commented Sep 6, 2016

@atmos - you mean although the coverage for the first look seems promising for the API, still feel it'll fail in real applications? by any chance you have a rough direction for such problems?
sorry to bother, but our application works fine with the changes, and we also need the new version of rest-client for our own oauth - and we usually try to avoid forking if possible.

@ransombriggs
Copy link
Contributor

@balazslaszlo I merged this into #2011 and released, I just removed the regexes in favor of a host / netrc existence check. I was going to mock out Netrc completely so that it never did user / pass in the url, but we depend on it to verify things in other tests, so it was not as straightforward as I had hoped. Thanks for putting this together and sorry it took so long to get merged.

@ransombriggs
Copy link
Contributor

@balazslaszlo I had to roll back #2011 because this did not work on windows due to an ffi dependency.

from C:/Program Files (x86)/Heroku/ruby-2.1.7/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in require': cannot load such file -- ffi (LoadError)
from C:/Program Files (x86)/Heroku/ruby-2.1.7/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:inrequire'
from C:/Program Files (x86)/Heroku/vendor/gems/rest-client-1.8.0/lib/restclient/windows/root_certs.rb:2:in <top (required)>'
from C:/Program Files (x86)/Heroku/vendor/gems/rest-client-1.8.0/lib/restclient/windows.rb:7:inrequire_relative'
from C:/Program Files (x86)/Heroku/vendor/gems/rest-client-1.8.0/lib/restclient/windows.rb:7

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@balazslaszlo @jdx @bluta @eschersgirl @storhet @Hawerrr @atmos @ransombriggs