Updated: Bump rest-client to 1.8.0 #256

Closed
wants to merge 1 commit into from

Conversation

rodrigoargumedo

In rest-client/rest-client#349, there was a security vulnerability that allows developers to see passwords logged in plain text to the console. This problem is solved in 1.7.3. I preferred to update this gem to its latest version to fix this critical problem.

This also now requires Ruby 1.9.2, even though the first build failed miserably. Ruby 1.8.7 fails because mime-types requires Ruby 1.9.2. So, that is now eliminated from the RVM builds in Travis.

Additional resources:
rest-client/rest-client#352
CVE-2015-3448

Edit: I rebased it for easier commit reading and quality. Even so, this needs to be merged soon.

@jaymiejones86

👍 on this issue.

@jaymiejones86

No traction on this one? Seems quite important.

@rodrigoargumedo
Author

I feel that developers aren't quite keeping up with development of this RubyGem and this needs to be merged soon.

@russelldavis
Contributor

The gemfiles you changed are just local overrides when using the gem from its own repo (e.g., for running tests). These overrides exist specifically for compatibility when running tests with older versions of Ruby.

The actual dependency for the gem itself is in stripe.gemspec, and is already set to ~1.4, which means any project including the gem will automatically use the latest 1.x version, unless that project wants to specifically override that in its own gemfile (which they may want to do for compatibility reasons).

@rodrigoargumedo
Author

Updated the gemspec and hope it doesn't break this build.

@russelldavis
Contributor

Sorry, I may not have been clear -- the gemspec doesn't need to be updated either. Anyone adding this gem to a project will already get the latest 1.x version of rest-client by default. We are still compatible with rest-client 1.4, so we're not going to change the lower bound.

@jaymiejones86

So @russelldavis is saying that if you installed this gem into a new project at this point, the rest-client dependency would use a rest-client version that no longer has the vulnerability.

If you have an existing project with the gem, you can simply bump the rest-client version yourself to override.

Is that correct @russelldavis?

@russelldavis
Contributor

Yep, that's correct.
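As an added example, not code from stripe-ruby or rest-client, here is what the pessimistic `~> 1.4` constraint discussed above actually admits, and how a project can check the rest-client version its own Gemfile.lock has resolved. It relies on RubyGems' `Gem::Requirement` and `Gem::Version`; the Gemfile.lock text is constructed for the example, and the `>= 1.7.3` "patched" threshold is an assumption taken from the fix tags cited later in this thread (v1.7.3, v1.8.0, v2.0.0.rc1), not read from rest-client itself.

```ruby
require "rubygems"

# Constraint the thread says stripe.gemspec declares for rest-client.
STRIPE_REST_CLIENT_REQ = Gem::Requirement.new("~> 1.4")

# Lowest version carrying the logging fix, per the tags cited in the thread
# (v1.7.3 is the first 1.x tag listed). This threshold is an assumption
# derived from that comment, not something read from rest-client itself.
FIXED_REQ = Gem::Requirement.new(">= 1.7.3")

# Does the pessimistic constraint admit this version?
def allowed_by_stripe?(version)
  STRIPE_REST_CLIENT_REQ.satisfied_by?(Gem::Version.new(version))
end

# Is this version at or past the fix?
def patched?(version)
  FIXED_REQ.satisfied_by?(Gem::Version.new(version))
end

# Newest candidate a default Bundler resolve would pick: prereleases such as
# 2.0.0.rc1 are skipped unless explicitly requested, so they are rejected here.
def newest_allowed(candidates)
  candidates.map { |v| Gem::Version.new(v) }
            .reject(&:prerelease?)
            .select { |v| STRIPE_REST_CLIENT_REQ.satisfied_by?(v) }
            .max
            &.to_s
end

# Resolved version of a gem in Gemfile.lock text (the 4-space-indented
# "name (x.y.z)" line under GEM/specs), or nil when the gem is not locked.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1]
end

# Classify the rest-client entry of a lockfile.
def audit_lockfile(lockfile_text)
  v = locked_version(lockfile_text, "rest-client")
  return :missing unless v
  patched?(v) ? :patched : :vulnerable
end

# Constructed lockfile for a project that resolved before 1.7.3 existed.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (1.25.1)
      rest-client (1.6.7)
        mime-types (>= 1.16)
      stripe (1.20.1)
        rest-client (~> 1.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    stripe
LOCK

if __FILE__ == $0
  puts "newest 1.x allowed: #{newest_allowed(%w[1.6.7 1.7.2 1.7.3 1.8.0 2.0.0.rc1])}"
  puts "existing lockfile: #{audit_lockfile(SAMPLE_LOCK)}"
  bumped = SAMPLE_LOCK.sub("rest-client (1.6.7)", "rest-client (1.8.0)")
  puts "after bumping:     #{audit_lockfile(bumped)}"
end
```

The point this makes concrete is the one in the comments above: a fresh `bundle install` against `~> 1.4` lands on the newest 1.x release, while a project with an old lockfile keeps whatever it resolved originally until someone runs `bundle update rest-client` or pins a newer version in its own Gemfile.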

@jaymiejones86

Perfect @russelldavis, I think that should close this issue if everyone else is happy?

@jaymiejones86

After some further investigation, there is no newer version than 1.8.0 which still has the vulnerability.
The next available version for rest-client is the 2.x branch, which is still at RC1, and due to the restriction to the 1.x branch in the stripe-ruby gem there is not an upgrade option.

@russelldavis
Contributor

@jaymiejones86 can you clarify? What's the problem w/ using 1.7.3 or 1.8.x?

@jaymiejones86

@russelldavis 1.7.3, 1.8.0 (latest) all have the vulnerability, so bundle-audit says. I went quite far back in the various versions for rest-client and still encountered the vulnerability.

@russelldavis
Contributor

Not sure what bundle-audit is doing, but I think it must be wrong. Here's the fix:

rest-client/rest-client@a8b3f3c

You can see from the tags it exists in v2.0.0.rc1, v1.8.0, and v1.7.3.

@jaymiejones86

Hmmm OSVDB still states that it is vulnerable but does say:

It has been reported that this has been fixed. Please refer to the product listing for upgraded versions that address this vulnerability.

So I would assume that 1.8.0 is good to use, happy for this issue to be closed as that commit fixes those tagged versions of the rest-client gem.

@russelldavis
Contributor

Thanks, closing.

@rodrigoargumedo rodrigoargumedo deleted the security-fix branch July 10, 2015 00:37