
Bundler < 2.2.10 has "Source Priority" vulnerability #1126

Closed
jaredbeck opened this issue Feb 18, 2021 · 7 comments

Comments

@jaredbeck

The developer was able to expose (in a non-malicious way) a vulnerability present in well-known dependency managers, where given a library name they will end up preferring installing it from a public source rather than from a private source.

Unfortunately, Bundler had this vulnerability.

The issue has been fixed in bundler 2.2.10:
https://bundler.io/blog/2021/02/15/a-more-secure-bundler-we-fixed-our-source-priorities.html

AFAICT, this buildpack is currently using bundler 2.1.4 (BLESSED_BUNDLER_VERSIONS).

I know that a lot of care and thought goes into bundler upgrades. So, I'm not suggesting a specific course of action, but it is a vulnerability that concerns me.
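An added example, not code from this issue or the buildpack: a small Ruby audit that evaluates a Gemfile with a stand-in for Bundler's DSL and reports gems that are not pinned to a single source, which is the situation the pre-2.2.10 rules resolved in favour of the public source. The internal gem server URL and the gem name in the constructed Gemfile are hypothetical.

```ruby
# Added example, not code from this issue or the buildpack: evaluate a Gemfile
# with a minimal stand-in for Bundler's DSL and list gems whose source is
# ambiguous, the situation the pre-2.2.10 "source priority" rules mishandled.
class GemfileSourceAudit
  attr_reader :global_sources, :gems

  def initialize
    @global_sources = [] # `source URL` with no block; applies to unscoped gems
    @gems = {}           # gem name => URL it is pinned to, or nil if unscoped
    @scope = nil         # URL of the enclosing `source URL do ... end`, if any
  end

  # Without a block, register a global source; with a block, scope the gems
  # declared inside it to that URL only.
  def source(url)
    return @global_sources |= [url] unless block_given?
    previous, @scope = @scope, url
    yield
    @scope = previous
  end

  # `gem NAME, VERSION..., source: URL` pins explicitly, otherwise the scope wins
  def gem(name, *_versions, **opts)
    @gems[name] = opts[:source] || @scope
  end

  # Other DSL calls (group, ruby, git_source, ...) do not affect sources
  def method_missing(*_args, **_opts)
    yield if block_given?
  end

  # Gems that Bundler would have to look up across several sources, where a
  # public gem carrying a private gem's name could win under the old rules.
  def self.ambiguous_gems(gemfile_text)
    audit = new
    audit.instance_eval(gemfile_text, "Gemfile")
    unscoped = audit.gems.select { |_, src| src.nil? }.keys
    audit.global_sources.size == 1 ? [] : unscoped
  end
end

# Constructed Gemfile; the internal server URL and gem name are hypothetical.
RISKY_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"
  gem "rails", "6.1.0"
  gem "internal-auth"
GEMFILE
```

Running `GemfileSourceAudit.ambiguous_gems(RISKY_GEMFILE)` flags both gems; moving the private gem into a `source "https://gems.example.internal" do ... end` block, or adding a `source:` option, clears it.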

@schneems
Contributor

Thanks!

@dentarg

dentarg commented Feb 25, 2021

The use of Bundler 2.1.4 might hide a missing require "set" in apps (rubygems/rubygems#4297, in Bundler 2.2.8 and above). I guess you could run into this on Heroku (when Heroku does use 2.2.x) if you update the Bundler version in your lockfile and deploy without verifying locally that your app works. Just noting this here, as this issue looked a bit relevant to Heroku starting to use Bundler 2.2.x.

schneems added a commit that referenced this issue Feb 25, 2021
Bundler < 2.2.10 has "Source Priority" vulnerability #1126. This PR updates bundler to the latest version (2.2.11).
@schneems
Contributor

Thanks @dentarg, it looks like that fix is merged. Is it in 2.2.11? I've staged 2.2.11 on main.

@dentarg

dentarg commented Feb 25, 2021

@schneems rubygems/rubygems#4297 is in Bundler 2.2.8 according to their release notes: https://github.com/rubygems/rubygems/releases/tag/bundler-v2.2.8

@dentarg

dentarg commented Feb 25, 2021

I guess you could run into this on Heroku (when Heroku does use 2.2.x) if you update the Bundler version in your lockfile and deploy without verifying locally that your app works.

Okay, I think it will be much easier to run into the problem (you rely on the set gem but haven't required it) than I said, as Heroku will now use Bundler 2.2.11 for any Bundler 2.x in the lockfile.

I guess there's the risk of apps not starting after the daily dyno cycling?

$ cd /tmp
$ touch Gemfile
$ chruby 2.7.2
$ bundle -v ; bundle e ruby -e 'Set'
Bundler version 1.17.3

$ bundle _2.1.4_ -v ; bundle _2.1.4_ e ruby -e 'Set'
Bundler version 2.1.4

$ bundle _2.2.11_ -v ; bundle _2.2.11_ e ruby -e 'Set'
Bundler version 2.2.11
Traceback (most recent call last):
-e:1:in `<main>': uninitialized constant Set (NameError)

@schneems
Contributor

Ahh, so the risk is people were previously relying on Set but not explicitly requiring it because that was being done by bundler.

People won't get bundler 2.2.11 unless they make a new deploy. In that case we boot the app for rake assets:precompile, and most people also run a release phase of rake db:migrate. Hopefully it will fail there, where people can add the require before it hits runtime.

Another mitigating factor (for rails apps) is Rails does a blanket Bundler.require call so anything in the Gemfile is usually required.

@dentarg

dentarg commented Feb 25, 2021

People won't get bundler 2.2.11 unless they make a new deploy

That's great and good to know 👍🏻

krisrang added a commit to skyltmax/heroku-buildpack-ruby that referenced this issue May 13, 2021
* upstream/main: (52 commits)
  Fix date (heroku#1152)
  Bundler 2.2.16 (heroku#1150)
  v226 (heroku#1149)
  [changelog skip] Remove Heroku-16 from tests: (heroku#1146)
  [close 1135] Update bundler 2.x to 2.2.15 (heroku#1144)
  [changelog skip] Clean up mime magic in repos (heroku#1145)
  Clean up CNB release process (heroku#1139)
  Use correct method name in script heroku#1129 (heroku#1129)
  Post-release updates: heroku/ruby 0.1.0 (heroku#1138)
  Add package.toml (heroku#1137)
  Add CNB release scripts (heroku#1136)
  Release v225 (heroku#1133)
  [close heroku#1126] Update bundler to 2.2.11 (heroku#1132)
  Update buildpack tests (heroku#1131)
  v224 (heroku#1128)
  Use jvm buildpack to install JRuby dependencies (heroku#1119)
  Fix YAML formatting (heroku#1116)
  Rails 2, 3, and 4 LTS tests (heroku#1115)
  v223 (heroku#1114)
  Fail detection with a CNB-friendly exit code (heroku#1112)
  ...