CVE-2019-16892 + #49

- updated rubyzip to fix a security issue - updated axlsx and file writing method as a possible fix for #49
2025-01-17 06:52:27 +01:00 · 2019-10-21 16:11:49 +02:00 · 2019-10-21 16:11:49 +02:00 · fdcec06345
commit fdcec06345
parent 36a15fb364
4 changed files with 29 additions and 31 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,9 @@
 # Changelog Fab Manager

+- Updated axlsx gem to caxlsx 3.0
+- Updated axlsx_rails to 0.6.0 
+- Fix a security issue: updated rubyzip to 1.3.0 to fix [CVE-2019-16892](https://nvd.nist.gov/vuln/detail/CVE-2019-16892)
+
 ## v4.2.0 2019 October 21

 - Upgraded PostgreSQL from 9.4 to 9.6
@ -12,7 +16,7 @@
 - Ability to bulk-import members from a CSV file
 - Ability to disable invoices generation and interfaces
 - Added a known issue to the README (#152)
- Ability to fully rebuild the projets index in ElasticSearch with rake fablab:es:build_projects_index
+- Ability to fully rebuild the projets index in ElasticSearch with `rake fablab:es:build_projects_index`
 - Ability to configure SMTP connection to use SMTP/TLS
 - Updated user's manual for v4.2 (fr)
 - Fix a bug: invoices with total = 0, are marked as paid on site even if paid by card
@ -24,7 +28,7 @@
 - Fix a bug: missing asterisks on some required fields in profile_complete form 
 - Fix a bug: public calendar won't show anything if the current date range include a reserved space availability (#151)
 - Fix a bug: invoices list is not shown by default in "manage invoices" section
- Fix a bug: unable to run rake fablab:es:* tasks due to an issue with gem faraday 0.16.x (was updated to 0.17)
+- Fix a bug: unable to run rake `fablab:es:*` tasks due to an issue with gem faraday 0.16.x (was updated to 0.17)
 - Fix a bug: unauthorized user can see the edit project form
 - Fix a bug: do not display each days in invoices for multiple days event reservation 
 - Fix a security issue: fixed [CVE-2015-9284](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284)
--- a/4
+++ b/4
@ -140,9 +140,9 @@ gem 'apipie-rails'
 gem 'has_secure_token'

 # XLS files generation
-gem 'axlsx', git: 'https://github.com/randym/axlsx', branch: 'master'
 gem 'axlsx_rails'
-gem 'rubyzip', '>= 1.2.2'
+gem 'caxlsx'
+gem 'rubyzip', '>= 1.3.0'

 gem 'rack-protection', '1.5.5'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -1,14 +1,3 @@
-GIT
-  remote: https://github.com/randym/axlsx
-  revision: c593a08b2a929dac7aa8dc418b55e26b4c49dc34
-  branch: master
-  specs:
-    axlsx (3.0.0.pre)
-      htmlentities (~> 4.3, >= 4.3.4)
-      mimemagic (~> 0.3)
-      nokogiri (~> 1.8, >= 1.8.2)
-      rubyzip (~> 1.2, >= 1.2.1)
-
 GEM
  remote: https://rubygems.org/
  specs:
@ -67,9 +56,9 @@ GEM
      descendants_tracker (~> 0.0.4)
      ice_nine (~> 0.11.0)
      thread_safe (~> 0.3, >= 0.3.1)
-    axlsx_rails (0.4.0)
-      axlsx (>= 2.0.1)
-      rails (>= 3.1)
+    axlsx_rails (0.6.0)
+      actionpack (>= 3.1)
+      caxlsx (>= 3.0)
    bcrypt (3.1.13)
    binding_of_caller (0.7.3)
      debug_inspector (>= 0.0.1)
@ -85,6 +74,11 @@ GEM
      activesupport (>= 3.2.0)
      json (>= 1.7)
      mime-types (>= 1.16)
+    caxlsx (3.0.0)
+      htmlentities (~> 4.3, >= 4.3.4)
+      mimemagic (~> 0.3)
+      nokogiri (~> 1.8, >= 1.8.2)
+      rubyzip (~> 1.2, >= 1.2.1)
    chroma (0.0.1)
    chunky_png (1.3.4)
    cldr-plurals-runtime-rb (1.0.1)
@ -116,7 +110,7 @@ GEM
      tins (>= 1.6.0, < 2)
    crack (0.4.3)
      safe_yaml (~> 1.0.0)
-    crass (1.0.4)
+    crass (1.0.5)
    daemons (1.2.4)
    database_cleaner (1.4.1)
    debug_inspector (0.0.3)
@ -214,7 +208,7 @@ GEM
      actionpack (>= 3.0.0)
      activesupport (>= 3.0.0)
    libv8 (3.16.14.19)
-    loofah (2.2.3)
+    loofah (2.3.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    mail (2.7.1)
@ -232,17 +226,17 @@ GEM
    message_format (0.0.3)
      twitter_cldr (~> 3.1)
    mime-types (2.99.3)
-    mimemagic (0.3.2)
+    mimemagic (0.3.3)
    mini_magick (4.9.4)
-    mini_mime (1.0.1)
+    mini_mime (1.0.2)
    mini_portile2 (2.4.0)
-    minitest (5.11.3)
+    minitest (5.12.2)
    minitest-reporters (1.1.8)
      ansi
      builder
      minitest (>= 5.0)
      ruby-progressbar
-    multi_json (1.13.1)
+    multi_json (1.14.1)
    multi_xml (0.6.0)
    multipart-post (2.1.1)
    naught (1.1.0)
@ -317,8 +311,8 @@ GEM
      activesupport (>= 4.2.0, < 5.0)
      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.2.0)
-      loofah (~> 2.2, >= 2.2.2)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
    rails-observers (0.1.2)
      activemodel (~> 4.0)
    rails_12factor (0.0.3)
@ -332,7 +326,7 @@ GEM
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    rainbow (3.0.0)
-    rake (12.3.3)
+    rake (13.0.0)
    rb-fsevent (0.9.4)
    rb-inotify (0.9.5)
      ffi (>= 0.5.0)
@ -359,7 +353,7 @@ GEM
      unicode-display_width (~> 1.4.0)
    ruby-progressbar (1.7.5)
    ruby-rc4 (0.1.5)
-    rubyzip (1.2.2)
+    rubyzip (1.3.0)
    safe_yaml (1.0.4)
    sass (3.4.13)
    sass-rails (5.0.1)
@ -483,11 +477,11 @@ DEPENDENCIES
  api-pagination
  apipie-rails
  awesome_print
-  axlsx!
  axlsx_rails
  bootstrap-sass (>= 3.4.1)
  byebug
  carrierwave
+  caxlsx
  chroma
  compass-rails (= 2.0.4)
  coveralls
@ -536,7 +530,7 @@ DEPENDENCIES
  responders (~> 2.0)
  rolify
  rubocop (~> 0.61.1)
-  rubyzip (>= 1.2.2)
+  rubyzip (>= 1.3.0)
  sass-rails (= 5.0.1)
  sdoc (~> 0.4.0)
  seed_dump
--- a/app/services/statistics_export_service.rb
+++ b/app/services/statistics_export_service.rb
@ -76,7 +76,7 @@ class StatisticsExportService

        content = av.render template: 'exports/statistics_current.xlsx.axlsx'
        # write content to file
-        File.open(export.file,"w+b") {|f| f.puts content }
+        File.open(export.file,"w+b") { |f| f.write content }
      end
    }, __FILE__, __LINE__ - 35
  end