
Added two Rack vulnerabilities #1000

Merged
postmodern merged 1 commit into rubysec:master from jamgregory:rack-vulns
Feb 23, 2026

Conversation

@jamgregory (Contributor)

I've added two new Rack vulnerabilities that GitHub security scanning has alerted me to.

Hopefully these files are OK (they've passed the required tests)

@postmodern (Member) left a comment

YAML formatting is a bit off.

url: https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
title: Rack has a Directory Traversal via Rack::Directory
date: 2026-02-17
description: "## Summary\n\n`Rack::Directory`’s path check used a string prefix match

description: should be block text, not a quoted string. It appears that code blocks can confuse YAML's formatting.

patched_versions:
- "~> 2.2.22"
- "~> 3.1.20"
- ">= 3.2.5"

YAML Array elements should be indented by two spaces.

url:
- https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
- https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
- https://github.com/advisories/GHSA-mxw3-3hh2-x2mh

YAML Array elements should be indented by two spaces.

patched_versions:
- "~> 2.2.22"
- "~> 3.1.20"
- ">= 3.2.5"

YAML Array elements should be indented by two spaces.

url:
- https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
- https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
- https://github.com/advisories/GHSA-whrj-4476-wvmp

YAML Array elements should be indented by two spaces.

@jasnow (Contributor) commented Feb 19, 2026

Known issue - hopefully the GHSA sync script could be changed to make this problem go away.

@jamgregory (Contributor, Author)

Thanks for the review @postmodern. I'd just gone with what the sync script had generated because it looked correct at the time, but I've updated them to match the expected style so hopefully they're correct now 🤞

@jasnow (Contributor) commented Feb 23, 2026

Run "yamllint" and "rake" is what I use to check.
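The two style points raised in review (block-scalar `description:`, two-space-indented array elements) are raw-text properties that disappear once the YAML is parsed, so a parse-only check such as a schema test will not catch them. Below is an added example of a small checker that tests both the raw text and the parsed document; it is not code from ruby-advisory-db, its Rakefile, yamllint or the GHSA sync script. The two sample advisories are constructed for the example: the `gem:` key and the description text are assumptions, and only the URL, title, date and patched versions come from the PR above.

```ruby
require 'yaml'
require 'date'
require 'rubygems'

# Constructed sample advisory in the shape the reviewer asked for:
# description as a block scalar, array elements indented two spaces.
# The gem: key and the description text are assumptions for this example.
GOOD_ADVISORY = <<~'YAML'
  ---
  gem: rack
  url: https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
  title: Rack has a Directory Traversal via Rack::Directory
  date: 2026-02-17
  description: |
    ## Summary

    Placeholder text standing in for the advisory body; a block scalar keeps
    headings, blank lines and `Rack::Directory` backticks readable as-is.
  patched_versions:
    - "~> 2.2.22"
    - "~> 3.1.20"
    - ">= 3.2.5"
YAML

# The same advisory with the two problems flagged in review: a double-quoted
# description carrying \n escapes, and array elements at column 0.
BAD_ADVISORY = <<~'YAML'
  ---
  gem: rack
  url: https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
  title: Rack has a Directory Traversal via Rack::Directory
  date: 2026-02-17
  description: "## Summary\n\nPlaceholder text with `Rack::Directory` backticks.\n"
  patched_versions:
  - "~> 2.2.22"
  - "~> 3.1.20"
  - ">= 3.2.5"
YAML

# Raw-text rule 1: a sequence item at column 0 is not indented under its key.
def check_array_indentation(text)
  offenses = []
  text.each_line.with_index(1) do |line, n|
    offenses << "line #{n}: array element not indented (expected two spaces)" if line.start_with?('- ')
  end
  offenses
end

# Raw-text rule 2: description must be a block scalar (| or >), not a quoted
# string, so markdown headings and code stay readable in the file itself.
def check_description_style(text)
  line = text.each_line.find { |l| l.start_with?('description:') }
  return ['description: key missing'] unless line

  value = line.sub('description:', '').strip
  return [] if value.start_with?('|', '>')

  ["description: should be block text (| or >), got #{value[0, 20].inspect}"]
end

# Parsed-document rules: every patched_versions entry must be a valid
# Gem::Requirement, the date must parse as a YAML date, the url must be https.
def check_semantics(text)
  doc = YAML.safe_load(text, permitted_classes: [Date])
  offenses = []
  Array(doc['patched_versions']).each do |req|
    Gem::Requirement.new(req)
  rescue Gem::Requirement::BadRequirementError
    offenses << "patched_versions: invalid requirement #{req.inspect}"
  end
  offenses << 'date: not a valid YAML date' unless doc['date'].is_a?(Date)
  offenses << 'url: must be https' unless doc['url'].to_s.start_with?('https://')
  offenses
end

# Runs all three checks over one advisory file's text; empty array means clean.
def lint_advisory(text)
  check_array_indentation(text) + check_description_style(text) + check_semantics(text)
end

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_ADVISORY, 'bad' => BAD_ADVISORY }.each do |name, text|
    puts "#{name}: #{lint_advisory(text).inspect}"
  end
end
```

The raw-text checks deliberately do not go through the YAML parser, because both the quoted description and the column-0 list items are valid YAML and load to exactly the same Ruby objects as the correctly formatted file; the parsed-document checks are the ones that would catch a version constraint the sync script mangled.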

@postmodern postmodern merged commit 23d78a1 into rubysec:master Feb 23, 2026
1 check passed
@jamgregory jamgregory deleted the rack-vulns branch February 24, 2026 10:31
3 participants