zync
🚨 [security] Update message_bus: 2.2.3 → 3.3.7 (major)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ message_bus (2.2.3 → 3.3.7) · Repo · Changelog
Security Advisories 🚨
🚨 Path traversal when MessageBus::Diagnostics is enabled
Impact
Users who deployed message bus with diagnostics features enabled (default off) were vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application, as the number of steps up the directories is not bounded. For deployments which use a proxy, the impact varies. For example, if a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels.
Workarounds
Disable MessageBus::Diagnostics in production-like environments.
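As an added illustration (not message_bus's own code), this is the kind of check a file-serving route such as the diagnostics route needs: resolve the client-supplied path under a fixed base directory and refuse anything that escapes it, however many steps up are supplied and whether or not a proxy collapses duplicate slashes. The helper name, the directory layout and the sample files are assumptions constructed for the example.

```ruby
require "uri"
require "tmpdir"
require "fileutils"

# Resolve a client-supplied relative path against +base+ and return the
# real file path only if it stays inside +base+; otherwise return nil.
# (Hypothetical helper for this example, not a message_bus API.)
def safe_asset_path(base, requested)
  decoded = URI.decode_www_form_component(requested.to_s) # "%2e%2e" -> ".."
  # Absolute paths, "~" home expansion and NUL bytes are never legitimate here.
  return nil if decoded.start_with?("/", "~") || decoded.include?("\0")
  base_real = File.realpath(base)
  # Lexical normalisation collapses "//", "." and ".." (any number of them).
  candidate = File.expand_path(decoded, base_real)
  inside = ->(p) { p == base_real || p.start_with?(base_real + File::SEPARATOR) }
  return nil unless inside.call(candidate)
  # Resolve symlinks too, so a link inside base cannot point back outside it.
  real = File.realpath(candidate)
  inside.call(real) && File.file?(real) ? real : nil
rescue ArgumentError, SystemCallError # bad %-encoding or missing path
  nil
end

# Constructed sample tree for the demo: <tmp>/public/cpu.json is servable,
# <tmp>/secret.txt one level up must never be reachable.
def demo
  Dir.mktmpdir do |root|
    base = File.join(root, "public")
    FileUtils.mkdir_p(base)
    File.write(File.join(base, "cpu.json"), "{}")
    File.write(File.join(root, "secret.txt"), "constructed secret")
    {
      plain:     !safe_asset_path(base, "cpu.json").nil?,
      dotdot:    safe_asset_path(base, "../secret.txt"),
      encoded:   safe_asset_path(base, "%2e%2e/secret.txt"),
      slashes:   safe_asset_path(base, "..//..//..//secret.txt"),
      inside_up: !safe_asset_path(base, "sub/../cpu.json").nil?
    }
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

The lexical check alone already bounds traversal; the second check after `realpath` additionally closes the symlink case that a purely string-based guard misses.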
Release Notes
3.3.7 (from changelog)
- FIX: Prevent simple polling from clobbering the session
- SECURITY: Fix path traversal on diagnostics route.
3.3.6 (from changelog)
- FEATURE: Introduce support for transport codecs
- FIX: event subscription leak in JS after start/stop/start sequence
- FEATURE: MessageBus.onVisibilityChange() can be used to trigger a visibility change check by hand
3.3.5 (from changelog)
- PERF: Optimised CORS preflight handling
- FEATURE: Enable CORS preflight caching
- FEATURE: Removed trailing cache buster from message bus polls
- PERF: Improved delay poll timeout for cases where a tab moves in and out of the background
3.3.4 (from changelog)
- FIX: Remove trailing comma incorrectly added in ec60d8865.
3.3.3 (from changelog)
- FIX: `queue_in_memory` option not being passed to the backends.
- FIX: `MessageBus::DistributedCache#publish` should raise on error. On the redis backend, any errors encountered during `MessageBus#publish` will add the message into an in memory queue and silently swallow the error. While this behavior is OK for normal message_bus usage, it may lead to inconsistency when using `DistributedCache`. If a process doesn't publish successfully to another process, it will still update its in memory cache, leaving the other processes unaware. As such, the distributed cache is out of sync and will require another successful write to the cache to resync all the caches.
3.3.2 (from changelog)
- FIX: In the JavaScript client throw when lastId is given but is not a number.
- FEATURE: raise when attempting to publish to invalid targets
- Log when DistributedCache encounters an error when publishing.
3.3.1 (from changelog)
- FIX: Disconnect Redis conn when rescuing errors in global subscribe.
- FIX: `MessageBus::Backends::Redis#global_subscribe` not closing Redis connections.
3.2.0 (from changelog)
- FIX: compatibility with Rails 6.0.3. Note: apps without ActionDispatch::Flash may stop working after this upgrade; to correct this, disable middleware injection with `config.skip_message_bus_middleware = true` and configure middleware by hand with `app.middleware.use(MessageBus::Rack::Middleware)`
3.1.0 (from changelog)
- FEATURE: `MessageBus#register_client_message_filter` to register a custom filter so that messages can be inspected and filtered away from clients.
3.0.0 (from changelog)
- Drop support for Ruby 2.3
- FIX: Don't publish message to intersection of `user_ids` and `group_ids` - instead use the union; this is a behavior change, hence a new major release.
2.2.4 (from changelog)
- FEATURE: shouldLongPollCallback optional setting which allows overriding decision about long polling
Does any of this look wrong? Please let us know.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase: Rebases against your default branch and redoes this update
- @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
- @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
- @depfu close: Closes this PR and deletes the branch
- @depfu reopen: Restores the branch and reopens this PR (if it's closed)
- @depfu pause: Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)