loading...
Cover image for Fixing github vulnerabilities in your Rails app

Fixing github vulnerabilities in your Rails app

nkemjiks profile image Mbonu Blessing ・3 min read

Github repo with alerts

Hi everyone,

I am sure the image above looks very familiar so I am going to be showing how I fix my Github vulnerabilities quickly and correctly. I always had issues fixing them and it took me a while to figure it out so I hope it helps someone out there.

Github vulnerabilities alert

Some vulnerabilities are fairly simpler to fix while others might need a rails version upgrade. I will be using the screenshot above for reference. It's from one of my repos using Rails 6.

We can see from the image that the severity of each vulnerability is stated and the high severity vulnerabilities need to be fixed as soon as possible to stop your app from been vulnerable. You can set GitHub to fix these vulnerabilities but you still probably need to test it out to make sure your app still works fine.

I have 9 alerts i.e. 9 gems to fix. Two are reported from yarn.lock and seven from Gemfile.lock.

Fixing the Yarn.lock vulnerabilities

Lodash and websocket-extensions

Click on the alert to view more information about it. As you can see, Github's dependabot already created to PR to fix it for me but I will close that and fix it the manual way.

Lodash vulnerability alert

First, open the repo on your code editor and go to that file. Next, search for the package and delete it. Here is mine:

Lodash package in yarn.lock file

websocket-extensions package in yarn.lock file

We need to bump websocket-extensions from 0.1.3 to 0.1.4 and Lodash from 4.17.15 to 4.17.19.

Run yarn install and this should reinstall an updated version of those packages.

Updated websocket-extensions package in yarn.lock file

Updated Lodash package in yarn.lock file

Notice the versions have changed.

Fixing the Gemfile.lock vulnerabilities

We have vulnerabilities reported for actionview, activesupport, actionpack and activestorage which can only be fixed by bumping the rails version. Let's try to fix that first as it might bump the versions of the other gem vulnerability. Update the rails version in the Gemfile.

source "https://rubygems.org"
git_source(:github) { |repo| "https://github.com/#{repo}.git" }

ruby "2.6.3"

gem "rails", "~> 6.0.3.2"
$ bundle update --patch rails

Run the above command in your terminal to update all things rails related to the next patch version. Always check that the actionview, activesupport etc. gem version is the same with the Rails version in your Gemfile.

P.S: In some cases, a workaround is usually given when a version upgrade is not feasible. For example, actionview recommended a workaround if you can't upgrade yet.

Actionview workaround on github

For other vulnerable gems not listed in the Gemfile, using the bundle update --patch <gem_name> pattern should fix them too.

The rails upgrade fixed the rack and websocket-extensions gems. We only have puma left to fix.

$ bundle update --patch puma

The command above will update the puma gem and we are good to go. Push your changes to your repo and you should have no alerts.

Github repo with no alert

React to the post or leave a comment if this article helped you.

Until next week...

Posted on by:

nkemjiks profile

Mbonu Blessing

@nkemjiks

Full Stack developer @Execonline and @Andela | Languages: Javascript and Ruby | Libraries: React and Ruby on Rails | Love to learn: Flutter

Discussion

markdown guide