chore: Ruby 3.4 upgrade and full dependency security update#607
Open
chore: Ruby 3.4 upgrade and full dependency security update#607
Conversation
Ruby 3.2.2 reached EOL in March 2025. Upgrading to 3.4.9, the latest actively supported Ruby release. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Key security updates: - httparty 0.21.0 → 0.24.2 (fixes SSRF vulnerability) - faraday 2.13.1 → 2.14.1 (fixes SSRF via protocol-relative URL) - rexml 3.3.9 → 3.4.4 (fixes DoS via malformed XML) - sanitize 6.0.2 → 6.1.3 Also updates all other gems to latest compatible versions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
….4 compat Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Rubocop 1.42 → 1.86 introduces many new cops. Regenerated the todo file to capture pre-existing offenses. No code changes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Node.js 20 actions are deprecated and will be forced to Node.js 24 starting June 2026. Updating checkout action across all workflows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
JSON.dump triggers a fallback code path in the json gem's C extension that interacts badly with ActiveSupport's to_json monkey-patches when serializing large objects. JSON.generate avoids this path and is the recommended approach for data serialization. This fixes a segfault in the AWS Inspector2 tests where 19 batches of vulnerability data accumulated in memory. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
simplecov-cobertura 2.1.0 crashes with rexml 3.4.4 when generating
Cobertura XML coverage reports ("Malformed XML: No root element").
Version 3.1.0 fixes this compatibility issue.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CodeQL flagged write_file and write_file_stream as vulnerable to path traversal via user-provided directory/filename parameters. Added safe_output_path helper that uses File.basename to strip directory components from filenames and File.expand_path to verify the resolved path stays within the intended output directory. Fixes https://github.com/KennaSecurity/toolkit/security/code-scanning/20 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #607 +/- ##
==========================================
+ Coverage 35.47% 35.56% +0.09%
==========================================
Files 128 128
Lines 8465 8463 -2
==========================================
+ Hits 3003 3010 +7
+ Misses 5462 5453 -9 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Covers the new path sanitization logic to satisfy codecov/patch check. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add tests for write_file method (was untested) - Mark the defensive raise in safe_output_path as :nocov: since File.basename already prevents traversal from reaching it Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hey team! I was cleaning up some of my old PRs and noticed this repo hasn't had much dependency love recently. Ruby 3.2 hit EOL back in March 2025, and bundle-audit was flagging a few CVEs, so I figured it was time for a thorough refresh.
Ruby & Gem Updates
~>pessimistic operators to all gems to prevent surprise major version bumps on futurebundle installrunsSecurity Fixes
write_fileandwrite_file_streaminlib/helpers.rb(flagged by CodeQL)Bug Fixes
JSON.dump(obj, file)withFile.write(path, JSON.generate(obj))inwrite_file_streamto fix a segfault caused by json gem's C extension interacting with ActiveSupport'sto_jsonmonkey-patches on large objectsCI & Infrastructure
ruby:3.4, removed stale CVE workarounds for uri/time gemsbundle-auditinvocation viaruby/setup-ruby.rubocop_todo.ymlfor new copsTest Results
All CI checks pass:
bundle-audit check --update— no vulnerabilitiesbundle exec rubocop— no offensesTest plan
bundle exec rspec— 234 examples, 0 failuresbundle exec ruby toolkit.rb task=help— smoke test passesbundle-audit check --update— no vulnerabilities foundbundle exec rubocop— no offenses detecteddocker build -t toolkit-test .✅🤖 Generated with Claude Code