
afinetooth / coveralls-test-travis
48%

Build:
DEFAULT BRANCH: master
Repo Added 07 Apr 2020 06:46PM UTC
Files 9
LAST BUILD ON BRANCH master
branch: master
  • master
  • dependabot/bundler/puma-4.3.5
  • dependabot/bundler/rack-2.2.3
  • dependabot/bundler/websocket-extensions-0.1.5
  • dependabot/npm_and_yarn/elliptic-6.5.3
  • dependabot/npm_and_yarn/elliptic-6.5.4
  • dependabot/npm_and_yarn/http-proxy-1.18.1
  • dependabot/npm_and_yarn/ini-1.3.8
  • dependabot/npm_and_yarn/lodash-4.17.19
  • dependabot/npm_and_yarn/websocket-extensions-0.1.4
  • develop
  • security-update-20200606

pending completion
40

push

travis-ci

web-flow
Dependabot security update; Dependabot could not fix. Requesting update to active support, but no Gemfile entry for active support, only Rails. Updating Rails to => 6.0.3.1. (#7)

Details
CVE-2020-8165
high severity
Vulnerable versions: >= 6.0.0, <= 6.0.3
Patched version: 6.0.3.1
In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

    data = cache.fetch("demo", raw: true) { untrusted_string }

Impact
Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds
It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.

13 of 27 relevant lines covered (48.15%)

0.48 hits per line

Source Files on master
Detailed source file information is not available for this build.

Recent builds

Builds | Branch | Commit | Type | Ran | Committer | Via | Coverage
40 | master | Dependabot security update; Dependabot could not fix. Requesting update to active support, but no Gemfile entry for active support, only Rails. Updating Rails to => 6.0.3.1. (#7) Details CVE-2020-8165 high severity Vulnerable versions: >= 6.0.... | push | 06 Jun 2020 04:37PM UTC | web-flow | travis-ci | pending completion
37 | master | Bump websocket-extensions from 0.1.3 to 0.1.4 (#6) Bumps [websocket-extensions](https://github.com/faye/websocket-extensions-node) from 0.1.3 to 0.1.4. - [Release notes](https://github.com/faye/websocket-extensions-node/releases) - [Changelog](... | push | 06 Jun 2020 04:19PM UTC | web-flow | travis-ci | pending completion
34 | master | Bump websocket-extensions from 0.1.4 to 0.1.5 (#5) Bumps [websocket-extensions](https://github.com/faye/websocket-extensions-ruby) from 0.1.4 to 0.1.5. - [Release notes](https://github.com/faye/websocket-extensions-ruby/releases) - [Changelog](... | push | 06 Jun 2020 04:14PM UTC | web-flow | travis-ci | pending completion
33 | master | Bump puma from 4.3.3 to 4.3.5 (#4) Bumps [puma](https://github.com/puma/puma) from 4.3.3 to 4.3.5. - [Release notes](https://github.com/puma/puma/releases) - [Changelog](https://github.com/puma/puma/blob/master/History.md) - [Commits](https://... | push | 06 Jun 2020 04:13PM UTC | web-flow | travis-ci | pending completion
32 | master | Update README | push | 06 Jun 2020 04:13PM UTC | web-flow | travis-ci | pending completion
23 | master | Update README Change coveralls badge to main repo badge. | push | 08 Apr 2020 09:02PM UTC | web-flow | travis-ci | pending completion
22 | master | BDD first feature (PR #2) ### Setup * Scaffold new rails app. * Install dependencies. * Configure generators. * Install dependencies (Gemfile.lock). * Replace factory_girl_rails with factory_bot_rails. * Migrate database for the first tim... | push | 08 Apr 2020 08:59PM UTC | web-flow | travis-ci | pending completion
See All Builds (37)