Fix Jruby 9.2 & 9.3 with rexml 3.2.6

DataDog · May 22, 2024 · b278b8e · b278b8e
1 parent ca21fd3
commit b278b8e
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 11 deletions.
diff --git a/Gemfile b/Gemfile
@@ -71,7 +71,7 @@ gem 'simplecov-html', '~> 0.10.2' if RUBY_VERSION < '2.4.0'
 gem 'warning', '~> 1' if RUBY_VERSION >= '2.5.0'
 gem 'webmock', '>= 3.10.0'
 
-gem 'rexml', '>= 3.2.7'
+gem 'rexml', '>= 3.2.7' # https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
 
 gem 'webrick', '>= 1.7.0' if RUBY_VERSION >= '3.0.0' # No longer bundled by default since Ruby 3.0
 if RUBY_VERSION >= '2.3.0'

diff --git a/appraisal/jruby-9.2.rb b/appraisal/jruby-9.2.rb
@@ -164,6 +164,11 @@
 appraise 'aws' do
   gem 'aws-sdk'
   gem 'shoryuken'
+
+  # https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
+  # `rexml` 3.2.7+ breaks because of strscan incompatibility
+  # `strsan` 3.1.0 does not fix the issue and raise TypeError when StringScanner#scan is given a string instead of Regexp
+  gem 'rexml', '= 3.2.6'
 end
 
 appraise 'http' do

diff --git a/appraisal/jruby-9.3.rb b/appraisal/jruby-9.3.rb
@@ -144,6 +144,12 @@
 appraise 'aws' do
   gem 'aws-sdk'
   gem 'shoryuken'
+
+  # https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
+  # `rexml` 3.2.7+ breaks because of strscan incompatibility, which is ported with JRuby 9.3.14.0
+  # `strsan` 3.1.0 does not fix the issue and raise TypeError when StringScanner#scan is given a string instead of Regexp
+  # https://www.jruby.org/2024/02/20/jruby-9-3-14-0
+  gem 'rexml', '= 3.2.6'
 end
 
 appraise 'http' do

diff --git a/gemfiles/jruby_9.2_aws.gemfile b/gemfiles/jruby_9.2_aws.gemfile
diff --git a/gemfiles/jruby_9.2_aws.gemfile.lock b/gemfiles/jruby_9.2_aws.gemfile.lock
diff --git a/gemfiles/jruby_9.3_aws.gemfile b/gemfiles/jruby_9.3_aws.gemfile
diff --git a/gemfiles/jruby_9.3_aws.gemfile.lock b/gemfiles/jruby_9.3_aws.gemfile.lock