From b278b8e8748d529bd469a092981cb7604de9adf0 Mon Sep 17 00:00:00 2001
From: Tony Hsu
Date: Wed, 22 May 2024 08:53:11 +0200
Subject: [PATCH] Fix Jruby 9.2 & 9.3 with rexml 3.2.6
---
 Gemfile | 2 +-
 appraisal/jruby-9.2.rb | 5 +++++
 appraisal/jruby-9.3.rb | 6 ++++++
 gemfiles/jruby_9.2_aws.gemfile | 2 +-
 gemfiles/jruby_9.2_aws.gemfile.lock | 6 ++----
 gemfiles/jruby_9.3_aws.gemfile | 2 +-
 gemfiles/jruby_9.3_aws.gemfile.lock | 6 ++----
 7 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/Gemfile b/Gemfile
index cd56e2f2d19..1e53700d18a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -71,7 +71,7 @@ gem 'simplecov-html', '~> 0.10.2' if RUBY_VERSION < '2.4.0'
 gem 'warning', '~> 1' if RUBY_VERSION >= '2.5.0'
 gem 'webmock', '>= 3.10.0'
-gem 'rexml', '>= 3.2.7'
+gem 'rexml', '>= 3.2.7' # https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
 gem 'webrick', '>= 1.7.0' if RUBY_VERSION >= '3.0.0' # No longer bundled by default since Ruby 3.0
 if RUBY_VERSION >= '2.3.0'
diff --git a/appraisal/jruby-9.2.rb b/appraisal/jruby-9.2.rb
index 977893178a2..0fb685ce0e6 100644
--- a/appraisal/jruby-9.2.rb
+++ b/appraisal/jruby-9.2.rb
@@ -164,6 +164,11 @@ appraise 'aws' do
 gem 'aws-sdk'
 gem 'shoryuken'
+
+ # https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
+ # `rexml` 3.2.7+ breaks because of strscan incompatibility
+ # `strsan` 3.1.0 does not fix the issue and raise TypeError when StringScanner#scan is given a string instead of Regexp
+ gem 'rexml', '= 3.2.6'
 end
 appraise 'http' do
diff --git a/appraisal/jruby-9.3.rb b/appraisal/jruby-9.3.rb
index ef3171eab24..84bd68667a6 100644
--- a/appraisal/jruby-9.3.rb
+++ b/appraisal/jruby-9.3.rb
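Review bot: The `gem 'rexml', '= 3.2.6'` pin added to the `aws` appraisal in appraisal/jruby-9.2.rb (and again in appraisal/jruby-9.3.rb) holds those bundles on a release below the 3.2.7 floor that the root Gemfile ties to CVE-2024-35176, and the comment never says this is an accepted exception or when it ends. An exact pin stays until someone removes it, so I would add a line such as `# Temporary: 3.2.6 predates the CVE-2024-35176 fix; drop this pin once JRuby can run rexml >= 3.2.7`, and confirm these appraisal bundles only parse XML produced by the test suite. The comment also misspells `strscan` as `strsan` and should read `raises TypeError`. Other `appraise` blocks lie outside the hunk, so whether further JRuby appraisals load rexml and need the same note cannot be checked from here.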
@@ -144,6 +144,12 @@ appraise 'aws' do
 gem 'aws-sdk'
 gem 'shoryuken'
+
+ # https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
+ # `rexml` 3.2.7+ breaks because of strscan incompatibility, which is ported with JRuby 9.3.14.0
+ # `strsan` 3.1.0 does not fix the issue and raise TypeError when StringScanner#scan is given a string instead of Regexp
+ # https://www.jruby.org/2024/02/20/jruby-9-3-14-0
+ gem 'rexml', '= 3.2.6'
 end
 appraise 'http' do
diff --git a/gemfiles/jruby_9.2_aws.gemfile b/gemfiles/jruby_9.2_aws.gemfile
index 37a6a037c86..c91d45eee6a 100644
--- a/gemfiles/jruby_9.2_aws.gemfile
+++ b/gemfiles/jruby_9.2_aws.gemfile
@@ -25,7 +25,7 @@ gem "simplecov", git: "https://github.com/DataDog/simplecov", ref: "3bb6b7ee58bf
 gem "simplecov-cobertura", "~> 2.1.0"
 gem "warning", "~> 1"
 gem "webmock", ">= 3.10.0"
-gem "rexml", ">= 3.2.7"
+gem "rexml", "= 3.2.6"
 gem "yard", "~> 0.9"
 gem "dogstatsd-ruby", ">= 3.3.0", "!= 5.0.0", "!= 5.0.1", "!= 5.1.0"
 gem "aws-sdk"
diff --git a/gemfiles/jruby_9.2_aws.gemfile.lock b/gemfiles/jruby_9.2_aws.gemfile.lock
index 2cc52c87a7f..9c138a581a1 100644
--- a/gemfiles/jruby_9.2_aws.gemfile.lock
+++ b/gemfiles/jruby_9.2_aws.gemfile.lock
@@ -1484,8 +1484,7 @@ GEM rake (13.0.6) rake-compiler (1.2.5) rake - rexml (3.2.8) - strscan (>= 3.0.9) + rexml (3.2.6) rspec (3.12.0) rspec-core (~> 3.12.0) rspec-expectations (~> 3.12.0)
@@ -1520,7 +1519,6 @@ GEM simplecov_json_formatter (0.1.4) spoon (0.0.6) ffi - strscan (3.1.0-java) thor (1.2.2) warning (1.3.0) webmock (3.13.0)
@@ -1550,7 +1548,7 @@ DEPENDENCIES pry-debugger-jruby rake (>= 10.5) rake-compiler (~> 1.1, >= 1.1.1) - rexml (>= 3.2.7) + rexml (= 3.2.6) rspec (~> 3.12) rspec-collection_matchers (~> 1.1) rspec-wait (~> 0)
diff --git a/gemfiles/jruby_9.3_aws.gemfile b/gemfiles/jruby_9.3_aws.gemfile
index c41081ba247..5ded6aaf32e 100644
--- a/gemfiles/jruby_9.3_aws.gemfile
+++ b/gemfiles/jruby_9.3_aws.gemfile
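Review bot: The comment added to the `aws` appraisal in appraisal/jruby-9.3.rb says the strscan incompatibility "is ported with JRuby 9.3.14.0", which does not tell a reader whether that release introduces the break or resolves it. Without that, the condition for lifting the `= 3.2.6` pin is unclear, and the bundle stays below the root Gemfile's rexml floor indefinitely. A wording like `# rexml 3.2.7+ needs a strscan that JRuby <version> does not ship; remove this pin when it does` would make the exit condition explicit, with `<version>` filled in from the linked JRuby release note.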
@@ -25,7 +25,7 @@ gem "simplecov", git: "https://github.com/DataDog/simplecov", ref: "3bb6b7ee58bf
 gem "simplecov-cobertura", "~> 2.1.0"
 gem "warning", "~> 1"
 gem "webmock", ">= 3.10.0"
-gem "rexml", ">= 3.2.7"
+gem "rexml", "= 3.2.6"
 gem "yard", "~> 0.9"
 gem "rubocop", "~> 1.50.0", require: false
 gem "rubocop-packaging", "~> 0.5.2", require: false
diff --git a/gemfiles/jruby_9.3_aws.gemfile.lock b/gemfiles/jruby_9.3_aws.gemfile.lock
index 0a42fec362e..43363e38058 100644
--- a/gemfiles/jruby_9.3_aws.gemfile.lock
+++ b/gemfiles/jruby_9.3_aws.gemfile.lock
@@ -1493,8 +1493,7 @@ GEM rake-compiler (1.2.5) rake regexp_parser (2.8.1) - rexml (3.2.8) - strscan (>= 3.0.9) + rexml (3.2.6) rspec (3.12.0) rspec-core (~> 3.12.0) rspec-expectations (~> 3.12.0)
@@ -1552,7 +1551,6 @@ GEM simplecov_json_formatter (0.1.4) spoon (0.0.6) ffi - strscan (3.1.0-java) thor (1.2.2) unicode-display_width (2.4.2) warning (1.3.0)
@@ -1583,7 +1581,7 @@ DEPENDENCIES pry-debugger-jruby rake (>= 10.5) rake-compiler (~> 1.1, >= 1.1.1) - rexml (>= 3.2.7) + rexml (= 3.2.6) rspec (~> 3.12) rspec-collection_matchers (~> 1.1) rspec-wait (~> 0)