Conversation

@sbarrio
Contributor

@sbarrio sbarrio commented Jun 5, 2025

What does this PR do?

Dependabot has notified us of a security issue that could cause Denial of Service attacks related to rexml on both of our example apps. Bumping it to 3.3.6 solves the problem.

From https://github.com/DataDog/dd-sdk-reactnative/security/dependabot/10

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have the same local name attributes.

If you need to parse untrusted XML with a tree parser API like REXML::Document.new, you may be impacted by this vulnerability. If you use other parser APIs such as the stream parser API and the SAX2 parser API, you are not affected by this vulnerability.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests
  • Make sure you discussed the feature or bugfix with the maintaining team in an Issue
  • Make sure each commit and the PR mention the Issue number (cf the CONTRIBUTING doc)
  • If this PR is auto-generated, please make sure also to manually update the code related to the change
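Two checks a reviewer of this kind of bump might want, as an added example that is not part of this PR or the dd-sdk-reactnative project: a reader for a Gemfile.lock that reports whether the pinned rexml is older than the fixed 3.3.6, and a small listener built on the REXML stream parser API (the API the advisory text describes as unaffected, because it does not build a tree) with a nesting-depth cap for untrusted input. The Gemfile.lock excerpt and the XML document are constructed sample inputs; the lockfile regex assumes the standard four-space indentation Bundler writes under `specs:`.

```ruby
require "rubygems"
require "rexml/document"
require "rexml/parsers/streamparser"
require "rexml/streamlistener"

# First rexml release that fixes the advisory quoted in the PR description.
REXML_FIXED_VERSION = Gem::Version.new("3.3.6")

# Constructed Gemfile.lock excerpt (not taken from the repository).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rexml (3.2.8)
        strscan (>= 3.0.9)
      strscan (3.1.0)
LOCK

# Return the version a Gemfile.lock pins for gem_name, or nil if it is absent.
# Bundler lists resolved specs with four leading spaces; their dependencies
# use six, so the anchor on exactly four spaces avoids matching "rexml (>= 3.0)"
# style dependency lines.
def locked_gem_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# True when the lockfile pins a rexml older than the fixed release.
# A lockfile without rexml is reported as not vulnerable.
def rexml_lock_vulnerable?(lockfile_text)
  version = locked_gem_version(lockfile_text, "rexml")
  !version.nil? && version < REXML_FIXED_VERSION
end

# Stream listener that counts elements and tracks nesting depth without
# building a document tree. The depth cap is an assumed, arbitrary limit
# chosen for this example; pick one that fits the documents you expect.
class CountingListener
  include REXML::StreamListener

  MAX_DEPTH = 256

  attr_reader :element_count, :max_depth

  def initialize
    @element_count = 0
    @depth = 0
    @max_depth = 0
  end

  def tag_start(_name, _attrs)
    @element_count += 1
    @depth += 1
    raise "XML nesting deeper than #{MAX_DEPTH}" if @depth > MAX_DEPTH
    @max_depth = @depth if @depth > @max_depth
  end

  def tag_end(_name)
    @depth -= 1
  end
end

# Parse xml with the stream API and report element count and maximum depth.
def stream_stats(xml)
  listener = CountingListener.new
  REXML::Parsers::StreamParser.new(xml, listener).parse
  { elements: listener.element_count, max_depth: listener.max_depth }
end

# Constructed sample document: root > a > b, plus a sibling c under root.
SAMPLE_XML = '<root><a id="1"><b id="2"/></a><c/></root>'

if __FILE__ == $PROGRAM_NAME
  puts "locked rexml: #{locked_gem_version(SAMPLE_LOCKFILE, 'rexml')}"
  puts "vulnerable:   #{rexml_lock_vulnerable?(SAMPLE_LOCKFILE)}"
  puts "stream stats: #{stream_stats(SAMPLE_XML)}"
  puts "loaded rexml: #{REXML::VERSION}"
end
```

The lockfile check is the piece that belongs in CI for a repository with several example apps, since each app carries its own Gemfile.lock and a bump in one does not fix the others. The stream listener is the shape of parser to reach for when untrusted XML has to be parsed at all; the depth cap gives a hard failure instead of unbounded work.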

@sbarrio sbarrio marked this pull request as ready for review June 5, 2025 16:33
@sbarrio sbarrio requested a review from a team as a code owner June 5, 2025 16:33
@sbarrio sbarrio changed the title Bump rexml to 3.3.6 on example apps to avoid security issues Bump rexml to 3.3.6 on example apps to avoid potential DoS issues Jun 5, 2025
@sbarrio sbarrio changed the title Bump rexml to 3.3.6 on example apps to avoid potential DoS issues Bump rexml to 3.3.6 on example apps to avoid potential DoS vulnerability Jun 5, 2025
@datadog-datadog-prod-us1

Datadog Report

Branch report: sbarrio/fix/security-dependency-rexml
Commit report: 53d219a
Test service: dd-sdk-reactnative

✅ 0 Failed, 663 Passed, 1 Skipped, 3.75s Total Time

@sbarrio sbarrio self-assigned this Jun 6, 2025
@sbarrio sbarrio merged commit 9806e6a into develop Jun 17, 2025
10 checks passed
@sbarrio sbarrio deleted the sbarrio/fix/security-dependency-rexml branch June 17, 2025 09:21