  2. 3

    I like the Moderation Log for this post:

    Story: Rails Asset Pipeline Directory Traversal Vulnerability (CVE-2018-3760)
    Action: changed tags from “ruby” to “ruby security web”
    Reason: Adding a couple tags… after checking the Lobsters production.rb.

    1. 2

      This is the first time Heroku has ever been able to detect configuration options and block a deploy for a vulnerability like this.

      1. 1

        Is there a particular reason for it being a first? Also thanks for the write up and the fixes!

        1. 2

          > Is there a particular reason for it being a first? Also thanks for the write up and the fixes!

          We’ve never had the capability before. I just added the code to detect configuration via rails runner recently: https://github.com/heroku/heroku-buildpack-ruby/pull/758.
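The buildpack check discussed above runs `rails runner` against the live app. As an added example (not Heroku's or Lobsters' code), here is an offline version of the same exposure check for CVE-2018-3760: it reads the locked sprockets version from `Gemfile.lock` text and looks for an uncommented `config.assets.compile = true` in `production.rb`, assuming the advisory's fixed versions 2.12.5, 3.7.2 and 4.0.0.beta8; all sample inputs are constructed.

```ruby
require "rubygems"

# Sprockets releases that shipped the fix (assumption: the advisory's fixed versions).
FIXED_SPROCKETS = {
  "2" => Gem::Version.new("2.12.5"),
  "3" => Gem::Version.new("3.7.2"),
  "4" => Gem::Version.new("4.0.0.beta8"),
}.freeze

# Pull the locked sprockets version out of a Gemfile.lock body (spec entries are
# indented by exactly four spaces; dependency lines use six and are skipped).
def sprockets_version(lockfile)
  m = lockfile.match(/^ {4}sprockets \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# A major line not in the table is treated as newer than the last affected release.
def sprockets_patched?(version)
  fixed = FIXED_SPROCKETS[version.segments.first.to_s]
  fixed.nil? || version >= fixed
end

# True only for an uncommented `config.assets.compile = true`; the traversal is
# reachable only when the app compiles and serves assets at runtime.
def assets_compile_enabled?(production_rb)
  production_rb.each_line.any? do |line|
    line.sub(/#.*/, "").match?(/config\.assets\.compile\s*=\s*true\b/)
  end
end

# Both preconditions must hold: unpatched sprockets AND runtime compilation on.
def exposed?(lockfile, production_rb)
  v = sprockets_version(lockfile)
  return false if v.nil? # app does not lock sprockets at all
  !sprockets_patched?(v) && assets_compile_enabled?(production_rb)
end

# Constructed sample inputs, not taken from any real application.
LOCK_VULN = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      sprockets (3.7.1)
        concurrent-ruby (~> 1.0)
LOCK
PROD_RB_COMPILE_ON = "Rails.application.configure do\n  # config.assets.compile = false\n  config.assets.compile = true\nend\n"
PROD_RB_DEFAULT    = "Rails.application.configure do\n  config.assets.compile = false\nend\n"

puts "exposed: #{exposed?(LOCK_VULN, PROD_RB_COMPILE_ON)}" if $PROGRAM_NAME == __FILE__
```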