RR-540: Replace apparition with selenium-webdriver #95
Conversation
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
|
|
@SocketSecurity ignore gem/nokogiri@1.15.7 |
dduugg
changed the title
|
This pull request disables Chrome's sandbox in Capybara tests by adding the '--no-sandbox' flag (running in a root Docker container increases risk of host compromise if the browser is exploited) and adds nokogiri 1.15.7 which is vulnerable to a critical CVE (fixed in >= 1.18.9).
Disabled Browser Sandbox in
|
| Vulnerability | Disabled Browser Sandbox |
|---|---|
| Description | The Chrome driver for Capybara tests is configured with the '--no-sandbox' argument. This disables a critical security feature that provides process isolation for the browser. Since the Docker container runs as the root user (due to the absence of a 'USER' instruction in the Dockerfile), an attacker exploiting a browser vulnerability during a test run could potentially execute code on the host machine with root privileges, leading to a severe compromise. |
grpc-web-ruby/spec/spec_helper.rb
Lines 119 to 122 in af65d87
Vulnerable Dependency in Gemfile.lock
| Vulnerability | Vulnerable Dependency |
|---|---|
| Description | The nokogiri gem version 1.15.7, which is added as a dependency, has a critical vulnerability (GHSA-353f-x4gh-cqq8). This vulnerability stems from nokogiri patching its vendored libxml2 library to resolve multiple CVEs. The affected versions include 1.15.7, and the issue is fixed in version 1.18.9. |
Lines 102 to 112 in af65d87
All finding details can be found in the DryRun Security Dashboard.
Note that #92 also contains this work, though implemented differently.
(I'm not tied to this implementation, but i do think we want to break up that PR.)