CONJSE-2050: Merge pull request #1219 from Conjur-Enterprise/13.6.3-activestorage

CONJSE-2050: 13.6.3 activestorage

Author: codihuston

CHANGELOG.md

@@ -13,6 +13,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Security
 - Remove the policy factory API endpoints from the config/routes.rb file to prevent
   anyone being able to call these endpoints and trigger the marshal.load call. CONJSE-2038
+- Fix unsafe shell command executions. CONJSE-2039. CONJSE-2041-2046.
+- Remove vulnerable activestorage gem from the dependencies to address CVE-2025-24293. CONJSE-2050
 
 ## [1.22.2] - 2025-06-30
 ### Added

Dockerfile

@@ -11,6 +11,8 @@ RUN bundle config set --local without 'test development' && \
     bundle config set --local deployment true && \
     bundle config set --local path vendor/bundle && \
     bundle config --local jobs "$(nproc --all)" && \
+    rm -rf .bundle/plugin && \
+    bundle plugin install bundler-override && \
     bundle install && \
     # Remove private keys brought in by gems in their test data
     find / -name 'openid_connect-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \

Dockerfile.fpm

@@ -5,7 +5,8 @@ RUN apt-get update -y && \
     apt-get install -y zlib1g-dev \
                        liblzma-dev
 
-RUN gem install --no-document fpm
+RUN bundle plugin install bundler-override && \
+ gem install --no-document fpm
 
 RUN mkdir -p /src/opt/conjur/project
 

Dockerfile.test

@@ -14,6 +14,8 @@ RUN bundle config unset --local without && \
     bundle config unset --local path && \
     bundle config set --local deployment false && \
     bundle config --local jobs "$(nproc --all)" && \
+    rm -rf .bundle/plugin && \
+    bundle plugin install bundler-override && \
     # this is a workaround to allow installation of ruby-debug-ide, for unknown
     # reasons the first attempt to install it fails but the subsequent call is
     # successful, therefore we try to install again if the first invocation fails
@@ -28,6 +30,7 @@ FROM conjur:${VERSION}
 
 ENV GEM_HOME=/usr/local/bundle
 ENV PATH="${GEM_HOME}/bin:${PATH}"
+ENV BUNDLE_APP_CONFIG="/opt/conjur-server/.bundle"
 
 RUN bundle config unset --local without && \
     bundle config unset --local path && \

Dockerfile.ubi

@@ -12,6 +12,8 @@ RUN bundle config set --local without 'test development' && \
     bundle config set --local deployment true && \
     bundle config set --local path vendor/bundle && \
     bundle config --local jobs "$(nproc --all)" && \
+    rm -rf .bundle/plugin && \
+    bundle plugin install bundler-override && \
     bundle install && \
     # removing CA bundle of httpclient gem
     find / -name 'httpclient-*' -type d -exec find {} -name '*.pem' -type f -delete \; && \

Gemfile

@@ -5,13 +5,22 @@ source 'https://rubygems.org'
 # ruby=ruby-3.0
 # ruby-gemset=conjur
 
+require File.join(
+  Bundler::Plugin.index.load_paths('bundler-override')[0],
+  'bundler-override'
+) rescue nil
+
 # make sure to use tls for github
 git_source(:github) { |name| "https://github.com/#{name}.git" }
 
 # Do not use fuzzy version matching (~>) with the Ruby version. It doesn't play
 # nicely with RVM and we should be explicit since Ruby is such a fundamental
 # part of a Rails project. The Ruby version is also locked in place by the
 # Docker base image so it won't be updated with fuzzy matching.
+override 'rails', drop: 'activestorage'
+override 'actionmailbox', drop: 'activestorage'
+override 'actiontext', drop: 'activestorage'
+override 'conjur-cli', drop: 'activestorage'
 
 gem 'base58'
 gem 'command_class'
@@ -33,7 +42,6 @@ gem 'sequel-pg_advisory_locking'
 gem 'sequel-postgres-schemata', require: false
 gem 'sequel-rails'
 
-gem 'activesupport', '~> 6.1', '>= 6.1.4.6'
 gem 'base32-crockford'
 gem 'bcrypt'
 gem 'gli', require: false

Gemfile.lock

@@ -25,7 +25,6 @@ GEM
       actionpack (= 6.1.7.10)
       activejob (= 6.1.7.10)
       activerecord (= 6.1.7.10)
-      activestorage (= 6.1.7.10)
       activesupport (= 6.1.7.10)
       mail (>= 2.7.1)
     actionmailer (6.1.7.10)
@@ -45,7 +44,6 @@ GEM
     actiontext (6.1.7.10)
       actionpack (= 6.1.7.10)
       activerecord (= 6.1.7.10)
-      activestorage (= 6.1.7.10)
       activesupport (= 6.1.7.10)
       nokogiri (>= 1.8.5)
     actionview (6.1.7.10)
@@ -62,13 +60,6 @@ GEM
     activerecord (6.1.7.10)
       activemodel (= 6.1.7.10)
       activesupport (= 6.1.7.10)
-    activestorage (6.1.7.10)
-      actionpack (= 6.1.7.10)
-      activejob (= 6.1.7.10)
-      activerecord (= 6.1.7.10)
-      activesupport (= 6.1.7.10)
-      marcel (~> 1.0)
-      mini_mime (>= 1.1.0)
     activesupport (6.1.7.10)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
@@ -313,12 +304,11 @@ GEM
       net-imap
       net-pop
       net-smtp
-    marcel (1.0.4)
     method_source (1.1.0)
     mime-types (3.7.0)
       logger
       mime-types-data (~> 3.2025, >= 3.2025.0507)
-    mime-types-data (3.2025.0722)
+    mime-types-data (3.2025.0812)
     mini_mime (1.1.5)
     minitest (5.25.5)
     multi_json (1.15.0)
@@ -402,7 +392,6 @@ GEM
       activejob (= 6.1.7.10)
       activemodel (= 6.1.7.10)
       activerecord (= 6.1.7.10)
-      activestorage (= 6.1.7.10)
       activesupport (= 6.1.7.10)
       bundler (>= 1.15.0)
       railties (= 6.1.7.10)
@@ -566,7 +555,6 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
-  activesupport (~> 6.1, >= 6.1.4.6)
   anyway_config
   aruba
   aws-sdk-iam

dev/Dockerfile.dev

@@ -10,7 +10,8 @@ COPY gems/ gems/
 # this is a workaround to allow installation of ruby-debug-ide, for unknown
 # reasons the first attempt to install it fails but the subsequent call is
 # successful, therefore we try to install again if the first invocation fails
-RUN bundle install || bundle install
+RUN bundle plugin install bundler-override && \
+    bundle install || bundle install
 
 FROM cyberark/ubuntu-ruby-postgres-fips:latest
 

package.sh

@@ -9,7 +9,7 @@ docker run --rm \
   -v "$(pwd)":"$(pwd)" \
   --workdir "$(pwd)" \
   cyberark/ubuntu-ruby-builder:latest \
-  sh -c "bundle lock --update=conjur-api"
+  sh -c "rm -rf .bundle/plugin && bundle plugin install bundler-override && bundle lock --update=conjur-api"
 
 # Create possum deb
 ./docker-debify package \