Published gem for xero-ruby 4.3.1 has incorrect permissions #264

Closed
zarqman opened this issue Jul 22, 2023 · 5 comments

zarqman commented Jul 22, 2023

Hi. It appears that xero-ruby v4.3.1 has incorrect file permissions. The included *.rb files have 0700 perms, whereas they should likely be 0644.

A common security practice is to install gems and other artifacts with one user and then run the app as a different user. With 0700 perms, this is impossible and results in the following error when booting the app:

```
LoadError: cannot load such file -- /usr/local/bundle/gems/xero-ruby-4.3.1/lib/xero-ruby.rb
<internal:/usr/local/lib/ruby/3.2.0/rubygems/core_ext/kernel_require.rb>:37:in `require'
```

A sample of the actual installed perms:

```
$ ls -l /usr/local/bundle/gems/xero-ruby-4.3.1/lib/{,xero-ruby}
/usr/local/bundle/gems/xero-ruby-4.3.1/lib/:
total 36
drwxr-xr-x 4 root root  4096 Jul 22 16:33 xero-ruby
-rwx------ 1 root root 29233 Jul 22 16:33 xero-ruby.rb

/usr/local/bundle/gems/xero-ruby-4.3.1/lib/xero-ruby:
total 60
drwxr-xr-x  2 root root  4096 Jul 22 16:33 api
-rwx------  1 root root 22689 Jul 22 16:33 api_client.rb
-rwx------  1 root root  1527 Jul 22 16:33 api_error.rb
-rwx------  1 root root  9077 Jul 22 16:33 configuration.rb
drwxr-xr-x 11 root root  4096 Jul 22 16:33 models
-rwx------  1 root root  1478 Jul 22 16:33 string_serialization.rb
-rwx------  1 root root   348 Jul 22 16:33 version.rb
-rwx------  1 root root  1662 Jul 22 16:33 where.rb
```

v4.2.0 is known to be good. I did not check v4.3.0.
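
An added example, not part of the original issue and not the project's own code: a pre-publish or pre-deploy check that reads the file modes recorded in a `.gem` package's tar headers and lists entries that a user other than the owner could not read. The helper names and the in-memory sample gem are constructed for illustration, and "readable by another user" is assumed to mean the other-read bit (plus other-execute for directories).

```ruby
require "rubygems/package"
require "stringio"
require "zlib"

# Returns [[path, mode], ...] for entries a user other than the owner could
# not read: files need o+r, directories need o+rx.
def unreadable_entries(data_tar_io)
  bad = []
  Gem::Package::TarReader.new(data_tar_io) do |tar|
    tar.each do |entry|
      mode = entry.header.mode & 0o777
      needed = entry.directory? ? 0o005 : 0o004
      bad << [entry.full_name, format("%04o", mode)] if (mode & needed) != needed
    end
  end
  bad
end

# A .gem is a tar archive whose data.tar.gz member holds the packaged files.
def scan_gem(gem_io)
  Gem::Package::TarReader.new(gem_io) do |outer|
    outer.each do |entry|
      next unless entry.full_name == "data.tar.gz"
      return unreadable_entries(StringIO.new(Zlib.gunzip(entry.read)))
    end
  end
  []
end

# Helper used only to build the constructed sample below.
def build_tar(files)
  io = StringIO.new(String.new)
  Gem::Package::TarWriter.new(io) do |tar|
    files.each do |name, mode, body|
      tar.add_file_simple(name, mode, body.bytesize) { |f| f.write(body) }
    end
  end
  io.string
end

# Constructed sample: one file packaged 0700 (as in the report), one 0644.
def constructed_gem
  data = build_tar([["lib/xero-ruby.rb", 0o700, "# stub\n"],
                    ["lib/xero-ruby/version.rb", 0o644, "# stub\n"]])
  build_tar([["data.tar.gz", 0o444, Zlib.gzip(data)]])
end

if __FILE__ == $PROGRAM_NAME
  io = ARGV[0] ? File.open(ARGV[0], "rb") : StringIO.new(constructed_gem)
  scan_gem(io).each { |path, mode| puts "#{mode} #{path}" }
end
```

Run with the path to a built `.gem` as the first argument to scan a real package; with no argument it scans the constructed sample.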

@github-actions

PETOSS-318

@github-actions

Thanks for raising an issue, a ticket has been created to track your request

@nicpillinger

This caught us out as well, worked fine locally, deployed to production and bang! 💥
Can confirm v4.3.0 works fine.

@Raghunath-S-S-J
Contributor

Hi all, apologies for the delay. We have fixed the permissions issue in the latest xero-ruby package, i.e., v5.0.0.

The latest release also includes a lot of other changes. Do check out the release notes for details.

Revert back to us if you are still facing any issues.

Thank you for your patience!

@Raghunath-S-S-J
Contributor

Closing the issue. Reopen or create a new issue in case you are facing any issues.
