Fix vulnerability per dependabot/35

delphidabbler · delphidabbler · commit 60365444021f · 2025-03-04T08:17:12.000Z
https://github.com/delphidabbler/delphidabbler.github.io/security/dependabot/35 The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.
diff --git a/Gemfile b/Gemfile
@@ -22,6 +22,7 @@ gem "rexml", "~> 3.3.9"
 gem "addressable", ">= 2.8.0"
 gem "commonmarker", ">= 0.23.10"
 gem "activesupport", "~> 7.0.7.1"
+gem "uri", ">= 0.13.2"
 
 # Fix for when using Ruby 3 - webrick no longer installed w/ Ruby 3
 gem "webrick", "~> 1.8"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -254,7 +254,7 @@ GEM
     unf_ext (0.0.9.1)
     unf_ext (0.0.9.1-x64-mingw-ucrt)
     unicode-display_width (1.8.0)
-    uri (0.13.0)
+    uri (1.0.3)
     wdm (0.1.1)
     webrick (1.8.1)
 
@@ -271,6 +271,7 @@ DEPENDENCIES
   rexml (~> 3.3.9)
   tzinfo (~> 2.0.6)
   tzinfo-data
+  uri (>= 0.13.2)
   wdm (~> 0.1.1)
   webrick (~> 1.8)
 
