What to do if you get a MiniMagick vulnerability alert on GitHub

Symptom

When I pushed the Rails app to GitHub, I received an alert email about a vulnerability in mini_magick. This is a memo of the steps up to the fix.

Problem and cause

(Screenshot of the alert: image.png) The installed version of mini_magick is old, and the file name of a fetched remote image can lead to execution of remote commands. The fix is to upgrade to a patched version.

Edit the Gemfile

Gemfile

gem 'mini_magick', '3.8.0'

The current version of MiniMagick was 3.8.0. Change the constraint so that 4.9.4 or later is installed, as suggested by the alert.

Gemfile

gem 'mini_magick', '>= 4.9.4'

With this edit, Bundler will resolve mini_magick to 4.9.4 or later.

bundle install


bundle install

The version should now have changed, so check that the app still works; if there are no problems, you are done. Once you push, the alert disappears!
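As an added check that is not part of the original post: a small Ruby script that reads the version Bundler actually locked in Gemfile.lock and compares it against 4.9.4 with Gem::Version, so that a later release such as 4.10.x is not mistaken for an older one by a plain string comparison. The Gemfile.lock fragment below is constructed for illustration.

```ruby
# Added example (not from the original post): verify that the mini_magick
# version resolved in Gemfile.lock is at least the patched 4.9.4.
require 'rubygems' # provides Gem::Version

PATCHED_MINI_MAGICK = Gem::Version.new('4.9.4')

# Constructed Gemfile.lock fragment; a real lock file has the same layout.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_magick (4.10.1)
      rails (6.0.3)
LOCK

# Returns the locked version of gem_name as a Gem::Version, or nil when the
# gem is absent. In the specs section each resolved gem appears as
# "    name (x.y.z)" with exactly four leading spaces; its dependencies are
# indented further and carry constraints, so they do not match here.
def locked_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*$/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when mini_magick is locked at or above the patched version.
# Gem::Version compares numerically, so 4.10.1 > 4.9.4, whereas a string
# comparison would wrongly report "4.10.1" < "4.9.4".
def mini_magick_patched?(lock_text)
  v = locked_version(lock_text, 'mini_magick')
  !v.nil? && v >= PATCHED_MINI_MAGICK
end

if __FILE__ == $PROGRAM_NAME
  text = File.exist?('Gemfile.lock') ? File.read('Gemfile.lock') : SAMPLE_LOCK
  v = locked_version(text, 'mini_magick')
  status = mini_magick_patched?(text) ? 'OK' : 'VULNERABLE, upgrade'
  puts "mini_magick locked at #{v || 'not found'}: #{status}"
end
```

Run it from the app root after `bundle install`; when no Gemfile.lock is present it falls back to the constructed sample.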
