Fix CWE-78 in WebpackerManifestContainer: use URI.open instead of Kernel.open#4

Merged
j-sm-n merged 3 commits into master from MX-1385-patch-ezcater-react-rails-cwe-78-vulnerability on May 15, 2026
Conversation

@j-sm-n j-sm-n commented May 13, 2026

Summary

  • Resolves the critical GitHub code scanning alert on master (alert #1) — rb/non-constant-kernel-open at lib/react/server_rendering/webpacker_manifest_container.rb:18.
  • Kernel.open interprets values beginning with | as shell commands. URI.open only resolves URI schemes (http/https/ftp), which is the only case this branch handles (asset_path.start_with?("http")).
  • Mirrors the upstream fix shipped in reactjs/react-rails v2.6.2 (PR Fix Warning/Error Caused by Using 'open' Instead of 'URI.open' reactjs/react-rails#1099, 2022-04-06).
  • Adds a Fork Status section to README.md documenting that this fork is in a terminal state, that ez-rails consumes the rails5 branch (not master), and that master exists primarily to satisfy CodeQL scans on the default branch.

Context

This is the surgical patch chosen in the MX-1374 investigation. ez-rails is not exposed to the vulnerability — it pins the rails5 branch (704cf3a) which does not contain webpacker_manifest_container.rb, and the EzReactAssetContainer override in ez-rails would prevent this class from being instantiated even on later versions. No ez-rails change is required for this PR.

The longer-term plan is to sunset this fork once ez-rails migrates off react-rails SSR entirely; tracked separately as a 2027+ effort.

Ticket: MX-1385

Test plan

  • CodeQL re-scan on this branch clears alert adding codeql #1.
  • No automated test coverage exists for the dev-server asset path in this gem; the change matches the upstream v2.6.2 substitution verbatim.
  • No ez-rails Gemfile.lock bump required — confirm by checking ez-rails/Gemfile.lock: axlsx and react-rails entries; react-rails is pinned to branch: "rails5" which is untouched by this PR.

🤖 Generated with Claude Code

j-sm-n and others added 2 commits May 13, 2026 16:34
…ontainer

Resolves GitHub code scanning alert #1 (rb/non-constant-kernel-open, critical)
in lib/react/server_rendering/webpacker_manifest_container.rb. Kernel.open
interprets values beginning with `|` as shell commands; URI.open only resolves
URI schemes (http/https/ftp), which is the only case this branch handles.

Mirrors the upstream fix shipped in reactjs/react-rails v2.6.2 (PR reactjs#1099).
See MX-1374 investigation: https://ezcater.atlassian.net/wiki/spaces/POL/pages/6311247893

Ticket: https://ezcater.atlassian.net/browse/MX-1385

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Document that this fork is in a terminal state, that ez-rails consumes the
rails5 branch (not master), and that master exists primarily to satisfy
CodeQL scans on the default branch. Links to the MX-1374 investigation for
the full context and the long-term sunset plan.

Ticket: https://ezcater.atlassian.net/browse/MX-1385

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Comment thread lib/react/server_rendering/webpacker_manifest_container.rb Fixed
CodeQL flags URI.open with a non-constant value as well, recommending the
explicit URI(<uri>).open form. URI(asset_path) parses the value into a
URI::HTTP object (raising on invalid input) before any I/O occurs; the
subsequent #open only fetches via HTTP.

Functionally identical to the previous URI.open call (the branch is gated
on asset_path.start_with?("http")), but matches the CodeQL-recommended
pattern.

Resolves https://github.com/ezcater/react-rails/security/code-scanning/6.

Ticket: https://ezcater.atlassian.net/browse/MX-1385

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
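As an added illustration of the point made in the PR description and in the commit message above, this constructed Ruby helper (not code from this PR or from react-rails) classifies candidate asset paths the way the patched branch does: guard on the `http` prefix, parse with `URI()` so malformed input raises before any I/O, and only call `#open` on a parsed object that open-uri actually extends. The asset-path values and the helper names are made up for the example.

```ruby
require "uri"
require "open-uri"

# Constructed sample inputs (not from the PR). The second one is shaped like
# the pipe-prefixed value that Kernel.open would have handed to a shell; the
# third passes the start_with?("http") guard but is not a well-formed URI.
SAMPLE_ASSET_PATHS = [
  "http://localhost:3035/packs/manifest.json", # dev-server manifest
  "|some-command",                             # pipe prefix, never a URI
  "http:|some-command",                        # passes the prefix guard only
  "httpx://example.invalid/manifest.json",     # parses, but no OpenURI mixin
].freeze

# Same guard the fixed branch uses: only remote manifests reach this code.
def remote_manifest?(asset_path)
  asset_path.start_with?("http")
end

# Decide, without performing any I/O, what the URI(asset_path).open pattern
# would do with this value:
#   :not_remote         - rejected by the start_with?("http") guard
#   :invalid_uri        - URI() raised URI::InvalidURIError during parsing
#   :unsupported_scheme - parsed to URI::Generic; no #open method exists
#   :fetchable          - URI::HTTP/HTTPS object extended by OpenURI::OpenRead
def classify_asset_path(asset_path)
  return :not_remote unless remote_manifest?(asset_path)
  uri = URI(asset_path)
  uri.respond_to?(:open) ? :fetchable : :unsupported_scheme
rescue URI::InvalidURIError
  :invalid_uri
end

# Hardened equivalent of the patched line: the only path that does I/O, and
# it is reached solely for values that classify as :fetchable.
def open_manifest(asset_path)
  verdict = classify_asset_path(asset_path)
  raise ArgumentError, "refusing asset path (#{verdict}): #{asset_path.inspect}" unless verdict == :fetchable
  URI(asset_path).open(&:read)
end

SAMPLE_ASSET_PATHS.each do |path|
  puts "#{path.inspect} -> #{classify_asset_path(path)}"
end
```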
@j-sm-n j-sm-n marked this pull request as ready for review May 13, 2026 22:45
@j-sm-n j-sm-n requested a review from a team as a code owner May 13, 2026 22:45

@bray bray left a comment

Public repo, so codeowners error again :(

@j-sm-n j-sm-n merged commit 2d2fe28 into master May 15, 2026
3 checks passed
j-sm-n commented May 15, 2026

Public repo, so codeowners error again :(

I can still merge it, thankfully!

@j-sm-n j-sm-n deleted the MX-1385-patch-ezcater-react-rails-cwe-78-vulnerability branch May 15, 2026 20:05
3 participants