Upgrade Rubyzip 2

[fabdbt]

Could you please unlock rubyzip version to use newest version 2 ? https://github.com/rubyzip/rubyzip/releases/tag/v2.0.0

[toncid]

There is a vulnerability in rubyzip < 1.3: rubyzip/rubyzip#403

[fabdbt]

By unlock, I do not mean allowing rubyzip versions prior to 1.3. I mean allowing people to use axlsx gem with rubyzip >= 1.3 and so rubyzip >= 2.

[chriscz]

@Apokly I've had success with the following polyfill on rubyzip == 1.2.1. YMMV.
edit: simplified it, but misread the question. regardless; useful nonetheless.

Place a file ``zip.rb'' as below

lib/
  zip/
    zip.rb

zip.rb

# Polyfill to make AXLSX package work with v1.2.x `zip` which no longer defines `Zip::Zip`
require 'zip'
require 'zip/output_stream'

module Zip
  class ZipOutputStream < OutputStream
    def initialize(filename, stream = false)
      if stream
        filename = StringIO.new
      end
      super(filename, stream)
    end
  end
end

[noniq]

There’s now a community-supported fork of axlsx: https://github.com/caxlsx/caxlsx

Versions 2.0.2 and 3.0.x have been released, both supporting newer versions of Rubyzip. See https://rubygems.org/gems/caxlsx/versions/3.0.1

[baburdick]

Note: there have since been more critical vulnerabilities discovered in rubyzip v1.0.0:

• Directory traversal vulnerability rubyzip/rubyzip#315
• Several directory traversal vulnerabilities rubyzip/rubyzip#369

Taking a serious look at https://github.com/caxlsx/caxlsx ...

[noniq]

As far as I understand, both vulnerabilities are in the context of extracting archives. Axlsx only creates archives.

However, it’s a very bad idea to have a vulnerable version of Rubyzip in your project at all, so please upgrade to at least caxlsx 2.0.2 or 3.0.1.

In caxlsx it's also possible to use an external zip program instead of Rubyzip, see https://www.rubydoc.info/gems/caxlsx/Axlsx/Package#serialize-instance_method