From 9672007172141c44ceac954e1ffb70f0686acc29 Mon Sep 17 00:00:00 2001
From: James Gregory-Monk
Date: Mon, 3 Jun 2024 15:10:15 +0100
Subject: [PATCH] Updates to support newer rexml versions

---
 .bundler-audit.yml | 1 +
 .github/workflows/ci.yml | 4 ++--
 Gemfile | 21 +++++++++++++++++++++
 Gemfile.lock | 12 +++++++++++-
 4 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/.bundler-audit.yml b/.bundler-audit.yml
index 5eeed40a..ed719dc8 100644
--- a/.bundler-audit.yml
+++ b/.bundler-audit.yml
@@ -13,3 +13,4 @@ ignore:
 - GHSA-xp5h-f8jf-rc8q
 - GHSA-8h22-8cf7-hq6g
 - GHSA-cr5q-6q9f-rq6q
+ - GHSA-r95h-9x8f-r3f7
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d0247564..986bf7a9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,7 @@ jobs:
 strategy:
 matrix:
 # Ensure these stay in sync!
- ruby-version: [2.7, 3.0, 3.1, 3.2]
+ ruby-version: [2.7, 3.0, 3.1, 3.2, 3.3]
 runs-on: ubuntu-latest
 services:
 postgres:
@@ -47,7 +47,7 @@ jobs:
 strategy:
 matrix:
 # Ensure these stay in sync!
- ruby-version: [2.7, 3.0, 3.1, 3.2]
+ ruby-version: [2.7, 3.0, 3.1, 3.2, 3.3]
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
diff --git a/Gemfile b/Gemfile
index 27222412..dc533e1b 100644
--- a/Gemfile
+++ b/Gemfile
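Review bot: The new ignore entry `- GHSA-r95h-9x8f-r3f7` in .bundler-audit.yml carries no note on why it is safe to silence or when it can be removed, so the advisory stays suppressed indefinitely, including after the Gemfile workaround it presumably covers (rexml pulled from a git ref) is gone. bundler-audit's ignore list is global and has no expiry, so a YAML comment above the entry such as `# rexml advisory: fix comes from the ruby/rexml git ref pinned in Gemfile; drop this once rexml is back on a released version` gives the next maintainer the removal condition. I cannot verify from this diff which advisory the identifier refers to, so please confirm it is the rexml issue this commit addresses and not an unrelated one being hidden alongside it.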
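Review bot: The new matrix line `ruby-version: [2.7, 3.0, 3.1, 3.2, 3.3]` keeps 2.7 and 3.0, both of which were end-of-life before this commit's date (March 2023 and April 2024) and no longer receive security fixes, so a green build on them does not indicate a supportable runtime. If they have to stay for deployment reasons, a comment next to the line naming the environment that still needs them and the planned removal date would make that explicit; the same line is repeated in the second job's matrix and the existing "Ensure these stay in sync!" comment means both should move together. The Gemfile's strscan/rexml pinning in this same patch branches on exactly these old versions, so retiring them would also let that workaround shrink.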
@@ -70,6 +70,27 @@ else
 gem 'mail', '>= 2.8.0'
 end
 
+# This is required by Ruby 2.x to fix rexml DoS vulnerability
+ruby_major, ruby_minor, _ = RUBY_VERSION.split('.').map { |part| Integer(part) }
+if ruby_major.to_i >= 3 && ruby_minor.to_i >= 3
+ gem 'rexml', '>= 3.2.7'
+else
+ strscan_version = if ruby_major == 2 && ruby_minor == 7
+ '1.0.3'
+ elsif ruby_major == 3 && ruby_minor < 2
+ '3.0.1'
+ elsif ruby_major == 3 && ruby_minor == 2
+ '3.0.5'
+ elsif ruby_major == 3 && ruby_minor == 3
+ '3.0.7'
+ else
+ raise "strscan check doesn't support Ruby #{ruby_major}.#{ruby_minor}"
+ end
+
+ gem 'strscan', strscan_version
+ gem 'rexml', github: 'ruby/rexml', ref: 'f1df7d1'
+end
+
 # omniauth
 # TODO: 2.0.0 is not supported in Devise yet
 gem 'omniauth', '< 2.0.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 36e3ebbc..35e83dd3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,3 +1,11 @@
+GIT
+ remote: https://github.com/ruby/rexml.git
+ revision: f1df7d13b3e57a5e059273d2f0870163c08d7420
+ ref: f1df7d1
+ specs:
+ rexml (3.2.9)
+ strscan
+
 GEM
 remote: https://rubygems.org/
 specs:
@@ -294,7 +302,6 @@ GEM
 http-cookie (>= 1.0.2, < 2.0)
 mime-types (>= 1.16, < 4.0)
 netrc (~> 0.8)
- rexml (3.2.5)
 rspec-core (3.11.0)
 rspec-support (~> 3.11.0)
 rspec-expectations (3.11.1)
@@ -349,6 +356,7 @@ GEM
 sshkit (1.21.2)
 net-scp (>= 1.1.2)
 net-ssh (>= 2.8.0)
+ strscan (1.0.3)
 terrapin (0.6.0)
 climate_control (>= 0.0.3, < 1.0)
 thor (1.2.1)
@@ -425,6 +433,7 @@ DEPENDENCIES
 react-rails (~> 1.11, >= 1.11.0)
 recaptcha (~> 4.0)
 rest-client (~> 2.0)
+ rexml!
 rspec-rails (>= 3.9.0)
 sass-rails
 select2-rails (~> 3.5)
@@ -433,6 +442,7 @@ DEPENDENCIES
 simplecov
 spring (~> 2.0)
 sprockets (< 4.0)
+ strscan (= 1.0.3)
 timecop
 trix-rails
 uglifier (~> 3.0.0)
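Review bot: The version gate `if ruby_major.to_i >= 3 && ruby_minor.to_i >= 3` in the Gemfile is wrong for any Ruby with major > 3 and minor < 3 (4.0, 4.1, 4.2 would all fall into the else branch and hit the raise), and the `elsif ruby_major == 3 && ruby_minor == 3` arm inside that branch is unreachable because 3.3 already took the first branch. A single ordered comparison fixes both and drops the redundant `.to_i` calls on values that already went through `Integer(part)`: `if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.3')`. On the supply-chain side, `ref: 'f1df7d1'` is only a 7-character prefix; Gemfile.lock pins the full `f1df7d13b3e57a5e059273d2f0870163c08d7420`, so I would spell that full SHA out in the Gemfile too, and correct the comment "required by Ruby 2.x" since the else branch also runs on 3.0 through 3.2 and it is the only place that says why an unreleased git build of rexml is being installed. Also worth confirming: the lockfile records `strscan (= 1.0.3)`, the Ruby 2.7 value, so it presumably only resolves cleanly under 2.7 and the 3.x CI jobs will have to re-resolve on every run (and would fail under `bundle install --frozen` or deployment mode).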