Update sinatra to fix the current cve in version 3.2.0

[celinefb]

there is a CVE opened for Sinatra on version 3.2.0 and the non vulnerable version is 4.1.0

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

We use split in our code and it prevents us from updating Sinatra to 4.1.0

Please release a new version with updated dependencies.

[andrehjr]

Hi @celinefb I'll cut a new release tomorrow or over the weekend.

Meanwhile, if you can try running your project with the 'main' branch and let me know if you run into any issues? I guess the issue you're having is related to Rack compatibility. Correct?

Or is there some other error?

[celinefb]

I will have a closer look later and let you know about rack. I am not sure top of my head which version we are on right now

[celinefb]

Yep our rack version is 2.2.14 so I am guessing you are right!

[celinefb]

I managed to bump rack to 3.2.0 and sinatra got bumped to 4.1.1

[andrehjr]

Cool! There's also another fix for rack here on the main branch. It's required to make split work with rack > 3.

I'll release a new version today or over the weekend. I need to do some testing. After that, I think we can close this issue.