This PR updates the pre-existing apache_ofbiz_deserialization
module to include functionality that will bypass authentication by
using the newly discovered CVE-2023-51467.
Previous version of Dockerfile used `set clean 'true'`. However, this no longer works with "newer" versions of Ruby gems (rubygems/rubygems#3271), which now requires a force option when cleaning system gems.
Since there is no way to set the force flag through config, a new ARG (BUNDLER_FORCE_CLEAN) is used to provide the option of whether to run bundle clean --force on system gems.
Now uses the Rex::Version system to check the user's version of runC.
The old system used to allow runC version 1.1.12 (which is patched).
Now it allows from 1.0.0-rc93->1.1.11 (and I tested that it works as expected).
Support added for Debian as this was tested with both Debian and Ubuntu.
Newer versions of Docker wouldn't delete the built container due to the message format.
I added a new regex to check for the message format which now deletes containers.
Fixed error reporting bug, runC version sanitising
Some runC versions contain the `+` and `~` token. These break
Rex::Version objects. A simple check was added against these symbols
and anything following them is cut off. Another solution may be
to replace these tokens with the `-` symbol to maintain information.
One of the failure cases was unreachable and this was fixed.
Fix runC and docker presence checks
The old runC and docker presence checks wer using `if` instead of `unless`.
executable? also requires a full path to work correctly. Since only the command
names themselves were being passed in, the check was silently failing.
The chosen fix was to instead use the command_exists? function,
which has the added benefit of working on both Windows and Linux.
adfoster-r7