Merge branch 'fix-rexml-the-boogaloo-empire-strikes-back-ios-910'

mullvad · Nov 1, 2024 · 74d4fd9 · 74d4fd9
2 parents dfa90cb + 542b921
commit 74d4fd9
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/ci/ios/upload-vm/osv-scanner.toml b/ci/ios/upload-vm/osv-scanner.toml
@@ -0,0 +1,8 @@
+# Entire package ignored since there is a constant stream of newly found regular expression attacks.
+# All of these attacks rely on the input being malicious. We only use this package in our trusted
+# build environment with trusted inputs.
+[[PackageOverrides]]
+effectiveUntil = 2025-05-01 # Ignored for 6 months at a time, it is unlikely to be an issue.
+ignore = true
+name = "rexml"
+reason = "The XML payload is generated by Apple tooling which we trust"
diff --git a/ios/osv-scanner.toml b/ios/osv-scanner.toml
@@ -0,0 +1,8 @@
+# Entire package ignored since there is a constant stream of newly found regular expression attacks.
+# All of these attacks rely on the input being malicious. We only use this package in our trusted
+# build environment with trusted inputs.
+[[PackageOverrides]]
+effectiveUntil = 2025-05-01 # Ignored for 6 months at a time, it is unlikely to be an issue.
+ignore = true
+name = "rexml"
+reason = "The XML payload is generated by Apple tooling which we trust"