Ruby Deploys with known vulnerable Sprockets version and configuration are blocked

Change effective on 19 June 2018

Details about the vulnerability can be found at Rails Asset Pipeline Directory Traversal Vulnerability (CVE-2018-3760).

If your application is vulnerable, then the Ruby buildpack will prevent you from deploying again until the vulnerability is mitigated. You will receive an error message similar to this:

A security vulnerability has been detected in your application.
To protect your application you must take action. Your application
is currently exposing its credentials via an easy to exploit directory
traversal.

To protect your application you must either upgrade to Sprockets version "<safe_sprockets_version_needed>"
or disable dynamic compilation at runtime by setting:


    config.assets.compile = false # Disables security vulnerability


To read more about this security vulnerability please refer to this blog post:
  https://blog.heroku.com/rails-asset-pipeline-vulnerability

Upgrade Sprockets

To upagrade your version of sprockets, modify your Gemfile.lock for example if you’re using Sprockets 3.x then add this to your Gemfile:

gem 'sprockets', '~>3.7.2'

Then update your gems locally:

$ bundle update sprockets

When this is successful commit to git before you deploy:

$ git add .
$ git commit -m sprockets

Regain Deploy Ability on a vulnerable application

Heroku does not recommend this. Following these instructions will allow you to deploy vulnerable code to Heroku. Instead, we recommend upgrading your sprockets version or disabling compiling assets in production. This method should only be used as a last resort.

If you cannot immediately remediate this issue in your app by setting config.assets.compile = false or by upgrading your sprockets version, you can temporarily regain the ability to deploy by pinning to an older version of the buildpack. This should only be a temporary change and is not supported long term. This change will NOT protect your app from the vulnerability, it just removes the warning and error that we added to the buildpack.

To temporarily disable this error you can change heroku/ruby to https://github.com/heroku/heroku-buildpack-ruby#v186 using the heroku buildpacks command of your application. This should only be a temporary and means that your application remains vulnerable to this very serious exploit.