From 5743e4f784c292cccd26072ed092ca6581188dae Mon Sep 17 00:00:00 2001
From: Ben Ford
Date: Fri, 12 Sep 2025 12:55:34 -0700
Subject: [PATCH 1/2] [CVE] remove nokogiri and dependencies
Nokogiri was used to bump performance on MacOS clients when parsing plist files. Without it, CFPropertyList will fall back to rexml. However, performance testing indicates that the boost is negligible. This just removes it and reduces our security exposure. This removes the libxml2 & libxslt libraries from the agent runtime, but doesn't actually delete the components yet because Bolt uses them.
---
 configs/components/rubygem-mini_portile2.rb | 13 ---------
 configs/components/rubygem-nokogiri.rb | 30 --------------------
 configs/projects/_shared-agent-components.rb | 2 --
 configs/projects/agent-runtime-main.rb | 6 ----
 4 files changed, 51 deletions(-)
 delete mode 100644 configs/components/rubygem-mini_portile2.rb
 delete mode 100644 configs/components/rubygem-nokogiri.rb
diff --git a/configs/components/rubygem-mini_portile2.rb b/configs/components/rubygem-mini_portile2.rb
deleted file mode 100644
index f3c4d65a..00000000
--- a/configs/components/rubygem-mini_portile2.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-#####
-# Component release information:
-# https://rubygems.org/gems/mini_portile2
-# https://github.com/flavorjones/mini_portile/blob/main/CHANGELOG.md
-#####
-component 'rubygem-mini_portile2' do |pkg, _settings, _platform|
- pkg.version '2.8.9'
- pkg.sha256sum '0cd7c7f824e010c072e33f68bc02d85a00aeb6fce05bb4819c03dfd3c140c289'
-
- instance_eval File.read('configs/components/_base-rubygem.rb')
-
- pkg.environment 'GEM_HOME', settings[:gem_home]
-end
diff --git a/configs/components/rubygem-nokogiri.rb b/configs/components/rubygem-nokogiri.rb
deleted file mode 100644
index 50d2f97e..00000000
--- a/configs/components/rubygem-nokogiri.rb
+++ /dev/null
@@ -1,30 +0,0 @@
-#####
-# Component release information:
-# https://rubygems.org/gems/nokogiri
-# https://nokogiri.org/CHANGELOG.html
-#####
-component 'rubygem-nokogiri' do |pkg, settings, _platform|
- pkg.version '1.18.9'
- pkg.sha256sum 'ac5a7d93fd0e3cef388800b037407890882413feccca79eb0272a2715a82fa33'
-
- cflags = platform.is_macos? ? settings[:cflags] + '--with-cflags="-Wno-incompatible-function-pointer-types"' : ''
- settings["#{pkg.get_name}_gem_install_options".to_sym] = "--platform=ruby -- \
- --use-system-libraries \
- --with-xml2-lib=#{settings[:libdir]} \
- --with-xml2-include=#{settings[:includedir]}/libxml2 \
- --with-xslt-lib=#{settings[:libdir]} \
- --with-xslt-include=#{settings[:includedir]} \
- #{cflags}"
- instance_eval File.read('configs/components/_base-rubygem.rb')
- pkg.build_requires 'rubygem-mini_portile2'
- gem_home = settings[:gem_home]
- pkg.environment "GEM_HOME", gem_home
- if platform.is_macos?
- pkg.environment "PKG_CONFIG_PATH", "#{settings[:libdir]}/pkgconfig"
- if platform.is_cross_compiled?
- pkg.install do
- "rm -r #{gem_home}/gems/nokogiri-#{pkg.get_version}/ext/nokogiri/tmp"
- end
- end
- end
-end
diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb
index ed0ce1ef..77c47b76 100644
--- a/configs/projects/_shared-agent-components.rb
+++ b/configs/projects/_shared-agent-components.rb
@@ -35,8 +35,6 @@ proj.component "ruby-#{proj.ruby_version}"
 proj.component "readline" if platform.is_macos?
 proj.component 'augeas' unless platform.is_windows?
-proj.component 'libxml2' unless platform.is_windows?
-proj.component 'libxslt' unless platform.is_windows?
 proj.component 'ruby-augeas' unless platform.is_windows?
 proj.component 'ruby-shadow' unless platform.is_aix? || platform.is_windows?
diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb
index af2210e3..385dc43f 100644
--- a/configs/projects/agent-runtime-main.rb
+++ b/configs/projects/agent-runtime-main.rb
@@ -67,12 +67,6 @@ proj.component 'rubygem-sys-filesystem'
 end
- # Nokogiri and dependencies to improve macOS performance (PUP-11332)
- if platform.is_macos?
- proj.component 'rubygem-nokogiri'
- proj.component 'rubygem-mini_portile2'
- end
-
 # Dependencies for gettext for Ruby >= 3.2 (PA-4815)
 proj.component 'rubygem-erubi'
 proj.component 'rubygem-prime'
From eff7f66d76bdf703652cf239131d4f1f36bb5d37 Mon Sep 17 00:00:00 2001
From: Ben Ford
Date: Fri, 12 Sep 2025 14:41:52 -0700
Subject: [PATCH 2/2] missed an augeas dependency
---
 configs/projects/_shared-agent-components.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/configs/projects/_shared-agent-components.rb b/configs/projects/_shared-agent-components.rb
index 77c47b76..cefe7f4a 100644
--- a/configs/projects/_shared-agent-components.rb
+++ b/configs/projects/_shared-agent-components.rb
@@ -35,6 +35,7 @@ proj.component "ruby-#{proj.ruby_version}"
 proj.component "readline" if platform.is_macos?
 proj.component 'augeas' unless platform.is_windows?
+-proj.component 'libxml2' unless platform.is_windows?
 proj.component 'ruby-augeas' unless platform.is_windows?
 proj.component 'ruby-shadow' unless platform.is_aix? || platform.is_windows?
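Review bot: The line added to `_shared-agent-components.rb` in the second patch carries a stray leading `-` — `+-proj.component 'libxml2' unless platform.is_windows?` — so the new content begins `-proj.component`, which looks like the removal marker from the first patch pasted back in along with the line (unless the extra character is an artefact of how this patch file was captured). As far as I can tell Ruby parses that as unary minus applied to the return value of `proj.component`, so the component is registered and then, depending on what that method returns, the config either raises `NoMethodError` for `-@` when it is evaluated or silently discards the negated value. It should read `proj.component 'libxml2' unless platform.is_windows?` at column 0 like its neighbours. Since this patch restores libxml2 for augeas, the first patch's description ("This removes the libxml2 & libxslt libraries from the agent runtime") is no longer accurate for libxml2 and is worth adjusting if the series is squashed.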