🚨 [security] Update rails-html-sanitizer: 1.0.2 → 1.4.3 (minor)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ rails-html-sanitizer (indirect, 1.0.2 → 1.4.3) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
This vulnerability has been assigned the CVE identifier CVE-2022-32209.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: v1.4.3

Impact

A possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer may allow an attacker to inject content if the
application developer has overridden the sanitizer's allowed tags to allow
both select and style elements.

Code is only impacted if allowed tags are being overridden. This may be done via application configuration:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["select", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

Or it may be done with Rails::Html::SafeListSanitizer directly:

# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]

or

# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])

All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Remove either select or style from the overridden allowed tags.

Credits

This vulnerability was responsibly reported by windshock.

🚨 Possible XSS vulnerability in rails-html-sanitizer

🚨 Possible XSS vulnerability in rails-html-sanitizer

There is a possible XSS vulnerability in rails-html-sanitizer. This
vulnerability has been assigned the CVE identifier CVE-2015-7578.

Versions Affected: All.
Not affected: None.
Fixed Versions: 1.0.3

Impact

There is a possible XSS vulnerability in rails-html-sanitizer. Certain
attributes are not removed from tags when they are sanitized, and these
attributes can lead to an XSS attack on target applications.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 1-0-sanitize_data_attributes.patch - Patch for 1.0 series

Credits

Thanks to Ben Murphy and Marien for reporting this.

🚨 XSS vulnerability in rails-html-sanitizer

There is a XSS vulnerability in Rails::Html::FullSanitizer used by Action View's strip_tags.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.

Versions Affected: 1.0.2
Not affected: 1.0.0, 1.0.1
Fixed Versions: 1.0.3

Impact

Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's strip_tags
these entities will be unescaped what may cause a XSS attack if used in combination
with raw or html_safe.

For example:

strip_tags("<script>alert('XSS')</script>") 

Would generate:

<script>alert('XSS')</script> 

After the fix it will generate:

<script>alert('XSS')</script> 

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:

$ cat config/initializers/strip_tags_fix.rb 
class ActionView::Base 
  def strip_tags(html) 
    self.class.full_sanitizer.sanitize(html) 
  end 
end 

Patches

To aid users who aren't able to upgrade immediately we have provided patches
for the two supported release series. They are in git-am format and consist
of a single changeset.

• Do-not-unescape-already-escaped-HTML-entities.patch

Credits

Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
reporting the problem and working with us to fix it.

🚨 Possible XSS vulnerability in rails-html-sanitizer

There is a possible XSS vulnerability in the white list sanitizer in the
rails-html-sanitizer gem. This vulnerability has been assigned the CVE
identifier CVE-2015-7580.

Versions Affected: All.
Not affected: None.
Fixed Versions: v1.0.3

Impact

Carefully crafted strings can cause user input to bypass the sanitization in
the white list sanitizer which will can lead to an XSS attack.

Vulnerable code will look something like this:

<%= sanitize user_input, tags: %w(em) %>

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Putting the following monkey patch in an initializer can help to mitigate the
issue:

class Rails::Html::PermitScrubber 
  alias :old_scrub :scrub 
  alias :old_skip_node? :skip_node? 
def scrub(node)

if node.cdata?

text = node.document.create_text_node node.text

node.replace text

return CONTINUE

end

old_scrub node

end
def skip_node?(node); node.text?; end

end

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series

Credits

Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue.

Release Notes

1.4.3

1.4.3 / 2022-06-09

• Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Prevent the combination of select and style as allowed tags in SafeListSanitizer.

  Fixes CVE-2022-32209

  Mike Dalessio

1.4.2

1.4.2 / 2021-08-23

• Slightly improve performance.

  Assuming elements are more common than comments, make one less method call per node.

1.4.1

1.4.1 / 2021-08-18

• Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.

  Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
  passed through elements to the scrubber's keep_node? method.

  This change once again allows the scrubber to make the decision on comment nodes, but still skips
  other non-elements like processing instructions (see #115).

  Mike Dalessio

1.4.0

1.4.0 / 2021-08-18

• Processing Instructions are no longer allowed by Rails::Html::PermitScrubber

  Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
  are no known security issues associated with these PIs, but similar to comments it's preferred to
  omit these nodes when possible from sanitized output.

  Fixes #115.

  Mike Dalessio

1.3.0

• Address deprecations in Loofah 2.3.0.

  Josh Goodall

1.2.0

• Remove needless white_list_sanitizer deprecation.

  By deprecating this, we were forcing Rails 5.2 to be updated or spew
  deprecations that users could do nothing about.

  That's pointless and I'm sorry for adding that!

  Now there's no deprecation warning and Rails 5.2 works out of the box, while
  Rails 6 can use the updated naming.

  Kasper Timm Hansen

1.1.0

• Add safe_list_sanitizer and deprecate white_list_sanitizer to be removed
  in 1.2.0. #87

  Juanito Fatas

• Remove href from LinkScrubber's tags as it's not an element.
  #92

  Juanito Fatas

• Explain that we don't need to bump Loofah here if there's CVEs.
  d4d823c

  Kasper Timm Hansen

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.0.2 → 2.18.0) · Repo · Changelog

Security Advisories 🚨

🚨 Loofah XSS Vulnerability

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in
sanitized output when a crafted SVG element is republished.

🚨 Loofah XSS Vulnerability

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

🚨 Loofah XSS Vulnerability

Loofah allows non-whitelisted attributes to be present in sanitized
output when input with specially-crafted HTML fragments.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.6.6.2 → 1.6.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Denial of service or RCE from libxml2 and libxslt

Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,
which are libraries Nokogiri depends on. It was discovered that libxml2 and
libxslt incorrectly handled certain malformed documents, which can allow
malicious users to cause issues ranging from denial of service to remote code
execution attacks.

For more information, the Ubuntu Security Notice is a good start:
http://www.ubuntu.com/usn/usn-2994-1/

🚨 Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2

Nokogiri version 1.6.7.2 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499
CVSS v2 Base Score: 5.0 (MEDIUM)

Heap-based buffer overflow in the xmlGROW function in parser.c
in libxml2 before 2.9.3 allows context-dependent attackers to
obtain sensitive process memory information via unspecified
vectors.

libxml2 could be made to crash if it opened a specially crafted
file. It was discovered that libxml2 incorrectly handled certain
malformed documents. If a user or automated system were tricked
into opening a specially crafted document, an attacker could
possibly cause libxml2 to crash, resulting in a denial of service.

🚨 Nokogiri gem contains several vulnerabilities in libxml2

Nokogiri version 1.6.7.1 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVEs:

CVE-2015-5312
CVSS v2 Base Score: 7.1 (HIGH)
The xmlStringLenDecodeEntities function in parser.c in libxml2
before 2.9.3 does not properly prevent entity expansion, which
allows context-dependent attackers to cause a denial of
service (CPU consumption) via crafted XML data, a different
vulnerability than CVE-2014-3660.

CVE-2015-7497
CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlDictComputeFastQKey
function in dict.c in libxml2 before 2.9.3 allows
context-dependent attackers to cause a denial of service via
unspecified vectors.

CVE-2015-7498
CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlParseXmlDecl function in
parser.c in libxml2 before 2.9.3 allows context-dependent
attackers to cause a denial of service via unspecified vectors
related to extracting errors after an encoding conversion
failure.

CVE-2015-7499
CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlGROW function in parser.c
in libxml2 before 2.9.3 allows context-dependent attackers to
obtain sensitive process memory information via unspecified
vectors.

CVE-2015-7500
CVSS v2 Base Score: 5.0 (MEDIUM)
The xmlParseMisc function in parser.c in libxml2 before 2.9.3
allows context-dependent attackers to cause a denial of
service (out-of-bounds heap read) via unspecified vectors
related to incorrect entities boundaries and start tags.

CVE-2015-8241
CVSS v2 Base Score: 6.4 (MEDIUM)
The xmlNextChar function in libxml2 2.9.2 does not properly
check the state, which allows context-dependent attackers to
cause a denial of service (heap-based buffer over-read and
application crash) or obtain sensitive information via crafted
XML data.

CVE-2015-8242
CVSS v2 Base Score: 5.8 (MEDIUM)
The xmlSAX2TextNode function in SAX2.c in the push interface in
the HTML parser in libxml2 before 2.9.3 allows
context-dependent attackers to cause a denial of
service (stack-based buffer over-read and application crash) or
obtain sensitive information via crafted XML data.

CVE-2015-8317
CVSS v2 Base Score: 5.0 (MEDIUM)
The xmlParseXMLDecl function in parser.c in libxml2 before
2.9.3 allows context-dependent attackers to obtain sensitive
information via an (1) unterminated encoding value or (2)
incomplete XML declaration in XML data, which triggers an
out-of-bounds heap read.

🚨 Nokogiri gem contains several vulnerabilities in libxml2 and libxslt

Several vulnerabilities were discovered in the libxml2 and libxslt libraries
that the Nokogiri gem depends on.

CVE-2015-1819
A denial of service flaw was found in the way libxml2 parsed XML
documents. This flaw could cause an application that uses libxml2 to use an
excessive amount of memory.

CVE-2015-7941
libxml2 does not properly stop parsing invalid input, which allows
context-dependent attackers to cause a denial of service (out-of-bounds read
and libxml2 crash) via crafted specially XML data.

CVE-2015-7942
The xmlParseConditionalSections function in parser.c in libxml2
does not properly skip intermediary entities when it stops parsing invalid
input, which allows context-dependent attackers to cause a denial of service
(out-of-bounds read and crash) via crafted XML data.

CVE-2015-7995
The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
check whether the parent node is an element, which allows attackers to cause
a denial of service using a specially crafted XML document.

CVE-2015-8035
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not
properly detect compression errors, which allows context-dependent attackers
to cause a denial of service (process hang) via crafted XML data.

Another vulnerability was discoverd in libxml2 that could cause parsing
of unclosed comments to result in "conditional jump or move depends on
uninitialized value(s)" and unsafe memory access. This issue does not have a
CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4.

🚨 Nokogiri gem contains several vulnerabilities in libxml2 and libxslt

Several vulnerabilities were discovered in the libxml2 and libxslt libraries
that the Nokogiri gem depends on.

CVE-2015-1819
A denial of service flaw was found in the way libxml2 parsed XML
documents. This flaw could cause an application that uses libxml2 to use an
excessive amount of memory.

CVE-2015-7941
libxml2 does not properly stop parsing invalid input, which allows
context-dependent attackers to cause a denial of service (out-of-bounds read
and libxml2 crash) via crafted specially XML data.

CVE-2015-7942
The xmlParseConditionalSections function in parser.c in libxml2
does not properly skip intermediary entities when it stops parsing invalid
input, which allows context-dependent attackers to cause a denial of service
(out-of-bounds read and crash) via crafted XML data.

CVE-2015-7995
The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
check whether the parent node is an element, which allows attackers to cause
a denial of service using a specially crafted XML document.

CVE-2015-8035
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not
properly detect compression errors, which allows context-dependent attackers
to cause a denial of service (process hang) via crafted XML data.

Another vulnerability was discoverd in libxml2 that could cause parsing
of unclosed comments to result in "conditional jump or move depends on
uninitialized value(s)" and unsafe memory access. This issue does not have a
CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 crass (added, 1.0.6)

🆕 mini_portile2 (added, 2.1.0)

🗑️ mini_portile (removed)

---

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

• Circle CI, Semaphore and Travis-CI are all excellent options.
• If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
• If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)