🚨 [security] [ruby] Update loofah: 2.19.0 → 2.19.1 (patch)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ loofah (indirect, 2.19.0 → 2.19.1) · Repo · Changelog

Security Advisories 🚨

🚨 Inefficient Regular Expression Complexity in Loofah

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
• https://hackerone.com/reports/1684163

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

🚨 Improper neutralization of data URIs may allow XSS in Loofah

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as Medium Severity 6.1.

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg
• https://hackerone.com/reports/1694173
• #101

Credit

This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

🚨 Uncontrolled Recursion in Loofah

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-674: Uncontrolled Recursion (4.9)

Commits

See the full diff on Github. The new version differs by 11 commits:

• version bump to v2.19.1
• docs: preserve the context and decision record
• fix: replace recursive approach to cdata with escaping solution
• fix: do not allow "image/svg+xml" in data URIs
• refactor: extract scrub_uri_attribute for downstream use
• ci: pin psych to v4 until v5 builds properly on CI
• fix: replace slow regex attribute check with crass parser
• Merge pull request #247 from flavorjones/flavorjones-downstream-test-rhs
• ci: test downstream rails-html-sanitizer
• Merge pull request #245 from flavorjones/flavorjones-fix-ruby-2.5-ci
• ci: ensure a min rubygems version

↗️ nokogiri (indirect, 1.13.9 → 1.13.10) · Repo · Changelog

Security Advisories 🚨

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-252: Unchecked Return Value (4.9)
• CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

Release Notes

1.13.10

1.13.10 / 2022-12-07

Security

• [CRuby] Address CVE-2022-23476, unchecked return value from xmlTextReaderExpand. See GHSA-qv4q-mr5r-qprj for more information.

Improvements

• [CRuby] XML::Reader#attribute_hash now returns nil on parse errors. This restores the behavior of #attributes from v1.13.7 and earlier. [#2715]

---

sha256 checksums:

777ce2e80f64772e91459b943e531dfef387e768f2255f9bc7a1655f254bbaa1  nokogiri-1.13.10-aarch64-linux.gem
b432ff47c51386e07f7e275374fe031c1349e37eaef2216759063bc5fa5624aa  nokogiri-1.13.10-arm64-darwin.gem
73ac581ddcb680a912e92da928ffdbac7b36afd3368418f2cee861b96e8c830b  nokogiri-1.13.10-java.gem
916aa17e624611dddbf2976ecce1b4a80633c6378f8465cff0efab022ebc2900  nokogiri-1.13.10-x64-mingw-ucrt.gem
0f85a1ad8c2b02c166a6637237133505b71a05f1bb41b91447005449769bced0  nokogiri-1.13.10-x64-mingw32.gem
91fa3a8724a1ce20fccbd718dafd9acbde099258183ac486992a61b00bb17020  nokogiri-1.13.10-x86-linux.gem
d6663f5900ccd8f72d43660d7f082565b7ffcaade0b9a59a74b3ef8791034168  nokogiri-1.13.10-x86-mingw32.gem
81755fc4b8130ef9678c76a2e5af3db7a0a6664b3cba7d9fe8ef75e7d979e91b  nokogiri-1.13.10-x86_64-darwin.gem
51d5246705dedad0a09b374d09cc193e7383a5dd32136a690a3cd56e95adf0a3  nokogiri-1.13.10-x86_64-linux.gem
d3ee00f26c151763da1691c7fc6871ddd03e532f74f85101f5acedc2d099e958  nokogiri-1.13.10.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• version bump to v1.13.10
• Merge pull request #2715 from sparklemotion/flavorjones-fix-reader-error-handling_v1.13.x
• fix(cruby): XML::Reader#attribute_hash returns nil on error
• Merge pull request #2717 from sparklemotion/flavorjones-lock-psych-to-fix-build_v1.13.x
• test: skip large cdata test on system libxml2
• dep(dev): pin psych to v4 until v5 builds in CI
• style(rubocop): disable Minitest/EmptyLineBeforeAssertionMethods

↗️ racc (indirect, 1.6.0 → 1.6.1) · Repo · Changelog

Release Notes

1.6.1

What's Changed

• CI: Add JRuby 9.3, use bundler-cache by @olleolleolle in #173
• Fix names by @nobu in #178
• Update README.rdoc by @jwillemsen in #179
• s/RubyVM::JIT/RubyVM::MJIT/g by @k0kubun in #180
• ci: update to cover Ruby 3.1 by @flavorjones in #181
• Fix typo in sample/calc.y. by @simi in #184
• Added dependabot.yml for actions by @hsbt in #186
• Bump actions/checkout from 2 to 3 by @dependabot in #187
• [DOC] Remove stale Object::ParseError documentation by @nobu in #188
• Strip trailing spaces by @nobu in #189
• Fix flag to Regexp.new by @nobu in #191
• Fix documentation directory name in README by @okuramasafumi in #193
• Make racc test more flexible (for JRuby). by @enebo in #194
• Update racc.en.rhtml by @jwillemsen in #195
• Update README.rdoc by @jwillemsen in #196
• Update racc.gemspec by @jwillemsen in #197
• ci: update jruby versions and add truffleruby by @flavorjones in #198

New Contributors

• @jwillemsen made their first contribution in #179
• @k0kubun made their first contribution in #180
• @simi made their first contribution in #184
• @dependabot made their first contribution in #187
• @okuramasafumi made their first contribution in #193

Full Changelog: v1.6.0...v1.6.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

• Bump version to 1.6.1
• Merge pull request #198 from ruby/flavorjones-update-ci-pipeline-20221123
• ci: update jruby versions and add truffleruby
• Merge pull request #197 from jwillemsen/patch-3
• Update racc.gemspec
• Merge pull request #196 from jwillemsen/patch-3
• Update README.rdoc
• Merge pull request #195 from jwillemsen/patch-3
• Update racc.en.rhtml
• Merge pull request #194 from enebo/jruby_racc_find
• Merge pull request #193 from okuramasafumi/patch-1
• Make racc test more flexible (for JRuby).
• Fix documentation directory name in README
• Merge pull request #191 from nobu/fix-regexp-option
• Fix flag to `Regexp.new`
• Merge pull request #189 from nobu/strip-trailing-spaces
• Strip trailing whitespaces [ci skip]
• Show diffs
• Strip trailing whitespaces at the last line of actions
• Merge pull request #188 from nobu/nodoc-parseerror
• [DOC] Remove stale `Object::ParseError` documentation
• Merge pull request #187 from ruby/dependabot/github_actions/actions/checkout-3
• Bump actions/checkout from 2 to 3
• Merge pull request #186 from ruby/add-dependabot
• Added dependabot
• Merge pull request #184 from simi/patch-1
• Fix typo in sample/calc.y.
• ci: fix name of default branch
• Merge pull request #181 from ruby/flavorjones-update-ci-with-ruby31
• ci: update to cover Ruby 3.1
• Merge pull request #180 from k0kubun/rubyvm-mjit
• s/RubyVM::JIT/RubyVM::MJIT/g
• Merge pull request #179 from jwillemsen/patch-3
• Update README.rdoc
• Merge pull request #178 from nobu/fix-names
• Fix a private method name
• Fix typo in a local variable name
• Merge pull request #173 from ruby/ci-use-cache-add-jruby93
• CI: Add JRuby 9.3, use bundler-cache

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)