🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible.
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
Versions affected: ALL
Not affected: NONE
Fixed versions: 1.4.4
Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:
allow both "math" and "style" elements,
or allow both "svg" and "style" elements
Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways, the first of which is application configuration:
using application configuration:
    # In config/application.rb
    config.action_view.sanitized_allowed_tags = ["math", "style"]
    # or
    config.action_view.sanitized_allowed_tags = ["svg", "style"]
All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.
Workarounds
Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.
Versions affected: ALL
Not affected: NONE
Fixed versions: 1.4.4
Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.
Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:
Using the Rails configuration config.action_view.sanitized_allowed_tags=:
    # In config/application.rb
    config.action_view.sanitized_allowed_tags = ["select", "style"]
All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.
NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms:
the :tags option to the Action View helper method sanitize.
the :tags option to the instance method SafeListSanitizer#sanitize.
Workarounds
Remove either "select" or "style" from the overridden allowed tags.
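The two XSS advisories above share one precondition: an allowed-tags override that combines "style" with "math", "svg" or "select". The following is an added example, not code from the advisories or from rails-html-sanitizer, that audits such an override for those three combinations and applies the simplest workaround (dropping "style"). The function names, constants and sample tag lists are constructed for illustration; it runs with plain Ruby and does not need Rails.

```ruby
# Added example (not part of the advisory or the rails-html-sanitizer project):
# audit an allowed-tags override for the combinations named in the two XSS
# advisories, then apply the "remove style" workaround. Pure Ruby, no Rails.
require 'set'

# Element combinations the advisories describe as unsafe when all members are
# allowed together (fixed in rails-html-sanitizer 1.4.4).
RISKY_TAG_COMBINATIONS = [
  %w[math style],
  %w[svg style],
  %w[select style]
].freeze

# Returns the offending combinations present in +allowed_tags+ (an Array or
# Set of Strings or Symbols), or an empty array when none apply.
def risky_tag_combinations(allowed_tags)
  allowed = allowed_tags.map { |t| t.to_s.downcase }.to_set
  RISKY_TAG_COMBINATIONS.select { |combo| combo.all? { |tag| allowed.include?(tag) } }
end

# Applies the advisories' workaround: drop "style" only when it is combined
# with math/svg/select; otherwise return the tags unchanged. Always an Array.
def apply_workaround(allowed_tags)
  tags = allowed_tags.to_a
  return tags if risky_tag_combinations(tags).empty?
  tags.reject { |t| t.to_s.downcase == 'style' }
end

if $PROGRAM_NAME == __FILE__
  # Constructed examples of what an app might set in config/application.rb.
  [%w[math style], %w[svg p a style], %w[select style], %w[svg p a], %w[p br style]].each do |tags|
    hits = risky_tag_combinations(tags)
    status = hits.empty? ? 'ok' : "RISKY (#{hits.map { |c| c.join('+') }.join(', ')})"
    puts "#{tags.inspect} -> #{status}; after workaround: #{apply_workaround(tags).inspect}"
  end
end
```

Run it against the actual value of `config.action_view.sanitized_allowed_tags` (or whatever your override sets) before deciding whether the workaround is needed alongside the upgrade; a "style" tag on its own, or "math"/"svg"/"select" without "style", is not flagged, matching the advisory text.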
Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer dereference (a process crash) when invalid markup is being parsed.
For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.
Mitigation
Upgrade to Nokogiri >= 1.13.10.
Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
What changed?
↗️ rails-html-sanitizer (indirect, 1.4.3 → 1.4.4) · Repo · Changelog
Security Advisories 🚨
🚨 Inefficient Regular Expression Complexity in rails-html-sanitizer
🚨 Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
🚨 Possible XSS vulnerability with certain configurations of rails-html-sanitizer
🚨 Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Commits
See the full diff on Github. The new version differs by 9 commits:
version bump to v1.4.4
dep: bump dependency on loofah
fix: escape CDATA nodes using Loofah's escaping methods
revert 45a5c10
fix: use Loofah's scrub_uri_attribute method
fix: replace slow regex attribute check with Loofah method
ci: pin system lib test to 20.04
Merge pull request #145 from rails/flavorjones-get-14x-green
tests: handle libxml 2.10.0 incorrectly-opened comment parsing
↗️ loofah (indirect, 2.19.0 → 2.19.1) · Repo · Changelog
Security Advisories 🚨
🚨 Inefficient Regular Expression Complexity in Loofah
🚨 Improper neutralization of data URIs may allow XSS in Loofah
🚨 Uncontrolled Recursion in Loofah
Commits
See the full diff on Github. The new version differs by 11 commits:
version bump to v2.19.1
docs: preserve the context and decision record
fix: replace recursive approach to cdata with escaping solution
fix: do not allow "image/svg+xml" in data URIs
refactor: extract scrub_uri_attribute for downstream use
ci: pin psych to v4 until v5 builds properly on CI
fix: replace slow regex attribute check with crass parser
Merge pull request #247 from flavorjones/flavorjones-downstream-test-rhs
ci: test downstream rails-html-sanitizer
Merge pull request #245 from flavorjones/flavorjones-fix-ruby-2.5-ci
ci: ensure a min rubygems version
↗️ nokogiri (indirect, 1.13.9 → 1.13.10) · Repo · Changelog
Security Advisories 🚨
🚨 Unchecked return value from xmlTextReaderExpand
Release Notes
1.13.10
Commits
See the full diff on Github. The new version differs by 7 commits:
version bump to v1.13.10
Merge pull request #2715 from sparklemotion/flavorjones-fix-reader-error-handling_v1.13.x
fix(cruby): XML::Reader#attribute_hash returns nil on error
Merge pull request #2717 from sparklemotion/flavorjones-lock-psych-to-fix-build_v1.13.x
test: skip large cdata test on system libxml2
dep(dev): pin psych to v4 until v5 builds in CI
style(rubocop): disable Minitest/EmptyLineBeforeAssertionMethods
↗️ racc (indirect, 1.6.0 → 1.6.1) · Repo · Changelog
Release Notes
1.6.1
Commits
See the full diff on Github. The new version differs by 39 commits:
Bump version to 1.6.1
Merge pull request #198 from ruby/flavorjones-update-ci-pipeline-20221123
ci: update jruby versions and add truffleruby
Merge pull request #197 from jwillemsen/patch-3
Update racc.gemspec
Merge pull request #196 from jwillemsen/patch-3
Update README.rdoc
Merge pull request #195 from jwillemsen/patch-3
Update racc.en.rhtml
Merge pull request #194 from enebo/jruby_racc_find
Merge pull request #193 from okuramasafumi/patch-1
Make racc test more flexible (for JRuby).
Fix documentation directory name in README
Merge pull request #191 from nobu/fix-regexp-option
Fix flag to `Regexp.new`
Merge pull request #189 from nobu/strip-trailing-spaces
Strip trailing whitespaces [ci skip]
Strip trailing whitespaces at the last line of actions
Merge pull request #188 from nobu/nodoc-parseerror
[DOC] Remove stale `Object::ParseError` documentation
Merge pull request #187 from ruby/dependabot/github_actions/actions/checkout-3
Bump actions/checkout from 2 to 3
Merge pull request #186 from ruby/add-dependabot
Added dependabot
Merge pull request #184 from simi/patch-1
Fix typo in sample/calc.y.
ci: fix name of default branch
Merge pull request #181 from ruby/flavorjones-update-ci-with-ruby31
ci: update to cover Ruby 3.1
Merge pull request #180 from k0kubun/rubyvm-mjit
s/RubyVM::JIT/RubyVM::MJIT/g
Merge pull request #179 from jwillemsen/patch-3
Update README.rdoc
Merge pull request #178 from nobu/fix-names
Fix a private method name
Fix typo in a local variable name
Merge pull request #173 from ruby/ci-use-cache-add-jruby93
CI: Add JRuby 9.3, use bundler-cache