Bumps nokogiri from 1.8.2 to 1.11.2. This update includes security fixes.
Vulnerabilities fixed
Sourced from The Ruby Advisory Database.
Nokogiri Command Injection Vulnerability
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess by Ruby's Kernel.open method.
Processes are vulnerable only if the undocumented method
Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions
v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
code for parsing CSS queries. The underlying vulnerability was addressed in
Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
Nokogiri v1.10.4.
Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method
Nokogiri::CSS::Tokenizer#load_file with untrusted user input.
Revert libxml2 behavior in Nokogiri gem that could cause XSS
[MRI] Behavior in libxml2 has been reverted which caused
CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
here:
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Nokogiri v1.10.5 has been released.
This is a security release. It addresses three CVEs in upstream libxml2,
for which details are below.
If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
these vulnerabilities.
Moderate severity vulnerability that affects nokogiri
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Nokogiri has backported the patch for CVE-2020-7595 into its vendored version
of libxml2, and released this as v1.10.8
CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and
so Nokogiri versions <= v1.10.7 are vulnerable.
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.
This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.
Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".
Affected Versions
Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Description
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema
are trusted by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.
This behavior is counter to
the security policy followed by Nokogiri maintainers, which is to treat all input
as untrusted by default whenever possible.
Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be "Low Severity".
Affected Versions
Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Nokogiri 1.8.5 has been released.
This is a security and bugfix release. It addresses two CVEs in upstream
libxml2 rated as "medium" by Red Hat, for which details are below.
If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that these patches are not
yet (as of 2018-10-04) in an upstream release of libxml2.
Full details about the security update are available in Github Issue #1785.
[#1785]: sparklemotion/nokogiri#1785
[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
and CVE-2018-14567. Full details are available in #1785. Note that these
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Nokogiri v1.10.3 has been released.
This is a security release. It addresses a CVE in upstream libxslt rated as
"Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More
details are available below.
If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time, though
you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that this patch is not yet (as
of 2019-04-22) in an upstream release of libxslt.
[CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
[CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
[CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
[JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.
Improved
Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @ashmaroli!)
[JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @eregon!)
[TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @eregon!)
Changed
Nokogiri::XML::Path is now a Module (previously it has been a Class). It has been acting solely as a Module since v1.0.0. See 8461c74.
v1.11.1 / 2021-01-06
Fixed
[CRuby] If libxml-ruby is loaded before nokogiri, the SAX and Push parsers no longer call libxml-ruby's handlers. Instead, they defensively override the libxml2 global handler before parsing. [#2168]
[CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
[CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
[CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
[JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.
Improved
Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @ashmaroli!)
[JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @eregon!)
[TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @eregon!)
Changed
Nokogiri::XML::Path is now a Module (previously it has been a Class). It has been acting solely as a Module since v1.0.0. See 8461c74.
1.11.1 / 2021-01-06
Fixed
[CRuby] If libxml-ruby is loaded before nokogiri, the SAX and Push parsers no longer call libxml-ruby's handlers. Instead, they defensively override the libxml2 global handler before parsing. [#2168]
1.11.0 / 2021-01-03
Notes
Faster, more reliable installation: Native Gems for Linux and OSX/Darwin
"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.
We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:
Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
OSX/Darwin: x86_64-darwin and arm64-darwin
We'd appreciate your thoughts and feedback on this work at #2075.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps nokogiri from 1.8.2 to 1.11.2. This update includes security fixes.
Vulnerabilities fixed
Sourced from The Ruby Advisory Database.
Sourced from The Ruby Advisory Database.
Sourced from The Ruby Advisory Database.
Sourced from The Ruby Advisory Database.
... (truncated)
Sourced from The GitHub Security Advisory Database.
Sourced from The Ruby Advisory Database.
Sourced from The GitHub Security Advisory Database.
... (truncated)
Sourced from The Ruby Advisory Database.
... (truncated)
Sourced from The Ruby Advisory Database.
... (truncated)
Sourced from The Ruby Advisory Database.
... (truncated)
Release notes
Sourced from nokogiri's releases.
... (truncated)
Changelog
Sourced from nokogiri's changelog.
... (truncated)
Commits
2975cb4
version bump to v1.11.20027043
ci: truffleruby pipeline has better task namesbe901fd
ci: truffleruby pipeline tests the new winning compile flag combosf5575c3
ci: rake-test/run.sh accepts compile flags passed as COMPILE_FLAGS2ed1062
ci: concourse pipelines regenerated with fly 7.0.013c1e88
Merge pull request #2193 from eregon/flexible-config-truffleruby4a3836e
feat(build): default to --disable-static on TruffleRuby98bf3a0
doc: update CHANGELOG with enable/disable-system-librariesfa08f31
refactor: extract extconf config into methods332f74f
feat(build): extconf supports --disable/enable-system-librariesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)