Restrict Rouge formatters to Rouge::Formatters namespace

gettalong / kramdown

kramdown is a fast, pure Ruby Markdown superset converter, using a strict syntax definition and supporting several common extensions.

http://kramdown.gettalong.org

Other

1.72k stars 274 forks source link

Restrict Rouge formatters to Rouge::Formatters namespace #708

Closed stanhu closed 3 years ago

stanhu commented 3 years ago

ff0218aefcf00cd5a389e17e075d36cd46d011e2 added support for specifying custom Rouge formatters with the constraint that the formatter be in theRouge::Formatters namespace, but it did not actually enforce this constraint. For example, this is valid:

Rouge::Formatters.const_get('CSV')
=> CSV

Adding the false parameter to const_get prevents this:

Rouge::Formatters.const_get('CSV', false)
NameError: uninitialized constant Rouge::Formatters::CSV

gettalong commented 3 years ago

Thanks! I think this makes sense also from a security point of view.

stanhu commented 3 years ago

@gettalong Thanks! Would you mind merging and tagging a new release?

gettalong commented 3 years ago

There will be a release in due time.

gettalong commented 3 years ago

Thank you - merged and will be in the upcoming release.

aleksandrs-ledovskis commented 3 years ago

Source of CVSS 9.9 in GitLab.

I see no reason to keep it disconnected/under wraps once the patch (and consequently the vector) is known.

rfrohl commented 3 years ago

this issue got CVE-2021-28834 assigned