There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.
Versions affected: ALL
Not affected: NONE
Fixed versions: 1.4.4
Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.
Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:
Using the Rails configuration config.action_view.sanitized_allow_tags=:
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.
NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms:
the :tags option to the Action View helper method sanitize.
the :tags option to the instance method SafeListSanitizer#sanitize.
Workarounds
Remove either "select" or "style" from the overridden allowed tags.
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
Versions affected: ALL
Not affected: NONE
Fixed versions: 1.4.4
Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:
allow both "math" and "style" elements,
or allow both "svg" and "style" elements
Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:
using application configuration:
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]
# or
config.action_view.sanitized_allowed_tags = ["svg", "style"]
All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.
Workarounds
Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.
Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
rails/rails-html-sanitizer (rails-html-sanitizer)
### [`v1.4.4`](https://togithub.com/rails/rails-html-sanitizer/blob/HEAD/CHANGELOG.md#144--2022-12-13)
[Compare Source](https://togithub.com/rails/rails-html-sanitizer/compare/v1.4.3...v1.4.4)
- Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.
Fixes CVE-2022-23517. See
[GHSA-5x79-w82f-gw8w](https://togithub.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w)
for more information.
*Mike Dalessio*
- Address improper sanitization of data URIs.
Fixes CVE-2022-23518 and [#135](https://togithub.com/rails/rails-html-sanitizer/issues/135). See
[GHSA-mcvf-2q2m-x72m](https://togithub.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m)
for more information.
*Mike Dalessio*
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
Fixes CVE-2022-23520. See
[GHSA-rrfc-7g8p-99q8](https://togithub.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8)
for more information.
*Mike Dalessio*
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
Fixes CVE-2022-23519. See
[GHSA-9h9g-93gc-623h](https://togithub.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h)
for more information.
*Mike Dalessio*
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
1.4.3->1.4.4GitHub Vulnerability Alerts
CVE-2022-23518
Summary
rails-html-sanitizer
>= 1.0.3, < 1.4.4is vulnerable to cross-site scripting via data URIs when used in combination with Loofah>= 2.1.0.Mitigation
Upgrade to rails-html-sanitizer
>= 1.4.4.Severity
The maintainers have evaluated this as Medium Severity 6.1.
References
Credit
This vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).
CVE-2022-23520
Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.
Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.
Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:
Using the Rails configuration
config.action_view.sanitized_allow_tags=:(see https://guides.rubyonrails.org/configuring.html#configuring-action-view)
Using the class method
Rails::Html::SafeListSanitizer.allowed_tags=:All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.
NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms:
:tagsoption to the Action View helper methodsanitize.:tagsoption to the instance methodSafeListSanitizer#sanitize.Workarounds
Remove either "select" or "style" from the overridden allowed tags.
References
Credit
This vulnerability was responsibly reported by Dominic Breuker.
CVE-2022-23519
Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:
Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:
using application configuration:
see https://guides.rubyonrails.org/configuring.html#configuring-action-view
using a
:tagsoption to the Action View helpersanitize:see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
using Rails::Html::SafeListSanitizer class method
allowed_tags=:using a
:tagsoptions to the Rails::Html::SafeListSanitizer instance methodsanitize:All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.
Workarounds
Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.
References
Credit
This vulnerability was responsibly reported by Dominic Breuker.
CVE-2022-23517
Summary
Certain configurations of rails-html-sanitizer
< 1.4.4use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.Mitigation
Upgrade to rails-html-sanitizer
>= 1.4.4.Severity
The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
Credit
This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
Release Notes
rails/rails-html-sanitizer (rails-html-sanitizer)
### [`v1.4.4`](https://togithub.com/rails/rails-html-sanitizer/blob/HEAD/CHANGELOG.md#144--2022-12-13) [Compare Source](https://togithub.com/rails/rails-html-sanitizer/compare/v1.4.3...v1.4.4) - Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23517. See [GHSA-5x79-w82f-gw8w](https://togithub.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w) for more information. *Mike Dalessio* - Address improper sanitization of data URIs. Fixes CVE-2022-23518 and [#135](https://togithub.com/rails/rails-html-sanitizer/issues/135). See [GHSA-mcvf-2q2m-x72m](https://togithub.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m) for more information. *Mike Dalessio* - Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23520. See [GHSA-rrfc-7g8p-99q8](https://togithub.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8) for more information. *Mike Dalessio* - Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23519. See [GHSA-9h9g-93gc-623h](https://togithub.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h) for more information. *Mike Dalessio*Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.