🚨 [security] Update nokogiri: 1.12.3 → 1.12.5 (patch)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.12.3 → 1.12.5) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

• Nokogiri::XML::SAX::Parser
• Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
• Nokogiri::XML::SAX::PushParser
• Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

Release Notes

1.12.4

1.12.4 / 2021-08-29

Notable fix: Namespace inheritance

Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

Compensating Feature in XML::Document

This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML:Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

CRuby users who desire the pre-v1.12.0 behavior may set document.namespace_inheritance = true before reparenting nodes.

See https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method for example usage.

Fix for XML::Builder

However, recognizing that we want Builder-created children to inherit namespaces, Builder now will set namespace_inheritance=true on the underlying document for both JRuby and CRuby. This means that, on CRuby, the pre-v1.12.0 behavior is restored.

Users who want to turn this behavior off may pass a keyword argument to the Builder constructor like so:

Nokogiri::XML::Builder.new(namespace_inheritance: false)

See https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html#label-Namespace+inheritance for example usage.

Downstream gem maintainers

Note that any downstream gems may want to specifically omit Nokogiri v1.12.0--v1.12.3 from their dependency specification if they rely on child namespace inheritance:

Gem::Specification.new do |gem|
  # ...
  gem.add_runtime_dependency 'nokogiri', '!=1.12.3', '!=1.12.2', '!=1.12.1', '!=1.12.0'
  # ...
end

Fixed

• [JRuby] Fix NPE in Schema parsing when an imported resource doesn't have a systemId. [#2296] (Thanks, @pepijnve!)

---

SHA256 checksums:

892808245fad3dea1bd4405461ba45d8f2261a6e23af91b8fc4b136e37cd3475  nokogiri-1.12.4-arm64-darwin.gem
1179f2c8fc13f4cb349b4e9219fbe7c1e7b885e24aceb2c8a0e06d1c3fe3ec2a  nokogiri-1.12.4-java.gem
44e728900a919ca9d8c6a3f545c2ff4903f4f45c47255904548386ad9f9869d6  nokogiri-1.12.4-x64-mingw32.gem
1116dac823e27f5255024c3154f0db3d2c9008cfdcaf11bbd66bde7770dca12d  nokogiri-1.12.4-x86-linux.gem
129b372c37dc817b588c623e6899ad32fe166498320789611ae3de0c361166ed  nokogiri-1.12.4-x86-mingw32.gem
f6f606dbdedd94e85e2fdc5e5829833441962115c3b62a2eab0a51f8ba938c3a  nokogiri-1.12.4-x86_64-darwin.gem
d706df7ed9382c749382e5b3bd9bfa4986935c0c5e36856d75fd9008d80f4da0  nokogiri-1.12.4-x86_64-linux.gem
7fec161ee1c7b2329e05fed019bfc7b1f910a39e6b30ae95825e75dda2094de9  nokogiri-1.12.4.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

• version bump to v1.12.5
• update CHANGELOG
• Merge pull request #2329 from sparklemotion/flavorjones-GHSA-2rr5-8q37-2w7h_1.12.x
• fix(jruby): SAX parser uses an entity resolver
• refactor(jruby): handle errors more consistently
• format: test files
• Merge pull request #2327 from sparklemotion/2324-xhtml-self-closing-tags_v1.12.x
• fix: HTML4::Document.to_xhtml self-closing tags
• release v1.12.4
• backport #2320
• update CHANGELOG for #2296
• Resolve potential NPE in SchemaResourceResolver
• test: repro for #2296
• test: move the test from 3c95d44 to be within a test class

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu[bot]]

Closing because this update has already been applied