sarvex / metasploit-framework

Metasploit Framework
http://www.metasploit.com/

Update dependency yard to v0.9.36 [SECURITY] - autoclosed #5

Closed renovate[bot] closed 7 months ago

renovate[bot] commented 7 months ago


This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| yard (source) | 0.9.34 -> 0.9.36 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-27285

Summary

The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.

Details

The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the "frames.erb" template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window's location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs.

Snippet from "frames.erb": (v0.9.34)

```erb
<script type="text/javascript">
  var match = unescape(window.location.hash).match(/^#!(.+)/);
  var name = match ? match[1] : '<%= url_for_main %>';
  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
  window.top.location = name;
</script>
```

(v0.9.35)

```erb
<script type="text/javascript">
  var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
  var name = match ? match[1] : '<%= url_for_main %>';
  name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
  window.top.location.replace(name)
</script>
```

PoC (Proof of Concept)

To exploit this vulnerability:

  1. Gain access to the generated Yard Doc.
  2. Locate and access the "frames.html" file.
  3. Construct a URL containing the malicious payload in the hash segment, for instance: #!javascript:xss for v0.9.34, and #:javascript:xss for v0.9.35

Impact

This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user's session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application's integrity.


Release Notes

lsegal/yard (yard)

### [`v0.9.36`](https://togithub.com/lsegal/yard/blob/HEAD/CHANGELOG.md#0936---February-29th-2024)

[Compare Source](https://togithub.com/lsegal/yard/compare/v0.9.35...v0.9.36)

- Further XSS fixes for generated frameset pages ([#1538](https://togithub.com/lsegal/yard/issues/1538))
- Improve tests for Ruby 3.3 compatibility ([#1519](https://togithub.com/lsegal/yard/issues/1519), [#1531](https://togithub.com/lsegal/yard/issues/1531))
- Documentation improvements ([#1524](https://togithub.com/lsegal/yard/issues/1524))

### [`v0.9.35`](https://togithub.com/lsegal/yard/blob/HEAD/CHANGELOG.md#0935---February-28th-2024)

[Compare Source](https://togithub.com/lsegal/yard/compare/v0.9.34...v0.9.35)

- Fix possible XSS on generated YARD frameset pages (thanks to [@RedYetiDev](https://togithub.com/RedYetiDev) for finding and patching) ([`2069e2b`](https://togithub.com/lsegal/yard/commit/2069e2b)).
- Fix errors when using `@option` on non-method objects ([#1508](https://togithub.com/lsegal/yard/issues/1508))
- Support Ruby 3.3 changes in Ripper parser ([#1510](https://togithub.com/lsegal/yard/issues/1510))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
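As an added example (not YARD's code and not the advisory's own PoC), the two string transforms the advisory quotes from `frames.erb` are reproduced as plain functions beside an allowlist check that resolves the hash target as a URL and accepts only same-origin http(s) destinations. The page URL, the `index.html` stand-in for `url_for_main`, and the hash inputs are constructed assumptions.

```javascript
// Added example, not YARD's own code: the two string-stripping transforms the
// advisory quotes from frames.erb, beside an allowlist check that parses the
// candidate as a URL and accepts only same-origin http(s) targets.
const FALLBACK = 'index.html'; // stands in for <%= url_for_main %> (assumption)

// Transform quoted for v0.9.34: strips only a leading "scheme://" or "//",
// so a bare "scheme:" prefix survives untouched.
function nameV0934(hash) {
  const match = unescape(hash).match(/^#!(.+)/);
  const name = match ? match[1] : FALLBACK;
  return name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
}

// Transform quoted for v0.9.35: strips one optional "scheme:" plus slashes,
// but only once, at the very start of the string.
function nameV0935(hash) {
  const match = decodeURIComponent(hash).match(/^#!(.+)/);
  const name = match ? match[1] : FALLBACK;
  return name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
}

// Hardened form (an assumption here, not the upstream v0.9.36 fix): resolve
// the candidate against the page URL and use it only if it is http(s) and
// same-origin. Anything else, including a malformed percent-encoding that
// makes decodeURIComponent throw, falls back to FALLBACK.
function safeFrameTarget(hash, pageUrl) {
  const base = new URL(pageUrl);
  const fallback = new URL(FALLBACK, base).href;
  let target;
  try {
    const match = decodeURIComponent(hash).match(/^#!(.+)/);
    target = new URL(match ? match[1] : FALLBACK, base);
  } catch (e) {
    return fallback; // URIError from decodeURIComponent or TypeError from URL
  }
  const httpLike = target.protocol === 'http:' || target.protocol === 'https:';
  return httpLike && target.origin === base.origin ? target.href : fallback;
}

// Constructed page URL and inputs; the first hash is the one the advisory lists.
const PAGE = 'https://docs.example/yard/frames.html';
console.log(nameV0934('#!javascript:xss'));             // javascript:xss
console.log(safeFrameTarget('#!javascript:xss', PAGE)); // https://docs.example/yard/index.html
console.log(safeFrameTarget('#!Foo/Bar.html', PAGE));   // https://docs.example/yard/Foo/Bar.html
```

The point of the contrast is that regex stripping reasons about the string while the browser reasons about the parsed URL; checking protocol and origin after parsing closes that gap.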

github-actions[bot] commented 7 months ago

🦙 MegaLinter status: ❌ ERROR

| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ❌ ACTION | actionlint | 10 | | 5 | 0.12s |
| ⚠️ BASH | bash-exec | 25 | | 3 | 0.32s |
| ❌ BASH | shellcheck | 25 | | 186 | 7.32s |
| ⚠️ BASH | shfmt | 25 | 17 | 1 | 0.28s |
| ❌ COPYPASTE | jscpd | yes | | 6175 | 346.79s |
| ❌ CSS | stylelint | 4 | 4 | 1 | 2.43s |
| ❌ DOCKERFILE | hadolint | 3 | | 1 | 0.45s |
| ❌ HTML | djlint | 18 | | 1 | 1.09s |
| ❌ HTML | htmlhint | 18 | | 138 | 0.51s |
| ❌ JAVASCRIPT | standard | 19 | 17 | 1 | 12.39s |
| ❌ JSON | jsonlint | 15 | | 1 | 0.63s |
| ✅ JSON | prettier | 15 | 14 | 0 | 10.91s |
| ✅ JSON | v8r | 15 | | 0 | 4.38s |
| ❌ KUBERNETES | kubeconform | 4 | | 5 | 0.02s |
| ⚠️ MARKDOWN | markdownlint | 1773 | 838 | 6190 | 38.59s |
| ❌ MARKDOWN | markdown-link-check | 1773 | | 107 | 298.47s |
| ✅ MARKDOWN | markdown-table-formatter | 1773 | 855 | 0 | 3.72s |
| ❌ REPOSITORY | checkov | yes | | 15 | 174.06s |
| ❌ REPOSITORY | gitleaks | yes | | 464 | 291.33s |
| ❌ REPOSITORY | git_diff | yes | | 1 | 0.98s |
| ❌ REPOSITORY | grype | yes | | 1 | 33.44s |
| ❌ REPOSITORY | secretlint | yes | | 1 | 987.9s |
| ❌ REPOSITORY | trivy | yes | | 1 | 19.12s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | 1.9s |
| ✅ REPOSITORY | trufflehog | yes | | no | 29.7s |
| ❌ SPELL | cspell | 11256 | | 351149 | 8074.25s |
| ❌ SPELL | lychee | 2611 | | 1 | 0.22s |
| ❌ TYPESCRIPT | ts-standard | 5 | 0 | 1 | 0.75s |
| ❌ XML | xmllint | 97 | 0 | 1 | 0.4s |
| ⚠️ YAML | prettier | 255 | 225 | 1 | 8.78s |
| ✅ YAML | v8r | 255 | | 0 | 148.37s |
| ❌ YAML | yamllint | 255 | | 21 | 5.05s |

See detailed report in MegaLinter reports

_MegaLinter is graciously provided by OX Security_