This repository was archived by the owner on Jul 12, 2022. It is now read-only.

Conversation


@depfu depfu bot commented Jan 4, 2021


Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!



🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.6.6.2 → 1.11.0) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema
are trusted by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.

This behavior is counter to
the security policy followed by Nokogiri maintainers, which is to treat all input
as untrusted by default whenever possible.

Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri
1.11.0.rc4 or later.

If, after upgrading to 1.11.0.rc4 or later, you wish
to re-enable network access for resolution of external resources (i.e., return to
the previous behavior):

  1. Ensure the input is trusted. Do not enable this option
    for untrusted input.
  2. When invoking the Nokogiri::XML::Schema constructor,
    pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the
    NONET flag turned off.

So if your previous code was:

# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)

# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)

Then you can add the second parameter to indicate that the input is trusted by changing it to:

# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)

🚨 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

🚨 Nokogiri gem, via libxslt, is affected by multiple vulnerabilities

Nokogiri v1.10.5 has been released.

This is a security release. It addresses three CVEs in upstream libxml2,
for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
these vulnerabilities.

Full details about the security update are available in Github Issue #1943.


CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings
could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This
could allow an attacker to discern whether a byte on the stack contains the
characters A, a, I, i, or 0, or any other character.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1


CVE-2019-13118

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
xsl:number instruction was too narrow and an invalid character/length
combination could be passed to xsltNumberFormatDecimal, leading to a read
of uninitialized stack data.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b


CVE-2019-18197

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html

Priority: Medium

Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't
reset under certain circumstances. If the relevant memory area happened to
be freed and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

🚨 Nokogiri Command Injection Vulnerability

🚨 Nokogiri gem, via libxslt, is affected by improper access control vulnerability

Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as
"Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More
details are available below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time, though
you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that this patch is not yet (as
of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in Github Issue #1892.


CVE-2019-11068

Permalinks are:

Description:

libxslt through 1.1.33 allows bypass of a protection mechanism
because callers of xsltCheckRead and xsltCheckWrite permit access
even upon receiving a -1 error code. xsltCheckRead can return -1 for
a crafted URL that is not actually invalid and is subsequently
loaded.

Canonical rates this as "Priority: Medium".

Debian rates this as "NVD Severity: High (attack range: remote)".

🚨 Nokogiri gem, via libxml2, is affected by multiple vulnerabilities

Nokogiri 1.8.5 has been released.

This is a security and bugfix release. It addresses two CVEs in upstream
libxml2 rated as "medium" by Red Hat, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that these patches are not
yet (as of 2018-10-04) in an upstream release of libxml2.

Full details about the security update are available in Github Issue #1785.


[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
and CVE-2018-14567. Full details are available in #1785. Note that these
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.


CVE-2018-14404

Permalink:

https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html

Description:

A NULL pointer dereference vulnerability exists in the
xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when
parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR
case. Applications processing untrusted XSL format inputs with the use of
the libxml2 library may be vulnerable to a denial of service attack due
to a crash of the application.

Canonical rates this vulnerability as "Priority: Medium"


CVE-2018-14567

Permalink:

https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html

Description:

infinite loop in LZMA decompression

Canonical rates this vulnerability as "Priority: Medium"

🚨 Revert libxml2 behavior in Nokogiri gem that could cause XSS

[MRI] Behavior in libxml2 has been reverted which caused
CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
here:

GNOME/libxml2@960f0e2

and more information is available about this commit and its impact
here:

flavorjones/loofah#144

This release simply reverts the libxml2 commit in question to protect
users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you
comment on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760

🚨 libxml2 could be made to crash or run arbitrary code if it opened a specially crafted file

The update of vendored libxml2 from 2.9.5 to 2.9.7 addresses at least one published vulnerability, CVE-2017-15412. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time.

Details: It was discovered that libxml2 incorrectly handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

🚨 Nokogiri gem, via libxml, is affected by DoS vulnerabilities

The version of libxml2 packaged with Nokogiri contains a
vulnerability. Nokogiri has mitigated this issue by upgrading to
libxml 2.9.5.

Wei Lei discovered that libxml2 incorrectly handled certain parameter
entities. An attacker could use this issue with specially constructed XML
data to cause libxml2 to consume resources, leading to a denial of service.

🚨 Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities

The version of libxml2 packaged with Nokogiri contains several vulnerabilities.
Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.

It was discovered that a type confusion error existed in libxml2. An
attacker could use this to specially construct XML data that
could cause a denial of service or possibly execute arbitrary
code. (CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity
references. An attacker could use this to specially construct XML
data that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when
handling HTTP redirects. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-7376)

Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in
libxml2 when handling elements. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-9047)

Marcel Böhme and Van-Thuan Pham discovered a buffer overread
in libxml2 when handling elements. An attacker could use this
to specially construct XML data that could cause a denial of
service. (CVE-2017-9048)

Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads
in libxml2 when handling parameter-entity references. An attacker
could use these to specially construct XML data that could cause a
denial of service. (CVE-2017-9049, CVE-2017-9050)

🚨 Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29

nokogiri version 1.7.2 has been released.

This is a security update based on 1.7.1, addressing two upstream
libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical
and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.

These patches only apply when using Nokogiri's vendored libxslt
package. If you're using your distro's system libraries, there's no
need to upgrade from 1.7.0.1 or 1.7.1 at this time.

Full details are available at the github issue linked to in the
changelog below.


1.7.2 / 2017-05-09

Security Notes

[MRI] Upstream libxslt patches are applied to the vendored libxslt
1.1.29 which address CVE-2017-5029 and CVE-2016-4738.

For more information:

🚨 Nokogiri gem contains several vulnerabilities in libxml2 and libxslt

Nokogiri version 1.7.1 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVEs:

CVE-2016-4658
CVSS v3 Base Score: 9.8 (Critical)
libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
watchOS before 3 allows remote attackers to execute arbitrary code or cause
a denial of service (memory corruption) via a crafted XML document.

CVE-2016-5131
CVSS v3 Base Score: 8.8 (HIGH)
Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google
Chrome before 52.0.2743.82, allows remote attackers to cause a denial of
service or possibly have unspecified other impact via vectors related to
the XPointer range-to function.

🚨 Denial of service or RCE from libxml2 and libxslt

Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,
which are libraries Nokogiri depends on. It was discovered that libxml2 and
libxslt incorrectly handled certain malformed documents, which can allow
malicious users to cause issues ranging from denial of service to remote code
execution attacks.

For more information, the Ubuntu Security Notice is a good start:
http://www.ubuntu.com/usn/usn-2994-1/

🚨 Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2

Nokogiri version 1.6.7.2 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499
CVSS v2 Base Score: 5.0 (MEDIUM)

Heap-based buffer overflow in the xmlGROW function in parser.c
in libxml2 before 2.9.3 allows context-dependent attackers to
obtain sensitive process memory information via unspecified
vectors.

libxml2 could be made to crash if it opened a specially crafted
file. It was discovered that libxml2 incorrectly handled certain
malformed documents. If a user or automated system were tricked
into opening a specially crafted document, an attacker could
possibly cause libxml2 to crash, resulting in a denial of service.

🚨 Nokogiri gem contains several vulnerabilities in libxml2

Nokogiri version 1.6.7.1 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVEs:

CVE-2015-5312
CVSS v2 Base Score: 7.1 (HIGH)
The xmlStringLenDecodeEntities function in parser.c in libxml2
before 2.9.3 does not properly prevent entity expansion, which
allows context-dependent attackers to cause a denial of
service (CPU consumption) via crafted XML data, a different
vulnerability than CVE-2014-3660.

CVE-2015-7497
CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlDictComputeFastQKey
function in dict.c in libxml2 before 2.9.3 allows
context-dependent attackers to cause a denial of service via
unspecified vectors.

CVE-2015-7498
CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlParseXmlDecl function in
parser.c in libxml2 before 2.9.3 allows context-dependent
attackers to cause a denial of service via unspecified vectors
related to extracting errors after an encoding conversion
failure.

CVE-2015-7499
CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlGROW function in parser.c
in libxml2 before 2.9.3 allows context-dependent attackers to
obtain sensitive process memory information via unspecified
vectors.

CVE-2015-7500
CVSS v2 Base Score: 5.0 (MEDIUM)
The xmlParseMisc function in parser.c in libxml2 before 2.9.3
allows context-dependent attackers to cause a denial of
service (out-of-bounds heap read) via unspecified vectors
related to incorrect entities boundaries and start tags.

CVE-2015-8241
CVSS v2 Base Score: 6.4 (MEDIUM)
The xmlNextChar function in libxml2 2.9.2 does not properly
check the state, which allows context-dependent attackers to
cause a denial of service (heap-based buffer over-read and
application crash) or obtain sensitive information via crafted
XML data.

CVE-2015-8242
CVSS v2 Base Score: 5.8 (MEDIUM)
The xmlSAX2TextNode function in SAX2.c in the push interface in
the HTML parser in libxml2 before 2.9.3 allows
context-dependent attackers to cause a denial of
service (stack-based buffer over-read and application crash) or
obtain sensitive information via crafted XML data.

CVE-2015-8317
CVSS v2 Base Score: 5.0 (MEDIUM)
The xmlParseXMLDecl function in parser.c in libxml2 before
2.9.3 allows context-dependent attackers to obtain sensitive
information via an (1) unterminated encoding value or (2)
incomplete XML declaration in XML data, which triggers an
out-of-bounds heap read.

🚨 Nokogiri gem contains several vulnerabilities in libxml2 and libxslt

Several vulnerabilities were discovered in the libxml2 and libxslt libraries
that the Nokogiri gem depends on.

CVE-2015-1819
A denial of service flaw was found in the way libxml2 parsed XML
documents. This flaw could cause an application that uses libxml2 to use an
excessive amount of memory.

CVE-2015-7941
libxml2 does not properly stop parsing invalid input, which allows
context-dependent attackers to cause a denial of service (out-of-bounds read
and libxml2 crash) via specially crafted XML data.

CVE-2015-7942
The xmlParseConditionalSections function in parser.c in libxml2
does not properly skip intermediary entities when it stops parsing invalid
input, which allows context-dependent attackers to cause a denial of service
(out-of-bounds read and crash) via crafted XML data.

CVE-2015-7995
The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
check whether the parent node is an element, which allows attackers to cause
a denial of service using a specially crafted XML document.

CVE-2015-8035
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not
properly detect compression errors, which allows context-dependent attackers
to cause a denial of service (process hang) via crafted XML data.

Another vulnerability was discovered in libxml2 that could cause parsing
of unclosed comments to result in "conditional jump or move depends on
uninitialized value(s)" and unsafe memory access. This issue does not have a
CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ jquery-rails (4.0.4 → 4.0.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ arel (indirect, 6.0.2 → 6.0.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ builder (indirect, 3.2.2 → 3.2.4) · Repo · Changelog

↗️ globalid (indirect, 0.3.5 → 0.4.2) · Repo · Changelog

Release Notes

0.4.2

More info than we can show here.

0.4.1

More info than we can show here.

0.4.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 0.7.0 → 0.9.5) · Repo · Changelog

Security Advisories 🚨

🚨 i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS

i18n Gem for Ruby contains a flaw in the Hash#slice() function in
lib/i18n/core_ext/hash.rb that is triggered when calling a hash when
:some_key is in keep_keys but not in the hash. This may allow an attacker
to cause the program to crash.

Release Notes

0.9.5

More info than we can show here.

0.9.4

More info than we can show here.

0.9.3

More info than we can show here.

0.9.1

More info than we can show here.

0.9.0

More info than we can show here.

0.8.6

More info than we can show here.

0.8.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ json (indirect, 1.8.3 → 1.8.6) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.0.2 → 2.8.0) · Repo · Changelog

Security Advisories 🚨

🚨 Loofah XSS Vulnerability

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in
sanitized output when a crafted SVG element is republished.

🚨 Loofah XSS Vulnerability

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

🚨 Loofah XSS Vulnerability

Loofah allows non-whitelisted attributes to be present in sanitized
output when input with specially-crafted HTML fragments.

Release Notes

2.8.0

More info than we can show here.

2.7.0

More info than we can show here.

2.6.0 (from changelog)

More info than we can show here.

2.5.0 (from changelog)

More info than we can show here.

2.4.0

More info than we can show here.

2.3.1

More info than we can show here.

2.3.0 (from changelog)

More info than we can show here.

2.2.3

More info than we can show here.

2.2.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mail (indirect, 2.6.3 → 2.7.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mime-types (indirect, 2.6.1 → 2.99.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.7.0 → 5.14.2) · Repo · Changelog

Release Notes

5.14.2 (from changelog)

More info than we can show here.

5.14.0 (from changelog)

More info than we can show here.

5.13.0 (from changelog)

More info than we can show here.

5.12.2 (from changelog)

More info than we can show here.

5.12.1 (from changelog)

More info than we can show here.

5.12.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 1.6.4 → 1.6.13) · Repo · Changelog

Security Advisories 🚨

🚨 Possible information leak / session hijack vulnerability

There's a possible information leak / session hijack vulnerability in Rack.

Attackers may be able to find and hijack sessions by using timing attacks
targeting the session id. Session ids are usually stored and indexed in a
database that uses some kind of scheme for speeding up lookups of that
session id. By carefully measuring the amount of time it takes to look up
a session, an attacker may be able to find a valid session id and hijack
the session.

The session id itself may be generated randomly, but the way the session is
indexed by the backing store does not use a secure comparison.

Impact:

The session id stored in a cookie is the same id that is used when querying
the backing session storage engine. Most storage mechanisms (for example a
database) use some sort of indexing in order to speed up the lookup of that
id. By carefully timing requests and session lookup failures, an attacker
may be able to perform a timing attack to determine an existing session id
and hijack that session.

🚨 Possible XSS vulnerability in Rack

There is a possible vulnerability in Rack. This vulnerability has been
assigned the CVE identifier CVE-2018-16471.

Versions Affected: All.
Not affected: None.
Fixed Versions: 2.0.6, 1.6.11

Impact

There is a possible XSS vulnerability in Rack. Carefully crafted requests can
impact the data returned by the scheme method on Rack::Request.
Applications that expect the scheme to be limited to "http" or "https" and do
not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

<%= request.scheme.html_safe %>

Note that applications using the normal escaping mechanisms provided by Rails
may not be impacted, but applications that bypass the escaping mechanisms, or do
not use them, may be vulnerable.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The 2.0.6 and 1.6.11 releases are available at the normal locations.

Workarounds

The following monkey patch can be applied to work around this issue:

require "rack"
require "rack/request"

class Rack::Request
  SCHEME_WHITELIST = %w(https http).freeze

  def scheme
    if get_header(Rack::HTTPS) == 'on'
      'https'
    elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
      'https'
    elsif forwarded_scheme
      forwarded_scheme
    else
      get_header(Rack::RACK_URL_SCHEME)
    end
  end

  # Only return a forwarded scheme when it is one of the whitelisted values.
  def forwarded_scheme
    scheme_headers = [
      get_header(HTTP_X_FORWARDED_SCHEME),
      get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
    ]

    scheme_headers.each do |header|
      return header if SCHEME_WHITELIST.include?(header)
    end

    nil
  end
end

Release Notes

1.6.12 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-dom-testing (indirect, 1.0.6 → 1.0.9) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.0.2 → 1.3.0) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS vulnerability in rails-html-sanitizer

There is a possible XSS vulnerability in rails-html-sanitizer. This
vulnerability has been assigned the CVE identifier CVE-2015-7578.

Versions Affected: All.
Not affected: None.
Fixed Versions: 1.0.3

Impact

There is a possible XSS vulnerability in rails-html-sanitizer. Certain
attributes are not removed from tags when they are sanitized, and these
attributes can lead to an XSS attack on target applications.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

  • 1-0-sanitize_data_attributes.patch - Patch for 1.0 series

Credits

Thanks to Ben Murphy and Marien for reporting this.

🚨 XSS vulnerability in rails-html-sanitizer

There is a XSS vulnerability in Rails::Html::FullSanitizer used by Action View's strip_tags.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.

Versions Affected: 1.0.2
Not affected: 1.0.0, 1.0.1
Fixed Versions: 1.0.3

Impact

Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's strip_tags,
these entities will be unescaped, which may cause an XSS attack if used in combination
with raw or html_safe.

For example:

strip_tags("&lt;script&gt;alert('XSS')&lt;/script&gt;") 

Would generate:

<script>alert('XSS')</script> 

After the fix it will generate:

&lt;script&gt;alert('XSS')&lt;/script&gt; 

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:

$ cat config/initializers/strip_tags_fix.rb 
class ActionView::Base 
  def strip_tags(html) 
    self.class.full_sanitizer.sanitize(html) 
  end 
end 

Patches

To aid users who aren't able to upgrade immediately we have provided patches
for the two supported release series. They are in git-am format and consist
of a single changeset.

  • Do-not-unescape-already-escaped-HTML-entities.patch

Credits

Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
reporting the problem and working with us to fix it.

🚨 Possible XSS vulnerability in rails-html-sanitizer

There is a possible XSS vulnerability in the white list sanitizer in the
rails-html-sanitizer gem. This vulnerability has been assigned the CVE
identifier CVE-2015-7580.

Versions Affected: All.
Not affected: None.
Fixed Versions: v1.0.3

Impact

Carefully crafted strings can cause user input to bypass the sanitization in
the white list sanitizer, which can lead to an XSS attack.

Vulnerable code will look something like this:

<%= sanitize user_input, tags: %w(em) %>

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Putting the following monkey patch in an initializer can help to mitigate the
issue:

class Rails::Html::PermitScrubber
  alias :old_scrub :scrub
  alias :old_skip_node? :skip_node?

  # Convert CDATA sections to plain text nodes before the normal scrub runs.
  def scrub(node)
    if node.cdata?
      text = node.document.create_text_node node.text
      node.replace text
      return CONTINUE
    end
    old_scrub node
  end

  def skip_node?(node); node.text?; end
end

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

  • 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series

Credits

Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue.

Release Notes

1.3.0

More info than we can show here.

1.2.0

More info than we can show here.

1.1.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 10.4.2 → 13.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 OS Command Injection in Rake

There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in
Rake::FileList when supplying a filename that begins with the pipe character
|.
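The Ruby behaviour behind a pipe-prefixed filename, as an added example that is not rake's code: Kernel#open treats a name whose first character is | as a command to run and hands back that command's stdout, while File.open only ever opens a path. The function names and the constructed filename are this example's own assumptions.

```ruby
# Added example, not rake's code: the Ruby trap behind a "|"-prefixed
# filename, and two ways to close it.

# Constructed input: the "file name" is really a command.
MALICIOUS_NAME = '|echo injected'

# Vulnerable pattern. Kernel#open is not File.open: a leading "|" means
# "spawn this command and read its output", so a file list built from
# untrusted names turns a read into arbitrary command execution.
def read_with_kernel_open(name)
  open(name) { |io| io.read }
rescue Errno::ENOENT
  # Reached only on a Ruby that has dropped the pipe feature (the 3.3
  # deprecation warning says it is slated for removal in Ruby 4.0); on
  # earlier Rubies the command runs and its output is returned.
  :no_such_file
end

# Hardened pattern. File.open only ever opens a path; "|echo injected" is
# simply a file that does not exist.
def read_with_file_open(name)
  File.open(name) { |io| io.read }
rescue Errno::ENOENT
  :no_such_file
end

# Input-side check for code that must keep accepting names from outside:
# refuse pipe-prefixed names before they reach any open-like call.
def reject_pipe_names(names)
  bad = names.select { |n| n.start_with?('|') }
  raise ArgumentError, "refusing pipe-prefixed names: #{bad.inspect}" unless bad.empty?
  names
end

if __FILE__ == $0
  puts "Kernel#open: #{read_with_kernel_open(MALICIOUS_NAME).inspect}"
  puts "File.open:   #{read_with_file_open(MALICIOUS_NAME).inspect}"
end
```

The same trap applies to any call that routes through Kernel#open or IO.read on a user-controlled string; when auditing a Ruby code base for this class of bug, grep for bare `open(` and `IO.read(` on values that originate outside the process.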

Release Notes

13.0.3, 13.0.1, 13.0.0, 12.3.3 (from changelog): full notes not shown here; see the Changelog link above.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets (indirect, 3.2.0 → 3.7.2) · Repo · Changelog

Security Advisories 🚨

🚨 Path Traversal in Sprockets

Specially crafted requests can be used to access files on the filesystem
that lie outside an application's root directory, when the Sprockets server
is used in production.

All users running an affected release should either upgrade or use the workaround immediately.

Workaround:
In Rails applications, to work around this issue, set config.assets.compile = false and
config.public_file_server.enabled = true in an initializer and precompile the assets.

This workaround will not be possible in all hosting environments, and upgrading is advised.
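A lexical containment check of the kind an asset server needs before it touches the filesystem, as an added example that is not Sprockets' code: ASSET_ROOT, the function names and the request strings are assumptions made for this example, and the check is purely lexical, so it runs without the directory existing.

```ruby
# Added example, not Sprockets' code: resolve a requested asset path against
# the asset root and refuse anything that escapes it.
ASSET_ROOT = '/srv/app/public/assets' # assumed directory

# Decode %XX escapes exactly once. Decoding twice would turn "%252e%252e"
# into "..", which is how double-encoding bypasses a naive check.
def percent_decode(path)
  path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Return the absolute file path for a requested asset, or nil if the request
# resolves anywhere outside root (or cannot be a valid file name at all).
def resolve_asset_path(root, requested)
  root = File.absolute_path(root)
  decoded = percent_decode(requested)
  # A NUL byte would truncate the name at the C level ("a.css%00.png").
  return nil if decoded.include?("\0")
  # The request path is relative to the asset mount point; drop leading "/".
  relative = decoded.sub(%r{\A/+}, '')
  # absolute_path resolves "." and ".." lexically and, unlike expand_path,
  # leaves a leading "~" alone instead of expanding it to a home directory.
  candidate = File.absolute_path(relative, root)
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  candidate
end

if __FILE__ == $0
  ['application-abc.css', '../../../etc/passwd',
   '%2e%2e/%2e%2e/%2e%2e/etc/passwd', '~root/.ssh/id_rsa'].each do |req|
    puts "#{req.inspect} -> #{resolve_asset_path(ASSET_ROOT, req).inspect}"
  end
end
```

This check is lexical only: a symlink inside the root that points elsewhere still escapes it. Where the file exists, follow up with File.realpath on the candidate and apply the same prefix test to the result.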

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets-rails (indirect, 2.3.2 → 3.2.2) · Repo · Changelog

Release Notes

3.2.2, 3.2.1: full notes not shown here; see the Changelog link above.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 0.19.1 → 1.0.1) · Repo · Changelog

Release Notes

1.0.1, 1.0.0 (from changelog): full notes not shown here; see the Changelog link above.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thread_safe (indirect, 0.3.5 → 0.3.6) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.2 → 1.2.9) · Repo · Changelog

Release Notes

1.2.9, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3: full notes not shown here; see the Changelog link above.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 concurrent-ruby (added, 1.1.7)

🆕 crass (added, 1.0.6)

🆕 mini_mime (added, 1.0.2)

🆕 mini_portile2 (added, 2.5.0)

🆕 racc (added, 1.5.2)

🗑️ mini_portile (removed)


👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

  • Circle CI, Semaphore and Travis-CI are all excellent options.
  • If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
  • If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu
Author

depfu bot commented May 20, 2021

Closed in favor of #44.

@depfu depfu bot closed this May 20, 2021
@depfu depfu bot deleted the depfu/update/nokogiri-1.11.0 branch May 20, 2021 10:21
