chore(deps): update dependency rails-html-sanitizer to v1.4.4 [security] - autoclosed #245
This PR contains the following updates:

- rails-html-sanitizer: 1.4.3 -> 1.4.4
GitHub Vulnerability Alerts

CVE-2022-23518

Summary
rails-html-sanitizer >= 1.0.3, < 1.4.4 is vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0.

Mitigation
Upgrade to rails-html-sanitizer >= 1.4.4.

Severity
The maintainers have evaluated this as Medium Severity 6.1.

References

Credit
This vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).
CVE-2022-23520

Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.

Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.

Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:

- config.action_view.sanitized_allow_tags= (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)
- Rails::Html::SafeListSanitizer.allowed_tags=

All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms:

- the :tags option to the Action View helper method sanitize
- the :tags option to the instance method SafeListSanitizer#sanitize

Workarounds
Remove either "select" or "style" from the overridden allowed tags.

References

Credit
This vulnerability was responsibly reported by Dominic Breuker.
CVE-2022-23519

Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:

Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:

- config.action_view.sanitized_allow_tags= (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)
- the :tags option to the Action View helper sanitize (see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize)
- Rails::Html::SafeListSanitizer.allowed_tags=
- the :tags option to the Rails::Html::SafeListSanitizer instance method sanitize

All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.

Workarounds
Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.

References

Credit
This vulnerability was responsibly reported by Dominic Breuker.
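The two advisories above (CVE-2022-23520 and CVE-2022-23519) are only triggered by specific allowed-tag overrides, while CVE-2022-23518 and CVE-2022-23517 depend on the gem version alone. The following audit helper, an added example that is not part of this PR or of the rails-html-sanitizer project, checks an application's configured tag list and installed version against exactly those conditions and reports the remediation the advisories give; it uses only the Ruby standard library, and the sample configuration at the bottom is constructed.

```ruby
require "set"
require "rubygems"

# Version that fixes all four advisories listed in this PR.
FIXED_VERSION = Gem::Version.new("1.4.4")

# Allowed-tag combinations the advisories name as exploitable when an
# application overrides the sanitizer's default allow list.
RISKY_COMBINATIONS = {
  "CVE-2022-23520" => [%w[select style]],            # select + style
  "CVE-2022-23519" => [%w[math style], %w[svg style]] # (math or svg) + style
}.freeze

# Returns the advisory ids whose full tag combination is present in
# +allowed_tags+ (strings or symbols, any case).
def risky_tag_overrides(allowed_tags)
  tags = Set.new(allowed_tags.map { |t| t.to_s.downcase })
  RISKY_COMBINATIONS.select do |_cve, combos|
    combos.any? { |combo| combo.all? { |t| tags.include?(t) } }
  end.keys
end

# True when the installed rails-html-sanitizer predates the fixed release.
# On such versions CVE-2022-23518 (data URIs) and CVE-2022-23517 (ReDoS on
# SVG attributes) apply regardless of the configured tags.
def sanitizer_version_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Combines both checks into a list of findings; empty means nothing to do.
def audit(version_string, allowed_tags)
  findings = []
  return findings unless sanitizer_version_vulnerable?(version_string)

  findings << "rails-html-sanitizer #{version_string} < 1.4.4: upgrade"
  risky_tag_overrides(allowed_tags).each do |cve|
    findings << "#{cve}: remove \"style\" (or its paired element) from the " \
                "allowed-tag override until the upgrade lands"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an app that widened the default allow list.
  puts audit("1.4.3", %w[p a select style])
end
```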
CVE-2022-23517

Summary
Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation
Upgrade to rails-html-sanitizer >= 1.4.4.

Severity
The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit
This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
Release Notes

rails/rails-html-sanitizer (rails-html-sanitizer)

v1.4.4

- Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information. (Mike Dalessio)
- Address improper sanitization of data URIs. Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information. (Mike Dalessio)
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information. (Mike Dalessio)
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information. (Mike Dalessio)
This PR has been generated by Mend Renovate.