Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency rails-html-sanitizer to v1.4.4 [security] - autoclosed #245

Closed
wants to merge 1 commit into from
Closed

chore(deps): update dependency rails-html-sanitizer to v1.4.4 [security] - autoclosed #245

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 14, 2022
edited

Mend Renovate

This PR contains the following updates:

Package Update Change
rails-html-sanitizer (changelog) patch 1.4.3 -> 1.4.4

GitHub Vulnerability Alerts

CVE-2022-23518

Summary

rails-html-sanitizer >= 1.0.3, < 1.4.4 is vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0.

Mitigation

Upgrade to rails-html-sanitizer >= 1.4.4.

Severity

The maintainers have evaluated this as Medium Severity 6.1.

References

Credit

This vulnerability was independently reported by Maciej Piechota (@​haqpl) and Mrinmoy Das (@​goromlagche).

CVE-2022-23520

Summary

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.

  • Versions affected: ALL
  • Not affected: NONE
  • Fixed versions: 1.4.4

Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.

Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:

  1. Using the Rails configuration config.action_view.sanitized_allow_tags=:
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]

(see https://guides.rubyonrails.org/configuring.html#configuring-action-view)

  1. Using the class method Rails::Html::SafeListSanitizer.allowed_tags=:
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]

All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms:

  • the :tags option to the Action View helper method sanitize.
  • the :tags option to the instance method SafeListSanitizer#sanitize.

Workarounds

Remove either "select" or "style" from the overridden allowed tags.

References

Credit

This vulnerability was responsibly reported by Dominic Breuker.

CVE-2022-23519

Summary

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  • Versions affected: ALL
  • Not affected: NONE
  • Fixed versions: 1.4.4

Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:

  • allow both "math" and "style" elements,
  • or allow both "svg" and "style" elements

Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:

  1. using application configuration:
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]
# or
config.action_view.sanitized_allowed_tags = ["svg", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

  1. using a :tags option to the Action View helper sanitize:
<%= sanitize @&#8203;comment.body, tags: ["math", "style"] %>
<%# or %>
<%= sanitize @&#8203;comment.body, tags: ["svg", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

  1. using Rails::Html::SafeListSanitizer class method allowed_tags=:
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"]
# or
Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"]
  1. using a :tags options to the Rails::Html::SafeListSanitizer instance method sanitize:
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@&#8203;article.body, tags: ["math", "style"])
# or
Rails::Html::SafeListSanitizer.new.sanitize(@&#8203;article.body, tags: ["svg", "style"])

All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.

Workarounds

Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.

References

Credit

This vulnerability was responsibly reported by Dominic Breuker.

CVE-2022-23517

Summary

Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to rails-html-sanitizer >= 1.4.4.

Severity

The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @​ooooooo-q (https://github.com/ooooooo-q).

Release Notes

rails/rails-html-sanitizer (rails-html-sanitizer)

v1.4.4

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title chore(deps): update dependency rails-html-sanitizer to v1.4.4 [security] Update dependency rails-html-sanitizer to v1.4.4 [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency rails-html-sanitizer to v1.4.4 [SECURITY] chore(deps): update dependency rails-html-sanitizer to v1.4.4 [security] Dec 17, 2022
@renovate renovate bot force-pushed the renovate/rubygems-rails-html-sanitizer-vulnerability branch from 5b26ad5 to 520b3bc Compare July 27, 2023 22:51
@renovate renovate bot changed the base branch from master to gruppi-old July 27, 2023 22:51
@renovate renovate bot changed the title chore(deps): update dependency rails-html-sanitizer to v1.4.4 [security] chore(deps): update dependency rails-html-sanitizer to v1.4.4 [security] - autoclosed Jul 28, 2023
@renovate renovate bot closed this Jul 28, 2023
@renovate renovate bot deleted the renovate/rubygems-rails-html-sanitizer-vulnerability branch July 28, 2023 18:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants