dep: [security] bump rails-html-sanitizer from 1.4.3 to 1.4.4
Bumps rails-html-sanitizer from 1.4.3 to 1.4.4. This update includes security fixes.
Vulnerabilities fixed
Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.
- Versions affected: ALL
- Not affected: NONE
- Fixed versions: 1.4.4
Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.
Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:
- Using the Rails configuration `config.action_view.sanitized_allowed_tags=`:

```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```
... (truncated)
Patched versions: 1.4.4 Affected versions: < 1.4.4
Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
- Versions affected: ALL
- Not affected: NONE
- Fixed versions: 1.4.4
Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:
- allow both "math" and "style" elements,
- or allow both "svg" and "style" elements
Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:
- using application configuration:
... (truncated)
Patched versions: 1.4.4 Affected versions: < 1.4.4
Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Summary
rails-html-sanitizer >= 1.0.3, < 1.4.4 is vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0.
Mitigation
Upgrade to rails-html-sanitizer >= 1.4.4.
Severity
The maintainers have evaluated this as Medium Severity 6.1.
References
... (truncated)
Patched versions: 1.4.4 Affected versions: >= 1.0.3, < 1.4.4
Inefficient Regular Expression Complexity in rails-html-sanitizer
Summary
Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to rails-html-sanitizer >= 1.4.4.
Severity
The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
... (truncated)
Patched versions: 1.4.4 Affected versions: < 1.4.4
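As an added example (not part of this MR, the gem or the advisories), the Ruby below parses a constructed Gemfile.lock excerpt and checks the locked rails-html-sanitizer and loofah versions against the affected ranges the four advisories state, then flags the allowed-tag combinations the two XSS advisories name. It uses only Gem::Version and Gem::Requirement from the standard library.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Constructed Gemfile.lock excerpt (not taken from the MR), in Bundler's format.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.19.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.4.3)
        loofah (~> 2.3)
LOCK

# Affected ranges exactly as the advisories above state them (Gem::Requirement syntax).
ADVISORIES = {
  "CVE-2022-23517 (ReDoS in SVG attribute sanitization)" =>
    { "rails-html-sanitizer" => ["< 1.4.4"] },
  "CVE-2022-23518 (XSS via data URIs)" =>
    { "rails-html-sanitizer" => [">= 1.0.3", "< 1.4.4"], "loofah" => [">= 2.1.0"] },
  "CVE-2022-23519 (XSS when math+style or svg+style are allowed)" =>
    { "rails-html-sanitizer" => ["< 1.4.4"] },
  "CVE-2022-23520 (XSS when select+style are allowed)" =>
    { "rails-html-sanitizer" => ["< 1.4.4"] },
}.freeze

# Allowed-tag pairs the two XSS advisories warn about; the gem's defaults include none of them.
RISKY_TAG_PAIRS = [%w[select style], %w[math style], %w[svg style]].freeze

# Return { gem name => Gem::Version } from the top-level spec lines "    name (x.y.z)".
# Dependency lines are indented deeper and carry constraints, so they do not match.
def locked_versions(lockfile)
  lockfile.scan(/^ {4}([\w.-]+) \(([\d.]+)\)$/).to_h { |name, ver| [name, Gem::Version.new(ver)] }
end

# Advisories whose every version constraint is satisfied by the locked versions.
def applicable_advisories(versions)
  ADVISORIES.select do |_, constraints|
    constraints.all? do |gem_name, reqs|
      versions.key?(gem_name) && Gem::Requirement.new(*reqs).satisfied_by?(versions[gem_name])
    end
  end.keys
end

# Subset of RISKY_TAG_PAIRS fully present in an application's allowed-tags override.
def risky_tag_pairs(allowed_tags)
  tags = allowed_tags.map(&:to_s)
  RISKY_TAG_PAIRS.select { |pair| (pair - tags).empty? }
end
```

With the constructed lockfile all four advisories apply; bumping rails-html-sanitizer to 1.4.4 clears them, while the tag check stays useful as a configuration review independent of the gem version.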
Release notes
Sourced from rails-html-sanitizer's releases.
1.4.4 / 2022-12-13
- Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.
  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.
  Mike Dalessio
- Address improper sanitization of data URIs.
  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.
  Mike Dalessio
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.
  Mike Dalessio
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.
  Mike Dalessio
Changelog
Sourced from rails-html-sanitizer's changelog.
1.4.4 / 2022-12-13
- Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.
  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.
  Mike Dalessio
- Address improper sanitization of data URIs.
  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.
  Mike Dalessio
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.
  Mike Dalessio
- Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.
  Mike Dalessio
Commits
- fd63dea version bump to v1.4.4
- 48ae90a dep: bump dependency on loofah
- 0713caf fix: escape CDATA nodes using Loofah's escaping methods
- e6d52d3 revert 45a5c10
- d1223a2 fix: use Loofah's scrub_uri_attribute method
- f0e3347 fix: replace slow regex attribute check with Loofah method
- df03f2f ci: pin system lib test to 20.04
- 3e2a0f3 Merge pull request #145 from rails/flavorjones-get-14x-green
- 11752a6 tests: handle libxml 2.10.0 incorrectly-opened comment parsing
See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- `@dependabot-bot rebase` will rebase this MR
- `@dependabot-bot recreate` will recreate this MR, rewriting all the manual changes and resolving conflicts
Allure report
allure-report-publisher generated test report!
rspec:
+------------------------------------------------------------------+
| behaviors summary |
+-------------+--------+--------+---------+-------+-------+--------+
| | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| services | 181 | 0 | 0 | 0 | 181 | ✅ |
| jobs | 14 | 0 | 0 | 0 | 14 | ✅ |
| controllers | 25 | 0 | 0 | 0 | 25 | ✅ |
| models | 4 | 0 | 0 | 0 | 4 | ✅ |
| tasks | 9 | 0 | 0 | 0 | 9 | ✅ |
| system | 10 | 0 | 0 | 0 | 10 | ✅ |
+-------------+--------+--------+---------+-------+-------+--------+
| Total | 243 | 0 | 0 | 0 | 243 | ✅ |
+-------------+--------+--------+---------+-------+-------+--------+