dep: [security] bump loofah from 2.19.0 to 2.19.1
Bumps loofah from 2.19.0 to 2.19.1. This update includes security fixes.
Vulnerabilities fixed
Uncontrolled Recursion in Loofah
Summary
Loofah
>= 2.2.0, < 2.19.1uses recursion for sanitizingCDATAsections, making it susceptible to stack exhaustion and raising aSystemStackErrorexception. This may lead to a denial of service through CPU resource consumption.Mitigation
Upgrade to Loofah
>= 2.19.1.Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
Severity
The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
Patched versions: 2.19.1 Affected versions: >= 2.2.0, < 2.19.1
Improper neutralization of data URIs may allow XSS in Loofah
Summary
Loofah
>= 2.1.0, < 2.19.1is vulnerable to cross-site scripting via theimage/svg+xmlmedia type in data URIs.Mitigation
Upgrade to Loofah
>= 2.19.1.Severity
The Loofah maintainers have evaluated this as Medium Severity 6.1.
References
... (truncated)
Patched versions: 2.19.1 Affected versions: >= 2.1.0, < 2.19.1
Inefficient Regular Expression Complexity in Loofah
Summary
Loofah
< 2.19.1contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.Mitigation
Upgrade to Loofah
>= 2.19.1.Severity
The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
... (truncated)
Patched versions: 2.19.1 Affected versions: < 2.19.1
Release notes
Sourced from loofah's releases.
2.19.1 / 2022-12-13
Security
- Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
- Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
- Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.
Changelog
Sourced from loofah's changelog.
2.19.1 / 2022-12-13
Security
- Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
- Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
- Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.
Commits
-
3f88063version bump to v2.19.1 -
9a8dadbdocs: preserve the context and decision record -
86f7f63fix: replace recursive approach to cdata with escaping solution -
415677ffix: do not allow "image/svg+xml" in data URIs -
84ca20crefactor: extract scrub_uri_attribute for downstream use -
47a835aci: pin psych to v4 until v5 builds properly on CI -
a6e0a1afix: replace slow regex attribute check with crass parser -
ea853aaMerge pull request #247 from flavorjones/flavorjones-downstream-test-rhs -
e1f2a4bci: test downstream rails-html-sanitizer -
79d65a0Merge pull request #245 from flavorjones/flavorjones-fix-ruby-2.5-ci - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
@dependabot-bot rebasewill rebase this MR -
@dependabot-bot recreatewill recreate this MR rewriting all the manual changes and resolving conflicts
Allure report
allure-report-publisher generated test report!
rspec:
+------------------------------------------------------------------+
| behaviors summary |
+-------------+--------+--------+---------+-------+-------+--------+
| | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| services | 181 | 0 | 0 | 0 | 181 | ✅ |
| controllers | 25 | 0 | 0 | 0 | 25 | ✅ |
| tasks | 9 | 0 | 0 | 0 | 9 | ✅ |
| models | 4 | 0 | 0 | 0 | 4 | ✅ |
| jobs | 14 | 0 | 0 | 0 | 14 | ✅ |
| system | 10 | 0 | 0 | 0 | 10 | ✅ |
+-------------+--------+--------+---------+-------+-------+--------+
| Total | 243 | 0 | 0 | 0 | 243 | ✅ |
+-------------+--------+--------+---------+-------+-------+--------+