Hello community,
here is the log from the commit of package rubygem-rails-html-sanitizer for
openSUSE:Factory checked in at 2022-06-15 00:32:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer (Old)
and /work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new.1548
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rails-html-sanitizer"
Wed Jun 15 00:32:34 2022 rev:9 rq:982534 version:1.4.3
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-rails-html-sanitizer/rubygem-rails-html-sanitizer.changes
2021-08-25 20:59:43.657041508 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-rails-html-sanitizer.new.1548/rubygem-rails-html-sanitizer.changes
2022-06-15 00:32:48.734571703 +0200
@@ -1,0 +2,13 @@
+Mon Jun 13 17:09:28 UTC 2022 - Manuel Schnitzer <[email protected]>
+
+- updated to version 1.4.3
+
+ * Address a possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.
+
+ Prevent the combination of `select` and `style` as allowed tags in
SafeListSanitizer.
+
+ Fixes CVE-2022-32209
+
+ *Mike Dalessio*
+
+-------------------------------------------------------------------
Old:
----
rails-html-sanitizer-1.4.2.gem
New:
----
rails-html-sanitizer-1.4.3.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-rails-html-sanitizer.spec ++++++
--- /var/tmp/diff_new_pack.7gM25y/_old 2022-06-15 00:32:49.922573450 +0200
+++ /var/tmp/diff_new_pack.7gM25y/_new 2022-06-15 00:32:49.922573450 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rubygem-rails-html-sanitizer
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
#
Name: rubygem-rails-html-sanitizer
-Version: 1.4.2
+Version: 1.4.3
Release: 0
%define mod_name rails-html-sanitizer
%define mod_full_name %{mod_name}-%{version}
++++++ rails-html-sanitizer-1.4.2.gem -> rails-html-sanitizer-1.4.3.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md 2021-08-24 02:16:06.000000000 +0200
+++ new/CHANGELOG.md 2022-06-10 00:23:56.000000000 +0200
@@ -1,3 +1,14 @@
+## 1.4.3 / 2022-06-09
+
+* Address a possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.
+
+ Prevent the combination of `select` and `style` as allowed tags in
SafeListSanitizer.
+
+ Fixes CVE-2022-32209
+
+ *Mike Dalessio*
+
+
## 1.4.2 / 2021-08-23
* Slightly improve performance.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer/version.rb
new/lib/rails/html/sanitizer/version.rb
--- old/lib/rails/html/sanitizer/version.rb 2021-08-24 02:16:06.000000000
+0200
+++ new/lib/rails/html/sanitizer/version.rb 2022-06-10 00:23:56.000000000
+0200
@@ -1,7 +1,7 @@
module Rails
module Html
class Sanitizer
- VERSION = "1.4.2"
+ VERSION = "1.4.3"
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/rails/html/sanitizer.rb
new/lib/rails/html/sanitizer.rb
--- old/lib/rails/html/sanitizer.rb 2021-08-24 02:16:06.000000000 +0200
+++ new/lib/rails/html/sanitizer.rb 2022-06-10 00:23:56.000000000 +0200
@@ -141,8 +141,25 @@
private
+ def loofah_using_html5?
+ # future-proofing, see https://github.com/flavorjones/loofah/pull/239
+ Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
+ end
+
+ def remove_safelist_tag_combinations(tags)
+ if !loofah_using_html5? && tags.include?("select") &&
tags.include?("style")
+ warn("WARNING: #{self.class}: removing 'style' from safelist, should
not be combined with 'select'")
+ tags.delete("style")
+ end
+ tags
+ end
+
def allowed_tags(options)
- options[:tags] || self.class.allowed_tags
+ if options[:tags]
+ remove_safelist_tag_combinations(options[:tags])
+ else
+ self.class.allowed_tags
+ end
end
def allowed_attributes(options)
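Review bot: The CVE-2022-32209 guard runs only on the `options[:tags]` branch of `allowed_tags`; the `else` branch hands back `self.class.allowed_tags` unfiltered, so a safelist configured at class level that contains both `select` and `style` would not have `style` stripped (the test file's final `ensure` restores `SafeListSanitizer.allowed_attributes=`, which suggests a matching `allowed_tags=` setter exists — worth confirming before treating that path as unreachable). Routing both sources through the helper, `remove_safelist_tag_combinations(options[:tags] || self.class.allowed_tags)`, closes the gap, provided the helper stops editing its argument in place. `tags.delete("style")` currently mutates whatever the caller passed — a frozen literal raises `FrozenError`, and a shared configuration array or the class-level collection would be permanently shrunk on first use — so `tags = tags - ["style"]`, which keeps an Array an Array and a Set a Set, is the safer form. The enclosing class and the body of `allowed_attributes` lie outside the hunk.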
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2021-08-24 02:16:06.000000000 +0200
+++ new/metadata 2022-06-10 00:23:56.000000000 +0200
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: rails-html-sanitizer
version: !ruby/object:Gem::Version
- version: 1.4.2
+ version: 1.4.3
platform: ruby
authors:
- Rafael Mendon??a Fran??a
@@ -9,7 +9,7 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2021-08-24 00:00:00.000000000 Z
+date: 2022-06-09 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: loofah
@@ -103,9 +103,9 @@
- MIT
metadata:
bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
- changelog_uri:
https://github.com/rails/rails-html-sanitizer/blob/v1.4.2/CHANGELOG.md
- documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.2
- source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.2
+ changelog_uri:
https://github.com/rails/rails-html-sanitizer/blob/v1.4.3/CHANGELOG.md
+ documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.3
+ source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.3
post_install_message:
rdoc_options: []
require_paths:
@@ -121,7 +121,7 @@
- !ruby/object:Gem::Version
version: '0'
requirements: []
-rubygems_version: 3.2.15
+rubygems_version: 3.3.5
signing_key:
specification_version: 4
summary: This gem is responsible to sanitize HTML fragments in Rails
applications.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/test/sanitizer_test.rb new/test/sanitizer_test.rb
--- old/test/sanitizer_test.rb 2021-08-24 02:16:06.000000000 +0200
+++ new/test/sanitizer_test.rb 2022-06-10 00:23:56.000000000 +0200
@@ -2,6 +2,8 @@
require "rails-html-sanitizer"
require "rails/dom/testing/assertions/dom_assertions"
+puts Nokogiri::VERSION_INFO
+
class SanitizersTest < Minitest::Test
include Rails::Dom::Testing::Assertions::DomAssertions
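Review bot: `puts Nokogiri::VERSION_INFO` at file load writes a hash to stdout on every run of the suite, which reads as a leftover diagnostic rather than test code. If the intent is to record the parser build in CI logs (several tests below branch on the libxml2 version), a comment saying so — `# print the Nokogiri/libxml2 build; several expectations below depend on it` — or gating it behind an environment variable would make that explicit. The `SanitizersTest` class continues outside the hunk.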
@@ -12,13 +14,11 @@
end
def test_sanitize_nested_script
- sanitizer = Rails::Html::SafeListSanitizer.new
- assert_equal '<script>alert("XSS");</script>',
sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>',
tags: %w(em))
+ assert_equal '<script>alert("XSS");</script>',
safe_list_sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>',
tags: %w(em))
end
def test_sanitize_nested_script_in_style
- sanitizer = Rails::Html::SafeListSanitizer.new
- assert_equal '<script>alert("XSS");</script>',
sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>',
tags: %w(em))
+ assert_equal '<script>alert("XSS");</script>',
safe_list_sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>',
tags: %w(em))
end
class XpathRemovalTestSanitizer < Rails::Html::Sanitizer
@@ -54,7 +54,8 @@
def test_strip_tags_with_quote
input = '<" <img src="trollface.gif" onload="alert(1)"> hi'
- assert_equal ' hi', full_sanitize(input)
+ expected = libxml_2_9_14_recovery? ? %{<" hi} : %{ hi}
+ assert_equal(expected, full_sanitize(input))
end
def test_strip_invalid_html
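Review bot: The `libxml_2_9_14_recovery?` branch in `test_strip_tags_with_quote` encodes two accepted outputs without saying why the parser version changes the result, so a later reader cannot tell whether `<"` surviving as text is the desired outcome or merely tolerated. A one-line comment on the `expected =` line, `# libxml2 >= 2.9.14 recovers the stray '<"' as text instead of discarding it; neither output contains the img tag`, would record that. The same pattern recurs without explanation in `test_remove_unclosed_tags`, `test_strip_cdata`, `test_strip_unclosed_cdata`, `test_should_sanitize_cdata_section` and `test_should_sanitize_unterminated_cdata_section` in the following hunks. The enclosing class starts earlier in the file.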
@@ -75,15 +76,21 @@
end
def test_remove_unclosed_tags
- assert_equal "This is ", full_sanitize("This is <-- not\n a comment here.")
+ input = "This is <-- not\n a comment here."
+ expected = libxml_2_9_14_recovery? ? %{This is <-- not\n a comment
here.} : %{This is }
+ assert_equal(expected, full_sanitize(input))
end
def test_strip_cdata
- assert_equal "This has a ]]> here.", full_sanitize("This has a
<![CDATA[<section>]]> here.")
+ input = "This has a <![CDATA[<section>]]> here."
+ expected = libxml_2_9_14_recovery? ? %{This has a <![CDATA[]]>
here.} : %{This has a ]]> here.}
+ assert_equal(expected, full_sanitize(input))
end
def test_strip_unclosed_cdata
- assert_equal "This has an unclosed ]] here...", full_sanitize("This has an
unclosed <![CDATA[<section>]] here...")
+ input = "This has an unclosed <![CDATA[<section>]] here..."
+ expected = libxml_2_9_14_recovery? ? %{This has an unclosed <![CDATA[]]
here...} : %{This has an unclosed ]] here...}
+ assert_equal(expected, full_sanitize(input))
end
def test_strip_blank_string
@@ -414,8 +421,25 @@
end
def test_should_sanitize_div_background_image_unicode_encoded
- raw =
%(background-image:\u0075\u0072\u006C\u0028\u0027\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003a\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0032\u0033\u0034\u0029\u0027\u0029)
- assert_equal '', sanitize_css(raw)
+ [
+ convert_to_css_hex("url(javascript:alert(1))", false),
+ convert_to_css_hex("url(javascript:alert(1))", true),
+ convert_to_css_hex("url(https://example.com)", false),
+ convert_to_css_hex("url(https://example.com)", true),
+ ].each do |propval|
+ raw = "background-image:" + propval
+ assert_empty(sanitize_css(raw))
+ end
+ end
+
+ def test_should_allow_div_background_image_unicode_encoded_safe_functions
+ [
+ convert_to_css_hex("rgb(255,0,0)", false),
+ convert_to_css_hex("rgb(255,0,0)", true),
+ ].each do |propval|
+ raw = "background-image:" + propval
+ assert_includes(sanitize_css(raw), "background-image")
+ end
end
def test_should_sanitize_div_style_expression
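Review bot: `test_should_allow_div_background_image_unicode_encoded_safe_functions` asserts only that the property name `background-image` survives, not that the decoded value `rgb(255,0,0)` does, so a sanitizer that kept the property but emptied or rewrote its value would still pass. If the CSS serialisation is stable, adding `assert_includes(sanitize_css(raw), "rgb(255,0,0)")` (adjusted to the serialiser's spacing) would pin the positive case; if it varies by parser build, a comment explaining why only the name is checked would help. `convert_to_css_hex` is defined in a later hunk of this file, and the enclosing class starts outside this one.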
@@ -433,11 +457,15 @@
end
def test_should_sanitize_cdata_section
- assert_sanitized "<![CDATA[<span>section</span>]]>", "section]]>"
+ input = "<![CDATA[<span>section</span>]]>"
+ expected = libxml_2_9_14_recovery? ?
%{<![CDATA[<span>section</span>]]>} : %{section]]>}
+ assert_sanitized(input, expected)
end
def test_should_sanitize_unterminated_cdata_section
- assert_sanitized "<![CDATA[<span>neverending...", "neverending..."
+ input = "<![CDATA[<span>neverending..."
+ expected = libxml_2_9_14_recovery? ?
%{<![CDATA[<span>neverending...</span>} : %{neverending...}
+ assert_sanitized(input, expected)
end
def test_should_not_mangle_urls_with_ampersand
@@ -488,7 +516,13 @@
text = safe_list_sanitize(html)
- assert_equal %{<a
href=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ # nokogiri w/ system libxml2
+ %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ ]
+ assert_includes(acceptable_results, text)
end
def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
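Review bot: The two entries of `acceptable_results`, commented `nokogiri w/vendored+patched libxml2` and `nokogiri w/ system libxml2`, are byte-identical as shown here, so `assert_includes` reduces to the `assert_equal` it replaced while the comments promise a distinction the code does not make. If the strings really are identical, `assert_equal(%{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text)` is clearer; if a difference (for example in how the quote inside the comment is escaped) was lost in mail wrapping, a comment stating the intended difference would stop the next reader from collapsing them. The same pattern appears in the next three hunks for the `src`, `name` and `action` attributes. The enclosing test method starts before this hunk.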
@@ -498,7 +532,13 @@
text = safe_list_sanitize(html)
- assert_equal %{<a
src=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ # nokogiri w/system libxml2
+ %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ ]
+ assert_includes(acceptable_results, text)
end
def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
@@ -508,7 +548,13 @@
text = safe_list_sanitize(html)
- assert_equal %{<a
name=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ # nokogiri w/system libxml2
+ %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ ]
+ assert_includes(acceptable_results, text)
end
def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
@@ -518,7 +564,13 @@
text = safe_list_sanitize(html, attributes: ['action'])
- assert_equal %{<a
action=\"examp<!--%22%20unsafeattr=foo()>-->le.com\">test</a>}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{<a
action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ # nokogiri w/system libxml2
+ %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+ ]
+ assert_includes(acceptable_results, text)
end
def test_exclude_node_type_processing_instructions
@@ -529,6 +581,25 @@
assert_equal("<div>text</div><b>text</b>",
safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
end
+ def test_disallow_the_dangerous_safelist_combination_of_select_and_style
+ input = "<select><style><script>alert(1)</script></style></select>"
+ tags = ["select", "style"]
+ warning = /WARNING: Rails::Html::SafeListSanitizer: removing 'style' from
safelist/
+ sanitized = nil
+ invocation = Proc.new { sanitized = safe_list_sanitize(input, tags: tags) }
+
+ if html5_mode?
+ # if Loofah is using an HTML5 parser,
+ # then "style" should be removed by the parser as an invalid child of
"select"
+ assert_silent(&invocation)
+ else
+ # if Loofah is using an HTML4 parser,
+ # then SafeListSanitizer should remove "style" from the safelist
+ assert_output(nil, warning, &invocation)
+ end
+ refute_includes(sanitized, "style")
+ end
+
protected
def xpath_sanitize(input, options = {})
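Review bot: `test_disallow_the_dangerous_safelist_combination_of_select_and_style` passes a fresh mutable literal `tags = ["select", "style"]`, so it cannot observe that `remove_safelist_tag_combinations` edits the caller's array in place via `tags.delete("style")`; after the call `tags` is `["select"]`, which a caller reusing a safelist constant would not expect, and a frozen constant would raise `FrozenError`. Adding `assert_equal(["select", "style"], tags)` after the sanitize call, or passing `%w[select style].freeze`, would pin that contract, and a second case that sets the pair on the class-level safelist (restored in `ensure`, as `allowed_attributes=` already is at the end of this file, if an `allowed_tags=` setter exists) would cover the path `allowed_tags` currently leaves unfiltered. `Proc.new { ... }` could be `-> { ... }` since both are only passed with `&`. The enclosing class starts outside the hunk.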
@@ -574,4 +645,23 @@
ensure
Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
end
+
+ # note that this is used for testing CSS hex encoding: \\[0-9a-f]{1,6}
+ def convert_to_css_hex(string, escape_parens=false)
+ string.chars.map do |c|
+ if !escape_parens && (c == "(" || c == ")")
+ c
+ else
+ format('\00%02X', c.ord)
+ end
+ end.join
+ end
+
+ def libxml_2_9_14_recovery?
+ Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?(">=
2.9.14")
+ end
+
+ def html5_mode?
+ ::Loofah.respond_to?(:html5_mode?) && ::Loofah.html5_mode?
+ end
end
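Review bot: `convert_to_css_hex(string, escape_parens=false)` takes a positional boolean, so call sites read `convert_to_css_hex("url(javascript:alert(1))", true)` with no hint of what `true` means; `def convert_to_css_hex(string, escape_parens: false)` with the six call sites updated to `escape_parens: true` would be self-describing. The `format('\00%02X', c.ord)` line deserves a why-comment — `# 4-digit escape; safe because the only unescaped chars (parens) are not hex digits, and inputs are ASCII` — since a CSS parser consumes up to six hex digits after the backslash, so the form is correct only while the following character is not a hex digit and the code point fits in six digits. `libxml_2_9_14_recovery?` checks `Nokogiri.method(:uses_libxml?).arity == -1` before calling with a version string; a comment noting that older Nokogiri's `uses_libxml?` took no argument would explain the arity test. The enclosing class starts outside the hunk.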