loofah 2.2.0 → 2.2.1


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 6656f9e5edc815b2c5ee676d1c4fb818b2dc03f4
4
- data.tar.gz: 7bea1d04f8af479fd825c7adf687f0ca0c624830
3
+ metadata.gz: 55986c6edc7d96bf6301f01ed6c8474a0e0eedc3
4
+ data.tar.gz: e1e5ef44e194bd9333cfc92f9d182bedaac5799c
5
5
  SHA512:
6
- metadata.gz: 42f030b7228867ebf322c9d8e286349e1288ef3d60f90fe404b0d9250cc626ea6fad84ff1325cd2754ea4a7fdf80802a4bdae5a9b7121ac312e56d96c280d1a3
7
- data.tar.gz: 8a67c56281a65b6e89d8623f40423ae41ed2628eeb0a90193196cfb87aeb4efccbe23c961b05ab26a247bac0117a55b68dea97ab6b67076e272ebad8471e33cb
6
+ metadata.gz: 7d45dbc3cb1e275e81f127e92107ba540da3f8294d486e927325cd9a8cb8c742ba1f34c14101b46437242b3778911c3f7392bf822b2dbeccd835410f52ca757f
7
+ data.tar.gz: 70318ae204e34718bbdf818c6be1d302e5377eec163ff1380556e219443d1d0c42887f5e6e69b4d2ef8876e6cbbaa4f2f7f84d73fe71e13bbe1b2d10b199e072
@@ -1,5 +1,12 @@
1
1
  # Changelog
2
2
 
3
+ ## 2.2.1 / 2018-03-19
4
+
5
+ Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
6
+
7
+ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
8
+
9
+
3
10
  ## 2.2.0 / 2018-02-11
4
11
 
5
12
  Features:
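Review bot: line 5 of this hunk reads awkwardly ("when input with specially-crafted HTML fragments"); suggest "when given specially-crafted HTML fragments as input". It would also help users assess exposure if the entry named what the fix actually covers, which the rest of this release makes visible: the `href`, `action` and `src` attributes on any tag and `name` on `<a>`, serialized by Nokogiri on libxml2, where an unescaped `<!-- ... -->` inside the value let an attacker-controlled string break out of the attribute on re-parse.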
@@ -5,6 +5,7 @@ MIT-LICENSE.txt
5
5
  Manifest.txt
6
6
  README.md
7
7
  Rakefile
8
+ SECURITY.md
8
9
  benchmark/benchmark.rb
9
10
  benchmark/fragment.html
10
11
  benchmark/helper.rb
@@ -14,6 +15,7 @@ lib/loofah/elements.rb
14
15
  lib/loofah/helpers.rb
15
16
  lib/loofah/html/document.rb
16
17
  lib/loofah/html/document_fragment.rb
18
+ lib/loofah/html5/libxml2_workarounds.rb
17
19
  lib/loofah/html5/scrub.rb
18
20
  lib/loofah/html5/whitelist.rb
19
21
  lib/loofah/instance_methods.rb
data/README.md CHANGED
@@ -310,14 +310,22 @@ And the IRC channel is \#loofah on freenode.
310
310
 
311
311
  ## Security
312
312
 
313
- Some tools may incorrectly report loofah is a potential security
314
- vulnerability. Loofah depends on Nokogiri, and it's possible to use
315
- Nokogiri in a dangerous way (by enabling its DTDLOAD option and
316
- disabling its NONET option). This dangerous Nokogiri configuration,
317
- which is sometimes used by other components, can create an XML
318
- External Entity (XXE) vulnerability if the XML data is not trusted.
319
- However, loofah never enables this dangerous Nokogiri configuration;
320
- loofah never enables DTDLOAD, and it never disables NONET.
313
+ See [`SECURITY.md`](SECURITY.md) for vulnerability reporting details.
314
+
315
+
316
+ ### "Secure by Default"
317
+
318
+ Some tools may incorrectly report Loofah as a potential security
319
+ vulnerability.
320
+
321
+ Loofah depends on Nokogiri, and it's _possible_ to use Nokogiri in a
322
+ dangerous way (by enabling its DTDLOAD option and disabling its NONET
323
+ option). This specifically allows the opportunity for an XML External
324
+ Entity (XXE) vulnerability if the XML data is untrusted.
325
+
326
+ However, Loofah __never enables this Nokogiri configuration__; Loofah
327
+ never enables DTDLOAD, and it never disables NONET, thereby protecting
328
+ you by default from this XXE vulnerability.
321
329
 
322
330
 
323
331
  ## Related Links
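Review bot: the new "Secure by Default" subsection only addresses the Nokogiri DTDLOAD/NONET false positive, so a reader landing on `## Security` gets no pointer to the one real issue this release fixes (CVE-2018-8048, the libxml2 attribute-escaping workaround). Suggest one sentence after the `SECURITY.md` link, e.g. "Fixed vulnerabilities are listed in CHANGELOG.md", so the README does not read as claiming there have been none. "Some tools" on line 318 is also vague; "some dependency scanners" says what kind of tool produces the report.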
@@ -345,7 +353,7 @@ And a big shout-out to Corey Innis for the name, and feedback on the API.
345
353
 
346
354
  ## Thank You
347
355
 
348
- The following people have generously donated via the Pledgie[http://pledgie.com] badge on the {Loofah github page}[https://github.com/flavorjones/loofah]:
356
+ The following people have generously donated via the [Pledgie](http://pledgie.com) badge on the [Loofah github page](https://github.com/flavorjones/loofah):
349
357
 
350
358
  * Bill Harding
351
359
 
data/Rakefile CHANGED
@@ -12,9 +12,9 @@ Hoe.spec "loofah" do
12
12
  developer "Mike Dalessio", "mike.dalessio@gmail.com"
13
13
  developer "Bryan Helmkamp", "bryan@brynary.com"
14
14
 
15
- self.extra_rdoc_files = FileList["*.rdoc"]
15
+ self.extra_rdoc_files = FileList["*.md"]
16
16
  self.history_file = "CHANGELOG.md"
17
- self.readme_file = "README.rdoc"
17
+ self.readme_file = "README.md"
18
18
  self.license "MIT"
19
19
 
20
20
  extra_deps << ["nokogiri", ">=1.5.9"]
@@ -0,0 +1,18 @@
1
+ # Security and Vulnerability Reporting
2
+
3
+ The Loofah core contributors take security very seriously and investigate all reported vulnerabilities.
4
+
5
+ If you would like to report a vulnerablity or have a security concern regarding Loofah, please [report it via HackerOne](https://hackerone.com/loofah/reports/new).
6
+
7
+ Your report will be acknowledged within 24 hours, and you'll receive a more detailed response within 72 hours indicating next steps in handling your report.
8
+
9
+ If you have not received a reply to your submission within 48 hours, there are a few steps you can take:
10
+
11
+ * Contact the current security coordinator (Mike Dalessio <mike.dalessio@gmail.com>)
12
+ * Email the Loofah user group at loofah@librelist.com (archive at http://librelist.com)
13
+
14
+ Please note, the user group list is a public area. When escalating in that venue, please do not discuss your issue. Simply say that you're trying to get a hold of someone from the core team.
15
+
16
+ The information you share with the Loofah core contributors as part of this process will be kept confidential within the team, unless or until we need to share information upstream with our dependent libraries' core teams, at which point we will notify you.
17
+
18
+ If a vulnerability is first reported by you, we will credit you with the discovery in the public disclosure.
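Review bot: typo on line 5, "vulnerablity" should be "vulnerability". Otherwise the escalation path is consistent (acknowledgement within 24 hours, escalate after 48, detailed response within 72), and the warning on line 14 that the librelist archive is public is the right call since anything posted there is effectively disclosed.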
@@ -6,6 +6,7 @@ require 'loofah/metahelpers'
6
6
  require 'loofah/elements'
7
7
 
8
8
  require 'loofah/html5/whitelist'
9
+ require 'loofah/html5/libxml2_workarounds'
9
10
  require 'loofah/html5/scrub'
10
11
 
11
12
  require 'loofah/scrubber'
@@ -27,7 +28,7 @@ require 'loofah/html/document_fragment'
27
28
  #
28
29
  module Loofah
29
30
  # The version of Loofah you are using
30
- VERSION = '2.2.0'
31
+ VERSION = '2.2.1'
31
32
 
32
33
  class << self
33
34
  # Shortcut for Loofah::HTML::Document.parse
@@ -0,0 +1,26 @@
1
+ # coding: utf-8
2
+ require 'set'
3
+
4
+ module Loofah
5
+ #
6
+ # constants related to working around unhelpful libxml2 behavior
7
+ #
8
+ # ಠ_ಠ
9
+ #
10
+ module LibxmlWorkarounds
11
+ #
12
+ # these attributes and qualifying parent tags are determined by the code at:
13
+ #
14
+ # https://git.gnome.org/browse/libxml2/tree/HTMLtree.c?h=v2.9.2#n714
15
+ #
16
+ # see comments about CVE-2018-8048 within the tests for more information
17
+ #
18
+ BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
19
+ href
20
+ action
21
+ src
22
+ name
23
+ ]
24
+ BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
25
+ end
26
+ end
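Review bot: both lookup tables are mutable; `Set.new %w[...]` and the hash literal on lines 18 to 24 should get `.freeze` so a caller or a monkey-patch cannot silently widen or narrow the set of attributes the CVE-2018-8048 workaround rewrites. The comment on line 14 pins the libxml2 source to v2.9.2 line 714, which matches the test file's citation, good; consider also stating in the comment that `name` is restricted to `<a>` by the qualifying-tag hash so the two constants are read together.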
@@ -1,5 +1,3 @@
1
- #encoding: US-ASCII
2
-
3
1
  require 'cgi'
4
2
  require 'crass'
5
3
 
@@ -65,6 +63,8 @@ module Loofah
65
63
  node.attribute_nodes.each do |attr_node|
66
64
  node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
67
65
  end
66
+
67
+ force_correct_attribute_escaping! node
68
68
  end
69
69
 
70
70
  def scrub_css_attribute node
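Review bot: the new call on line 67 has no comment at the call site, and its position matters: it must run after the whitelist pass and after empty attributes are dropped, so only surviving attribute values get rewritten. A one-line comment such as "# CVE-2018-8048: libxml2 >= 2.9.2 does not escape comments in some attributes; see force_correct_attribute_escaping!" would stop a future refactor from moving it above the filtering loop.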
@@ -100,6 +100,35 @@ module Loofah
100
100
 
101
101
  Crass::Parser.stringify sanitized_tree
102
102
  end
103
+
104
+ private
105
+
106
+ #
107
+ # libxml2 >= 2.9.2 fails to escape comments within some attributes.
108
+ #
109
+ # see comments about CVE-2018-8048 within the tests for more information
110
+ #
111
+ def force_correct_attribute_escaping! node
112
+ return unless Nokogiri::VersionInfo.instance.libxml2?
113
+
114
+ node.attribute_nodes.each do |attr_node|
115
+ next unless LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES.include?(attr_node.name)
116
+
117
+ tag_name = LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG[attr_node.name]
118
+ next unless tag_name.nil? || tag_name == node.name
119
+
120
+ #
121
+ # this block is just like CGI.escape in Ruby 2.4, but
122
+ # only encodes space and double-quote, to mimic
123
+ # pre-2.9.2 behavior
124
+ #
125
+ encoding = attr_node.value.encoding
126
+ attr_node.value = attr_node.value.gsub(/[ "]/) do |m|
127
+ '%' + m.unpack('H2' * m.bytesize).join('%').upcase
128
+ end.force_encoding(encoding)
129
+ end
130
+ end
131
+
103
132
  end
104
133
  end
105
134
  end
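Review bot: the guard on line 112 (`Nokogiri::VersionInfo.instance.libxml2?`) only distinguishes libxml2 from other backends, while the comment on line 107 scopes the bug to libxml2 >= 2.9.2, so the rewrite also runs on older libxml2 builds; either add the version floor to the check or document in the comment why applying it there is harmless. Separately, the `gsub(/[ "]/)` on line 126 percent-encodes every space and double quote in the listed attributes, not just values that contain a `<!--` comment, so an ordinary `href="a b"` now serializes as `a%20b`. That is a visible output change for consumers and belongs in the CHANGELOG entry. The `'H2' * m.bytesize` on line 127 is correct but always yields a single byte here since the regex only matches ASCII characters.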
@@ -188,6 +188,71 @@ mso-bidi-language:#0400;}
188
188
  html = "<p>Foo</p>\n<p>Bar</p>"
189
189
  assert_equal "Foo\nBar", Loofah.scrub_document(html, :prune).text
190
190
  end
191
+
192
+ #
193
+ # tests for CVE-2018-8048 (see https://github.com/flavorjones/loofah/issues/144)
194
+ #
195
+ # libxml2 >= 2.9.2 fails to escape comments within some attributes. It
196
+ # wants to ensure these comments can be treated as "server-side includes",
197
+ # but as a result fails to ensure that serialization is well-formed,
198
+ # resulting in an opportunity for XSS injection of code into a final
199
+ # re-parsed document (presumably in a browser).
200
+ #
201
+ # we'll test this by parsing the HTML, serializing it, then
202
+ # re-parsing it to ensure there isn't any ambiguity in the output
203
+ # that might allow code injection into a browser consuming
204
+ # "sanitized" output.
205
+ #
206
+ [
207
+ #
208
+ # these tags and attributes are determined by the code at:
209
+ #
210
+ # https://git.gnome.org/browse/libxml2/tree/HTMLtree.c?h=v2.9.2#n714
211
+ #
212
+ {tag: "a", attr: "href"},
213
+ {tag: "div", attr: "href"},
214
+ {tag: "a", attr: "action"},
215
+ {tag: "div", attr: "action"},
216
+ {tag: "a", attr: "src"},
217
+ {tag: "div", attr: "src"},
218
+ {tag: "a", attr: "name"},
219
+ #
220
+ # note that div+name is _not_ affected by the libxml2 issue.
221
+ # but we test it anyway to ensure our logic isn't modifying
222
+ # attributes that don't need modifying.
223
+ #
224
+ {tag: "div", attr: "name", unescaped: true},
225
+ ].each do |config|
226
+
227
+ define_method "test_uri_escaping_of_#{config[:attr]}_attr_in_#{config[:tag]}_tag" do
228
+ html = %{<#{config[:tag]} #{config[:attr]}='examp<!--" unsafeattr=foo()>-->le.com'>test</#{config[:tag]}>}
229
+
230
+ reparsed = Loofah.fragment(Loofah.fragment(html).scrub!(:prune).to_html)
231
+ attributes = reparsed.at_css(config[:tag]).attribute_nodes
232
+
233
+ assert_equal [config[:attr]], attributes.collect(&:name)
234
+ if Nokogiri::VersionInfo.new.libxml2?
235
+ if config[:unescaped]
236
+ #
237
+ # this attribute was emitted wrapped in single-quotes, so a double quote is A-OK.
238
+ # assert that this attribute's serialization is unaffected.
239
+ #
240
+ assert_equal %{examp<!--" unsafeattr=foo()>-->le.com}, attributes.first.value
241
+ else
242
+ #
243
+ # let's match the behavior in libxml < 2.9.2.
244
+ # test that this attribute's serialization is well-formed and sanitized.
245
+ #
246
+ assert_equal %{examp<!--%22%20unsafeattr=foo()>-->le.com}, attributes.first.value
247
+ end
248
+ else
249
+ #
250
+ # yay for consistency in javaland. move along, nothing to see here.
251
+ #
252
+ assert_equal %{examp<!--%22 unsafeattr=foo()>-->le.com}, attributes.first.value
253
+ end
254
+ end
255
+
256
+ end
191
257
  end
192
258
  end
193
-
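Review bot: line 234 uses `Nokogiri::VersionInfo.new.libxml2?` while the implementation in scrub.rb uses `Nokogiri::VersionInfo.instance.libxml2?`; use the same accessor in both so the test exercises the exact branch the library takes. The matrix on lines 212 to 224 is well chosen: it covers each attribute on both an affected and an unaffected tag, and the `div`+`name` case with `unescaped: true` verifies the qualifying-tag restriction is a no-op rather than simply untested. Consider adding a control case with a value that has no comment at all, so the space-to-`%20` rewrite is asserted explicitly rather than only observed as part of the `%22%20` expectation on line 246.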
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: loofah
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.0
4
+ version: 2.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2018-02-11 00:00:00.000000000 Z
12
+ date: 2018-03-19 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: nokogiri
@@ -193,7 +193,18 @@ dependencies:
193
193
  - - "~>"
194
194
  - !ruby/object:Gem::Version
195
195
  version: '3.16'
196
- description: ''
196
+ description: |-
197
+ Loofah is a general library for manipulating and transforming HTML/XML
198
+ documents and fragments. It's built on top of Nokogiri and libxml2, so
199
+ it's fast and has a nice API.
200
+
201
+ Loofah excels at HTML sanitization (XSS prevention). It includes some
202
+ nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
203
+ most likely won't make your codes less secure. (These statements have
204
+ not been evaluated by Netexperts.)
205
+
206
+ ActiveRecord extensions for sanitization are available in the
207
+ [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
197
208
  email:
198
209
  - mike.dalessio@gmail.com
199
210
  - bryan@brynary.com
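Review bot: grammar nit on line 203 of the description, "won't make your codes less secure" should read "won't make your code less secure". The rest of the new description and the added homepage are a clear improvement over the empty strings shipped in 2.2.0.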
@@ -204,6 +215,7 @@ extra_rdoc_files:
204
215
  - MIT-LICENSE.txt
205
216
  - Manifest.txt
206
217
  - README.md
218
+ - SECURITY.md
207
219
  files:
208
220
  - ".gemtest"
209
221
  - CHANGELOG.md
@@ -212,6 +224,7 @@ files:
212
224
  - Manifest.txt
213
225
  - README.md
214
226
  - Rakefile
227
+ - SECURITY.md
215
228
  - benchmark/benchmark.rb
216
229
  - benchmark/fragment.html
217
230
  - benchmark/helper.rb
@@ -221,6 +234,7 @@ files:
221
234
  - lib/loofah/helpers.rb
222
235
  - lib/loofah/html/document.rb
223
236
  - lib/loofah/html/document_fragment.rb
237
+ - lib/loofah/html5/libxml2_workarounds.rb
224
238
  - lib/loofah/html5/scrub.rb
225
239
  - lib/loofah/html5/whitelist.rb
226
240
  - lib/loofah/instance_methods.rb
@@ -242,14 +256,14 @@ files:
242
256
  - test/unit/test_helpers.rb
243
257
  - test/unit/test_scrubber.rb
244
258
  - test/unit/test_scrubbers.rb
245
- homepage:
259
+ homepage: https://github.com/flavorjones/loofah
246
260
  licenses:
247
261
  - MIT
248
262
  metadata: {}
249
263
  post_install_message:
250
264
  rdoc_options:
251
265
  - "--main"
252
- - README.rdoc
266
+ - README.md
253
267
  require_paths:
254
268
  - lib
255
269
  required_ruby_version: !ruby/object:Gem::Requirement
@@ -267,5 +281,6 @@ rubyforge_project:
267
281
  rubygems_version: 2.6.12
268
282
  signing_key:
269
283
  specification_version: 4
270
- summary: ''
284
+ summary: Loofah is a general library for manipulating and transforming HTML/XML documents
285
+ and fragments
271
286
  test_files: []