RubyGems - loofah - Versions diffs - 2.2.2 → 2.2.3 - Mend

loofah 2.2.2 → 2.2.3

Potentially problematic release.

This version of loofah might be problematic. Click here for more details.

Files changed (10) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +53 -32
data/Manifest.txt +1 -0
data/README.md +5 -4
data/SECURITY.md +1 -1
data/lib/loofah.rb +1 -1
data/lib/loofah/html5/whitelist.rb +1 -1
data/test/assets/msword.html +63 -0
data/test/integration/test_ad_hoc.rb +12 -66
metadata +14 -7

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 9445f9115cb9fbe0677be8a93170729ddc04cfaa
-  data.tar.gz: b39cfde37a7ee10027da8e29052785b41965299e
+SHA256:
+  metadata.gz: c22c1a749ff878b96f0c4a53e789834fa8072775c5abdccb68c388d6218b1bce
+  data.tar.gz: e8d00e6ff5d623b3f3d03ce83ee780a88e92138fcb71efff28194f8a7d87e5fc
 SHA512:
-  metadata.gz: ffb7c7bdec7a1fb813ccd81d8841779d57304d32e7b34f99d3bdec2407aafd96562d7a15a8758b0abe63dbbb8b1b078b396ab5ce55ed2a168f5f8fff4dce5c50
-  data.tar.gz: 3ed294bf7beaeb073c688a46c8bbc2d6ef870afe09e1ca0c09ad144b93f06ef02638757176a53baf86eb3f1311833acf18fe94f47ad8d55d63302fb19c7ec666
+  metadata.gz: 0d5a0160010d61a51dad8e31bc644e03454311b99b1d71c6eaea5458cfaaa228671b82db52cf2369b42c48b636b912ca0d812191ac886a5c1499c44fc5221239
+  data.tar.gz: ac479e283ef08b0df14938ec577a3aa4008d07ba3288232541928794cd0b9fe2512da88ac7fd2d123666dcad67d09c1a07307442610f61adbfd65f143ae339b5

data/CHANGELOG.md CHANGED

@@ -1,5 +1,24 @@
 # Changelog
+## 2.2.3 / 2018-10-30
+### Security
+Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
+This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
+## Meta / 2018-10-27
+The mailing list is now on Google Groups [#146](https://github.com/flavorjones/loofah/issues/146):
+* Mail: loofah-talk@googlegroups.com
+* Archive: https://groups.google.com/forum/#!forum/loofah-talk
+This change was made because librelist no longer appears to be maintained.
 ## 2.2.2 / 2018-03-22
 Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
@@ -10,6 +29,8 @@ attribute scrubbers should they need to address CVE-2018-8048.
 ## 2.2.1 / 2018-03-19
+### Security
 Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
 This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
@@ -17,7 +38,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 ## 2.2.0 / 2018-02-11
-Features:
+### Features:
 * Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
 * Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
@@ -25,32 +46,32 @@ Features:
 * Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!)
 * Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)
-Bugfixes:
+### Bugfixes:
 * Properly handle nested `script` tags. #127.
 ## 2.1.1 / 2017-09-24
-Bugfixes:
+### Bugfixes:
 * Removed warning for unused variable. #124 (Thanks, @y-yagi!)
 ## 2.1.0 / 2017-09-24
-Notes:
+### Notes:
 * Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91
-Features:
+### Features:
 * Added :noopener HTML scrubber (Thanks, @tastycode!)
 * Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
-Bugfixes:
+### Bugfixes:
 * The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
 * Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
@@ -58,14 +79,14 @@ Bugfixes:
 ## 2.0.3 / 2015-08-17
-Bug fixes:
+### Bug fixes:
 * Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
 ## 2.0.2 / 2015-05-05
-Bug fixes:
+### Bug fixes:
 * Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
 * Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
@@ -74,24 +95,24 @@ Bug fixes:
 ## 2.0.1 / 2014-08-21
-Bug fixes:
+### Bug fixes:
 * Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
-Notes:
+### Notes:
 * Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
 ## 2.0.0 / 2014-05-09
-Compatibility notes:
+### Compatibility notes:
 * ActionView helpers now must be required explicitly: `require "loofah/helpers"`
 * Support for Ruby 1.8.7 and prior has been dropped
-Enhancements:
+### Enhancements:
 * HTML5 whitelist allows the following ...
   * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
@@ -101,7 +122,7 @@ Enhancements:
 * `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
 * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
-Bug fixes:
+### Bug fixes:
 * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
 * HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
@@ -114,7 +135,7 @@ Bug fixes:
 ## 1.2.0 (2011-08-08)
-Enhancements:
+### Enhancements:
 * Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper.
 * Improving ActionView integration.
@@ -122,7 +143,7 @@ Enhancements:
 ## 1.1.0 (2011-08-08)
-Enhancements:
+### Enhancements:
 * Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
   Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
@@ -132,7 +153,7 @@ Enhancements:
 ## 1.0.0 (2010-10-26)
-Notes:
+### Notes:
 * Moved ActiveRecord functionality into `loofah-activerecord` gem.
 * Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes.
@@ -140,7 +161,7 @@ Notes:
 ## 0.4.7 (2010-03-09)
-Enhancements:
+### Enhancements:
 * New methods Loofah::HTML::Document#to_text and
   Loofah::HTML::DocumentFragment#to_text do the right thing with
@@ -153,23 +174,23 @@ Enhancements:
 ## 0.4.4, 0.4.5, 0.4.6 (2010-02-01)
-Enhancements:
+### Enhancements:
 * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities.
-Bug fixes:
+### Bug fixes:
 * Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
 ## 0.4.3 (2010-01-29)
-Enhancements:
+### Enhancements:
 * All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate
 * Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS
-Miscellaneous:
+### Miscellaneous:
 * Modified documentation for bootstrapping XssFoliate in a Rails app,
   since the use of Bundler breaks the previously-documented method. To
@@ -178,18 +199,18 @@ Miscellaneous:
 ## 0.4.2 (2010-01-22)
-Enhancements:
+### Enhancements:
 * Implemented Node#scrub! for scrubbing subtrees.
 * Implemented NodeSet#scrub! for scrubbing a set of subtrees.
 * Document.text now only serializes <body> contents (ignores <head>)
 * <head>, <html> and <body> added to the HTML5lib whitelist.
-Bug fixes:
+### Bug fixes:
 * Supporting Rails apps that aren't loading ActiveRecord. GH #10
-Miscellaneous:
+### Miscellaneous:
 * Mailing list is now loofah@librelist.com / http://librelist.com
 * IRC channel is now \#loofah on freenode.
@@ -197,14 +218,14 @@ Miscellaneous:
 ## 0.4.1 (2009-11-23)
-Bugfix:
+### Bugfix:
 * Manifest fixed. Whoops.
 ## 0.4.0 (2009-11-21)
-Enhancements:
+### Enhancements:
 * Scrubber class introduced, allowing development of custom scrubbers.
 * Added support for XML documents and fragments.
@@ -215,20 +236,20 @@ Enhancements:
 ## 0.3.1 (2009-10-12)
-Bug fixes:
+### Bug fixes:
 * Scrubbed Documents properly render html, head and body tags when serialized.
 ## 0.3.0 (2009-10-06)
-Enhancements:
+### Enhancements:
 * New ActiveRecord extension `xss_foliate`, a drop-in replacement for xss_terminate[http://github.com/look/xss_terminate/tree/master].
 * Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags.
 * Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2.
-Deprecations:
+### Deprecations:
 * The methods strip_tags, whitewash, whitewash_document, sanitize, and
   sanitize_document have been deprecated. See DEPRECATED.rdoc for
@@ -237,7 +258,7 @@ Deprecations:
 ## 0.2.2 (2009-09-30)
-Enhancements:
+### Enhancements:
 * ActiveRecord extension scrubs fields in a before_validation callback
   (was previously in a before_save)
@@ -245,12 +266,12 @@ Enhancements:
 ## 0.2.1 (2009-09-19)
-Enhancements:
+### Enhancements:
 * when loaded in a Rails app, automatically extend ActiveRecord::Base
   with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
-Bugfixes:
+### Bugfixes:
 * ActiveRecord scrubbing should generate strings instead of Document or
   DocumentFragment objects. GH #5

data/Manifest.txt CHANGED

@@ -24,6 +24,7 @@ lib/loofah/scrubber.rb
 lib/loofah/scrubbers.rb
 lib/loofah/xml/document.rb
 lib/loofah/xml/document_fragment.rb
+test/assets/msword.html
 test/assets/testdata_sanitizer_tests1.dat
 test/helper.rb
 test/html5/test_sanitizer.rb

data/README.md CHANGED

@@ -1,8 +1,8 @@
 # Loofah
 * https://github.com/flavorjones/loofah
-* http://rubydoc.info/github/flavorjones/loofah/master/frames
-* http://librelist.com/browser/loofah
+* Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
+* Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
 ## Status
@@ -301,9 +301,10 @@ The bug tracker is available here:
 * https://github.com/flavorjones/loofah/issues
-And the mailing list is on librelist:
+And the mailing list is on Google Groups:
-* loofah@librelist.com / http://librelist.com
+* Mail: loofah-talk@googlegroups.com
+* Archive: https://groups.google.com/forum/#!forum/loofah-talk
 And the IRC channel is \#loofah on freenode.

data/SECURITY.md CHANGED

@@ -9,7 +9,7 @@ Your report will be acknowledged within 24 hours, and you'll receive a more deta
 If you have not received a reply to your submission within 48 hours, there are a few steps you can take:
 * Contact the current security coordinator (Mike Dalessio <mike.dalessio@gmail.com>)
-* Email the Loofah user group at loofah@librelist.com (archive at http://librelist.com)
+* Email the Loofah user group at loofah-talk@googlegroups.com (archive at https://groups.google.com/forum/#!forum/loofah-talk)
 Please note, the user group list is a public area. When escalating in that venue, please do not discuss your issue. Simply say that you're trying to get a hold of someone from the core team.

data/lib/loofah.rb CHANGED

@@ -28,7 +28,7 @@ require 'loofah/html/document_fragment'
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '2.2.2'
+  VERSION = '2.2.3'
   class << self
     # Shortcut for Loofah::HTML::Document.parse

data/lib/loofah/html5/whitelist.rb CHANGED

@@ -92,7 +92,7 @@ module Loofah
        color-interpolation-filters color-rendering content cx cy d dx
        dy descent display dur end fill fill-opacity fill-rule
        filterRes filterUnits font-family
-       font-size font-stretch font-style font-variant font-weight from fx fy g1
+       font-size font-stretch font-style font-variant font-weight fx fy g1
        g2 glyph-name gradientUnits hanging height horiz-adv-x horiz-origin-x id
        ideographic k keyPoints keySplines keyTimes lang marker-end
        marker-mid marker-start markerHeight markerUnits markerWidth

data/test/assets/msword.html ADDED

@@ -0,0 +1,63 @@
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
+<w:WordDocument>
+ <w:View>Normal</w:View>
+ <w:Zoom>0</w:Zoom>
+ <w:PunctuationKerning/>
+ <w:ValidateAgainstSchemas/>
+ <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
+ <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
+ <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
+ <w:Compatibility>
+  <w:BreakWrappedTables/>
+  <w:SnapToGridInCell/>
+  <w:WrapTextWithPunct/>
+  <w:UseAsianBreakRules/>
+  <w:DontGrowAutofit/>
+ </w:Compatibility>
+ <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
+</w:WordDocument>
+</xml><![endif]--><!--[if gte mso 9]><xml>
+<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
+</w:LatentStyles>
+</xml><![endif]--><style>
+<!--
+/* Style Definitions */
+p.MsoNormal, li.MsoNormal, div.MsoNormal
+{mso-style-parent:"";
+margin:0in;
+margin-bottom:.0001pt;
+mso-pagination:widow-orphan;
+font-size:12.0pt;
+font-family:"Times New Roman";
+mso-fareast-font-family:"Times New Roman";}
+@page Section1
+{size:8.5in 11.0in;
+margin:1.0in 1.25in 1.0in 1.25in;
+mso-header-margin:.5in;
+mso-footer-margin:.5in;
+mso-paper-source:0;}
+div.Section1
+{page:Section1;}
+-->
+</style><!--[if gte mso 10]>
+<style>
+/* Style Definitions */
+table.MsoNormalTable
+{mso-style-name:"Table Normal";
+mso-tstyle-rowband-size:0;
+mso-tstyle-colband-size:0;
+mso-style-noshow:yes;
+mso-style-parent:"";
+mso-padding-alt:0in 5.4pt 0in 5.4pt;
+mso-para-margin:0in;
+mso-para-margin-bottom:.0001pt;
+mso-pagination:widow-orphan;
+font-size:10.0pt;
+font-family:"Times New Roman";
+mso-ansi-language:#0400;
+mso-fareast-language:#0400;
+mso-bidi-language:#0400;}
+</style>
+<![endif]-->
+<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>

data/test/integration/test_ad_hoc.rb CHANGED

@@ -17,6 +17,8 @@ class IntegrationTestAdHoc < Loofah::TestCase
   end
   context "tests" do
+    MSWORD_HTML = File.read(File.join(File.dirname(__FILE__), "..", "assets", "msword.html")).freeze
     def test_removal_of_illegal_tag
       html = <<-HTML
       following this there should be no jim tag
@@ -76,72 +78,6 @@ class IntegrationTestAdHoc < Loofah::TestCase
       assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","")
     end
-    MSWORD_HTML = <<-EOHTML
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word 11"><link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if gte mso 9]><xml>
-<w:WordDocument>
- <w:View>Normal</w:View>
- <w:Zoom>0</w:Zoom>
- <w:PunctuationKerning/>
- <w:ValidateAgainstSchemas/>
- <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
- <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
- <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
- <w:Compatibility>
-  <w:BreakWrappedTables/>
-  <w:SnapToGridInCell/>
-  <w:WrapTextWithPunct/>
-  <w:UseAsianBreakRules/>
-  <w:DontGrowAutofit/>
- </w:Compatibility>
- <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
-</w:WordDocument>
-</xml><![endif]--><!--[if gte mso 9]><xml>
-<w:LatentStyles DefLockedState="false" LatentStyleCount="156">
-</w:LatentStyles>
-</xml><![endif]--><style>
-<!--
-/* Style Definitions */
-p.MsoNormal, li.MsoNormal, div.MsoNormal
-{mso-style-parent:"";
-margin:0in;
-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:12.0pt;
-font-family:"Times New Roman";
-mso-fareast-font-family:"Times New Roman";}
-@page Section1
-{size:8.5in 11.0in;
-margin:1.0in 1.25in 1.0in 1.25in;
-mso-header-margin:.5in;
-mso-footer-margin:.5in;
-mso-paper-source:0;}
-div.Section1
-{page:Section1;}
--->
-</style><!--[if gte mso 10]>
-<style>
-/* Style Definitions */
-table.MsoNormalTable
-{mso-style-name:"Table Normal";
-mso-tstyle-rowband-size:0;
-mso-tstyle-colband-size:0;
-mso-style-noshow:yes;
-mso-style-parent:"";
-mso-padding-alt:0in 5.4pt 0in 5.4pt;
-mso-para-margin:0in;
-mso-para-margin-bottom:.0001pt;
-mso-pagination:widow-orphan;
-font-size:10.0pt;
-font-family:"Times New Roman";
-mso-ansi-language:#0400;
-mso-fareast-language:#0400;
-mso-bidi-language:#0400;}
-</style>
-<![endif]-->
-<p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>
-  EOHTML
     def test_fragment_whitewash_on_microsofty_markup
       whitewashed = Loofah.fragment(MSWORD_HTML).scrub!(:whitewash)
       assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s.strip
@@ -252,7 +188,17 @@ mso-bidi-language:#0400;}
           assert_equal %{examp<!--%22 unsafeattr=foo()>-->le.com}, attributes.first.value
         end
       end
+    end
+    # see:
+    # - https://github.com/flavorjones/loofah/issues/154
+    # - https://hackerone.com/reports/429267
+    context "xss protection from svg xmlns:xlink animate attribute" do
+      it "sanitizes appropriate attributes" do
+        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
+        sanitized = Loofah.scrub_fragment(html, :escape)
+        assert_nil sanitized.at_css("animate")["from"]
+      end
     end
   end
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.2.2
+  version: 2.2.3
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-03-22 00:00:00.000000000 Z
+date: 2018-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -169,30 +169,36 @@ dependencies:
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '7'
 - !ruby/object:Gem::Dependency
   name: hoe
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.16'
+        version: '3.17'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.16'
+        version: '3.17'
 description: |-
   Loofah is a general library for manipulating and transforming HTML/XML
   documents and fragments. It's built on top of Nokogiri and libxml2, so
@@ -243,6 +249,7 @@ files:
 - lib/loofah/scrubbers.rb
 - lib/loofah/xml/document.rb
 - lib/loofah/xml/document_fragment.rb
+- test/assets/msword.html
 - test/assets/testdata_sanitizer_tests1.dat
 - test/helper.rb
 - test/html5/test_sanitizer.rb
@@ -278,7 +285,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.12
+rubygems_version: 2.7.7
 signing_key:
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents