loofah 2.3.0 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 521948af26b151c0584b5eabd8e60c8c31ff451d2b134da4bc632256feeb87f4
-  data.tar.gz: 9b699d079c84a6c498fcb5be0e56f7c68ad7049bb0aa498e3413343803fcf585
+  metadata.gz: 1196afab25d29644d1961e4516ac317a2c38dee3295f35354c468e6a9318fa55
+  data.tar.gz: 2e07ff641edb37d2b0dce2933288da4667d4b680a586912af9c171db7dfb0a63
 SHA512:
-  metadata.gz: 7781d0db35620637fd69051e3729db36f4d10712bab60038df78f523d72b991b8e8f86009655495b56ef69d5b97aa5a621cc22698bc4eaec06577bece6841ec6
-  data.tar.gz: e42ab470cc2f3fbb5d0c3965b6a60fe698d0d076b3d87d58f6c4fa209531eac82188bef01c8005a94f3caa3f342ae7df4a850a4107fa043b618bdbd9f98c8d86
+  metadata.gz: 37ac2cdb0d136da417cff62e3845c5b71769f044d8150c636a549dc9ca4cf98bcef4c6d2b6e653eff56922b95d812ed39310a406c49366c14791456ca905e8fe
+  data.tar.gz: 0fa3cdd75a3d2950801a1cfe7f8d4cad6bb73bbec67d24ba25980c09a565f6c95c5d664c1789ccd62486d1917c685a5b0f762cc073a054bbb0f02fb0222688f0

data/CHANGELOG.md

@@ -1,6 +1,15 @@
 # Changelog
 
-## 2.3.0 / unreleased
+## 2.3.1 / 2019-10-22
+
+### Security
+
+Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
+
+This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171
+
+
+## 2.3.0 / 2019-09-28
 
 ### Features
 

data/README.md

@@ -14,17 +14,11 @@
 
 ## Description
 
-Loofah is a general library for manipulating and transforming HTML/XML
-documents and fragments. It's built on top of Nokogiri and libxml2, so
-it's fast and has a nice API.
+Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
-Loofah excels at HTML sanitization (XSS prevention). It includes some
-nice HTML sanitizers, which are based on HTML5lib's safelist, so it
-most likely won't make your codes less secure. (These statements have
-not been evaluated by Netexperts.)
+Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
 
-ActiveRecord extensions for sanitization are available in the
-[`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
+ActiveRecord extensions for sanitization are available in the [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
 
 
 ## Features

data/lib/loofah.rb

@@ -28,7 +28,7 @@ require "loofah/html/document_fragment"
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = "2.3.0"
+  VERSION = "2.3.1"
 
   class << self
     # Shortcut for Loofah::HTML::Document.parse

data/lib/loofah/html5/safelist.rb

@@ -1,4 +1,4 @@
-require 'set'
+require "set"
 
 module Loofah
   module HTML5 # :nodoc:
@@ -45,7 +45,6 @@ module Loofah
     #
     # </html5_license>
     module SafeList
-
       ACCEPTABLE_ELEMENTS = Set.new([
                                       "a",
                                       "abbr",
@@ -361,7 +360,6 @@ module Loofah
                                  "baseProfile",
                                  "bbox",
                                  "begin",
-                                 "by",
                                  "calcMode",
                                  "cap-height",
                                  "class",
@@ -468,7 +466,6 @@ module Loofah
                                  "systemLanguage",
                                  "target",
                                  "text-anchor",
-                                 "to",
                                  "transform",
                                  "type",
                                  "u1",
@@ -478,7 +475,6 @@ module Loofah
                                  "unicode",
                                  "unicode-range",
                                  "units-per-em",
-                                 "values",
                                  "version",
                                  "viewBox",
                                  "visibility",

data/test/integration/test_ad_hoc.rb

@@ -1,7 +1,6 @@
 require "helper"
 
 class IntegrationTestAdHoc < Loofah::TestCase
-
   context "blank input string" do
     context "fragment" do
       it "return a blank string" do
@@ -33,9 +32,9 @@ class IntegrationTestAdHoc < Loofah::TestCase
       html = "<p class=bar foo=bar abbr=bar />"
       sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
       node = sane.xpath("//p").first
-      assert node.attributes['class']
-      assert node.attributes['abbr']
-      assert_nil node.attributes['foo']
+      assert node.attributes["class"]
+      assert node.attributes["abbr"]
+      assert_nil node.attributes["foo"]
     end
 
     def test_removal_of_illegal_url_in_href
@@ -45,14 +44,14 @@ class IntegrationTestAdHoc < Loofah::TestCase
     HTML
       sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
       nodes = sane.xpath("//a")
-      assert_nil nodes.first.attributes['href']
-      assert nodes.last.attributes['href']
+      assert_nil nodes.first.attributes["href"]
+      assert nodes.last.attributes["href"]
     end
 
     def test_css_sanitization
       html = "<p style='background-color: url(\"http://foo.com/\") ; background-color: #000 ;' />"
       sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-      assert_match %r/#000/,    sane.inner_html
+      assert_match %r/#000/, sane.inner_html
       refute_match %r/foo\.com/, sane.inner_html
     end
 
@@ -75,7 +74,7 @@ class IntegrationTestAdHoc < Loofah::TestCase
     def test_whitewash_on_fragment
       html = "safe<frameset rows=\"*\"><frame src=\"http://example.com\"></frameset> <b>description</b>"
       whitewashed = Loofah.scrub_document(html, :whitewash).xpath("/html/body/*").to_s
-      assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","")
+      assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n", "")
     end
 
     def test_fragment_whitewash_on_microsofty_markup
@@ -86,11 +85,11 @@ class IntegrationTestAdHoc < Loofah::TestCase
     def test_document_whitewash_on_microsofty_markup
       whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash)
       assert_match %r(<p>Foo <b>BOLD</b></p>), whitewashed.to_s
-      assert_equal "<p>Foo <b>BOLD</b></p>",   whitewashed.xpath("/html/body/*").to_s
+      assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.xpath("/html/body/*").to_s
     end
 
     def test_return_empty_string_when_nothing_left
-      assert_equal "", Loofah.scrub_document('<script>test</script>', :prune).text
+      assert_equal "", Loofah.scrub_document("<script>test</script>", :prune).text
     end
 
     def test_nested_script_cdata_tags_should_be_scrubbed
@@ -145,21 +144,20 @@ class IntegrationTestAdHoc < Loofah::TestCase
       #
       #    https://git.gnome.org/browse/libxml2/tree/HTMLtree.c?h=v2.9.2#n714
       #
-      {tag: "a",   attr: "href"},
-      {tag: "div", attr: "href"},
-      {tag: "a",   attr: "action"},
-      {tag: "div", attr: "action"},
-      {tag: "a",   attr: "src"},
-      {tag: "div", attr: "src"},
-      {tag: "a",   attr: "name"},
+      { tag: "a", attr: "href" },
+      { tag: "div", attr: "href" },
+      { tag: "a", attr: "action" },
+      { tag: "div", attr: "action" },
+      { tag: "a", attr: "src" },
+      { tag: "div", attr: "src" },
+      { tag: "a", attr: "name" },
       #
       #  note that div+name is _not_ affected by the libxml2 issue.
       #  but we test it anyway to ensure our logic isn't modifying
       #  attributes that don't need modifying.
       #
-      {tag: "div", attr: "name", unescaped: true},
+      { tag: "div", attr: "name", unescaped: true },
     ].each do |config|
-
       define_method "test_uri_escaping_of_#{config[:attr]}_attr_in_#{config[:tag]}_tag" do
         html = %{<#{config[:tag]} #{config[:attr]}='examp<!--" unsafeattr=foo()>-->le.com'>test</#{config[:tag]}>}
 
@@ -190,14 +188,32 @@ class IntegrationTestAdHoc < Loofah::TestCase
       end
     end
 
-    # see:
-    # - https://github.com/flavorjones/loofah/issues/154
-    # - https://hackerone.com/reports/429267
-    context "xss protection from svg xmlns:xlink animate attribute" do
-      it "sanitizes appropriate attributes" do
-        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
+    context "xss protection from svg animate attributes" do
+      # see recommendation from https://html5sec.org/#137
+      # to sanitize "to", "from", "values", and "by" attributes
+
+      it "sanitizes 'from', 'to', and 'by' attributes" do
+        # for CVE-2018-16468
+        # see:
+        # - https://github.com/flavorjones/loofah/issues/154
+        # - https://hackerone.com/reports/429267
+        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26 by=5>}
+
         sanitized = Loofah.scrub_fragment(html, :escape)
         assert_nil sanitized.at_css("animate")["from"]
+        assert_nil sanitized.at_css("animate")["to"]
+        assert_nil sanitized.at_css("animate")["by"]
+      end
+
+      it "sanitizes 'values' attribute" do
+        # for CVE-2019-15587
+        # see:
+        # - https://github.com/flavorjones/loofah/issues/171
+        # - https://hackerone.com/reports/709009
+        html = %Q{<svg> <animate href="#foo" attributeName="href" values="javascript:alert('xss')"/> <a id="foo"> <circle r=400 /> </a> </svg>}
+
+        sanitized = Loofah.scrub_fragment(html, :escape)
+        assert_nil sanitized.at_css("animate")["values"]
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.3.1
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-09-28 00:00:00.000000000 Z
+date: 2019-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -200,17 +200,11 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.18'
 description: |-
-  Loofah is a general library for manipulating and transforming HTML/XML
-  documents and fragments. It's built on top of Nokogiri and libxml2, so
-  it's fast and has a nice API.
+  Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
-  Loofah excels at HTML sanitization (XSS prevention). It includes some
-  nice HTML sanitizers, which are based on HTML5lib's safelist, so it
-  most likely won't make your codes less secure. (These statements have
-  not been evaluated by Netexperts.)
+  Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
 
-  ActiveRecord extensions for sanitization are available in the
-  [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
+  ActiveRecord extensions for sanitization are available in the [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
 email:
 - mike.dalessio@gmail.com
 - bryan@brynary.com
@@ -289,5 +283,5 @@ rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Loofah is a general library for manipulating and transforming HTML/XML documents
-  and fragments
+  and fragments, built on top of Nokogiri
 test_files: []