rails-html-sanitizer 1.2.0 → 1.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 870e022a24bf7e490864eb68c6676617508060c44cb0fbcfbce1f476b7bfa453
-  data.tar.gz: 280abb7f0ce9d0d311f4a1b8ac84d94dbe009592c32c2364eea594b0d336f5eb
+  metadata.gz: 2f00d9f256478eb753c8d211c3b25efa4204bbdbc9c5abf0415413c811a2e404
+  data.tar.gz: 65d3871aa798dfbbfb1138b666d475b590e347cdb66614d6d39b72ad3531c742
 SHA512:
-  metadata.gz: d3780c7ea8e6e77bafe1486aef16852ba326adf8a9cbcdc5fe2639f8ea47e9bb8a2e50553ecb25bceeeeb1665b5edfab92c1022707c7aa59a4f0d0c605b67223
-  data.tar.gz: 14bba8b83f0e0a6782b0e12a8c29fc73d469cda550104d7ad32b8cf8ef3628d981d4c82637e7826c79e2dc4bfd86c230a74031acf53ec0b10a40d2cabf7eed84
+  metadata.gz: e6e31eaa72b1a2e8356aae50600ac784f85a80828cbc49ce8061384ecd3f21a1d8eaee69845dc08537c5102728c3cc41a72cb3ed8b9789c4921038398afa61e2
+  data.tar.gz: 6b14a49842eaf4c3e0fbae5acd28fdf32a5deb6cd42f769aada848226847180c4d3a67a9dcbc439e1a4855699b0ea694cb4c7b6ee173391ac841bd334ae44b6f

data/CHANGELOG.md

@@ -1,3 +1,52 @@
+## 1.4.3 / 2022-06-09
+
+* Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
+
+  Prevent the combination of `select` and `style` as allowed tags in SafeListSanitizer.
+
+  Fixes CVE-2022-32209
+
+  *Mike Dalessio*
+
+
+## 1.4.2 / 2021-08-23
+
+* Slightly improve performance.
+
+  Assuming elements are more common than comments, make one less method call per node.
+
+  *Mike Dalessio*
+
+## 1.4.1 / 2021-08-18
+
+* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
+
+  Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only
+  passed through elements to the scrubber's `keep_node?` method.
+
+  This change once again allows the scrubber to make the decision on comment nodes, but still skips
+  other non-elements like processing instructions (see #115).
+
+  *Mike Dalessio*
+
+## 1.4.0 / 2021-08-18
+
+* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
+
+  Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
+  are no known security issues associated with these PIs, but similar to comments it's preferred to
+  omit these nodes when possible from sanitized output.
+
+  Fixes #115.
+
+  *Mike Dalessio*
+
+## 1.3.0
+
+* Address deprecations in Loofah 2.3.0.
+
+  *Josh Goodall*
+
 ## 1.2.0
 
 * Remove needless `white_list_sanitizer` deprecation.

data/README.md

@@ -81,8 +81,10 @@ html_fragment.to_s # => "<a></a>"
 #### `Rails::Html::TargetScrubber`
 
 Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
-`Rails::Html::TargetScrubber` targets them for removal.
+`Rails::Html::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
 
+**Note:** by default, it will scrub anything that is not part of the permitted tags from
+loofah `HTML5::Scrub.allowed_element?`.
 
 ```ruby
 scrubber = Rails::Html::TargetScrubber.new

data/lib/rails/html/sanitizer/version.rb

@@ -1,7 +1,7 @@
 module Rails
   module Html
     class Sanitizer
-      VERSION = "1.2.0"
+      VERSION = "1.4.3"
     end
   end
 end

data/lib/rails/html/sanitizer.rb

@@ -74,7 +74,7 @@ module Rails
     #
     # === Options
     # Sanitizes both html and css via the safe lists found here:
-    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
+    # https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/safelist.rb
     #
     # SafeListSanitizer also accepts options to configure
     # the safe list used when sanitizing html.
@@ -141,8 +141,25 @@ module Rails
 
       private
 
+      def loofah_using_html5?
+        # future-proofing, see https://github.com/flavorjones/loofah/pull/239
+        Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
+      end
+
+      def remove_safelist_tag_combinations(tags)
+        if !loofah_using_html5? && tags.include?("select") && tags.include?("style")
+          warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'")
+          tags.delete("style")
+        end
+        tags
+      end
+
       def allowed_tags(options)
-        options[:tags] || self.class.allowed_tags
+        if options[:tags]
+          remove_safelist_tag_combinations(options[:tags])
+        else
+          self.class.allowed_tags
+        end
       end
 
       def allowed_attributes(options)

data/lib/rails/html/scrubbers.rb

@@ -68,7 +68,7 @@ module Rails
         end
         return CONTINUE if skip_node?(node)
 
-        unless keep_node?(node)
+        unless (node.element? || node.comment?) && keep_node?(node)
           return STOP if scrub_node(node) == STOP
         end
 
@@ -138,17 +138,17 @@ module Rails
                       attr_node.node_name
                     end
 
-        if Loofah::HTML5::WhiteList::ATTR_VAL_IS_URI.include?(attr_name)
+        if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
           # this block lifted nearly verbatim from HTML5 sanitization
           val_unescaped = CGI.unescapeHTML(attr_node.value).gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'').downcase
-          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::WhiteList::PROTOCOL_SEPARATOR)[0])
+          if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && ! Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
             attr_node.remove
           end
         end
-        if Loofah::HTML5::WhiteList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
+        if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
           attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
         end
-        if Loofah::HTML5::WhiteList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
+        if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
           attr_node.remove
         end
 

data/test/sanitizer_test.rb

@@ -2,6 +2,8 @@ require "minitest/autorun"
 require "rails-html-sanitizer"
 require "rails/dom/testing/assertions/dom_assertions"
 
+puts Nokogiri::VERSION_INFO
+
 class SanitizersTest < Minitest::Test
   include Rails::Dom::Testing::Assertions::DomAssertions
 
@@ -12,13 +14,11 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_sanitize_nested_script
-    sanitizer = Rails::Html::SafeListSanitizer.new
-    assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
+    assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', safe_list_sanitize('<script><script></script>alert("XSS");<script><</script>/</script><script>script></script>', tags: %w(em))
   end
 
   def test_sanitize_nested_script_in_style
-    sanitizer = Rails::Html::SafeListSanitizer.new
-    assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', sanitizer.sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
+    assert_equal '&lt;script&gt;alert("XSS");&lt;/script&gt;', safe_list_sanitize('<style><script></style>alert("XSS");<style><</style>/</style><style>script></style>', tags: %w(em))
   end
 
   class XpathRemovalTestSanitizer < Rails::Html::Sanitizer
@@ -54,7 +54,8 @@ class SanitizersTest < Minitest::Test
 
   def test_strip_tags_with_quote
     input = '<" <img src="trollface.gif" onload="alert(1)"> hi'
-    assert_equal ' hi', full_sanitize(input)
+    expected = libxml_2_9_14_recovery? ? %{&lt;"  hi} : %{ hi}
+    assert_equal(expected, full_sanitize(input))
   end
 
   def test_strip_invalid_html
@@ -75,15 +76,21 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_remove_unclosed_tags
-    assert_equal "This is ", full_sanitize("This is <-- not\n a comment here.")
+    input = "This is <-- not\n a comment here."
+    expected = libxml_2_9_14_recovery? ? %{This is &lt;-- not\n a comment here.} : %{This is }
+    assert_equal(expected, full_sanitize(input))
   end
 
   def test_strip_cdata
-    assert_equal "This has a ]]&gt; here.", full_sanitize("This has a <![CDATA[<section>]]> here.")
+    input = "This has a <![CDATA[<section>]]> here."
+    expected = libxml_2_9_14_recovery? ? %{This has a &lt;![CDATA[]]&gt; here.} : %{This has a ]]&gt; here.}
+    assert_equal(expected, full_sanitize(input))
   end
 
   def test_strip_unclosed_cdata
-    assert_equal "This has an unclosed ]] here...", full_sanitize("This has an unclosed <![CDATA[<section>]] here...")
+    input = "This has an unclosed <![CDATA[<section>]] here..."
+    expected = libxml_2_9_14_recovery? ? %{This has an unclosed &lt;![CDATA[]] here...} : %{This has an unclosed ]] here...}
+    assert_equal(expected, full_sanitize(input))
   end
 
   def test_strip_blank_string
@@ -93,7 +100,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_tags_with_plaintext
-    assert_equal "Dont touch me", full_sanitize("Dont touch me")
+    assert_equal "Don't touch me", full_sanitize("Don't touch me")
   end
 
   def test_strip_tags_with_tags
@@ -135,7 +142,7 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_strip_links_with_plaintext
-    assert_equal "Dont touch me", link_sanitize("Dont touch me")
+    assert_equal "Don't touch me", link_sanitize("Don't touch me")
   end
 
   def test_strip_links_with_line_feed_and_uppercase_tag
@@ -181,7 +188,7 @@ class SanitizersTest < Minitest::Test
     assert_sanitized raw, %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}
   end
 
-  tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS - %w(script form)
+  tags = Loofah::HTML5::SafeList::ALLOWED_ELEMENTS - %w(script form)
   tags.each do |tag_name|
     define_method "test_should_allow_#{tag_name}_tag" do
       scope_allowed_tags(tags) do
@@ -271,7 +278,8 @@ class SanitizersTest < Minitest::Test
 
   def test_scrub_style_if_style_attribute_option_is_passed
     input = '<p style="color: #000; background-image: url(http://www.ragingplatypus.com/i/cam-full.jpg);"></p>'
-    assert_equal '<p style="color: #000;"></p>', safe_list_sanitize(input, attributes: %w(style))
+    actual = safe_list_sanitize(input, attributes: %w(style))
+    assert_includes(['<p style="color: #000;"></p>', '<p style="color:#000;"></p>'], actual)
   end
 
   def test_should_raise_argument_error_if_tags_is_not_enumerable
@@ -413,8 +421,25 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_should_sanitize_div_background_image_unicode_encoded
-    raw = %(background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029)
-    assert_equal '', sanitize_css(raw)
+    [
+      convert_to_css_hex("url(javascript:alert(1))", false),
+      convert_to_css_hex("url(javascript:alert(1))", true),
+      convert_to_css_hex("url(https://example.com)", false),
+      convert_to_css_hex("url(https://example.com)", true),
+    ].each do |propval|
+      raw = "background-image:" + propval
+      assert_empty(sanitize_css(raw))
+    end
+  end
+
+  def test_should_allow_div_background_image_unicode_encoded_safe_functions
+    [
+      convert_to_css_hex("rgb(255,0,0)", false),
+      convert_to_css_hex("rgb(255,0,0)", true),
+    ].each do |propval|
+      raw = "background-image:" + propval
+      assert_includes(sanitize_css(raw), "background-image")
+    end
   end
 
   def test_should_sanitize_div_style_expression
@@ -432,11 +457,15 @@ class SanitizersTest < Minitest::Test
   end
 
   def test_should_sanitize_cdata_section
-    assert_sanitized "<![CDATA[<span>section</span>]]>", "section]]&gt;"
+    input = "<![CDATA[<span>section</span>]]>"
+    expected = libxml_2_9_14_recovery? ? %{&lt;![CDATA[<span>section</span>]]&gt;} : %{section]]&gt;}
+    assert_sanitized(input, expected)
   end
 
   def test_should_sanitize_unterminated_cdata_section
-    assert_sanitized "<![CDATA[<span>neverending...", "neverending..."
+    input = "<![CDATA[<span>neverending..."
+    expected = libxml_2_9_14_recovery? ? %{&lt;![CDATA[<span>neverending...</span>} : %{neverending...}
+    assert_sanitized(input, expected)
   end
 
   def test_should_not_mangle_urls_with_ampersand
@@ -487,7 +516,13 @@ class SanitizersTest < Minitest::Test
 
     text = safe_list_sanitize(html)
 
-    assert_equal %{<a href=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+    acceptable_results = [
+      # nokogiri w/vendored+patched libxml2
+      %{<a href="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+      # nokogiri w/ system libxml2
+      %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+    ]
+    assert_includes(acceptable_results, text)
   end
 
   def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
@@ -497,7 +532,13 @@ class SanitizersTest < Minitest::Test
 
     text = safe_list_sanitize(html)
 
-    assert_equal %{<a src=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+    acceptable_results = [
+      # nokogiri w/vendored+patched libxml2
+      %{<a src="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+      # nokogiri w/system libxml2
+      %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+    ]
+    assert_includes(acceptable_results, text)
   end
 
   def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
@@ -507,7 +548,13 @@ class SanitizersTest < Minitest::Test
 
     text = safe_list_sanitize(html)
 
-    assert_equal %{<a name=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+    acceptable_results = [
+      # nokogiri w/vendored+patched libxml2
+      %{<a name="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+      # nokogiri w/system libxml2
+      %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+    ]
+    assert_includes(acceptable_results, text)
   end
 
   def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
@@ -517,7 +564,40 @@ class SanitizersTest < Minitest::Test
 
     text = safe_list_sanitize(html, attributes: ['action'])
 
-    assert_equal %{<a action=\"examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com\">test</a>}, text
+    acceptable_results = [
+      # nokogiri w/vendored+patched libxml2
+      %{<a action="examp&lt;!--%22%20unsafeattr=foo()&gt;--&gt;le.com">test</a>},
+      # nokogiri w/system libxml2
+      %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>},
+    ]
+    assert_includes(acceptable_results, text)
+  end
+
+  def test_exclude_node_type_processing_instructions
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><?div content><b>text</b>"))
+  end
+
+  def test_exclude_node_type_comment
+    assert_equal("<div>text</div><b>text</b>", safe_list_sanitize("<div>text</div><!-- comment --><b>text</b>"))
+  end
+
+  def test_disallow_the_dangerous_safelist_combination_of_select_and_style
+    input = "<select><style><script>alert(1)</script></style></select>"
+    tags = ["select", "style"]
+    warning = /WARNING: Rails::Html::SafeListSanitizer: removing 'style' from safelist/
+    sanitized = nil
+    invocation = Proc.new { sanitized = safe_list_sanitize(input, tags: tags) }
+
+    if html5_mode?
+      # if Loofah is using an HTML5 parser,
+      #   then "style" should be removed by the parser as an invalid child of "select"
+      assert_silent(&invocation)
+    else
+      # if Loofah is using an HTML4 parser,
+      #   then SafeListSanitizer should remove "style" from the safelist
+      assert_output(nil, warning, &invocation)
+    end
+    refute_includes(sanitized, "style")
   end
 
 protected
@@ -565,4 +645,23 @@ protected
   ensure
     Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
   end
+
+  # note that this is used for testing CSS hex encoding: \\[0-9a-f]{1,6}
+  def convert_to_css_hex(string, escape_parens=false)
+    string.chars.map do |c|
+      if !escape_parens && (c == "(" || c == ")")
+        c
+      else
+        format('\00%02X', c.ord)
+      end
+    end.join
+  end
+
+  def libxml_2_9_14_recovery?
+    Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?(">= 2.9.14")
+  end
+
+  def html5_mode?
+    ::Loofah.respond_to?(:html5_mode?) && ::Loofah.html5_mode?
+  end
 end

data/test/scrubbers_test.rb

@@ -41,6 +41,16 @@ class PermitScrubberTest < ScrubberTest
     assert_scrubbed '<tag>hello</tag>', 'hello'
   end
 
+  def test_default_scrub_removes_comments
+    assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
+                    '<div>one</div><span>three</span>')
+  end
+
+  def test_default_scrub_removes_processing_instructions
+    assert_scrubbed('<div>one</div><?div two><span>three</span>',
+                    '<div>one</div><span>three</span>')
+  end
+
   def test_default_attributes_removal_behavior
     assert_scrubbed '<p cooler="hello">hello</p>', '<p>hello</p>'
   end
@@ -56,6 +66,12 @@ class PermitScrubberTest < ScrubberTest
     assert_scrubbed html, '<tag>leave me now</tag>'
   end
 
+  def test_leaves_comments_when_supplied_as_tag
+    @scrubber.tags = %w(div comment)
+    assert_scrubbed('<div>one</div><!-- two --><span>three</span>',
+                    '<div>one</div><!-- two -->three')
+  end
+
   def test_leaves_only_supplied_tags_nested
     html = '<tag>leave <em>me <span>now</span></em></tag>'
     @scrubber.tags = %w(tag)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-html-sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.4.3
 platform: ruby
 authors:
 - Rafael Mendonça França
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-08 00:00:00.000000000 Z
+date: 2022-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loofah
@@ -17,20 +17,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -107,7 +101,11 @@ files:
 homepage: https://github.com/rails/rails-html-sanitizer
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/rails/rails-html-sanitizer/issues
+  changelog_uri: https://github.com/rails/rails-html-sanitizer/blob/v1.4.3/CHANGELOG.md
+  documentation_uri: https://www.rubydoc.info/gems/rails-html-sanitizer/1.4.3
+  source_code_uri: https://github.com/rails/rails-html-sanitizer/tree/v1.4.3
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -123,10 +121,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.4
+rubygems_version: 3.3.5
 signing_key: 
 specification_version: 4
 summary: This gem is responsible to sanitize HTML fragments in Rails applications.
 test_files:
-- test/scrubbers_test.rb
 - test/sanitizer_test.rb
+- test/scrubbers_test.rb