yard 0.8.0
Arbitrary path traversal and file access via yard server
>= 0.9.20
A path traversal vulnerability was discovered in YARD <= 0.9.19 when using
yard server
to serve documentation. This bug would allow unsanitized HTTP
requests to access arbitrary files on the machine of a yard server host under
certain conditions.
The issue is resolved in v0.9.20 and later.
Potential arbitrary file read vulnerability in yard server
high severity CVE-2017-17042>= 0.9.11
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
YARD's default template vulnerable to Cross-site Scripting in generated frames.html
medium severity CVE-2024-27285>= 0.9.36
Summary
The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.
Details
The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the "frames.erb" template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window's location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs.
Snippet from "frames.erb": (v0.9.34)
<script type="text/javascript">
var match = unescape(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
window.top.location = name;
</script>
(v0.9.35)
<script type="text/javascript">
var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
window.top.location.replace(name)
</script>
Impact
This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user's session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application's integrity.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
Author did not declare license for this gem in the gemspec.
This gem version has a MIT license in the source code, however it was not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.