!5 [sync] PR-4: update to 2.10.0

From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek
2022-03-31 01:28:23 +00:00 · 2022-03-31 01:28:23 +00:00 · b2e6733f4a
commit b2e6733f4a
parent ce23804a52 95a55b99d0
5 changed files with 13 additions and 98 deletions
--- a/loofah-2.10.0-test.tar.gz
+++ b/loofah-2.10.0-test.tar.gz
--- a/loofah-2.10.0.gem
+++ b/loofah-2.10.0.gem
--- a/loofah-2.2.3.gem
+++ b/loofah-2.2.3.gem
--- a/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+++ b/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
@ -1,83 +0,0 @@
 From 0c6617af440879ce97440f6eb6c58636456dc8ec Mon Sep 17 00:00:00 2001
 From: Mike Dalessio <mike.dalessio@gmail.com>
 Date: Wed, 9 Oct 2019 15:36:32 -0400
 Subject: [PATCH] mitigate XSS vulnerability in SVG animate attributes
 this addresses CVE-2019-15587
 see #171 for more information
 https://github.com/flavorjones/loofah/issues/171
 ---
 lib/loofah/html5/safelist.rb    |  3 ---
 test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
 2 files changed, 24 insertions(+), 9 deletions(-)
 diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
 index 8abd922..4b2b6dd 100644
 --- a/lib/loofah/html5/whitelist.rb
 +++ b/lib/loofah/html5/whitelist.rb
@@ -88,7 +88,7 @@
       SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
        arabic-form ascent attributeName attributeType baseProfile bbox begin
 -       by calcMode cap-height class clip-path clip-rule color
 +       calcMode cap-height class clip-path clip-rule color
        color-interpolation-filters color-rendering content cx cy d dx
        dy descent display dur end fill fill-opacity fill-rule
        filterRes filterUnits font-family
@@ -105,9 +105,9 @@
        stemv stop-color stop-opacity strikethrough-position
        strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
        stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
 -       stroke-width systemLanguage target text-anchor to transform type u1
 +       stroke-width systemLanguage target text-anchor transform type u1
        u2 underline-position underline-thickness unicode unicode-range
 -       units-per-em values version viewBox visibility width widths x
 +       units-per-em version viewBox visibility width widths x
        x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
        xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
        xmlns:xlink y y1 y2 zoomAndPan]
 diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
 index 16fccbb..cc6fc65 100644
 --- a/test/integration/test_ad_hoc.rb
 +++ b/test/integration/test_ad_hoc.rb
@@ -190,14 +190,32 @@ def test_dont_remove_whitespace_between_tags
       end
     end
 -    # see:
 -    # - https://github.com/flavorjones/loofah/issues/154
 -    # - https://hackerone.com/reports/429267
 -    context "xss protection from svg xmlns:xlink animate attribute" do
 -      it "sanitizes appropriate attributes" do
 -        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
 +    context "xss protection from svg animate attributes" do
 +      # see recommendation from https://html5sec.org/#137
 +      # to sanitize "to", "from", "values", and "by" attributes
 +
 +      it "sanitizes 'from', 'to', and 'by' attributes" do
 +        # for CVE-2018-16468
 +        # see:
 +        # - https://github.com/flavorjones/loofah/issues/154
 +        # - https://hackerone.com/reports/429267
 +        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26 by=5>}
 +
         sanitized = Loofah.scrub_fragment(html, :escape)
         assert_nil sanitized.at_css("animate")["from"]
 +        assert_nil sanitized.at_css("animate")["to"]
 +        assert_nil sanitized.at_css("animate")["by"]
 +      end
 +
 +      it "sanitizes 'values' attribute" do
 +        # for CVE-2019-15587
 +        # see:
 +        # - https://github.com/flavorjones/loofah/issues/171
 +        # - https://hackerone.com/reports/709009
 +        html = %Q{<svg> <animate href="#foo" attributeName="href" values="javascript:alert('xss')"/> <a id="foo"> <circle r=400 /> </a> </svg>}
 +
 +        sanitized = Loofah.scrub_fragment(html, :escape)
 +        assert_nil sanitized.at_css("animate")["values"]
       end
     end
   end
--- a/rubygem-loofah.spec
+++ b/rubygem-loofah.spec
@ -1,15 +1,17 @@
 %bcond_with bootstrap
 %global gem_name loofah
 Name:                rubygem-%{gem_name}
-Version:             2.2.3
+Version:             2.10.0
-Release:             2
+Release:             1
 Summary:             Manipulate and transform HTML/XML documents and fragments
 License:             MIT
 URL:                 https://github.com/flavorjones/loofah
 Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
-Patch0:              rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+# git clone https://github.com/flavorjones/loofah.git && cd loofah
 # git archive -v -o loofah-2.10.0-test.tar.gz v2.10.0 test/
 Source1:             %{gem_name}-%{version}-test.tar.gz
 BuildRequires:       ruby(release) rubygems-devel rubygem(nokogiri) >= 1.6.6.2 rubygem(minitest)
-BuildRequires:       rubygem(crass)
+BuildRequires:       rubygem(crass) rubygem(rr) ruby
 BuildArch:           noarch
 %description
 Loofah is a general library for manipulating and transforming HTML/XML
@ -27,8 +29,7 @@ BuildArch:           noarch
 Documentation for %{name}.
 %prep
-%setup -q -n %{gem_name}-%{version}
+%setup -q -n %{gem_name}-%{version} -b1
 %patch0 -p1
 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -38,16 +39,15 @@ gem build ../%{gem_name}-%{version}.gemspec
 mkdir -p %{buildroot}%{gem_dir}
 cp -a .%{gem_dir}/* \
        %{buildroot}%{gem_dir}/
-%if %{with bootstrap}
+
 %check
 pushd .%{gem_instdir}
 cp -a %{_builddir}/test .
 ruby -Itest -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
 popd
 %endif
 %files
 %dir %{gem_instdir}
 %exclude %{gem_instdir}/.*
 %license %{gem_instdir}/MIT-LICENSE.txt
 %{gem_libdir}
 %exclude %{gem_cache}
@ -56,15 +56,13 @@ popd
 %files doc
 %doc %{gem_docdir}
 %doc %{gem_instdir}/CHANGELOG.md
 %{gem_instdir}/Gemfile
 %doc %{gem_instdir}/Manifest.txt
 %doc %{gem_instdir}/README.md
 %{gem_instdir}/Rakefile
 %doc %{gem_instdir}/SECURITY.md
 %{gem_instdir}/benchmark
 %{gem_instdir}/test
 %changelog
 * Thu Mar 03 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 2.10.0-1
 - update to 2.10.0
 * Sat Sep 5 2020 yanan li <liyanan032@huawei.com> - 2.2.3-2
 - Fix build fail