first push

2020-08-21 15:11:18 +08:00 · 2020-08-21 15:11:18 +08:00 · b56ddee557
commit b56ddee557
parent d1eaaa06b4
4 changed files with 154 additions and 0 deletions
--- a/loofah-2.2.3.gem
+++ b/loofah-2.2.3.gem
--- a/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+++ b/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
@ -0,0 +1,83 @@
+From 0c6617af440879ce97440f6eb6c58636456dc8ec Mon Sep 17 00:00:00 2001
+From: Mike Dalessio <mike.dalessio@gmail.com>
+Date: Wed, 9 Oct 2019 15:36:32 -0400
+Subject: [PATCH] mitigate XSS vulnerability in SVG animate attributes
+
+this addresses CVE-2019-15587
+
+see #171 for more information
+
+https://github.com/flavorjones/loofah/issues/171
+---
+ lib/loofah/html5/safelist.rb    |  3 ---
+ test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
+ 2 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
+index 8abd922..4b2b6dd 100644
+--- a/lib/loofah/html5/whitelist.rb
+++ b/lib/loofah/html5/whitelist.rb
+@@ -88,7 +88,7 @@
+ 
+       SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
+        arabic-form ascent attributeName attributeType baseProfile bbox begin
+-       by calcMode cap-height class clip-path clip-rule color
+       calcMode cap-height class clip-path clip-rule color
+        color-interpolation-filters color-rendering content cx cy d dx
+        dy descent display dur end fill fill-opacity fill-rule
+        filterRes filterUnits font-family
+@@ -105,9 +105,9 @@
+        stemv stop-color stop-opacity strikethrough-position
+        strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
+        stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
+-       stroke-width systemLanguage target text-anchor to transform type u1
+       stroke-width systemLanguage target text-anchor transform type u1
+        u2 underline-position underline-thickness unicode unicode-range
+-       units-per-em values version viewBox visibility width widths x
+       units-per-em version viewBox visibility width widths x
+        x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
+        xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
+        xmlns:xlink y y1 y2 zoomAndPan]
+diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
+index 16fccbb..cc6fc65 100644
+--- a/test/integration/test_ad_hoc.rb
+++ b/test/integration/test_ad_hoc.rb
+@@ -190,14 +190,32 @@ def test_dont_remove_whitespace_between_tags
+       end
+     end
+ 
+-    # see:
+-    # - https://github.com/flavorjones/loofah/issues/154
+-    # - https://hackerone.com/reports/429267
+-    context "xss protection from svg xmlns:xlink animate attribute" do
+-      it "sanitizes appropriate attributes" do
+-        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
+    context "xss protection from svg animate attributes" do
+      # see recommendation from https://html5sec.org/#137
+      # to sanitize "to", "from", "values", and "by" attributes
+
+      it "sanitizes 'from', 'to', and 'by' attributes" do
+        # for CVE-2018-16468
+        # see:
+        # - https://github.com/flavorjones/loofah/issues/154
+        # - https://hackerone.com/reports/429267
+        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26 by=5>}
+
+         sanitized = Loofah.scrub_fragment(html, :escape)
+         assert_nil sanitized.at_css("animate")["from"]
+        assert_nil sanitized.at_css("animate")["to"]
+        assert_nil sanitized.at_css("animate")["by"]
+      end
+
+      it "sanitizes 'values' attribute" do
+        # for CVE-2019-15587
+        # see:
+        # - https://github.com/flavorjones/loofah/issues/171
+        # - https://hackerone.com/reports/709009
+        html = %Q{<svg> <animate href="#foo" attributeName="href" values="javascript:alert('xss')"/> <a id="foo"> <circle r=400 /> </a> </svg>}
+
+        sanitized = Loofah.scrub_fragment(html, :escape)
+        assert_nil sanitized.at_css("animate")["values"]
+       end
+     end
+   end
--- a/rubygem-loofah.spec
+++ b/rubygem-loofah.spec
@ -0,0 +1,67 @@
+%global gem_name loofah
+Name:                rubygem-%{gem_name}
+Version:             2.2.3
+Release:             1
+Summary:             Manipulate and transform HTML/XML documents and fragments
+License:             MIT
+URL:                 https://github.com/flavorjones/loofah
+Source0:             https://rubygems.org/gems/%{gem_name}-%{version}.gem
+Patch0:              rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+BuildRequires:       ruby(release) rubygems-devel rubygem(nokogiri) >= 1.6.6.2 rubygem(minitest)
+BuildRequires:       rubygem(crass)
+BuildArch:           noarch
+%description
+Loofah is a general library for manipulating and transforming HTML/XML
+documents and fragments. It's built on top of Nokogiri and libxml2, so
+it's fast and has a nice API.
+Loofah excels at HTML sanitization (XSS prevention). It includes some
+nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
+most likely won't make your codes less secure.
+
+%package doc
+Summary:             Documentation for %{name}
+Requires:            %{name} = %{version}-%{release}
+BuildArch:           noarch
+%description doc
+Documentation for %{name}.
+
+%prep
+%setup -q -n %{gem_name}-%{version}
+%patch0 -p1
+
+%build
+gem build ../%{gem_name}-%{version}.gemspec
+%gem_install
+
+%install
+mkdir -p %{buildroot}%{gem_dir}
+cp -a .%{gem_dir}/* \
+        %{buildroot}%{gem_dir}/
+
+%check
+pushd .%{gem_instdir}
+ruby -Itest -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
+popd
+
+%files
+%dir %{gem_instdir}
+%exclude %{gem_instdir}/.*
+%license %{gem_instdir}/MIT-LICENSE.txt
+%{gem_libdir}
+%exclude %{gem_cache}
+%{gem_spec}
+
+%files doc
+%doc %{gem_docdir}
+%doc %{gem_instdir}/CHANGELOG.md
+%{gem_instdir}/Gemfile
+%doc %{gem_instdir}/Manifest.txt
+%doc %{gem_instdir}/README.md
+%{gem_instdir}/Rakefile
+%doc %{gem_instdir}/SECURITY.md
+%{gem_instdir}/benchmark
+%{gem_instdir}/test
+
+%changelog
+* Tue Aug 18 2020 geyanan <geyanan2@huawei.com> - 2.2.3-1
+- package init
--- a/rubygem-loofah.yaml
+++ b/rubygem-loofah.yaml
@ -0,0 +1,4 @@
+version_control: github
+src_repo: flavorjones/loofah
+tag_prefix: "v"
+seperator: "."