diff --git a/loofah-2.2.3.gem b/loofah-2.2.3.gem
new file mode 100644
index 0000000..4c70d92
Binary files /dev/null and b/loofah-2.2.3.gem differ
diff --git a/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch b/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
new file mode 100644
index 0000000..6e099e2
--- /dev/null
+++ b/rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
@@ -0,0 +1,83 @@
+From 0c6617af440879ce97440f6eb6c58636456dc8ec Mon Sep 17 00:00:00 2001
+From: Mike Dalessio
+Date: Wed, 9 Oct 2019 15:36:32 -0400
+Subject: [PATCH] mitigate XSS vulnerability in SVG animate attributes
+
+this addresses CVE-2019-15587
+
+see #171 for more information
+
+https://github.com/flavorjones/loofah/issues/171
+---
+ lib/loofah/html5/safelist.rb | 3 ---
+ test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
+ 2 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
+index 8abd922..4b2b6dd 100644
+--- a/lib/loofah/html5/whitelist.rb
++++ b/lib/loofah/html5/whitelist.rb
+@@ -88,7 +88,7 @@
+
+ SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
+ arabic-form ascent attributeName attributeType baseProfile bbox begin
+- by calcMode cap-height class clip-path clip-rule color
++ calcMode cap-height class clip-path clip-rule color
+ color-interpolation-filters color-rendering content cx cy d dx
+ dy descent display dur end fill fill-opacity fill-rule
+ filterRes filterUnits font-family
+@@ -105,9 +105,9 @@
+ stemv stop-color stop-opacity strikethrough-position
+ strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
+ stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
+- stroke-width systemLanguage target text-anchor to transform type u1
++ stroke-width systemLanguage target text-anchor transform type u1
+ u2 underline-position underline-thickness unicode unicode-range
+- units-per-em values version viewBox visibility width widths x
++ units-per-em version viewBox visibility width widths x
+ x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
+ xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
+ xmlns:xlink y y1 y2 zoomAndPan]
+diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
+index 16fccbb..cc6fc65 100644
+--- a/test/integration/test_ad_hoc.rb
++++ b/test/integration/test_ad_hoc.rb
+@@ -190,14 +190,32 @@ def test_dont_remove_whitespace_between_tags
+ end
+ end
+
+- # see:
+- # - https://github.com/flavorjones/loofah/issues/154
+- # - https://hackerone.com/reports/429267
+- context "xss protection from svg xmlns:xlink animate attribute" do
+- it "sanitizes appropriate attributes" do
+- html = %Q{}
++ context "xss protection from svg animate attributes" do
++ # see recommendation from https://html5sec.org/#137
++ # to sanitize "to", "from", "values", and "by" attributes
++
++ it "sanitizes 'from', 'to', and 'by' attributes" do
++ # for CVE-2018-16468
++ # see:
++ # - https://github.com/flavorjones/loofah/issues/154
++ # - https://hackerone.com/reports/429267
++ html = %Q{}
++
+ sanitized = Loofah.scrub_fragment(html, :escape)
+ assert_nil sanitized.at_css("animate")["from"]
++ assert_nil sanitized.at_css("animate")["to"]
++ assert_nil sanitized.at_css("animate")["by"]
++ end
++
++ it "sanitizes 'values' attribute" do
++ # for CVE-2019-15587
++ # see:
++ # - https://github.com/flavorjones/loofah/issues/171
++ # - https://hackerone.com/reports/709009
++ html = %Q{ }
++
++ sanitized = Loofah.scrub_fragment(html, :escape)
++ assert_nil sanitized.at_css("animate")["values"]
+ end
+ end
+ end
diff --git a/rubygem-loofah.spec b/rubygem-loofah.spec
new file mode 100644
index 0000000..11977ea
--- /dev/null
+++ b/rubygem-loofah.spec
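Review bot: The backported patch's headers disagree with each other: the `diff --git` line and the diffstat name `lib/loofah/html5/safelist.rb` (the upstream 2.3.1 name) while the `---`/`+++` lines name `lib/loofah/html5/whitelist.rb` (the name this 2.2.3 package actually carries), and the `index 8abd922..4b2b6dd` blob ids are upstream's too. Which name `patch -p1` honours for a git-style header is version dependent, so make them agree by editing the header to `diff --git a/lib/loofah/html5/whitelist.rb b/lib/loofah/html5/whitelist.rb` and the diffstat to ` lib/loofah/html5/whitelist.rb | 3 ---`. The hunk offsets `@@ -88,7 +88,7 @@` and `@@ -105,9 +105,9 @@` are likewise 2.3.1 offsets; confirm in the build log that both safelist hunks apply to 2.2.3 without fuzz, because a silently skipped hunk would leave `to`, `by` or `values` in SVG_ATTRIBUTES and the whole point of Patch0 with it. As rendered here the two `html = %Q{}` fixtures are empty, which would make `sanitized.at_css("animate")` return nil and the test raise rather than pass; this is presumably markup lost in rendering, but verify the file on disk still contains the animate fixtures, since those tests are the only check that the backport works.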
@@ -0,0 +1,67 @@
+%global gem_name loofah
+Name: rubygem-%{gem_name}
+Version: 2.2.3
+Release: 1
+Summary: Manipulate and transform HTML/XML documents and fragments
+License: MIT
+URL: https://github.com/flavorjones/loofah
+Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
+Patch0: rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
+BuildRequires: ruby(release) rubygems-devel rubygem(nokogiri) >= 1.6.6.2 rubygem(minitest)
+BuildRequires: rubygem(crass)
+BuildArch: noarch
+%description
+Loofah is a general library for manipulating and transforming HTML/XML
+documents and fragments. It's built on top of Nokogiri and libxml2, so
+it's fast and has a nice API.
+Loofah excels at HTML sanitization (XSS prevention). It includes some
+nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
+most likely won't make your codes less secure.
+
+%package doc
+Summary: Documentation for %{name}
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
+%description doc
+Documentation for %{name}.
+
+%prep
+%setup -q -n %{gem_name}-%{version}
+%patch0 -p1
+
+%build
+gem build ../%{gem_name}-%{version}.gemspec
+%gem_install
+
+%install
+mkdir -p %{buildroot}%{gem_dir}
+cp -a .%{gem_dir}/* \
+ %{buildroot}%{gem_dir}/
+
+%check
+pushd .%{gem_instdir}
+ruby -Itest -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
+popd
+
+%files
+%dir %{gem_instdir}
+%exclude %{gem_instdir}/.*
+%license %{gem_instdir}/MIT-LICENSE.txt
+%{gem_libdir}
+%exclude %{gem_cache}
+%{gem_spec}
+
+%files doc
+%doc %{gem_docdir}
+%doc %{gem_instdir}/CHANGELOG.md
+%{gem_instdir}/Gemfile
+%doc %{gem_instdir}/Manifest.txt
+%doc %{gem_instdir}/README.md
+%{gem_instdir}/Rakefile
+%doc %{gem_instdir}/SECURITY.md
+%{gem_instdir}/benchmark
+%{gem_instdir}/test
+
+%changelog
+* Tue Aug 18 2020 geyanan - 2.2.3-1
+- package init
diff --git a/rubygem-loofah.yaml b/rubygem-loofah.yaml
new file mode 100644
index 0000000..6c0e639
--- /dev/null
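Review bot: The %changelog entry `- package init` does not record that Patch0 backports the CVE-2019-15587 fix, which is exactly what a downstream vulnerability audit of a 2.2.3 package will look for; add a line such as `- backport upstream fix for CVE-2019-15587 (XSS via SVG animate attributes)` under the 2.2.3-1 entry. Patch0 is hand-adapted from upstream 2.3.1 (its name and headers still say 2.3.1/safelist.rb), so `%patch0 -p1` may apply it with fuzz against 2.2.3 without failing the build; `%patch0 -p1 -F0` makes such a mismatch fatal instead of silent. The %check stage is the only thing that proves the backport took effect, because the patched test asserts the `values` attribute is stripped from animate elements, so it should stay enabled and not be conditionally skipped in later revisions.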
+++ b/rubygem-loofah.yaml
@@ -0,0 +1,4 @@
+version_control: github
+src_repo: flavorjones/loofah
+tag_prefix: "v"
+seperator: "."