packages/rubygem-loofah
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

first push

Browse Source
This commit is contained in:
GYN 2020-08-21 15:11:18 +08:00
parent d1eaaa06b4
commit b56ddee557
4 changed files with 154 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
loofah-2.2.3.gem Normal file
View File

Binary file not shown.

83
rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch Normal file
View File

@ -0,0 +1,83 @@
From 0c6617af440879ce97440f6eb6c58636456dc8ec Mon Sep 17 00:00:00 2001
From: Mike Dalessio <mike.dalessio@gmail.com>
Date: Wed, 9 Oct 2019 15:36:32 -0400
Subject: [PATCH] mitigate XSS vulnerability in SVG animate attributes
this addresses CVE-2019-15587
see #171 for more information
https://github.com/flavorjones/loofah/issues/171
---
lib/loofah/html5/safelist.rb | 3 ---
test/integration/test_ad_hoc.rb | 30 ++++++++++++++++++++++++------
2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/lib/loofah/html5/safelist.rb b/lib/loofah/html5/safelist.rb
index 8abd922..4b2b6dd 100644
--- a/lib/loofah/html5/whitelist.rb
+++ b/lib/loofah/html5/whitelist.rb
@@ -88,7 +88,7 @@
SVG_ATTRIBUTES = Set.new %w[accent-height accumulate additive alphabetic
arabic-form ascent attributeName attributeType baseProfile bbox begin
- by calcMode cap-height class clip-path clip-rule color
+ calcMode cap-height class clip-path clip-rule color
color-interpolation-filters color-rendering content cx cy d dx
dy descent display dur end fill fill-opacity fill-rule
filterRes filterUnits font-family
@@ -105,9 +105,9 @@
stemv stop-color stop-opacity strikethrough-position
strikethrough-thickness stroke stroke-dasharray stroke-dashoffset
stroke-linecap stroke-linejoin stroke-miterlimit stroke-opacity
- stroke-width systemLanguage target text-anchor to transform type u1
+ stroke-width systemLanguage target text-anchor transform type u1
u2 underline-position underline-thickness unicode unicode-range
- units-per-em values version viewBox visibility width widths x
+ units-per-em version viewBox visibility width widths x
x-height x1 x2 xlink:actuate xlink:arcrole xlink:href xlink:role
xlink:show xlink:title xlink:type xml:base xml:lang xml:space xmlns
xmlns:xlink y y1 y2 zoomAndPan]
diff --git a/test/integration/test_ad_hoc.rb b/test/integration/test_ad_hoc.rb
index 16fccbb..cc6fc65 100644
--- a/test/integration/test_ad_hoc.rb
+++ b/test/integration/test_ad_hoc.rb
@@ -190,14 +190,32 @@ def test_dont_remove_whitespace_between_tags
end
end
- # see:
- # - https://github.com/flavorjones/loofah/issues/154
- # - https://hackerone.com/reports/429267
- context "xss protection from svg xmlns:xlink animate attribute" do
- it "sanitizes appropriate attributes" do
- html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
+ context "xss protection from svg animate attributes" do
+ # see recommendation from https://html5sec.org/#137
+ # to sanitize "to", "from", "values", and "by" attributes
+
+ it "sanitizes 'from', 'to', and 'by' attributes" do
+ # for CVE-2018-16468
+ # see:
+ # - https://github.com/flavorjones/loofah/issues/154
+ # - https://hackerone.com/reports/429267
+ html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26 by=5>}
+
sanitized = Loofah.scrub_fragment(html, :escape)
assert_nil sanitized.at_css("animate")["from"]
+ assert_nil sanitized.at_css("animate")["to"]
+ assert_nil sanitized.at_css("animate")["by"]
+ end
+
+ it "sanitizes 'values' attribute" do
+ # for CVE-2019-15587
+ # see:
+ # - https://github.com/flavorjones/loofah/issues/171
+ # - https://hackerone.com/reports/709009
+ html = %Q{<svg> <animate href="#foo" attributeName="href" values="javascript:alert('xss')"/> <a id="foo"> <circle r=400 /> </a> </svg>}
+
+ sanitized = Loofah.scrub_fragment(html, :escape)
+ assert_nil sanitized.at_css("animate")["values"]
end
end
end

67
rubygem-loofah.spec Normal file
View File

@ -0,0 +1,67 @@
%global gem_name loofah
Name: rubygem-%{gem_name}
Version: 2.2.3
Release: 1
Summary: Manipulate and transform HTML/XML documents and fragments
License: MIT
URL: https://github.com/flavorjones/loofah
Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
Patch0: rubygem-loofah-2.3.1-CVE-2019-15587-mitigate-XSS-vulnerability-in-SVG-animate-attributes.patch
BuildRequires: ruby(release) rubygems-devel rubygem(nokogiri) >= 1.6.6.2 rubygem(minitest)
BuildRequires: rubygem(crass)
BuildArch: noarch
%description
Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.
Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your codes less secure.
%package doc
Summary: Documentation for %{name}
Requires: %{name} = %{version}-%{release}
BuildArch: noarch
%description doc
Documentation for %{name}.
%prep
%setup -q -n %{gem_name}-%{version}
%patch0 -p1
%build
gem build ../%{gem_name}-%{version}.gemspec
%gem_install
%install
mkdir -p %{buildroot}%{gem_dir}
cp -a .%{gem_dir}/* \
%{buildroot}%{gem_dir}/
%check
pushd .%{gem_instdir}
ruby -Itest -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
popd
%files
%dir %{gem_instdir}
%exclude %{gem_instdir}/.*
%license %{gem_instdir}/MIT-LICENSE.txt
%{gem_libdir}
%exclude %{gem_cache}
%{gem_spec}
%files doc
%doc %{gem_docdir}
%doc %{gem_instdir}/CHANGELOG.md
%{gem_instdir}/Gemfile
%doc %{gem_instdir}/Manifest.txt
%doc %{gem_instdir}/README.md
%{gem_instdir}/Rakefile
%doc %{gem_instdir}/SECURITY.md
%{gem_instdir}/benchmark
%{gem_instdir}/test
%changelog
* Tue Aug 18 2020 geyanan <geyanan2@huawei.com> - 2.2.3-1
- package init

4
rubygem-loofah.yaml Normal file
View File

@ -0,0 +1,4 @@
version_control: github
src_repo: flavorjones/loofah
tag_prefix: "v"
seperator: "."