
🚨 [security] Update kaminari: 1.1.1 → 1.2.1 (minor) #165

Closed
wants to merge 1 commit into from

Conversation

depfu[bot]
Contributor

@depfu depfu bot commented May 30, 2020


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ kaminari (1.1.1 → 1.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 Cross-Site Scripting in Kaminari via `original_script_name` parameter

Impact

There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.

For example, an attacker could craft pagination links that link to another domain or host:
https://example.com/posts?page=4&original_script_name=https://another-host.example.com

In addition, an attacker could also craft pagination links that include JavaScript code that runs when a user clicks the link:
https://example.com/posts?page=4&original_script_name=javascript:alert(42)%3b//

Releases

The 1.2.1 gem including the patch has already been released.
All past released versions are affected by this vulnerability.

Workarounds

Application developers who can't update the gem can work around the issue by overriding the PARAM_KEY_EXCEPT_LIST constant.

module Kaminari::Helpers
  PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
end
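To make the advisory's point concrete, here is an added example (not Kaminari's own code) that models a pagination helper which forwards request params to a url_for-style builder. It assumes, as the workaround implies, that the pre-fix except-list lacked :original_script_name, and it treats a script_name / original_script_name option as a verbatim path prefix, which is the behaviour the advisory describes; url_for, page_url, parse_query and same_origin_path? are names chosen for this example.

```ruby
require 'uri'

# Added example, not Kaminari's own code: a simplified model of a pagination
# helper that forwards request params to url_for, showing why the
# original_script_name parameter had to be added to the except-list.

# Patched except-list as quoted in the advisory's workaround.
PATCHED_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method,
                       :script_name, :original_script_name].freeze

# Assumed pre-fix list: the workaround implies it lacked :original_script_name.
PRE_FIX_EXCEPT_LIST = (PATCHED_EXCEPT_LIST - [:original_script_name]).freeze

# Stand-in for Rails' url_for: a script_name / original_script_name option is
# used verbatim as the path prefix, which is the behaviour the advisory describes.
def url_for(path, options)
  opts     = options.dup
  original = opts.delete(:original_script_name)
  script   = opts.delete(:script_name)
  prefix   = original || script || ''
  query    = URI.encode_www_form(opts.sort_by { |k, _| k.to_s })
  query.empty? ? "#{prefix}#{path}" : "#{prefix}#{path}?#{query}"
end

# Pagination link builder: keeps every request param not on the except-list,
# overrides :page, and hands the result to url_for.
def page_url(request_params, page, except_list)
  kept = request_params.each_with_object({}) do |(key, value), acc|
    acc[key.to_sym] = value unless except_list.include?(key.to_sym)
  end
  url_for('/posts', kept.merge(page: page))
end

# Turns a raw query string into a params hash (string keys, like Rails params).
def parse_query(query_string)
  URI.decode_www_form(query_string).to_h
end

# Defensive check for generated pagination hrefs: a pagination link should be
# a same-origin absolute path, never protocol-relative or a different scheme.
def same_origin_path?(href)
  href.start_with?('/') && !href.start_with?('//')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request query strings, taken from the advisory's two examples.
  hostile = [
    'page=4&original_script_name=https://another-host.example.com',
    'page=4&original_script_name=javascript:alert(42)%3b//'
  ]
  hostile.each do |qs|
    params = parse_query(qs)
    [['pre-fix', PRE_FIX_EXCEPT_LIST], ['patched', PATCHED_EXCEPT_LIST]].each do |label, list|
      href = page_url(params, 5, list)
      puts format('%-8s %-45s same-origin=%s', label, href, same_origin_path?(href))
    end
  end
end
```

With the pre-fix list the generated href leaves the application's origin (or switches to the javascript: scheme); with the patched list the hostile parameter is dropped and the link stays a plain /posts?page=5. The same_origin_path? check is the kind of assertion worth keeping in a view test even after upgrading, since any helper that merges request params into url_for has the same failure mode.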

Release Notes

1.2.1 (from changelog)

Security Fixes:

Bug Fixes:

  • Fixed a couple of grouped total_count regressions by reverting #979

1.2.0 (from changelog)

Deprecations:

  • Deprecated current_per_page in favor of limit_value

Enhancements:

  • Added #url_to_next_page and #url_to_prev_page helper methods: 38e95a2
  • Extracted url helper methods and packed them in Kaminari::Helpers::UrlHelper: ff38bee
  • Improved performance of total_count for grouped queries by explicitly giving SQL select clause #979 [@MmKolodziej]
  • Added LIMIT to total_count query when max_pages is present #981 [@rymai]

Bug Fixes:

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ builder (indirect, 3.2.3 → 3.2.4) · Repo · Changelog

↗️ crass (indirect, 1.0.4 → 1.0.6) · Repo · Changelog

Release Notes

1.0.6

  • Number values are now limited to a maximum of Float::MAX and a minimum of negative Float::MAX. (#11)

  • Added project metadata to the gemspec. (#9 - @orien)

1.0.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ kaminari-actionview (indirect, 1.1.1 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

Security Fixes:

Bug Fixes:

  • Fixed a couple of grouped total_count regressions by reverting #979

1.2.0 (from changelog)

Deprecations:

  • Deprecated current_per_page in favor of limit_value

Enhancements:

  • Added #url_to_next_page and #url_to_prev_page helper methods: 38e95a2
  • Extracted url helper methods and packed them in Kaminari::Helpers::UrlHelper: ff38bee
  • Improved performance of total_count for grouped queries by explicitly giving SQL select clause #979 [@MmKolodziej]
  • Added LIMIT to total_count query when max_pages is present #981 [@rymai]

Bug Fixes:

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ kaminari-activerecord (indirect, 1.1.1 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

Security Fixes:

Bug Fixes:

  • Fixed a couple of grouped total_count regressions by reverting #979

1.2.0 (from changelog)

Deprecations:

  • Deprecated current_per_page in favor of limit_value

Enhancements:

  • Added #url_to_next_page and #url_to_prev_page helper methods: 38e95a2
  • Extracted url helper methods and packed them in Kaminari::Helpers::UrlHelper: ff38bee
  • Improved performance of total_count for grouped queries by explicitly giving SQL select clause #979 [@MmKolodziej]
  • Added LIMIT to total_count query when max_pages is present #981 [@rymai]

Bug Fixes:

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ kaminari-core (indirect, 1.1.1 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

Security Fixes:

Bug Fixes:

  • Fixed a couple of grouped total_count regressions by reverting #979

1.2.0 (from changelog)

Deprecations:

  • Deprecated current_per_page in favor of limit_value

Enhancements:

  • Added #url_to_next_page and #url_to_prev_page helper methods: 38e95a2
  • Extracted url helper methods and packed them in Kaminari::Helpers::UrlHelper: ff38bee
  • Improved performance of total_count for grouped queries by explicitly giving SQL select clause #979 [@MmKolodziej]
  • Added LIMIT to total_count query when max_pages is present #981 [@rymai]

Bug Fixes:

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.2.3 → 2.5.0) · Repo · Changelog

Security Advisories 🚨

🚨 Loofah XSS Vulnerability

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in
sanitized output when a crafted SVG element is republished.

Release Notes

2.5.0 (from changelog)

Features

  • Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

  • Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes

2.4.0

2.4.0 / 2019-11-25

Features

  • Allow CSS property max-width [#175] (Thanks, @bchaney!)
  • Allow CSS sizes expressed in rem [#176, #177]
  • Add frozen_string_literal: true magic comment to all lib files. [#118]

2.3.1

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at #171

2.3.0 (from changelog)

Features

  • Expand set of allowed protocols to include tel: and line:. [#104, #147]
  • Expand set of allowed CSS functions. [related to #122]
  • Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
  • Allow CSS property list-style [#162] (Thanks, @jaredbeck!)
  • Allow CSS keywords thick and thin [#168] (Thanks, @georgeclaghorn!)
  • Allow HTML property contenteditable [#167] (Thanks, @andreynering!)

Bug fixes

  • CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

  • Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
  • Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
  • Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.11.3 → 5.14.1) · Repo · Changelog

Release Notes

5.14.0 (from changelog)

  • 2 minor enhancements:

    • Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)

    • Changed assert_raises to only catch Assertion since that covers Skip and friends.

  • 3 bug fixes:

    • Added example for value wrapper with block to Expectations module. (stomar)

    • Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)

    • Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)

5.13.0 (from changelog)

  • 9 minor enhancements:

    • Added Minitest::Guard#osx?

    • Added examples to documentation for assert_raises. (lxxxvi)

    • Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.

    • Added fail_after(year, month, day, msg) to allow time-bombing after a deadline.

    • Added skip_until(year, month, day, msg) to allow deferring until a deadline.

    • Deprecated Minitest::Guard#maglev?

    • Deprecated Minitest::Guard#rubinius?

    • Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)

    • Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)

  • 3 bug fixes:

    • Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)

    • Improved documentation for _/value/expect, especially for blocks. (svoop)

    • Support new Proc#to_s format. (ko1)

5.12.2 (from changelog)

  • 1 bug fix:

    • After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.

5.12.1 (from changelog)

  • 1 minor enhancement:

    • Added documentation for Reporter classes. (sshaw)

  • 3 bug fixes:

    • Avoid using 'match?' to support older ruby versions. (y-yagi)

    • Fixed broken link to reference on goodness-of-fit testing. (havenwood)

    • Update requirements in readme and Rakefile/hoe spec.

5.12.0 (from changelog)

  • 8 minor enhancements:

    • Added a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)

    • Changed mu_pp_for_diff to make having both n and \n easier to debug.

    • Deprecated $N for specifying number of parallel test runners. Use MT_CPU.

    • Deprecated use of global expectations. To be removed from MT6.

    • Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.

    • Extended Assertions#mu_pp to output encoding and validity if invalid to improve diffs.

    • Extended Assertions#mu_pp_for_diff to make escaped newlines more obvious in diffs.

    • Fail gracefully when expectation used outside of `it`.

  • 3 bug fixes:

    • Check `option` klass before match. Fixes 2.6 warning. (y-yagi)

    • Fixed Assertions#diff from recalculating if set to nil

    • Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.1 → 1.10.9) · Repo · Changelog

Security Advisories 🚨

🚨 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

🚨 Nokogiri gem, via libxslt, is affected by multiple vulnerabilities

Nokogiri v1.10.5 has been released.

This is a security release. It addresses three CVEs in upstream libxml2,
for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
these vulnerabilities.

Full details about the security update are available in Github Issue #1943.


CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings
could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This
could allow an attacker to discern whether a byte on the stack contains the
characters A, a, I, i, or 0, or any other character.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1


CVE-2019-13118

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
xsl:number instruction was too narrow and an invalid character/length
combination could be passed to xsltNumberFormatDecimal, leading to a read
of uninitialized stack data.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b


CVE-2019-18197

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html

Priority: Medium

Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't
reset under certain circumstances. If the relevant memory area happened to
be freed and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

🚨 Nokogiri Command Injection Vulnerability

🚨 Nokogiri gem, via libxslt, is affected by improper access control vulnerability

Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as
"Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More
details are available below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time, though
you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that this patch is not yet (as
of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in Github Issue #1892.


CVE-2019-11068

Permalinks are:

Description:

libxslt through 1.1.33 allows bypass of a protection mechanism
because callers of xsltCheckRead and xsltCheckWrite permit access
even upon receiving a -1 error code. xsltCheckRead can return -1 for
a crafted URL that is not actually invalid and is subsequently
loaded.

Canonical rates this as "Priority: Medium".

Debian rates this as "NVD Severity: High (attack range: remote)".

Release Notes

1.10.9

1.10.9 / 2020-03-01

Fixed

  • [MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [#1985, #2001]
  • [JRuby] Change NodeSet#to_a to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [#1968, #1969] (Thanks, @headius!)

1.10.8

1.10.8 / 2020-02-10

Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

1.10.7

1.10.7 / 2019-12-03

Bug

  • [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. [#1954]

1.10.6

1.10.6 / 2019-12-03

Bug

  • [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @nurse!)

1.10.5

1.10.5 / 2019-10-31

Dependencies

  • [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
  • [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is #1915
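The CVE-2019-5477 notice turns on a Ruby pitfall worth seeing in isolation: Kernel#open interprets a leading "|" as a command to run in a subprocess, whereas File.open treats its argument purely as a filesystem path. The following is an added example, not Nokogiri's or Rexical's code; read_file_safely and first_line are names chosen here, and the sample file content is constructed.

```ruby
require 'tempfile'

# Added example, not Nokogiri's or Rexical's code: a small loader that must
# never spawn a process from its argument, contrasting File.open with the
# Kernel#open behaviour behind CVE-2019-5477.

# Loads file contents for parsing. File.open treats its argument purely as a
# filesystem path; Kernel#open would instead interpret a leading "|" as a
# command to run in a subprocess, which is what the undocumented
# Tokenizer#load_file exposed when handed untrusted input.
def read_file_safely(path)
  raise ArgumentError, 'path must be a String' unless path.is_a?(String)
  raise ArgumentError, "refusing pipe-style argument: #{path.inspect}" if path.start_with?('|')
  raise ArgumentError, "not a regular file: #{path.inspect}" unless File.file?(path)
  File.open(path, 'rb') { |f| f.read }
end

# Returns the first line of the loaded file (a constructed stand-in for the
# first thing a lexer would see; not Rexical's scanner).
def first_line(path)
  read_file_safely(path).lines.first.to_s.chomp
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a one-line CSS selector written to a temp file.
  Tempfile.create('rules') do |f|
    f.write("div > p.intro\n")
    f.flush
    puts first_line(f.path)
  end
  begin
    read_file_safely('|true')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The explicit "|" check is belt-and-braces: File.open would already fail with ENOENT for such a string, but rejecting it up front keeps the intent visible to the next reader and to a linter, and the File.file? check additionally refuses directories, FIFOs and device nodes.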

1.10.3

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2

1.10.2 / 2019-03-24

Security

  • [MRI] Remove support from vendored libxml2 for future script macros. [#1871]
  • [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877]

Bug fixes

  • [JRuby] Fix node ownership in duplicated documents. [#1060]
  • [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @adjam!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.0.4 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0

  • Address deprecations in Loofah 2.3.0.

    Josh Goodall

1.2.0

  • Remove needless white_list_sanitizer deprecation.

    By deprecating this, we were forcing Rails 5.2 to be updated or spew
    deprecations that users could do nothing about.

    That's pointless and I'm sorry for adding that!

    Now there's no deprecation warning and Rails 5.2 works out of the box, while
    Rails 6 can use the updated naming.

    Kasper Timm Hansen

1.1.0

  • Add safe_list_sanitizer and deprecate white_list_sanitizer to be removed
    in 1.2.0. #87

    Juanito Fatas

  • Remove href from LinkScrubber's tags as it's not an element.
    #92

    Juanito Fatas

  • Explain that we don't need to bump Loofah here if there's CVEs.
    d4d823c

    Kasper Timm Hansen

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.5 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

1.2.6

  • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
  • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
  • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
  • Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label May 30, 2020
@depfu
Contributor Author

depfu bot commented Dec 26, 2021

Closed in favor of #193.

@depfu depfu bot closed this Dec 26, 2021
@depfu depfu bot deleted the depfu/update/kaminari-1.2.1 branch December 26, 2021 05:51