🚨 [security] Update httparty 0.13.3 → 0.21.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ httparty (indirect, 0.13.3 → 0.21.0) · Repo · Changelog

Security Advisories 🚨

🚨 httparty has multipart/form-data request tampering vulnerability

"multipart/form-data request tampering vulnerability"
caused by Content-Disposition "filename" lack of escaping in httparty.

httparty/lib/httparty/request > body.rb > def generate_multipart

httparty/lib/httparty/request/body.rb

Line 43 in 4416141

    <tbody>

memo << %(; filename="#{file_name(value)}") if file?(value)

By exploiting this problem, the following attacks are possible

• An attack that rewrites the "name" field according to the crafted file
  name, impersonating (overwriting) another field.
• Attacks that rewrite the filename extension at the time multipart/form-data
  is generated by tampering with the filename.

🚨 httparty has multipart/form-data request tampering vulnerability

HTTP multipart/form-data request tampering vulnerability in httparty < 0.20.0,
due to lack of proper escaping of double quotes within the filename attribute
of the Content-Disposition header. If the Content-Disposition header is set to
"form-data" and contains the "filename" attribute, and the "filename"
attribute contains a double quote followed by additional attributes, then
those attributes will be parsed as Content-Disposition attributes and will
override the Content-Disposition header's previous attributes.

Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

Release Notes

0.21.0 (from changelog)

• escape filename in the multipart/form-data Content-Disposition header
• Fix request marshaling
• Replace mime-types with mini_mime

0.20.0 (from changelog)

Breaking changes

• Require Ruby >= 2.3.0

Fixes

• Marshal.dump fails on response objects when request option :logger is set or :parser is a proc
• Switch :pem option to to OpenSSL::PKey.read to support other algorithms

0.19.1 (from changelog)

• Remove use of unary + method for creating non-frozen string to increase compatibility with older versions of ruby

0.19.0 (from changelog)

• Multipart/Form-Data: rewind files after read
• add frozen_string_literal pragma to all files
• Better handling of Accept-Encoding / Content-Encoding decompression (fixes #562)

0.18.1 (from changelog)

• Rename cop Lint/HandleExceptions to Lint/SuppressedException.
• Encode keys in query params.
• Fixed SSL doc example.
• Add a build status badge.

0.18.0 (from changelog)

• Support gzip/deflate transfer encoding when explicit headers are set.
• Support edge case cookie format with a blank attribute.

0.17.3 (from changelog)

0.17.2 is broken #681

0.17.2 (from changelog)

• Add Response#nil? deprecetion warning

0.17.1 (from changelog)

• Pass options to dynamic block headers
• Normalize urls with URI adapter to allow International Domain Names support
• Add max_retries support
• Minize gem size by removing test files

0.17.0 (from changelog)

• Fix encoding of streamed chunk
• Avoid modifying frozen strings
• Expose .connection on fragment block param
• Add support for Net::HTTP#write_timeout method (Ruby 2.6.0)

0.16.4 (from changelog)

• Add support for Ruby 2.6
• Fix a few multipart issues
• Improve a memory usage for https requests
• Add response code to streamed body

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ multi_xml (indirect, 0.5.5 → 0.6.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)