🚨 [security] Update jquery-rails: 4.3.3 → 4.4.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ jquery-rails (4.3.3 → 4.4.0) · Repo · Changelog

Security Advisories 🚨

🚨 Potential XSS vulnerability in jQuery

Impact

Passing HTML containing <option> elements from untrusted sources - even after
sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(),
.append(), and others) may execute untrusted code.

Workarounds

To workaround this issue without upgrading, use DOMPurify with its
SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a
jQuery method.

🚨 Prototype pollution attack through jQuery $.extend

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of
bject.prototype pollution. If an unsanitized source object contained an
enumerable proto property, it could extend the native Object.prototype.

Release Notes

4.4.0 (from changelog)

• update jquery to 3.5.1 (note: 3.5.0 contains important security updates)
• unescape dollar signs and backticks in assert_select_jquery to match Rails updated behavior.

4.3.5 (from changelog)

• update jquery to 3.4.1

4.3.4 (from changelog)

• update jquery to 3.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ builder (indirect, 3.2.3 → 3.2.4) · Repo · Changelog

↗️ crass (indirect, 1.0.4 → 1.0.6) · Repo · Changelog

Release Notes

1.0.6

• Number values are now limited to a maximum of Float::MAX and a minimum of negative Float::MAX. (#11)

• Added project metadata to the gemspec. (#9 - @orien)

1.0.5

• Removed test files from the gem. (#8 - @t-richards)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.2.3 → 2.5.0) · Repo · Changelog

Security Advisories 🚨

🚨 Loofah XSS Vulnerability

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in
sanitized output when a crafted SVG element is republished.

Release Notes

2.5.0 (from changelog)

Features

• Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

• Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes

• Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
• Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)

2.4.0

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width [#175] (Thanks, @bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. [#118]

2.3.1

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at #171

2.3.0 (from changelog)

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
• Allow CSS property list-style [#162] (Thanks, @jaredbeck!)
• Allow CSS keywords thick and thin [#168] (Thanks, @georgeclaghorn!)
• Allow HTML property contenteditable [#167] (Thanks, @andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.11.3 → 5.14.0) · Repo · Changelog

Release Notes

5.14.0 (from changelog)

• 2 minor enhancements:

  • Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)

  • Changed assert_raises to only catch Assertion since that covers Skip and friends.

• 3 bug fixes:

  • Added example for value wrapper with block to Expectations module. (stomar)

  • Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)

  • Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)

5.13.0 (from changelog)

• 9 minor enhancements:

  • Added Minitest::Guard#osx?

  • Added examples to documentation for assert_raises. (lxxxvi)

  • Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.

  • Added fail_after(year, month, day, msg) to allow time-bombing after a deadline.

  • Added skip_until(year, month, day, msg) to allow deferring until a deadline.

  • Deprecated Minitest::Guard#maglev?

  • Deprecated Minitest::Guard#rubinius?

  • Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)

  • Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)

• 3 bug fixes:

  • Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)

  • Improved documentation for _/value/expect, especially for blocks. (svoop)

  • Support new Proc#to_s format. (ko1)

5.12.2 (from changelog)

• 1 bug fix:

  • After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.

5.12.1 (from changelog)

• 1 minor enhancement:

  • Added documentation for Reporter classes. (sshaw)

• 3 bug fixes:

  • Avoid using 'match?' to support older ruby versions. (y-yagi)

  • Fixed broken link to reference on goodness-of-fit testing. (havenwood)

  • Update requirements in readme and Rakefile/hoe spec.

5.12.0 (from changelog)

• 8 minor enhancements:

  • Added a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)

  • Changed mu_pp_for_diff to make having both n and \n easier to debug.

  • Deprecated $N for specifying number of parallel test runners. Use MT_CPU.

  • Deprecated use of global expectations. To be removed from MT6.

  • Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.

  • Extended Assertions#mu_pp to output encoding and validity if invalid to improve diffs.

  • Extended Assertions#mu_pp_for_diff to make escaped newlines more obvious in diffs.

  • Fail gracefully when expectation used outside of `it`.

• 3 bug fixes:

  • Check `option` klass before match. Fixes 2.6 warning. (y-yagi)

  • Fixed Assertions#diff from recalculating if set to nil

  • Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.1 → 1.10.9) · Repo · Changelog

Security Advisories 🚨

🚨 xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

🚨 Nokogiri gem, via libxslt, is affected by multiple vulnerabilities

Nokogiri v1.10.5 has been released.

This is a security release. It addresses three CVEs in upstream libxml2,
for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
these vulnerabilities.

Full details about the security update are available in Github Issue
[#1943] #1943.

---

CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings
could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This
could allow an attacker to discern whether a byte on the stack contains the
characters A, a, I, i, or 0, or any other character.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

---

CVE-2019-13118

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
xsl:number instruction was too narrow and an invalid character/length
combination could be passed to xsltNumberFormatDecimal, leading to a read
of uninitialized stack data

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

---

CVE-2019-18197

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html

Priority: Medium

Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't
reset under certain circumstances. If the relevant memory area happened to
be freed and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

🚨 Nokogiri Command Injection Vulnerability

🚨 Nokogiri gem, via libxslt, is affected by improper access control vulnerability

Nokogiri v1.10.3 has been released.

This is a security release. It addresses a CVE in upstream libxslt rated as
"Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More
details are available below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time, though
you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that this patch is not yet (as
of 2019-04-22) in an upstream release of libxslt.

Full details about the security update are available in Github Issue
[#1892] #1892.

---

CVE-2019-11068

Permalinks are:

• Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068
• Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068

Description:

libxslt through 1.1.33 allows bypass of a protection mechanism
because callers of xsltCheckRead and xsltCheckWrite permit access
even upon receiving a -1 error code. xsltCheckRead can return -1 for
a crafted URL that is not actually invalid and is subsequently
loaded.

Canonical rates this as "Priority: Medium".

Debian rates this as "NVD Severity: High (attack range: remote)".

Release Notes

1.10.9

1.10.9 / 2020-03-01

Fixed

• [MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [#1985, #2001]
• [JRuby] Change NodeSet#to_a to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [#1968, #1969] (Thanks, @headius!)

1.10.8

1.10.8 / 2020-02-10

Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

1.10.7

1.10.7 / 2019-12-03

Bug

• [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. [#1954]

1.10.6

1.10.6 / 2019-12-03

Bug

• [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @nurse!)

1.10.5

1.10.5 / 2019-10-31

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is #1915

1.10.3

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2

1.10.2 / 2019-03-24

Security

• [MRI] Remove support from vendored libxml2 for future script macros. [#1871]
• [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877]

Bug fixes

• [JRuby] Fix node ownership in duplicated documents. [#1060]
• [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @adjam!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 1.6.11 → 1.6.13) · Repo · Changelog

Security Advisories 🚨

🚨 Possible information leak / session hijack vulnerability

There's a possible information leak / session hijack vulnerability in Rack.

Attackers may be able to find and hijack sessions by using timing attacks
targeting the session id. Session ids are usually stored and indexed in a
database that uses some kind of scheme for speeding up lookups of that
session id. By carefully measuring the amount of time it takes to look up
a session, an attacker may be able to find a valid session id and hijack
the session.

The session id itself may be generated randomly, but the way the session is
indexed by the backing store does not use a secure comparison.

Impact:

The session id stored in a cookie is the same id that is used when querying
the backing session storage engine. Most storage mechanisms (for example a
database) use some sort of indexing in order to speed up the lookup of that
id. By carefully timing requests and session lookup failures, an attacker
may be able to perform a timing attack to determine an existing session id
and hijack that session.

Release Notes

1.6.12 (from changelog)

• [CVE-2019-16782] Prevent timing attacks targeted at session ID lookup. (@tenderlove, @rafaelfranca)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.0.4 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0

• Address deprecations in Loofah 2.3.0.

  Josh Goodall

1.2.0

• Remove needless white_list_sanitizer deprecation.

  By deprecating this, we were forcing Rails 5.2 to be updated or spew
  deprecations that users could do nothing about.

  That's pointless and I'm sorry for adding that!

  Now there's no deprecation warning and Rails 5.2 works out of the box, while
  Rails 6 can use the updated naming.

  Kasper Timm Hansen

1.1.0

• Add safe_list_sanitizer and deprecate white_list_sanitizer to be removed
  in 1.2.0. #87

  Juanito Fatas

• Remove href from LinkScrubber's tags as it's not an element.
  #92

  Juanito Fatas

• Explain that we don't need to bump Loofah here if there's CVEs.
  d4d823c

  Kasper Timm Hansen

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 12.3.2 → 13.0.1) · Repo · Changelog

Security Advisories 🚨

🚨 OS Command Injection in Rake

There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in
Rake::FileList when supplying a filename that begins with the pipe character
|.

Release Notes

13.0.1 (from changelog)

Bug fixes

• Fixed bug: Reenabled task raises previous exception on second invokation Pull Request #271 by thorsteneckel

• Fix an incorrectly resolved arg pattern Pull Request #327 by mjbellantoni

13.0.0 (from changelog)

Enhancements

• Follows recent changes on keyword arguments in ruby 2.7. Pull Request #326 by nobu

• Make `PackageTask` be able to omit parent directory while packing files Pull Request #310 by tonytonyjan

• Add order only dependency Pull Request #269 by take-cheeze

Compatibility changes

• Drop old ruby versions(< 2.2)

12.3.3 (from changelog)

Bug fixes

• Use the application's name in error message if a task is not found. Pull Request #303 by tmatilai

Enhancements:

• Use File.open explicitly.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 0.20.3 → 1.0.1) · Repo · Changelog

Release Notes

1.0.1 (from changelog)

• Fix thor when thor/base and thor/group are required without thor.rb.
• Handle relative source path in create_link.

1.0.0 (from changelog)

• Drop support to Ruby 1.8 and 1.9.

• Deprecate relying on default exit_on_failure?. In preparation to make Thor commands exit when there is a failure we are deprecating defining a command without defining what behavior is expected when there is a failure.

  To fix the deprecation you need to define a class method called exit_on_failure? returning

  false if you want the current behavior or true if you want the new behavior.

• Deprecate defining an option with the default value using a different type as defined in the option.

• Allow options to be repeatable. See #674.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.5 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
• Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

1.2.6

• Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
• Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
• Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
• Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #204.