🚨 [security] Update yard 0.9.35 → 0.9.42 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ yard (indirect, 0.9.35 → 0.9.42) · Repo · Changelog

Security Advisories 🚨

🚨 yard: Possible arbitrary path traversal and file access via yard server

Impact

A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The original patch in GHSA-xfhh-rx56-rxcr was incorrectly applied.

Patches

Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on --docroot.

Workarounds

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

🚨 YARD's default template vulnerable to Cross-site Scripting in generated frames.html

Summary

The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.

Details

The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the "frames.erb" template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window's location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs.

Snippet from "frames.erb":
(v0.9.34)

<script type="text/javascript">
  var match = unescape(window.location.hash).match(/^#!(.+)/);
  var name = match ? match[1] : '<%= url_for_main %>';
  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
  window.top.location = name;
</script>

(v0.9.35)

<script type="text/javascript">
  var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
  var name = match ? match[1] : '<%= url_for_main %>';
  name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
  window.top.location.replace(name)
</script>

PoC (Proof of Concept)

To exploit this vulnerability:

1. Gain access to the generated Yard Doc.
2. Locate and access the "frames.html" file.
3. Construct a URL containing the malicious payload in the hash segment, for instance: #!javascript:xss for v0.9.34, and #:javascript:xss for v0.9.35

Impact

This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user's session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application's integrity.

Release Notes

0.9.42

• Fix alternating rows when loading a module in default HTML templates with subelements in the nav frame
• Fix reliability of keypresses and copy/paste in search box (#1174)
• Fix regression in yard server search box styling
• Fix possible path traversal with document_root (--docroot) set in yard server (GHSA-xfhh-rx56-rxcr)

0.9.41

• Add support for rdoc-image:... syntax in HybridMarkup (#1676)
• Add support for colon suffix code blocks in HybridMarkup (rdoc compatibility)
• Fix responsiveness and state issues with nav frame links in yard server

0.9.40

• Add support for Ruby .rbs files (docstrings included) (#1673)
• Add built-in hybrid RDoc/Markdown renderer (HybridMarkdown) requiring no external gems (#1674)
• Add support for #- as a comment-block separator. See Getting Started Guide.
• Add support for commonmarker version >= 1.0.
• Remove usage of jQuery in default templates. jQuery library is still packaged in templates for backward compatibility (#1675)
• Fix false self-referential mixin when bare name matches ancestor namespace (#1672)
• Fix bracket/brace map corruption from Ruby 3.0+ pattern matching deconstruction (#1671)
• Fix @!scope class on attributes (#1582, #1655, #1666)
• Fix @!parse directives not including source for block (#1665)
• Fix inherited methods not appearing in groups (#1656)

0.9.39

• Add support for Ruby 4.0 (#1663)
• Add changelog URI to gemspec metadata (#1641)
• Fix issues with source ranges (#1642)
• Fix an issue loading relative links from file list in HTML template (#1660)
• Various test fixes (#1650, #1651)

0.9.38

• Add support for complex constant assignment (#1599)
• Add support for Data type structs (#1600)
• Support multi method duck type syntax in type explainer (#1631)
• Improve Ruby 3.5 compatibility (#1616)
• Update documentation for various type annotations (#1615)
• JavaScript frontend updates (resizer, JS bugs, reduce console verbosity) for default template
• Fix beginless/endless range errors (#1549, #1625)
• Fix path structure in Templates.md documentation (#1588)
• Fix signature handling in overload (#1590)
• Fix handling of **nil with named block (#1623)
• Fix directives in empty class bodies (#1624)
• Fix parsing of array within array syntax (#1604)
• Fix parsing of visibility keywords in front of class methods (#1632)

0.9.37

• Fix JavaScript errors in --one-file template (#1426)
• Fix heredoc parsing and add support for squiggly heredocs (#1315, #1495)
• Accessibility improvements to the default template (#1501)
• Improved YARD documentation (#1410, #1512, #1516, #1544)
• Fix error when parsing @option tags (#1515)
• Fix issue parsing UTF-8 filenames (#1517)
• Replace OpenStruct with optimized YARD::OpenStruct to avoid ostruct performance warnings (#1545)
• Add support for private attr_* syntax (#1541)
• Remove logger dependency (#1546)

0.9.36

• Further XSS fixes for generated frameset pages (#1538)
• Improve tests for Ruby 3.3 compatibility (#1519, #1531)
• Documentation improvements (#1524)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)