Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict Rouge formatters to Rouge::Formatters namespace #708

Closed
wants to merge 1 commit into from
Closed

Restrict Rouge formatters to Rouge::Formatters namespace #708

wants to merge 1 commit into from

Conversation

stanhu
Copy link
Contributor

@stanhu stanhu commented Mar 14, 2021
edited
Loading

ff0218a added support for specifying custom Rouge formatters with the constraint that the formatter be in theRouge::Formatters namespace, but it did not actually enforce this constraint. For example, this is valid:

Rouge::Formatters.const_get('CSV')
=> CSV

Adding the false parameter to const_get prevents this:

Rouge::Formatters.const_get('CSV', false)
NameError: uninitialized constant Rouge::Formatters::CSV

@stanhu stanhu force-pushed the sh-restrict-rouge-formatter-lookup branch from 71c59ea to fc7872e Compare March 14, 2021 18:26
@stanhu stanhu changed the title Restrict Rouge formatters to values in Rouge::Formatters namespace Restrict Rouge formatters to Rouge::Formatters namespace Mar 14, 2021
@stanhu stanhu force-pushed the sh-restrict-rouge-formatter-lookup branch from fc7872e to 28b725c Compare March 14, 2021 18:45
@stanhu
Restrict Rouge formatters to Rouge::Formatters namespace
d6a1cbc 
ff0218a added support for specifying custom Rouge formatters with the
constraint that the formatter be in theRouge::Formatters namespace, but
it did not actually enforce this constraint. For example, this is valid:

```ruby
Rouge::Formatters.const_get('CSV')
=> CSV
```

Adding the `false` parameter to `const_get` prevents this:

```ruby
Rouge::Formatters.const_get('CSV', false)
NameError: uninitialized constant Rouge::Formatters::CSV
```
@stanhu stanhu force-pushed the sh-restrict-rouge-formatter-lookup branch from 28b725c to d6a1cbc Compare March 14, 2021 18:47
@gettalong
Copy link
Owner

Thanks! I think this makes sense also from a security point of view.

@stanhu
Copy link
Contributor Author

stanhu commented Mar 15, 2021

@gettalong Thanks! Would you mind merging and tagging a new release?

@gettalong
Copy link
Owner

There will be a release in due time.

@gettalong
Copy link
Owner

Thank you - merged and will be in the upcoming release.

@gettalong gettalong closed this Mar 17, 2021
@aleksandrs-ledovskis
Copy link

Source of CVSS 9.9 in GitLab.

I see no reason to keep it disconnected/under wraps once the patch (and consequently the vector) is known.

@rfrohl
Copy link

rfrohl commented Mar 18, 2021
edited
Loading

this issue got CVE-2021-28834 assigned

@ashfurrow ashfurrow mentioned this pull request Mar 31, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@stanhu @gettalong @aleksandrs-ledovskis @rfrohl