[CVE-2018-3740] Sanitize HTML injection vulnerability #176

Closed
rgrove opened this issue Mar 20, 2018 · 9 comments
@rgrove
Owner

rgrove commented Mar 20, 2018

This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.

Description

A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.

Affected Versions

Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2

Mitigation

Upgrade to Sanitize 4.6.3 or higher.

History of this vulnerability

  • 2018-03-19: Reported by Shopify Application Security Team via email
  • 2018-03-19: Sanitize 4.6.3 released with a fix
  • 2018-03-19: Initial vulnerability report published
@rgrove rgrove closed this as completed in 01629a1 Mar 20, 2018
@rgrove rgrove changed the title Placeholder Sanitize HTML injection vulnerability Mar 20, 2018
@reedloden

@rgrove Is there a CVE for this? If not, can assign one.

@rgrove
Owner Author

rgrove commented Mar 20, 2018

There isn't. If you could assign one, that'd be great! I tried to figure out how to request one but it was taking me too long, so I figured I'd get the fix out first.

@reedloden

Sure, CVE-2018-3740.

Since Shopify (the reporter) is a HackerOne customer, I can assign one for you under our CNA scope. :-)

@rgrove
Owner Author

rgrove commented Mar 20, 2018

Much appreciated!

@rgrove rgrove changed the title Sanitize HTML injection vulnerability [CVE-2018-3740] Sanitize HTML injection vulnerability Mar 20, 2018
@rgrove
Owner Author

rgrove commented Mar 20, 2018

It looks like the root cause of this issue is being discussed in this libxml2 bug: https://bugzilla.gnome.org/show_bug.cgi?id=769760

@flavorjones
Contributor

@rgrove I've noted this CVE in that upstream bug report.

@rgrove
Owner Author

rgrove commented Mar 20, 2018

Thanks @flavorjones! Also thanks for providing a good example for me to follow in terms of announcing a vuln and getting the word out to the community. First time I've done that, so it was a learning experience. 😬

@flavorjones
Contributor

Ha ha! Well, we have a good process for all this at my day job, so "I'm just following procedure."

amatriain added a commit to amatriain/feedbunch that referenced this issue Mar 21, 2018
h-lame added a commit to alphagov/govspeak that referenced this issue Mar 21, 2018
This fixes CVE-2018-2740 (See: rgrove/sanitize#176)

We also have to fix some tests around table tags, because as of sanitize
3.x it uses a parser more like a browser which means it will strip invalid
HTML and correct it when it's less-broken.  Tables are one of the things
it does this for.
rgrove added a commit to rgrove/gollum-lib that referenced this issue Mar 23, 2018
pravi added a commit to pravi/html-pipeline that referenced this issue Jun 27, 2018
gjtorikian pushed a commit to gjtorikian/html-pipeline that referenced this issue Jun 27, 2018
@rgrove
Owner Author

rgrove commented Sep 30, 2018

FYI if you're still on the Sanitize 2.x line and can't upgrade to 4.x, @dometto was kind enough to backport this fix to the 2.x line in Sanitize 2.1.1.
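
A dependency check for the version ranges stated in this thread (Sanitize < 4.6.3 with libxml2 >= 2.9.2, fixed in 4.6.3 and backported in 2.1.1), as an added example that is not code from the Sanitize project. The function names, the returned status symbols and the sample `Gemfile.lock` are constructed for illustration; the libxml2 version is supplied by the caller, and treating every 2.x release from 2.1.1 onward as patched is an assumption.

```ruby
require "rubygems"

# Boundaries quoted from the advisory in this thread.
FIXED_4X        = Gem::Version.new("4.6.3") # first fixed release
FIXED_2X        = Gem::Version.new("2.1.1") # backport for the 2.x line
NEXT_MAJOR_3    = Gem::Version.new("3.0.0")
LIBXML2_TRIGGER = Gem::Version.new("2.9.2") # issue only shows at or above this

# Constructed sample Gemfile.lock, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-markdown (1.0.0)
        sanitize (>= 2.0)
      nokogiri (1.8.2)
      sanitize (4.6.2)
        nokogiri (>= 1.4.4)

  DEPENDENCIES
    sanitize (~> 4.6)
LOCK

# Resolved specs sit at exactly four spaces of indent; constraint lines
# ("sanitize (>= 2.0)") sit deeper or shallower and must not match.
def locked_sanitize_version(lockfile_text)
  m = lockfile_text.match(/^ {4}sanitize \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# libxml2_version: string such as the libxml "loaded" value shown by
# `nokogiri -v`, or nil when it could not be determined.
def cve_2018_3740_status(sanitize_version, libxml2_version)
  return :sanitize_not_found if sanitize_version.nil?
  return :patched if sanitize_version >= FIXED_4X
  # Assumption: every 2.x release from 2.1.1 onward carries the backport.
  return :patched if sanitize_version >= FIXED_2X && sanitize_version < NEXT_MAJOR_3
  return :unpatched_libxml2_unknown if libxml2_version.nil?
  # Gem::Version compares numerically, so "2.9.10" ranks above "2.9.2".
  if Gem::Version.new(libxml2_version) >= LIBXML2_TRIGGER
    :vulnerable
  else
    :unpatched_libxml2_below_trigger
  end
end

if __FILE__ == $PROGRAM_NAME
  puts cve_2018_3740_status(locked_sanitize_version(SAMPLE_LOCK), "2.9.10")
end
```

A result of `:unpatched_libxml2_below_trigger` still calls for the upgrade, since a later libxml2 update on the host would bring the installation into the affected range.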

reedloden added a commit to reedloden/ruby-advisory-db that referenced this issue Oct 18, 2018