🚨 [security] [ruby] Update css_parser 1.14.0 → 2.1.0 (major)

Depfu Botrequested to merge
depfu/update/css_parser-2.1.0 into master

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ css_parser (indirect, 1.14.0 → 2.1.0) · Repo · Changelog
Security Advisories 🚨

🚨 CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content

Summary

The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate—even entirely untrusted—will be accepted without validation.

Details

In lib/css_parser/parser.rb, the HTTP client sets:

    <tbody>
http.verify_mode = OpenSSL::SSL::VERIFY_NONE 

http.verify_mode = OpenSSL::SSL::VERIFY_NONE

As a result, the library does not validate the authenticity of HTTPS connections and does not protect against man-in-the-middle attacks. Any attacker in a position to intercept network traffic can inject or modify CSS loaded via HTTPS URLs without detection or warning.

PoC

  1. Set up a test Ruby project that uses the CSS Parser gem and loads an external stylesheet over HTTPS.
  2. Use a local proxy (such as mitmproxy or Burp Suite) to intercept outgoing HTTPS requests.
  3. Present a fake self-signed certificate to the client.
  4. Inject custom CSS into the intercepted HTTPS response.

The request will succeed and the injected CSS will be delivered to the application, as the connection is not validated.

Resources

#185

Impact

Applications using CSS Parser to load remote stylesheets over HTTPS are vulnerable to CSS injection and content manipulation, regardless of the trust status of the remote server. All users who use CSS Parser to fetch external CSS over HTTPS may be impacted.

Credit

This vulnerability was uncovered by @JLLeitschuh of the @braze-inc security team.

Release Notes

2.1.0 (from changelog)

  • Validate ssl when pulling files via https

2.0.0 (from changelog)

  • Drop ruby <3.2, fix a memory leak

1.21.1 (from changelog)

  • Prefer !important rules over non-!important rules in the same ruleset
  • Minor performance improvements

1.21.0 (from changelog)

  • Minor performance improvements

1.20.0 (from changelog)

  • Remove iconv conditional require

1.19.0 (from changelog)

  • Deprecate load_uri!, load_file! and load_string! positional arguments over keyword argument
  • Deprecate add_rule! (positional arguments)and add_rule_with_offsets! for add_rule! (keyword argument)
  • RuleSet initialize now takes keyword argument, positional arguments are still supported but deprecated
  • Removed OffsetAwareRuleSet, it's a RuleSet with optional attributes filename and offset
  • Improved performance of block parsing by using StringScanner
  • Improve RuleSet#parse_declarations! performance by using substring search istead of regexps

1.15.0 (from changelog)

  • Fix parsing background shorthands in ruby 3.2 #140

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ addressable (2.8.1 → 2.9.0) · Repo · Changelog
Security Advisories 🚨

🚨 Addressable has a Regular Expression Denial of Service in Addressable templates

Impact

Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking:

  1. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI.
  2. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables.

When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. The first pattern was partially addressed in 2.8.10 for certain operator combinations. Both patterns are fully remediated in 2.9.0.

Users of the URI parsing capabilities in Addressable but not the URI template matching capabilities are unaffected.

Affected Versions

This vulnerability affects Addressable >= 2.3.0 (note: 2.3.0 and 2.3.1 were yanked; the earliest installable release is 2.3.2). It was partially fixed in version 2.8.10 and fully remediated in 2.9.0.

The vulnerability is more exploitable on MRI Ruby < 3.2 and on all versions of JRuby and TruffleRuby. MRI Ruby 3.2 and later ship with Onigmo 6.9, which introduces memoization that prevents catastrophic backtracking for the first class of template. JRuby and TruffleRuby do not implement equivalent memoization and remain vulnerable to all patterns.

This has been confirmed on the following runtimes:

Runtime Status
MRI Ruby 2.6 Vulnerable
MRI Ruby 2.7 Vulnerable
MRI Ruby 3.0 Vulnerable
MRI Ruby 3.1 Vulnerable
MRI Ruby 3.2 Partially vulnerable
MRI Ruby 3.3 Partially vulnerable
MRI Ruby 3.4 Partially vulnerable
MRI Ruby 4.0 Partially vulnerable
JRuby 10.0 Vulnerable
TruffleRuby 21.2 Vulnerable

Workarounds

  • Upgrade to MRI Ruby 3.2 or later, if your application does not use JRuby or TruffleRuby. The Onigmo memoization introduced in MRI Ruby 3.2 prevents catastrophic backtracking from nested unbounded quantifiers (pattern 1 above — templates using the * modifier). It does not reliably mitigate the O(n^k) multi-variable case (pattern 2), so upgrading Ruby alone may not be sufficient if your templates use {+v1,v2,...} or {#v1,v2,...} syntax.

  • Avoid using vulnerable template patterns when matching user-supplied input on unpatched versions of the library:

    • Templates using the * (explode) modifier: {foo*}, {+var*}, {#var*}, {.var*}, {/var*}, {;var*}, {?var*}, {&var*}
    • Templates using multiple variables with the + or # operators: {+v1,v2}, {#v1,v2,v3}, etc.

  • Apply a short timeout around any call to Template#match or Template#extract that processes user-supplied data.

References

Credits

Discovered in collaboration with @jamfish.

For more information

If you have any questions or comments about this advisory:

Release Notes

2.9.0 (from changelog)

  • fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

2.8.10 (from changelog)

  • fixes ReDoS vulnerability in Addressable::Template#match

2.8.9 (from changelog)

  • Reduce gem size by excluding test files (#569)
  • No need for bundler as development dependency (#571, 5fc1d93)
  • idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

2.8.8 (from changelog)

  • Replace the unicode.data blob by a ruby constant (#561)
  • Allow public_suffix 7 (#558)

2.8.7 (from changelog)

  • Allow public_suffix 6 (#535)

2.8.6 (from changelog)

  • Memoize regexps for common character classes (#524)

2.8.5 (from changelog)

  • Fix thread safety issue with encoding tables (#515)
  • Define URI::NONE as a module to avoid serialization issues (#509)
  • Fix YAML serialization (#508)

2.8.4 (from changelog)

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

  • Improve cache hits and JIT friendliness (#486)
  • Improve code style and test coverage (#482)
  • Ensure reset of deferred validation (#481)
  • Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
  • Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

Does any of this look wrong? Please let us know.

✳️ bundler-audit (0.9.1 → 0.9.3) · Repo · Changelog
Release Notes

0.9.3

  • Officially support Ruby 3.4, 3.5, and 4.0.
  • Added support for Bundler 4.x.
  • Fixed typos in API documentation.

CLI

  • Ensure that the bundler-audit check command honors the BUNDLER_AUDIT_DB environment variable.

0.9.2

  • Officially support Ruby 3.2 and 3.3.
  • Corrected the gemspec license to indicate GPL-3.0 or later.

CLI

  • Correctly handle Bundler::Audit::Database::UpdateFailed exceptions in bundle-audit update.
  • Changed wording from "upgrade to" to "update to" in bundle-audit check output.

Rake Task

  • Fixed empty bundle:audit:update rake task.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 56 commits:

✳️ fog-aliyun (0.4.0 → 0.4.1) · Repo · Changelog
Release Notes

0.4.1 (from changelog)

BUG FIXES:

  • bump addressable dependency GH-159

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ public_suffix (indirect, 5.0.0 → 7.0.5) · Repo · Changelog
Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

Merge request reports