🚨 [security] [ruby] Update view_component 3.6.0 → 3.9.0 (minor)
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ view_component (3.6.0 → 3.9.0) · Repo · Changelog
Security Advisories 🚨
🚨 view_component Cross-site Scripting vulnerability

Impact
What kind of vulnerability is it? Who is impacted?
This is an XSS vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a #call method (i.e. instead of using a sidecar template) are affected. The return value of the #call method is not sanitized and can include user-defined content. In addition, the return value of the #output_postamble method is not sanitized, which can also lead to XSS issues.

Patches
Has the problem been patched? What versions should users upgrade to?
Version 3.9.0 has been released and fully mitigates both the #call and the #output_postamble vulnerabilities.

Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Sanitize the return value of #call, e.g.:

class MyComponent < ApplicationComponent
  def call
    html_escape("<div>#{user_input}</div>")
  end
end

References
Are there any links users can visit to find out more?

For more information
If you have any questions or comments about this advisory:
Open an issue in the github/view_component project.
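As an added illustration (not code from the advisory or from the view_component gem), the following self-contained Ruby script contrasts a #call method that interpolates user input straight into markup with one that escapes it first, so the two outputs can be compared without loading Rails. The MinimalComponent base class, its render and output_postamble methods, the UnsafeComponent/SafeComponent names and the sample input are constructed stand-ins for the gem's rendering path; ERB::Util.html_escape is the standard-library counterpart of the html_escape helper in the advisory's workaround (the Rails version additionally honors html_safe?).

```ruby
require "erb"

# Hypothetical stand-in for a component that renders by returning a string
# from #call. It is NOT view_component's code; it only mirrors the path the
# advisory describes: whatever #call and #output_postamble return is emitted
# into the page unchanged.
class MinimalComponent
  def initialize(user_input)
    @user_input = user_input
  end

  # Framework stand-in: the concatenated return values reach the browser as-is.
  def render
    call + output_postamble
  end

  # Default postamble is empty; subclasses may return markup here too.
  def output_postamble
    ""
  end
end

# Vulnerable form: attacker-controlled text lands in the markup verbatim.
class UnsafeComponent < MinimalComponent
  def call
    %(<div class="comment">#{@user_input}</div>)
  end
end

# Hardened form: escape only the user-controlled value, so the component's own
# markup survives while <, >, &, " and ' in the input are neutralised.
class SafeComponent < MinimalComponent
  def call
    %(<div class="comment">#{ERB::Util.html_escape(@user_input)}</div>)
  end
end

# Constructed sample input of the kind the advisory warns about.
SAMPLE_INPUT = "<script>alert(1)</script>"

# Regression check a test suite can run against rendered output: does a raw
# script tag from the input survive into the HTML?
def contains_raw_script?(html)
  html.include?("<script")
end

def render_unsafe(input = SAMPLE_INPUT)
  UnsafeComponent.new(input).render
end

def render_safe(input = SAMPLE_INPUT)
  SafeComponent.new(input).render
end

if __FILE__ == $0
  puts "unsafe: #{render_unsafe}"
  puts "safe:   #{render_safe}"
end
```

Escaping only the interpolated value keeps the component's own <div> intact; the advisory's one-line workaround passes the whole string through html_escape, which is safe but also turns the component's tags into literal text. A check like contains_raw_script? belongs in the component's test suite so that a later change to #call or #output_postamble cannot quietly reintroduce unescaped output.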
Release Notes
3.7.0
- Support Rails 7.1 in CI. (Reegan Viljoen, Cameron Dutro)
- Document the capture compatibility patch on the Known issues page. (Simon Fish)
- Add Simundia to list of companies using ViewComponent. (Alexandre Ignjatovic)
- Reduce UnboundMethod objects by memoizing initialize_parameters. (Rainer Borene)
- Improve docs about inline templates interpolation. (Hans Lemuet)
- Update generators.md to clarify the way of changing config.view_component.view_component_path. (Shozo Hatta)
- Attempt to fix Ferrum timeout errors by creating driver with unique name. (Cameron Dutro)
Does any of this look wrong? Please let us know.
Commits
See the full diff on GitHub. The new version differs by 57 commits:
release 3.9.0 (#1952)
Ensure HTML output safety (#1950)
Don't break "rails stats" if app/components is missing (#1927)
Avoid allocating new string when output_postamble is blank (#1911)
Add deprecation warnings for EOL Rails and Ruby and the associated work arounds (#1902)
Add support for ruby3.3 (#1948)
Bump standard from 1.32.1 to 1.33.0 (#1949)
Bump net-imap from 0.4.8 to 0.4.9 (#1946)
Bump debug from 1.9.0 to 1.9.1 (#1947)
Adding example for 3.x migration (#1876)
Bump debug from 1.8.0 to 1.9.0 (#1928)
Allow translations to be inherited and overridden in subclasses (#1934)
Update benchmark-ips requirement from ~> 2.12.0 to ~> 2.13.0 (#1942)
Bump net-imap from 0.4.7 to 0.4.8 (#1943)
Clean up console warnings when running tests (#1933)
Bump standard from 1.32.0 to 1.32.1 (#1929)
Bump haml from 6.2.3 to 6.3.0 (#1930)
Fix spelling of local variable (#1925)
Bump net-imap from 0.4.5 to 0.4.7 (#1923)
Bump rubocop-md from 1.2.1 to 1.2.2 (#1924)
release 3.8.0 (#1921)
Fix show_exceptions setting for Rails main (#1920)
Bump slim from 5.1.1 to 5.2.0 (#1907)
Bump standard from 1.31.2 to 1.32.0 (#1908)
Bump net-imap from 0.4.4 to 0.4.5 (#1914)
Remove support for unsupported versions of ruby and rails (#1898)
Raise error uncountable slot names in plural slots (#1904)
Fix invalid rubocop errors (#1896)
Use native String#end_with?, not the Rails wrapper (#1905)
Don't add ActionDispatch::Static middleware continued (#1892)
Allow setting method when using the test helper (#1805)
Bump cuprite from 0.14.3 to 0.15 (#1900)
Bump net-imap from 0.4.2 to 0.4.4 (#1901)
Fix slot names that start with call (#1828)
Add new helper API (#1860)
Search for the Rails module in the root namespace (#1894)
set request full path manually for tests with request url (#1893)
Bump appraisal from 2.4.1 to 2.5.0 (#1803)
release 3.7.0 (#1890)
Support Rails 7.1 (#1889)
Bump rake from 13.0.6 to 13.1.0 (#1886)
Bump m from 1.6.1 to 1.6.2 (#1853)
Bump actions/checkout from 3 to 4 (#1843)
Bump net-imap from 0.3.7 to 0.4.2 (#1879)
Bump actions/setup-node from 3 to 4 (#1887)
Bump rubocop-md from 1.2.0 to 1.2.1 (#1880)
Bump standard from 1.31.1 to 1.31.2 (#1881)
Bump haml from 6.1.2 to 6.2.3 (#1866)
Bump net-smtp from 0.3.3 to 0.4.0 (#1859)
fix: reduce UnboundMethod objects by memoizing initialize_parameters (#1868)
Attempt to fix Ferrum timeout errors (#1877)
Bump puma from 6.3.1 to 6.4.0 (#1858)
[Docs]Update document for changing view_component_path (#1870)
Bump errata-ai/vale-action (#1873)
Add docs about inline templates interpolation (#1874)
Document the capture compatibility patch on the Known issues page (#1864)
Update index.md by adding Simundia to the list of companies using vie… (#1856)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
- @depfu rebase: Rebases against your default branch and redoes this update
- @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
- @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge: Cancels automatic merging of this PR
- @depfu close: Closes this PR and deletes the branch
- @depfu reopen: Restores the branch and reopens this PR (if it's closed)
- @depfu pause: Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)