[Security] Update nokogiri requirement from ~> 1.10.4 to >= 1.10.4, < 1.13.0

[dependabot-preview]

Updates the requirements on nokogiri to permit the latest version.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

XXE in Nokogiri

Severity

Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

... (truncated)

Affected versions: <= 1.10.10

Sourced from The Ruby Advisory Database.

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

... (truncated)

Patched versions: >= 1.11.0.rc4 Unaffected versions: none

Sourced from The GitHub Security Advisory Database.

Update packaged dependency libxml2 from 2.9.10 to 2.9.12

Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

• CVE-2019-20388 (Medium severity)
• CVE-2020-24977 (Medium severity)
• CVE-2021-3517 (Medium severity)
• CVE-2021-3518 (Medium severity)
• CVE-2021-3537 (Low severity)
• CVE-2021-3541 (Low severity)

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.11.4.

... (truncated)

Affected versions: < 1.11.4

Sourced from The Ruby Advisory Database.

Update packaged dependency libxml2 from 2.9.10 to 2.9.12

Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

• CVE-2019-20388 (Medium severity)
• CVE-2020-24977 (Medium severity)
• CVE-2021-3517 (Medium severity)
• CVE-2021-3518 (Medium severity)
• CVE-2021-3537 (Low severity)
• CVE-2021-3541 (Low severity)

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.11.4.

... (truncated)

Patched versions: >= 1.11.4 Unaffected versions: none

Release notes

Sourced from nokogiri's releases.

1.12.1 / 2021-08-03

Fixed

• Fix compilation of libgumbo on BSD systems by avoiding GNU-isms. [#2298]

---

Checksums:

194092568135d7897d8df0472c27c82b395a6c09054b8f4e8929805faf9eb877  nokogiri-1.12.1-arm64-darwin.gem
e9e16b36f6528af16c62bcfaeae517badb1ec07f5e856b5c151a913d3b0e6368  nokogiri-1.12.1-java.gem
ee1c497c759fdbbe482ab8a0c497b75d44efce5d2ae20fdb93b8c225508dc75a  nokogiri-1.12.1-x64-mingw32.gem
30c7dff0c9a56a2f03e4e4aa029e14f15282af37d469a0b159446de4c500b28b  nokogiri-1.12.1-x86-linux.gem
fcbdfc03405624ec0a186fa1bb41111a27264f4e7a7398c64c0d4e1e83769739  nokogiri-1.12.1-x86-mingw32.gem
ee4c88c46b8797bc6dbeee233ef0862a34d8a1a799e9fdcdfb0dfd8a42bb629b  nokogiri-1.12.1-x86_64-darwin.gem
f861b04e3268bda45036907f56ceede16b9fe1969099cb8888d378f71706fc63  nokogiri-1.12.1-x86_64-linux.gem
66dc1f0aa02fc62efb166465dfcc520785068cce4a9a3d2822cdea1f1ce66775  nokogiri-1.12.1.gem

1.12.0 / 2021-08-02

Notable Addition: HTML5 Support (CRuby only)

HTML5 support has been added (to CRuby only) by merging Nokogumbo into Nokogiri. The Nokogumbo public API has been preserved, so this functionality is available under the Nokogiri::HTML5 namespace. [#2204]

Please note that HTML5 support is not available for JRuby in this version. However, we feel it is important to think about JRuby and we hope to work on this in the future. If you're interested in helping with HTML5 support on JRuby, please reach out to the maintainers by commenting on issue #2227.

Many thanks to Sam Ruby, Steve Checkoway, and Craig Barnes for creating and maintaining Nokogumbo and supporting the Gumbo HTML5 parser. They're now Nokogiri core contributors with all the powers and privileges pertaining thereto. 🙌

Notable Change: Nokogiri::HTML4 module and namespace

Nokogiri::HTML has been renamed to Nokogiri::HTML4, and Nokogiri::HTML is aliased to preserve backwards-compatibility. Nokogiri::HTML and Nokogiri::HTML4 parse methods still use libxml2's (or NekoHTML's) HTML4 parser in the v1.12 release series.

Take special note that if you rely on the class name of an object in your code, objects will now report a class of Nokogiri::HTML4::Foo where they previously reported Nokogiri::HTML::Foo. Instead of relying on the string returned by Object#class, prefer Class#=== or Object#is_a? or Object#instance_of?.

Future releases of Nokogiri may deprecate HTML methods or otherwise change this behavior, so please start using HTML4 in place of HTML.

Added

• [CRuby] Nokogiri::VERSION_INFO["libxslt"]["datetime_enabled"] is a new boolean value which describes whether libxslt (or, more properly, libexslt) has compiled-in datetime support. This generally going to be true, but some distros ship without this support (e.g., some mingw UCRT-based packages, see msys2/MINGW-packages#8957). See #2272 for more details.

Changed

• Introduce a new constant, Nokogiri::XML::ParseOptions::DEFAULT_XSLT, which adds the libxslt-preferred options of NOENT | DTDLOAD | DTDATTR | NOCDATA to ParseOptions::DEFAULT_XML.
• Nokogiri.XSLT parses stylesheets using ParseOptions::DEFAULT_XSLT, which should make some edge-case XSL transformations match libxslt's default behavior. [#1940]

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.12.1 / 2021-08-03

Fixed

• Fix compilation of libgumbo on BSD systems by avoiding GNU-isms. [#2298]

1.12.0 / 2021-08-02

Notable Addition: HTML5 Support (CRuby only)

HTML5 support has been added (to CRuby only) by merging Nokogumbo into Nokogiri. The Nokogumbo public API has been preserved, so this functionality is available under the Nokogiri::HTML5 namespace. [#2204]

Please note that HTML5 support is not available for JRuby in this version. However, we feel it is important to think about JRuby and we hope to work on this in the future. If you're interested in helping with HTML5 support on JRuby, please reach out to the maintainers by commenting on issue #2227.

Many thanks to Sam Ruby, Steve Checkoway, and Craig Barnes for creating and maintaining Nokogumbo and supporting the Gumbo HTML5 parser. They're now Nokogiri core contributors with all the powers and privileges pertaining thereto. 🙌

Notable Change: Nokogiri::HTML4 module and namespace

Nokogiri::HTML has been renamed to Nokogiri::HTML4, and Nokogiri::HTML is aliased to preserve backwards-compatibility. Nokogiri::HTML and Nokogiri::HTML4 parse methods still use libxml2's (or NekoHTML's) HTML4 parser in the v1.12 release series.

Take special note that if you rely on the class name of an object in your code, objects will now report a class of Nokogiri::HTML4::Foo where they previously reported Nokogiri::HTML::Foo. Instead of relying on the string returned by Object#class, prefer Class#=== or Object#is_a? or Object#instance_of?.

Future releases of Nokogiri may deprecate HTML methods or otherwise change this behavior, so please start using HTML4 in place of HTML.

Added

• [CRuby] Nokogiri::VERSION_INFO["libxslt"]["datetime_enabled"] is a new boolean value which describes whether libxslt (or, more properly, libexslt) has compiled-in datetime support. This generally going to be true, but some distros ship without this support (e.g., some mingw UCRT-based packages, see msys2/MINGW-packages#8957). See #2272 for more details.

Changed

• Introduce a new constant, Nokogiri::XML::ParseOptions::DEFAULT_XSLT, which adds the libxslt-preferred options of NOENT | DTDLOAD | DTDATTR | NOCDATA to ParseOptions::DEFAULT_XML.
• Nokogiri.XSLT parses stylesheets using ParseOptions::DEFAULT_XSLT, which should make some edge-case XSL transformations match libxslt's default behavior. [#1940]

Fixed

• [CRuby] Namespaced attributes are handled properly when their parent node is reparented into another document. Previously, the namespace may have gotten dropped. [#2228]
• [CRuby] Reparented nodes no longer inherit their parent's namespace. Previously, a node without a namespace was forced to adopt its parent's namespace. [#1712]

Improved

• [CRuby] Speed up (slightly) the compile time of packaged libraries libiconv, libxml2, and libxslt by using autoconf's --disable-dependency-tracking option. ("ruby" platform gem only.)

Deprecated

... (truncated)

Commits

• 3457f44 version bump to v1.12.1
• 0e5fece Merge pull request #2299 from sparklemotion/flavorjones-bsd-gumbo-support
• 1159a9b ext(gumbo): avoid Gnu-isms in the Makefile
• 2e7ab22 ext(gumbo): Makefile variable override is not necessary
• 66dace2 ci: add coverage for freebsd
• 6e87b67 test: add freebsd to the vagrantfile for testing
• 8cafcee version bump to v1.12.0
• 4baf430 ci: library cache should be keyed on patches
• 9e6e6ac Merge pull request #2290 from sparklemotion/2276-gumbo-parseargs
• b8f4abd fix(gumbo): use C struct pointer directly instead of wrapping
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)