[CVE-2024-28199] Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex

[joeldrapper]

We’ve just released Phlex 1.9.1, 1.8.2, 1.7.1, 1.6.2, 1.5.2, 1.4.1, 1.3.3, 1.2.2, 1.1.1, and 1.0.1 with important security fixes.

You can find more details about the vulnerability here. GHSA-242p-4v39-2v8g

I’m opening this discussion thread in case anyone has questions related to this vulnerability and how they can mitigate it. We patched all minor 1.x versions, so you should be able to apply the fix without any breaking changes if you were previously running 1.0.0 or greater. We’ve also patched main for those of us living on the edge.

You probably just need to run bundle update phlex. There are a couple of public PRs applying these patches for reference:

• Feedbin — [Security] Upgrade Phlex to 1.9.1 feedbin/feedbin#720
• RubyGems — [Security] Upgrade Phlex to 1.9.1 rubygems/rubygems.org#4519

If you have any trouble upgrading, please reach out here and we’ll try to help.

[wdiechmann]

tremendous job - and so great that you keep eyes on the ball 🙏

and I really hate to keep nagging - this time it's this "master" piece revolting with undefined method '<<' for nil:NilClass:

  class Components::Navigation::Notification < Views::Components::Form::PhlexBase
    include Phlex::Rails::Helpers::LinkTo
    include Phlex::Rails::Helpers::TurboStreamFrom

    def initialize( **attribs, &block )
      @notifications = attribs[:notifications]
      @user = attribs[:user] rescue false
      @push_enabled = @user.receive_notifications ? true : false rescue false
      @user_notifications_url = attribs[:user_notifications_url] || "#"
      @present = attribs[:present] || 'all'
    end

    def template()
      if @user && @user.can_view_notifications?
        if @present == 'all' 
          all 
        else 
          notifications_list 
        end
      else
        div()
      end
    end

    def all
      debugger 
      turbo_stream_from [ @user, :notifications ] # <--- throws aforementioned error
      div( data_controller: 'notifications', 
      ...
    end
end

I let the debugger rip (in my efforts to not just sit there and bark but actively trying to chip in) and found myself here

[7, 16] in ~/.asdf/installs/ruby/3.2.2/lib/ruby/gems/3.2.0/gems/phlex-rails-0.7.1/lib/phlex/rails/helper_macros.rb
     7|                         # frozen_string_literal: true
     8| 
     9|                         def #{method_name}(...)
    10|                                 output = helpers.#{method_name}(...)
    11| 
=>  12|                                 case output
    13|                                 when ActiveSupport::SafeBuffer
    14|                                         @_target << output
    15|                                 end

at the exact moment in time and space @_target actually is nil which obviously is less of a help to output.

My environment is:
rails: 7.0.8
ruby: ruby 3.2.2 (2023-03-30 revision e51014f9c0) [arm64-darwin22]
phlex: 1.9.1
phlex-rails: 0.7.1

[wdiechmann]

phlex 1.4.0 was as far as I could get without stuff 'falling apart' - will have to go back and try tip-toeing forwards through minors if you need more details on what mishaps bars my path though (but the undefined method << was one of them, I'm sure)

text was another - but that was an easy 'fix' (though I probably should get arrested )

class Views::Components::Form::PhlexBase
  def text txt
    span { txt }
  end
end

-- but the real issue at hand is that I've built an entire forms components lib, back from when, if you recall, phlex would not pick up output from fields_for and friends

I use this lib in an app of mine (and it's a real joy to use Phlex by the way) but with 20+ components (and another 15-20 other components all based off of this, it gets increasing difficult to throw it all out and start all over using your latest and greatest 'phlexings'; tricking form_for into including nested_attributes was quite an effort, and I did give it fair go with your newest inventions but I just couldn't dismantle everything and start another 6 months sprint ATM 😢

Joel - don't think it's worth waisting bandwidth over - move on, and I'll see if somewhen down the road I get some timeslots to rebuild - but thx a bunch again for your attention and interest! It's monumental and so very appreciated ❤️
( and I should have kept my mouth shut on this - 'cause no wars are won going back to bow and arrows )

[joeldrapper]

Okay, here’s what you should do then. Add this to your Gemfile.

gem "phlex", "~> 1.4"

Run

bundle update phlex

This should update you from 1.4.0 to 1.4.1 which has no breaking changes from 1.4.0 but includes the security fix.

[wdiechmann]

😮

this is magic - AFAIKS -

√ src % grep phlex Gemfile*
Gemfile:gem "phlex", "~> 1.4"
Gemfile:gem "phlex-rails" 
Gemfile.lock:    phlex (1.9.1)
Gemfile.lock:    phlex-rails (1.1.1)
Gemfile.lock:      phlex (~> 1.9)
Gemfile.lock:  phlex (~> 1.4)
Gemfile.lock:  phlex-rails

not sure what version I'm on - but so far it is holding up

Huge thanks, @joeldrapper - HUGE!

[joeldrapper]

That’s why we went back and manually patched all 10 minor releases. 😅

[wdiechmann]

which makes it even more HUGE - if I find a way to move my components forward, I promise not to remiss posting on the endeavour getting there affording other junior devs a less malign path

thx again!