
v2.17.2


@rubiii rubiii released this 10 Jun 17:28

Fix CVE-2026-53510 and restore 2.17.0 cookie regressions

Fixed

  • Fix CVE-2026-53510. Savon::Model generated SOAP operation methods by interpolating operation names into Ruby source passed to module_eval. An attacker who can control the operation names of a WSDL can inject Ruby code that executes in the application process. This affects only the .all_operations class method provided by Savon::Model to automatically register all operations provided by the WSDL. Configuring Savon::Model with trusted operation names via .operations is safe. Thanks to @connorshea for securely disclosing this, providing a proof and a great report.
  • :cookies request option works again. The 2.17.0 transport refactor reimplemented cookie handling on top of Array#map, which broke callers passing an object that responds to #cookies and lost cookie-name de-duplication via HTTPI::CookieStore. The HTTPI transport delegates to HTTPI::Request#set_cookies again, restoring both shapes.
  • response.http.cookies works again. 2.17.0's Savon::Transport::Response only exposed code, headers, and body. The HTTPI transport now returns Array<HTTPI::Cookie> (matching 2.12.1). The Faraday transport returns Hash<String, String> so Faraday callers do not need HTTPI types.
  • :attachments now works with a user-supplied :xml envelope (#761). Multipart support shipped in 2.13.0 but only wrapped envelopes Savon built itself. When a caller passed their own :xml, attachments were silently dropped.
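The unsafe pattern the CVE-2026-53510 entry describes, beside a hardened registrar that treats WSDL operation names as data rather than source text. This is an added example, not Savon's own code; `FakeWsdl`, `UnsafeModel`, `SafeModel`, `Client` and the `NAME` pattern are assumptions for illustration.

```ruby
# Hypothetical stand-in for a parsed WSDL. In the real scenario the
# operation names come from an untrusted document.
FakeWsdl = Struct.new(:operations)

module UnsafeModel
  # BEFORE (the pattern the advisory describes): the operation name is
  # interpolated into Ruby source and evaluated, so anything that is not a
  # plain identifier becomes executable code.
  def self.register_all(target, wsdl)
    wsdl.operations.each do |op|
      target.module_eval <<~RUBY
        def #{op}(locals = {})
          call(:#{op}, locals)
        end
      RUBY
    end
  end
end

module SafeModel
  # A dispatchable operation name is a snake_case identifier; anything else
  # is rejected before it reaches method definition (assumed policy).
  NAME = /\A[a-z_][a-z0-9_]*\z/

  def self.register_all(target, wsdl)
    wsdl.operations.each do |op|
      name = op.to_s
      raise ArgumentError, "unsafe operation name: #{name.inspect}" unless NAME.match?(name)
      # AFTER: define_method takes the name as data, never as source text.
      target.define_method(name) { |locals = {}| call(name.to_sym, locals) }
    end
  end
end

# Minimal client whose generated methods delegate to #call (constructed).
class Client
  def call(operation, locals)
    [operation, locals]
  end
end

# Build a client class with operations registered through the hardened path.
def safe_registration(names)
  klass = Class.new(Client)
  SafeModel.register_all(klass, FakeWsdl.new(names))
  klass
end
```

With the hardened registrar a name such as "get_user; x" is refused outright, whereas the evaluated form would have turned it into executable Ruby.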

Added

  • Faraday :cookies option accepts a String or Hash. Strings are used verbatim, Hashes are formatted as "name=value; name=value". Round-trippable with the Faraday response shape.
  • Three Nori response-parsing options exposed as Savon globals: :empty_tag_value (default nil), :convert_dashes_to_underscores (default true), and :scrub_xml (default true). Defaults match Nori's own for backwards compatibility.

Changed

  • Minimum Nori version is now ~> 2.7 (was ~> 2.4). Needed for the new parsing options (:empty_tag_value arrived in Nori 2.6.0, :scrub_xml in 2.7.0). The 2.5–2.7 series also brings fixes callers benefit from automatically: invalid byte sequences parse instead of raising, REXML no longer turns &lt; inside CDATA into <, xs:date/xs:time/xs:dateTime typecasting was corrected, and Nori stopped monkey-patching String and Object.
  • Faraday migration hints are now value-aware and verified. Each hint prints the caller's actual option value and spells out the full gem/require/setup where needed. Fixed several incorrect examples and added tests to verify every hint.

Deprecated

  • Deprecated the global and local :multipart options. They have been no-ops since v2.13.0 (specifically since commit 4e7ae5e). Savon detects multipart responses by checking the Content-Type header.

Security advisory: GHSA-mx5j-mp4f-g8jg
Changelog: https://github.com/savonrb/savon/blob/main/CHANGELOG.md
Commits: v2.17.1...v2.17.2