New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency yard to "~> 0.9", ">= 0.9.20" [security] #91

Merged

damacus merged 1 commit into main from renovate/rubygems-yard-vulnerability

Nov 28, 2023

Contributor

renovate bot commented Nov 28, 2023

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
yard (source)	`"~> 0.8"` -> `"~> 0.9", ">= 0.9.20"`

GitHub Vulnerability Alerts

CVE-2017-17042

lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.

CVE-2019-1020001

Possible arbitrary path traversal and file access via `yard server`

Impact

A path traversal vulnerability was discovered in YARD <= 0.9.19 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

Thanks to CuongMX from Viettel Cyber Security for discovering this vulnerability.

Patches

Please upgrade to YARD v0.9.20 immediately if you are relying on yard server to host documentation in any untrusted environments.

Workarounds

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

Release Notes

lsegal/yard (yard)

`v0.9.20`

Fix parsing of stringified Symbols in Ruby source (#1256).
Fix path traversal vulnerability in yard server. This bug would allow
unsanitized HTTP requests to access arbitrary files on the machine of a
yard server host under certain conditions. Thanks to CuongMX from
Viettel Cyber Security for discovering this vulnerability.

`v0.9.19`

Fixed bug in browser back button (#1071, #1228)
Fixed handling of ArgumentError in ExtraFileObject (#1198)
Fixed double return tag displaying on boolean methods (#1226)
Removed unused Module#namespace_name function (#1229)
Fixed parsing order of README files. YARD will now prefer README over
README.md over README.x.md or README-x.md (and the like). READMEs will now
also be ordered by filename; the first README is still chosen unless
--readme is provided.
Updated AsciiDoc markup support to use non-deprecated calls.

`v0.9.18`

`v0.9.17`

`v0.9.16`

Documentation fixes (#1175, #1178).
Fixed stack overflow issue when parsing extremely large lists (#1176).

`v0.9.15`

Fixed security issue in parsing of Ruby code that could allow for arbitrary
execution. Credit to Nelson Elhage [email protected] for discovering this
issue.

`v0.9.14`

Fixed a regression in symbol parsing (#1170).

`v0.9.13`

Added support for grouped constants via @!group directive (#1056).
Added support for quoted symbols (#1168).
Added support for i18n in tag text (#1169).
Fixed HTML rendering of inline code blocks (#1152).
Fixed rendering of anchor URLs in rendered HTML (#1154).

`v0.9.12`

Be more explicit about lack of support for absolute paths in extra files
specified by yard doc command.

`v0.9.11`

Fixed security issue in --readme that allowed for arbitrary file reads on
disk. Credit to ztz [email protected] for discovering this issue.
Improved styling for inline code blocks (#1142).

`v0.9.10`

Added --fail-on-warning option for yard doc which exits with a non-zero
code if there are any warnings (#1093).
Added support for parsing inside Struct.new blocks (#1099).
Added support new ripper AST tokens (#1104, #1124).
Fixed an issue where @see (obj) reference tags would fail (#1111)
Fix sorting in yard stats (#1123).

`v0.9.9`

Added gem uninstall hooks to remove YARD documentation files. (#1083)
Added support for C++ namespaces. (#809)
Fixed issue where loading a .html page via an anchor would not scroll to
the anchor section. (#1082)
Hide some Ruby warnings.
Improve progress indicator icons in terminal.

`v0.9.8`

Fixed installed gems not being correctly found in yard server and by plugins.
Fixed tokenization of %w(...) array syntax.

`v0.9.7`

Fixed resolution of absolute object paths with ambiguous names. (#1029)

`v0.9.6`

Removed official support for Ruby 1.x (1.8/1.9). YARD can still be installed
in these versions, but support is not guaranteed. Simple bug fixes may still
be considered via pull request only. Issues without code will be automatically
closed.
Added {YARD::Tags::Tag#explain_types} returning a plain English summary
of the type specification of a given tag. Also adds {YARD::Tags::TypesExplainer}
as an implementation class for the method.
Added support for automatic linking of constants and method calls of
Ruby syntax highlighted source code in generated HTML. Also adds the
{YARD::Parser::Ruby::TokenResolver} implementation class to iterate over
tokenized code with extra resolved object information.
Added support for compound constant assignments (A::B::C = true).
Added LibraryVersion#yardoc_file_for_SOURCE callback method for sources with
a pre-determined yardoc file location. Implement this method instead of
manually setting library.yardoc_file = ... in your load method (you can
still assign the attribute manually).
Use RubyGems 2.x+ API to query gems when available instead of using backport.
Various bug fixes

`v0.9.5`

yard doc will now generate .yardoc/processing and .yardoc/complete files
to allow other tools to properly detect when YARD is in the middle of parsing
source files, and when it has completed writing the database.
Added support for on-demand generation of LibraryVersion objects using the
:disk source type. LibraryVersion objects pointing to a .yardoc database
directory will now auto-generate if there is a source_path attached.
Added warning for macros attached to non-method objects.
Fixed a few more parsing errors.

`v0.9.4`

Minor Ruby file parsing and CSS bug fixes.

`v0.9.3`

Add changelog to yard.gemspec
Fix fork behavior in yard server --fork

`v0.9.2`

Enable table support for CommonMarker (#1443)
Parser performance improvements (#1452, #1453, #1454, #1455)
Fix autoload of RipperParser (#1460)
Remove dependency on webrick for better Ruby 3.1+ support
Improvements for mixin resolution (#1467, #1468)

`v0.9.1`

Fixed bug in browser back button (#1071, #1228)
Fixed handling of ArgumentError in ExtraFileObject (#1198)
Fixed double return tag displaying on boolean methods (#1226)
Removed unused Module#namespace_name function (#1229)
Fixed parsing order of README files. YARD will now prefer README over
README.md over README.x.md or README-x.md (and the like). READMEs will now
also be ordered by filename; the first README is still chosen unless
--readme is provided.
Updated AsciiDoc markup support to use non-deprecated calls.

`v0.9.0`

Special thanks to Alex Dowad, MSP-Greg, and Alex McLain for their extended
contributions to this version.

(Breaking Change): Replaced default template with an updated "frameless" version.
This change may affect backward compatibility if custom templates made modifications
to default/fulldoc/html, specifically the index or navigation lists.
Added support for Ruby 2.1+ decorator style method declaration syntax. YARD now
supports:
private def foo(x, y) end
Metadata headers in extra files can now be escaped from rendering by enclosing them
in HTML comment blocks (). Ensure that the opening
comment tag is alone on the first line of the file to use this functionality.
Improved parsing of various CRuby coding styles.
Fixed issue with binary image assets when using yard server.
Fixed deprecation warnings from Rake 10.x.
Tests updated for RSpec 3.

`v0.8.7.6`

Support using @option tag on keyword arg splat parameter. (#729)
Add .stats_options for YardocTask. (#800, #801)

`v0.8.7.5`

Fix linking of methods in top level namespace in method listing. (#776)
Support using C macros in function declarations. (#810)
YARD will no longer group comment blocks starting on the same column if they
are preceded by code. (#798)
Handle anonymous lambda calls in toplevel scope. (#774)
Support I18n in @overload tags. (#794)
Support yard stats for objects with no file property. (#792)
Support for named arguments in Ruby >= 2.1. (#785)
Exclude README backup files from YARD generation. (#790)
Turned on the lax spacing option in Redcarpet to comply with the
Markdown standard.
Escape HTML in YARD server search placeholder template.
Fix issue with private_class_method support. (#760, #767)
Enable tables support by default in Redcarpet Markdown provider. (#765)

`v0.8.7.4`

Mark C methods as explicit but also remove explicit check in stats. (#727)
Report unresolved parent namespaces as undocumentable errors instead. (#753)
No longer ignore overridden methods from documentation check in stats (#719)
Fix JRuby throwing exception when remove_method called on non-existent method. (#732)
Add basic support for private_class_method (#747)
Ensure namespace is always set when parent module is not found. (#753)
Set overflow as auto on table of contents.
Report 100% documented if nothing is undocumented. (#754)
Added support for RubyGems 2.0.0+. (#742)
Allow users to enter their own YARD RakeTask name. (#705)
Fixed a typo that was causing Windows detection to always fail. (#715)
Add debug information when loading a plugin fails. (#711)

`v0.8.7.3`

Handle Unicode method/class/file names in server URL encoding (lsegal/rubydoc.info#69).
Style keyword style hashes with same symbol color in code highlighting (#707).
Fix broken JS when visiting docs in file:// scheme (#706).
Add support for new AsciiDoc file extensions (#704).
Fix issues where non-Ruby code blocks would not display in Ruby 2 (#702).
Add support for extra Ruby 2 symbol types in Ripper (#701).
Ensure config directory exists before saving config file (#700).

`v0.8.7.2`

Disallow absolute URLs when using frame anchor support.
Support casted functions in CRuby method declarations (#697)

`v0.8.7.1`

Fix potential XSS issue with frame anchor support.
Add support for gettext 3.x gem.

`v0.8.7`

Support using @option tag on keyword arg splat parameter. (#729)
Add .stats_options for YardocTask. (#800, #801)

`v0.8.6.2`

Fixed issue where yard graph was not displaying methods

`v0.8.6.1`

Fixed broken links in File menu on default HTML template
Added --layout switch to yard display to wrap output in layout template.
See {file:docs/WhatsNew.md} for more information on added features.

`v0.8.6`

Fixed issue where yard graph was not displaying methods

`v0.8.5.2`

Support new keyword argument syntax in method signatures (Ruby 2.x)

`v0.8.5.1`

Fix yard diff of gem files with RubyGems 2.x

`v0.8.5`

Support new keyword argument syntax in method signatures (Ruby 2.x)

`v0.8.4.1`

Fix regression that broke loading of existing yardoc dbs (#648)

`v0.8.4`

Fix regression that broke loading of existing yardoc dbs (#648)

`v0.8.3`

Add --non-transitive-tag to disable tag transitivity (#571)
Support --db inside .yardopts for graph/server commands (#583, #586)
Fix handling for =begin/=end docstrings (#577, #578)
Parser only sorts file lists when a glob is provided (#572)
Fix formatting in {include:Object#method} syntax (#569)
Fix @option tag inside of module functions (#563)
Fix to --api and --no-api support (#559)
Fix class nesting issues when path starts with "::" (#552)

`v0.8.2.1`

Fix a set of regressions in yard server search and dynamic generation

`v0.8.2`

Fix a set of regressions in yard server search and dynamic generation

`v0.8.1`

Added --[no-]api switch to generate docs for API sets (see {file:docs/WhatsNew.md} for details) (#532)
The yard list command now uses cache by default (#533)
Fix yardoc generating incorrectly named method list file (#528)
Fix HTML output occasionally showing trailing mdash on options list (#522)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - "before 4am on Monday" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          chore(deps): update dependency yard to "~> 0.9", ">= 0.9.20" [security]

fb73736

damacus merged commit 7e2a90a into main

5 checks passed

damacus deleted the renovate/rubygems-yard-vulnerability branch

November 28, 2023 14:27

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet