Nokogiri is an HTML, XML, SAX and Reader parser with the ability to search documents via XPath or CSS3 selectors. Affected versions of this gem are vulnerable to XML External Entity (XXE) attacks when the application opts into the DTDLOAD option and opts out of the NONET option.
Details
Nokogiri is affected by a series of vulnerabilities in libxml2 and libxslt, the libraries it depends on. When libxml2 expands XML external entities (XXE), the document's DTD can name further documents to be read. Opting into the DTDLOAD option and out of the NONET option in Nokogiri allows those documents to be loaded from the network. An attacker who can submit a specially crafted XML document to an internal XML parsing service can use this to make the parser fetch documents of the attacker's choosing, which may lead to unauthorized disclosure of potentially sensitive information.
Note: This vulnerability also exists in versions < 1.5.4 regardless of which options are opted into or out of. See information here.
Remediation
Nokogiri advises not to opt out of NONET unless only trusted documents are being parsed. There is no fix in libxml2 as of September 17th, 2017; Nokogiri is waiting for an upstream fix before updating.
Posted on Utopian.io - Rewarding Open Source Contributors
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-20299
Your contribution cannot be approved because it does not follow the Utopian Rules and is considered plagiarism. Plagiarism is not allowed on Utopian, and posts that engage in plagiarism will be flagged and hidden forever.
You can contact us on Discord.
[utopian-moderator]