
Update dependency yard to v0.9.36 [SECURITY] #2281

Merged
merged 1 commit into from
Mar 6, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Feb 28, 2024

Mend Renovate

This PR contains the following updates:

Package: yard (source)
Change: 0.9.28 -> 0.9.36

GitHub Vulnerability Alerts

CVE-2024-27285

Summary

The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.

Details

The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the "frames.erb" template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window's location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs.

Snippet from "frames.erb":
(v0.9.34)

<script type="text/javascript">
  var match = unescape(window.location.hash).match(/^#!(.+)/);
  var name = match ? match[1] : '<%= url_for_main %>';
  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
  window.top.location = name;
</script>

(v0.9.35)

<script type="text/javascript">
  var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
  var name = match ? match[1] : '<%= url_for_main %>';
  name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
  window.top.location.replace(name)
</script>

PoC (Proof of Concept)

To exploit this vulnerability:

  1. Gain access to the generated Yard Doc.
  2. Locate and access the "frames.html" file.
  3. Construct a URL containing the malicious payload in the hash segment, for instance: #!javascript:xss for v0.9.34, and #:javascript:xss for v0.9.35

Impact

This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user's session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application's integrity.


Release Notes

lsegal/yard (yard)

v0.9.36


v0.9.35


  • Fix possible XSS on generated YARD frameset pages (thanks to @RedYetiDev for finding and patching) (2069e2b).
  • Fix errors when using @option on non-method objects (#1508)
  • Support Ruby 3.3 changes in Ripper parser (#1510)

v0.9.34


  • Add changelog to yard.gemspec
  • Fix fork behavior in yard server --fork

v0.9.33


  • Ensure .yardopts is present in gem package (internal YARD documentation change)

v0.9.32


  • Fix issue with custom Rack::Request attributes in yard server

v0.9.31


  • Remove dependency on webrick in YARD::Server::Commands::StaticFileHelpers

v0.9.30


  • Hot release fix to correct issue with gem packaging missing templates (#1490)

v0.9.29



Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
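The hash handling quoted in the advisory above, reproduced as an added example that is neither YARD's code nor part of this PR: the v0.9.34 and v0.9.35 sanitizers from the quoted frames.erb are lifted into plain functions so both payloads can be checked in Node, followed by a hardened resolver of my own (resolveFrameTarget, an assumption, not the fix that shipped in v0.9.36) that resolves the requested name against the frameset page's own URL and only follows http(s)/file targets on the same scheme and host. The `fallback` parameter stands in for the ERB-expanded url_for_main. Note that the script only acts on hashes matching ^#!, so the v0.9.35 payload is sent here as #!:javascript:xss; the leading colon satisfies the optional scheme group with an empty scheme, and the replace strips only that colon.

```javascript
// Added example (not YARD's code): the frames.erb hash handling quoted in the
// advisory, as pure functions, plus a hardened resolver that is my own design.
// `fallback` stands in for the ERB-expanded '<%= url_for_main %>' (assumption).

// v0.9.34 logic: only strips a leading "scheme://" or "//", so a bare
// "javascript:..." target survives and is assigned to window.top.location.
function sanitizeFrameTarget034(hash, fallback = 'index.html') {
  const match = unescape(hash).match(/^#!(.+)/); // unescape: legacy global, as in the template
  let name = match ? match[1] : fallback;
  name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
  return name;
}

// v0.9.35 logic: strips one optional "scheme:" plus any slashes. A leading ":"
// matches the optional group with an empty scheme, so ":javascript:xss"
// collapses to "javascript:xss" (the advisory's second PoC).
function sanitizeFrameTarget035(hash, fallback = 'index.html') {
  const match = decodeURIComponent(hash).match(/^#!(.+)/);
  let name = match ? match[1] : fallback;
  name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
  return name;
}

// Hardened resolver (my own, not the v0.9.36 fix): instead of stripping
// dangerous prefixes, resolve the requested name against the frameset page's
// URL and accept only http(s)/file targets on the same scheme and host.
// javascript:, data:, protocol-relative "//host" and undecodable input all
// fall back to the default page.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'file:']);

function resolveFrameTarget(hash, docUrl, fallback = 'index.html') {
  const base = new URL(docUrl);
  const safeDefault = new URL(fallback, base).href;

  let raw;
  try {
    raw = decodeURIComponent(hash);
  } catch {
    return safeDefault; // malformed percent-encoding
  }
  const match = raw.match(/^#!(.+)/);
  if (!match) return safeDefault;

  let target;
  try {
    target = new URL(match[1], base);
  } catch {
    return safeDefault; // unparseable reference
  }
  const sameSite = target.protocol === base.protocol && target.host === base.host;
  if (!SAFE_SCHEMES.has(target.protocol) || !sameSite) return safeDefault;
  return target.href;
}

// Demo: each sanitizer's verdict on the advisory's payloads and a benign name.
const sampleDoc = 'https://docs.example/yard/frames.html'; // constructed sample URL
for (const h of ['#!javascript:xss', '#!:javascript:xss', '#!//evil.example/x', '#!YARD/CLI.html']) {
  console.log(h, '=>',
    '0.9.34:', sanitizeFrameTarget034(h),
    '| 0.9.35:', sanitizeFrameTarget035(h),
    '| hardened:', resolveFrameTarget(h, sampleDoc));
}
```

Resolving with the URL constructor and then checking scheme and host is a positive allow-list: the dangerous input never reaches a location assignment, so there is no prefix-stripping regex to bypass. The file: case is included because generated YARD docs are often opened straight from disk, where the frameset's origin is opaque and only the scheme and (empty) host can be compared.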

@renovate renovate bot added the security An issue with the security of the service label Feb 28, 2024
@renovate renovate bot force-pushed the renovate/rubygems-yard-vulnerability branch from 96c4b95 to 3c13c2c Compare March 1, 2024 03:57
@renovate renovate bot changed the title Update dependency yard to v0.9.35 [SECURITY] Update dependency yard to v0.9.36 [SECURITY] Mar 1, 2024
@renovate renovate bot force-pushed the renovate/rubygems-yard-vulnerability branch from 3c13c2c to 21040a1 Compare March 3, 2024 12:34
@r-ferrier r-ferrier merged commit 37db8cb into main Mar 6, 2024
2 checks passed
@r-ferrier r-ferrier deleted the renovate/rubygems-yard-vulnerability branch March 6, 2024 13:12
Labels
security An issue with the security of the service