-
-
Notifications
You must be signed in to change notification settings - Fork 221
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
b89b08b
commit 17f0423
Showing
1 changed file
with
65 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| --- | ||
| gem: view_component | ||
| cve: 2024-21636 | ||
| ghsa: wf2x-8w6j-qw37 | ||
| url: https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37 | ||
| title: view_component Cross-site Scripting vulnerability | ||
| date: 2024-01-04 | ||
| description: | | ||
| ### Impact | ||
| _What kind of vulnerability is it? Who is impacted?_ | ||
| This is an XSS vulnerability that has the potential to impact | ||
| anyone rendering a component directly from a controller with the | ||
| view_component gem. Note that only components that define a | ||
| [`#call` method](https://viewcomponent.org/guide/templates.html#call) | ||
| (i.e. instead of using a sidecar template) are affected. The return | ||
| value of the `#call` method is not sanitized and can include | ||
| user-defined content. | ||
| In addition, the return value of the | ||
| [`#output_postamble` method](https://viewcomponent.org/api.html#output_postamble--string) | ||
| is not sanitized, which can also lead to XSS issues. | ||
| ### Patches | ||
| _Has the problem been patched? What versions should users upgrade to?_ | ||
| Versions 3.9.0 has been released and fully mitigates both the | ||
| `#call` and the `#output_postamble` vulnerabilities. | ||
| ### Workarounds | ||
| _Is there a way for users to fix or remediate the vulnerability | ||
| without upgrading?_ | ||
| Sanitize the return value of `#call`, eg: | ||
| ```ruby | ||
| class MyComponent < ApplicationComponent | ||
| def call | ||
| html_escape("<div>#{user_input}</div>") | ||
| end | ||
| end | ||
| ``` | ||
| ### References | ||
| _Are there any links users can visit to find out more?_ | ||
| https://github.com/ViewComponent/view_component/pull/1950 | ||
| ### For more information | ||
| If you have any questions or comments about this advisory: | ||
| Open an issue in the | ||
| [github/view_component](https://github.com/github/view_component) project. | ||
| cvss_v3: 6.1 | ||
| patched_versions: | ||
| - ">= 3.9.0" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2024-21636 | ||
| - https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37 | ||
| - https://github.com/ViewComponent/view_component/pull/1950 | ||
| - https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017 | ||
| - https://github.com/advisories/GHSA-wf2x-8w6j-qw37 |