CVE-2022-23476: fix(cruby): XML::Reader#attribute_hash returns nil on error · sparklemotion/nokogiri@9fe0761

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri >= 1.13.10. Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
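One way to carry out the check the advisory suggests, as an added example (not code from the Nokogiri project or the advisory): it reads the resolved nokogiri version from a Gemfile.lock and lists candidate call sites of `attributes` / `attribute_hash` in files that mention `XML::Reader`. The function names, the file-filter heuristic and the sample inputs are assumptions constructed for illustration.

```ruby
# Releases the advisory lists as affected; it says to upgrade to >= 1.13.10.
AFFECTED = %w[1.13.8 1.13.9].map { |v| Gem::Version.new(v) }.freeze
# Text search cannot know the receiver's type, so matches are review candidates.
CALL_RE = /\.(attribute_hash|attributes)\b/

# Resolved nokogiri versions from a Gemfile.lock "specs:" section (4-space
# indent); a platform suffix such as "-x86_64-linux" is dropped.
def locked_nokogiri_versions(lock_text)
  lock_text.scan(/^ {4}nokogiri \((\d[^\s)-]*)(?:-[^)]+)?\)$/)
           .flatten.uniq.map { |v| Gem::Version.new(v) }
end

def affected?(version)
  AFFECTED.include?(version)
end

# sources: { path => file contents }. Only files that mention XML::Reader are
# searched, which keeps unrelated #attributes calls (e.g. ORM models) out.
def reader_call_sites(sources)
  sources.flat_map do |path, text|
    next [] unless text.match?(/XML::Reader\b/)
    text.each_line.with_index(1).filter_map do |line, no|
      next if line.lstrip.start_with?("#")
      m = line.match(CALL_RE)
      "#{path}:#{no}: #{m[1]}" if m
    end
  end
end

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
LOCK
SAMPLE_SOURCES = {
  "lib/feed_import.rb" => "reader = Nokogiri::XML::Reader(io)\nreader.read\nputs reader.attribute_hash\n",
  "app/models/user.rb" => "user.attributes.slice(:name)\n",
}.freeze

if __FILE__ == $PROGRAM_NAME
  locked_nokogiri_versions(SAMPLE_LOCK).each { |v| puts "nokogiri #{v} affected=#{affected?(v)}" }
  puts reader_call_sites(SAMPLE_SOURCES)
end
```

A hit only means the line is worth reviewing: after the fix, the tests in the commit show `attribute_hash` returning `nil` on broken markup under CRuby, so reviewed call sites should tolerate `nil`.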


@@ -681,6 +681,38 @@ def test_nonexistent_attribute reader.read # el assert_nil(reader.attribute(“other”)) end
def test_broken_markup_attribute_hash xml = <<~XML <root><foo bar="asdf" xmlns:quux="qwer"> XML reader = Nokogiri::XML::Reader(xml) reader.read # root reader.read # foo
assert_equal(“foo", reader.name) if Nokogiri.jruby? assert_equal({ “bar” => “asdf” }, reader.attribute_hash) else assert_nil(reader.attribute_hash) end end
def test_broken_markup_namespaces xml = <<~XML <root><foo bar="asdf” xmlns:quux="qwer"> XML reader = Nokogiri::XML::Reader(xml) reader.read # root reader.read # foo
assert_equal("foo", reader.name) if Nokogiri.jruby? assert_equal({ “xmlns:quux” => “qwer” }, reader.namespaces) else assert_nil(reader.namespaces) end end end end end
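Review bot: test_broken_markup_namespaces asserts that reader.namespaces also returns nil on CRuby, but the commit subject only mentions XML::Reader#attribute_hash, so the method documentation should state the nil-on-error return for both methods and callers should be told to guard before chaining on the result. Neither added test exercises reader.attributes, which the advisory names alongside attribute_hash as an affected entry point; add a case for it on the same unclosed `<foo ...>` input so its behaviour on broken markup is pinned down. A short comment in each `if Nokogiri.jruby?` branch explaining why JRuby still returns a populated hash would also help the next reader.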

Related news

Gentoo Linux Security Advisory 202408-13

Gentoo Linux Security Advisory 202408-13 - A vulnerability has been discovered in Nokogiri, which can lead to a denial of service. Versions greater than or equal to 1.13.10 are affected.

GHSA-qv4q-mr5r-qprj: Unchecked return value from xmlTextReaderExpand

## Summary

Nokogiri `1.13.8, 1.13.9` fails to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

## Mitigation

Upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

## Severity

The Nokogiri maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

## References

- [CWE - CWE-252: Unchecked Return Value (4.9)](https://cwe.mitre.org/data/definitions/252.html)
- [CWE - CWE-476: NULL Pointer Dereference (4.9)](https://cwe.mitre.org/data/definitions/476.html)

## Credit

This vulnerability was respo...
