CVE-2019-5477 - Nokogiri Command Injection Vulnerability
This issue has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).
I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Nokogiri maintainers.
Severity
Nokogiri maintainers have evaluated this as High (CVSS3 8.1)
Description
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
Affected Versions
Nokogiri < v1.10.4
Mitigation
Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.
Further Mitigating Actions Taken
This vulnerability could have been easily detected using Rubocop's Security cop, and so the Security cop has been introduced into the test suite. If for any reason Rubocop flags something as "insecure" in the future, that will fail the test suite and block release.
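The sink described in the Description section and the kind of check the Security cop adds, as an added Ruby example (this is not code from Nokogiri, Rexical or RuboCop): `load_file_unsafe` is a constructed, simplified stand-in for a Rexical-generated `load_file` that passes its argument straight to Kernel#open; `load_file_safe` is one hardening, replacing Kernel#open with File.open (which never spawns a process) and rejecting pipe-style arguments explicitly, which I believe matches the direction of the Rexical v1.0.7 fix but is stated here as an assumption; `flag_kernel_open` is a regex approximation of what RuboCop's `Security/Open` cop looks for, not the cop itself. The function names, the sample source text and the temp-file contents are all constructed for this example.

```ruby
# Added example (not part of the Nokogiri advisory, Rexical or RuboCop).
# Kernel#open treats a leading "|" as a request to spawn a subprocess, so a
# filename argument that is attacker-controlled becomes a command-injection
# sink. File.open only opens files and never spawns anything.

require "tempfile"

# True if Kernel#open would interpret +arg+ as a command to run rather
# than a file to read (Kernel#open pipes to a subprocess on a leading "|").
def pipe_open_argument?(arg)
  arg.to_s.start_with?("|")
end

# Vulnerable shape (constructed, simplified): the filename flows straight
# into the bare Kernel#open, exactly the pattern the advisory describes.
def load_file_unsafe(filename)
  data = nil
  open(filename, "r") { |f| data = f.read } # Kernel#open: "|cmd" would spawn cmd
  data
end

# Hardened shape (assumed fix direction): File.open cannot spawn a process,
# and the explicit check turns pipe-style input into a clear error rather
# than a confusing "file not found".
def load_file_safe(filename)
  if pipe_open_argument?(filename)
    raise ArgumentError, "refusing pipe-style filename: #{filename.inspect}"
  end
  File.open(filename, "r") { |f| f.read }
end

# Heuristic detector in the spirit of RuboCop's Security/Open cop: flags
# lines that call the bare Kernel#open with a non-literal first argument.
# Receiver-qualified calls (File.open, IO.open) and string literals are
# skipped. Returns [[line_number, stripped_line], ...].
def flag_kernel_open(source)
  source.each_line.with_index(1).select do |line, _|
    line =~ /(?<![\w.:])open\s*\(\s*(?!["'])/
  end.map { |line, no| [no, line.strip] }
end

# Constructed source snippet for the detector: line 2 is the risky call,
# line 4 is receiver-qualified, line 5 uses a literal.
SAMPLE_SOURCE = <<~RUBY
  def load_file(filename)
    open(filename, "r") { |f| @ss = StringScanner.new(f.read) }
  end
  File.open(config_path) { |f| f.read }
  open("fixed.txt")
RUBY

# End-to-end self-check on a constructed temp file: both loaders read a
# plain path identically; only the safe one refuses a pipe-style argument.
def demo
  Tempfile.create("css-tokens") do |tmp|
    tmp.write("a > b { color: red }")
    tmp.flush
    blocked = begin
      load_file_safe("|id")
      false
    rescue ArgumentError
      true
    end
    {
      unsafe_on_plain_path: load_file_unsafe(tmp.path),
      safe_on_plain_path: load_file_safe(tmp.path),
      pipe_argument_blocked: blocked,
      flagged_lines: flag_kernel_open(SAMPLE_SOURCE).map(&:first),
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The detector is deliberately a line-level regex so it runs without RuboCop; the real `Security/Open` cop works on the parsed AST and is what belongs in a test suite, which is the approach the advisory describes.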
References
- (private) https://hackerone.com/reports/650835
- CVE-2019-5477 - Nokogiri Command Injection Vulnerability #1915
- https://ruby-doc.org/core-2.6.3/Kernel.html#method-i-open
- https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
History of this public disclosure
- 2019-07-20T19:42+00:00: empty issue-of-record created, all information is embargoed
- 2019-08-11T19:28+00:00: embargo ends, full information made available