Critical severityOSV Advisory· Published Aug 16, 2019· Updated Aug 4, 2024

CVE-2019-5477

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in Nokogiri v1.10.3 and earlier via `Nokogiri::CSS::Tokenizer#load_file` using `Kernel.open` allows arbitrary command execution.

Vulnerability

Overview

CVE-2019-5477 is a command injection vulnerability in the Nokogiri gem, versions 1.10.3 and earlier. The root cause lies in the lexical scanner code generated by the Rexical gem (versions 1.0.6 and earlier). Nokogiri uses Rexical to generate the Nokogiri::CSS::Tokenizer class [1]. The generated code uses Ruby's Kernel.open method in the load_file function [3]. When Kernel.open is passed a filename that starts with a pipe character (e.g., |command), Ruby executes the string as a shell command instead of opening a file, leading to command injection.

Exploitation and

Attack Surface

The vulnerability is present only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is called with unsanitized user input as the filename argument [1]. This method is not part of the standard public API and is not normally invoked directly by typical Nokogiri usage. However, if an application or library that uses Nokogiri mistakenly passes attacker-controlled input to this method, an attacker can achieve command injection. The exploit requires no authentication if the attacker can control the filename parameter passed to load_file [1].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the Ruby process. This can lead to full compromise of the application, data exfiltration, or further lateral movement within the affected infrastructure, depending on the environment's security posture.

Mitigation

The vulnerability is resolved in Nokogiri version 1.10.4, which incorporates the fix from Rexical version 1.0.7 [1]. The fix replaces the dangerous Kernel.open call with File.open in the generated tokenizer code, eliminating the command injection vector [3][4]. Users should upgrade to Nokogiri v1.10.4 or later. There is no known workaround as the vulnerable method is generated code that cannot be easily overridden.

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
nokogiriRubyGems	< 1.10.4	1.10.4
rexicalRubyGems	< 1.0.7	1.0.7

Affected products

180

Sparklemotion/NokogiriOSV
Range: 1.7.0.1-linux-binary1, REL_1.0.0, REL_1.0.1, …
ghsa-coords179 versions
pkg:gem/nokogiri pkg:gem/rexical pkg:rpm/suse/ardana-ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-horizon&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-horizon&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-input-model&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-input-model&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-manila&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-manila&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-tempest&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-tempest&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/crowbar-core&distro=SUSE%20Enterprise%20Storage%204 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/galera-3&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/galera-3&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/galera-3&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/grafana&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/mariadb-connector-c&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/mariadb-connector-c&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/mariadb-connector-c&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/mariadb&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/mariadb&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/mariadb&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/novnc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/novnc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/novnc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/novnc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-cinder-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-cinder-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-cinder-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-glance&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-glance-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-glance-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-glance-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-heat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-heat-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-heat-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-heat-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-horizon-plugin-neutron-vpnaas-ui&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-horizon-plugin-neutron-vpnaas-ui&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-horizon-plugin-neutron-vpnaas-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-monasca-installer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-gbp&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-lbaas&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-lbaas&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-lbaas&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-lbaas&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-lbaas-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-lbaas-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-lbaas-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-lbaas-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-nova-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-tempest&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-amqp&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-amqp&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-amqp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-ovs&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-ovs&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-pysaml2&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-python-engineio&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-python-engineio&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-urllib3&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/release-notes-hpe-helion-openstack&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-chef&distro=SUSE%20Enterprise%20Storage%204 pkg:rpm/suse/rubygem-chef&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-easy_diff&distro=SUSE%20Enterprise%20Storage%204 pkg:rpm/suse/rubygem-easy_diff&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-easy_diff&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015 pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1 pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2 pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/sleshammer&distro=SUSE%20Enterprise%20Storage%204 pkg:rpm/suse/sleshammer&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/venv-openstack-aodh&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-aodh&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-barbican&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-designate&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-magnum&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-manila&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-murano&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-murano&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-sahara&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-swift&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-trove&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-trove&distro=SUSE%20OpenStack%20Cloud%208
< 1.10.4+ 178 more
- (no CPE)range: < 1.10.4
- (no CPE)range: < 1.0.7
- (no CPE)range: < 8.0+git.1566374355.c509923-3.67.3
- (no CPE)range: < 8.0+git.1566374355.c509923-3.67.3
- (no CPE)range: < 8.0+git.1566376789.be0fe01-3.17.3
- (no CPE)range: < 8.0+git.1566376789.be0fe01-3.17.3
- (no CPE)range: < 8.0+git.1565816064.5d4f73f-3.18.3
- (no CPE)range: < 8.0+git.1565816064.5d4f73f-3.18.3
- (no CPE)range: < 8.0+git.1566517401.98450e6-3.33.3
- (no CPE)range: < 8.0+git.1566517401.98450e6-3.33.3
- (no CPE)range: < 8.0+git.1568835837.2452e7a-1.21.3
- (no CPE)range: < 8.0+git.1568835837.2452e7a-1.21.3
- (no CPE)range: < 8.0+git.1568220097.74ee4b4-3.33.3
- (no CPE)range: < 8.0+git.1568220097.74ee4b4-3.33.3
- (no CPE)range: < 8.0+git.1566902754.c58ff69-3.35.3
- (no CPE)range: < 8.0+git.1566902754.c58ff69-3.35.3
- (no CPE)range: < 8.0+git.1568373448.bcaee7e-3.20.3
- (no CPE)range: < 8.0+git.1568373448.bcaee7e-3.20.3
- (no CPE)range: < 8.0+git.1566471887.fd2fec7-3.27.3
- (no CPE)range: < 8.0+git.1566471887.fd2fec7-3.27.3
- (no CPE)range: < 4.0+git.1570463621.40b11cd48-9.54.1
- (no CPE)range: < 4.0+git.1570463621.40b11cd48-9.54.1
- (no CPE)range: < 5.0+git.1569597589.1f025c557-3.32.2
- (no CPE)range: < 5.0+git.1567673535.607aada-3.26.2
- (no CPE)range: < 4.0+git.1569429513.e7016b2b6-9.59.1
- (no CPE)range: < 5.0+git.1570141351.058c8bd44-4.31.2
- (no CPE)range: < 1.2.0+git.1568396400.0344a727-3.12.3
- (no CPE)range: < 25.3.25-4.6.3
- (no CPE)range: < 25.3.25-4.6.3
- (no CPE)range: < 25.3.25-4.6.3
- (no CPE)range: < 4.6.5-4.6.3
- (no CPE)range: < 4.6.5-1.11.2
- (no CPE)range: < 4.6.5-4.6.3
- (no CPE)range: < 4.6.5-4.6.3
- (no CPE)range: < 3.1.2-3.12.3
- (no CPE)range: < 3.1.2-3.12.3
- (no CPE)range: < 3.1.2-3.12.3
- (no CPE)range: < 10.2.25-4.14.2
- (no CPE)range: < 10.2.25-4.14.2
- (no CPE)range: < 10.2.25-4.14.2
- (no CPE)range: < 1.0.0-3.6.3
- (no CPE)range: < 1.0.0-12.1
- (no CPE)range: < 1.0.0-3.6.3
- (no CPE)range: < 1.0.0-3.6.3
- (no CPE)range: < 11.2.3~dev16-3.21.4
- (no CPE)range: < 11.2.3~dev16-3.21.4
- (no CPE)range: < 11.2.3~dev16-3.21.4
- (no CPE)range: < 11.2.3~dev16-3.21.3
- (no CPE)range: < 11.2.3~dev16-3.21.3
- (no CPE)range: < 11.2.3~dev16-3.21.3
- (no CPE)range: < 15.0.3~dev3-3.12.4
- (no CPE)range: < 15.0.3~dev3-3.12.4
- (no CPE)range: < 15.0.3~dev3-3.12.4
- (no CPE)range: < 15.0.3~dev3-3.12.3
- (no CPE)range: < 15.0.3~dev3-3.12.3
- (no CPE)range: < 15.0.3~dev3-3.12.3
- (no CPE)range: < 9.0.8~dev13-3.24.4
- (no CPE)range: < 9.0.8~dev13-3.24.4
- (no CPE)range: < 9.0.8~dev13-3.24.4
- (no CPE)range: < 9.0.8~dev13-3.24.3
- (no CPE)range: < 9.0.8~dev13-3.24.3
- (no CPE)range: < 9.0.8~dev13-3.24.3
- (no CPE)range: < 1.0.1~dev3-3.6.4
- (no CPE)range: < 1.0.1~dev3-3.6.4
- (no CPE)range: < 1.0.1~dev3-3.6.4
- (no CPE)range: < 12.0.4~dev4-5.27.4
- (no CPE)range: < 10.0.3~dev9-7.18.2
- (no CPE)range: < 12.0.4~dev4-5.27.4
- (no CPE)range: < 12.0.4~dev4-5.27.4
- (no CPE)range: < 12.0.4~dev4-5.27.3
- (no CPE)range: < 10.0.3~dev9-7.18.2
- (no CPE)range: < 12.0.4~dev4-5.27.3
- (no CPE)range: < 12.0.4~dev4-5.27.3
- (no CPE)range: < 20190923_16.32-3.9.3
- (no CPE)range: < 20190923_16.32-3.9.3
- (no CPE)range: < 20190923_16.32-3.9.3
- (no CPE)range: < 11.0.9~dev51-3.24.5
- (no CPE)range: < 9.4.2~dev21-7.32.1
- (no CPE)range: < 11.0.9~dev51-3.24.5
- (no CPE)range: < 11.0.9~dev51-3.24.5
- (no CPE)range: < 11.0.9~dev51-3.24.4
- (no CPE)range: < 9.4.2~dev21-7.32.1
- (no CPE)range: < 11.0.9~dev51-3.24.4
- (no CPE)range: < 11.0.9~dev51-3.24.4
- (no CPE)range: < 7.3.1~dev56-3.9.4
- (no CPE)range: < 7.3.1~dev56-3.9.4
- (no CPE)range: < 7.3.1~dev56-3.9.4
- (no CPE)range: < 11.0.4~dev6-3.15.4
- (no CPE)range: < 9.2.2~dev11-4.18.3
- (no CPE)range: < 11.0.4~dev6-3.15.4
- (no CPE)range: < 11.0.4~dev6-3.15.4
- (no CPE)range: < 11.0.4~dev6-3.15.4
- (no CPE)range: < 9.2.2~dev11-4.18.3
- (no CPE)range: < 11.0.4~dev6-3.15.4
- (no CPE)range: < 11.0.4~dev6-3.15.4
- (no CPE)range: < 16.1.9~dev7-3.29.3
- (no CPE)range: < 14.0.11~dev13-4.34.3
- (no CPE)range: < 16.1.9~dev7-3.29.3
- (no CPE)range: < 16.1.9~dev7-3.29.3
- (no CPE)range: < 16.1.9~dev7-3.29.3
- (no CPE)range: < 14.0.11~dev13-4.34.2
- (no CPE)range: < 16.1.9~dev7-3.29.3
- (no CPE)range: < 16.1.9~dev7-3.29.3
- (no CPE)range: < 12.2.1~a0~dev177-4.6.3
- (no CPE)range: < 2.2.2-3.6.3
- (no CPE)range: < 2.2.2-3.6.3
- (no CPE)range: < 2.2.2-3.6.3
- (no CPE)range: < 2.7.2-3.6.1
- (no CPE)range: < 2.7.2-3.6.1
- (no CPE)range: < 4.0.2-5.3.3
- (no CPE)range: < 4.0.2-3.11.3
- (no CPE)range: < 4.0.2-5.3.3
- (no CPE)range: < 4.0.2-5.3.3
- (no CPE)range: < 2.0.2-3.3.3
- (no CPE)range: < 2.0.2-3.3.3
- (no CPE)range: < 1.22-5.9.3
- (no CPE)range: < 1.16-3.9.2
- (no CPE)range: < 1.22-5.9.3
- (no CPE)range: < 1.22-5.9.3
- (no CPE)range: < 8.20190911-3.20.3
- (no CPE)range: < 8.20190911-3.20.3
- (no CPE)range: < 8.20190911-3.20.3
- (no CPE)range: < 10.32.2-5.12.1
- (no CPE)range: < 10.32.2-5.12.1
- (no CPE)range: < 1.0.0-3.3.1
- (no CPE)range: < 1.0.0-3.3.1
- (no CPE)range: < 1.0.0-3.4.2
- (no CPE)range: < 1.8.5-3.6.1
- (no CPE)range: < 1.8.5-3.6.1
- (no CPE)range: < 1.8.5-3.6.1
- (no CPE)range: < 1.6.1-5.3.1
- (no CPE)range: < 1.6.1-5.3.1
- (no CPE)range: < 1.6.1-5.3.1
- (no CPE)range: < 0.7.0-0.18.12.3
- (no CPE)range: < 0.7.0-0.18.12.3
- (no CPE)range: < 5.1.1~dev7-12.20.2
- (no CPE)range: < 5.1.1~dev7-12.20.2
- (no CPE)range: < 5.0.2~dev3-12.21.2
- (no CPE)range: < 5.0.2~dev3-12.21.2
- (no CPE)range: < 9.0.8~dev7-12.18.2
- (no CPE)range: < 9.0.8~dev7-12.18.2
- (no CPE)range: < 11.2.3~dev16-14.21.2
- (no CPE)range: < 11.2.3~dev16-14.21.2
- (no CPE)range: < 5.0.3~dev7-12.19.2
- (no CPE)range: < 5.0.3~dev7-12.19.2
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.16.2
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.16.2
- (no CPE)range: < 15.0.3~dev3-12.19.2
- (no CPE)range: < 15.0.3~dev3-12.19.2
- (no CPE)range: < 9.0.8~dev13-12.21.2
- (no CPE)range: < 9.0.8~dev13-12.21.2
- (no CPE)range: < 12.0.4~dev6-14.26.2
- (no CPE)range: < 12.0.4~dev6-14.26.2
- (no CPE)range: < 9.1.8~dev7-12.21.2
- (no CPE)range: < 9.1.8~dev7-12.21.2
- (no CPE)range: < 12.0.4~dev4-11.22.3
- (no CPE)range: < 12.0.4~dev4-11.22.3
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.20.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.20.2
- (no CPE)range: < 5.1.1~dev2-12.23.2
- (no CPE)range: < 5.1.1~dev2-12.23.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.16.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.16.2
- (no CPE)range: < 2.2.2~dev1-11.18.2
- (no CPE)range: < 2.2.2~dev1-11.18.2
- (no CPE)range: < 4.0.2~dev2-12.16.2
- (no CPE)range: < 4.0.2~dev2-12.16.2
- (no CPE)range: < 11.0.9~dev51-13.24.3
- (no CPE)range: < 11.0.9~dev51-13.24.3
- (no CPE)range: < 16.1.9~dev7-11.22.3
- (no CPE)range: < 16.1.9~dev7-11.22.3
- (no CPE)range: < 1.0.6~dev2-12.21.2
- (no CPE)range: < 1.0.6~dev2-12.21.2
- (no CPE)range: < 7.0.4~dev1-11.20.2
- (no CPE)range: < 7.0.4~dev1-11.20.2
- (no CPE)range: < 2.15.2-11.13.3
- (no CPE)range: < 2.15.2-11.13.3
- (no CPE)range: < 8.0.1~dev13-11.20.2
- (no CPE)range: < 8.0.1~dev13-11.20.2

Patches

5d3012834357

Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.x

https://github.com/sparklemotion/nokogiriMike DalessioAug 11, 2019via ghsa

commit

6 files changed · +240 −202

CHANGELOG.md+13 −0 modified

@@ -1,5 +1,18 @@
 # Nokogiri Changelog
 
+## 1.10.4 / 2019-08-07
+
+### Security
+
+#### Address CVE-2019-5477 (#1915)
+
+A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
+
+This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
+
+This CVE's public notice is https://github.com/sparklemotion/nokogiri/issues/1915
+
+
 ## 1.10.3 / 2019-04-22
 
 ### Security Notes

Gemfile+1 −0 modified

@@ -17,6 +17,7 @@ gem "rake", "~>12.0", :group => [:development, :test]
 gem "rake-compiler", "~>1.0.3", :group => [:development, :test]
 gem "rake-compiler-dock", "~>0.7.0", :group => [:development, :test]
 gem "rexical", "~>1.0.5", :group => [:development, :test]
+gem "rubocop", "~>0.73", :group => [:development, :test]
 gem "simplecov", "~>0.16", :group => [:development, :test]
 gem "rdoc", ">=4.0", "<7", :group => [:development, :test]
 gem "hoe", "~>3.17", :group => [:development, :test]

lib/nokogiri/css/tokenizer.rb+104 −103 modified

@@ -1,151 +1,152 @@
 #--
 # DO NOT MODIFY!!!!
-# This file is automatically generated by rex 1.0.5
+# This file is automatically generated by rex 1.0.7
 # from lexical definition file "lib/nokogiri/css/tokenizer.rex".
 #++
 
 module Nokogiri
 module CSS
 class Tokenizer # :nodoc:
-  require 'strscan'
+      require 'strscan'
 
-  class ScanError < StandardError ; end
+      class ScanError < StandardError ; end
 
-  attr_reader   :lineno
-  attr_reader   :filename
-  attr_accessor :state
+      attr_reader   :lineno
+      attr_reader   :filename
+      attr_accessor :state
 
-  def scan_setup(str)
-    @ss = StringScanner.new(str)
-    @lineno =  1
-    @state  = nil
-  end
+      def scan_setup(str)
+        @ss = StringScanner.new(str)
+        @lineno =  1
+        @state  = nil
+      end
 
-  def action
-    yield
-  end
+      def action
+        yield
+      end
 
-  def scan_str(str)
-    scan_setup(str)
-    do_parse
-  end
-  alias :scan :scan_str
+      def scan_str(str)
+        scan_setup(str)
+        do_parse
+      end
+      alias :scan :scan_str
 
-  def load_file( filename )
-    @filename = filename
-    open(filename, "r") do |f|
-      scan_setup(f.read)
-    end
-  end
+      def load_file( filename )
+        @filename = filename
+        File.open(filename, "r") do |f|
+          scan_setup(f.read)
+        end
+      end
 
-  def scan_file( filename )
-    load_file(filename)
-    do_parse
-  end
+      def scan_file( filename )
+        load_file(filename)
+        do_parse
+      end
 
 
-  def next_token
-    return if @ss.eos?
-    
-    # skips empty actions
-    until token = _next_token or @ss.eos?; end
-    token
-  end
+        def next_token
+          return if @ss.eos?
 
-  def _next_token
-    text = @ss.peek(1)
-    @lineno  +=  1  if text == "\n"
-    token = case @state
-    when nil
-      case
-      when (text = @ss.scan(/has\([\s]*/))
-         action { [:HAS, text] }
+          # skips empty actions
+          until token = _next_token or @ss.eos?; end
+          token
+        end
 
-      when (text = @ss.scan(/[-@]?([_A-Za-z]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])([_A-Za-z0-9-]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])*\([\s]*/))
-         action { [:FUNCTION, text] }
+        def _next_token
+          text = @ss.peek(1)
+          @lineno  +=  1  if text == "\n"
+          token = case @state
+            when nil
+          case
+                  when (text = @ss.scan(/has\([\s]*/))
+                     action { [:HAS, text] }
 
-      when (text = @ss.scan(/[-@]?([_A-Za-z]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])([_A-Za-z0-9-]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])*/))
-         action { [:IDENT, text] }
+                  when (text = @ss.scan(/[-@]?([_A-Za-z]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])([_A-Za-z0-9-]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])*\([\s]*/))
+                     action { [:FUNCTION, text] }
 
-      when (text = @ss.scan(/\#([_A-Za-z0-9-]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])+/))
-         action { [:HASH, text] }
+                  when (text = @ss.scan(/[-@]?([_A-Za-z]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])([_A-Za-z0-9-]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])*/))
+                     action { [:IDENT, text] }
 
-      when (text = @ss.scan(/[\s]*~=[\s]*/))
-         action { [:INCLUDES, text] }
+                  when (text = @ss.scan(/\#([_A-Za-z0-9-]|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])+/))
+                     action { [:HASH, text] }
 
-      when (text = @ss.scan(/[\s]*\|=[\s]*/))
-         action { [:DASHMATCH, text] }
+                  when (text = @ss.scan(/[\s]*~=[\s]*/))
+                     action { [:INCLUDES, text] }
 
-      when (text = @ss.scan(/[\s]*\^=[\s]*/))
-         action { [:PREFIXMATCH, text] }
+                  when (text = @ss.scan(/[\s]*\|=[\s]*/))
+                     action { [:DASHMATCH, text] }
 
-      when (text = @ss.scan(/[\s]*\$=[\s]*/))
-         action { [:SUFFIXMATCH, text] }
+                  when (text = @ss.scan(/[\s]*\^=[\s]*/))
+                     action { [:PREFIXMATCH, text] }
 
-      when (text = @ss.scan(/[\s]*\*=[\s]*/))
-         action { [:SUBSTRINGMATCH, text] }
+                  when (text = @ss.scan(/[\s]*\$=[\s]*/))
+                     action { [:SUFFIXMATCH, text] }
 
-      when (text = @ss.scan(/[\s]*!=[\s]*/))
-         action { [:NOT_EQUAL, text] }
+                  when (text = @ss.scan(/[\s]*\*=[\s]*/))
+                     action { [:SUBSTRINGMATCH, text] }
 
-      when (text = @ss.scan(/[\s]*=[\s]*/))
-         action { [:EQUAL, text] }
+                  when (text = @ss.scan(/[\s]*!=[\s]*/))
+                     action { [:NOT_EQUAL, text] }
 
-      when (text = @ss.scan(/[\s]*\)/))
-         action { [:RPAREN, text] }
+                  when (text = @ss.scan(/[\s]*=[\s]*/))
+                     action { [:EQUAL, text] }
 
-      when (text = @ss.scan(/\[[\s]*/))
-         action { [:LSQUARE, text] }
+                  when (text = @ss.scan(/[\s]*\)/))
+                     action { [:RPAREN, text] }
 
-      when (text = @ss.scan(/[\s]*\]/))
-         action { [:RSQUARE, text] }
+                  when (text = @ss.scan(/\[[\s]*/))
+                     action { [:LSQUARE, text] }
 
-      when (text = @ss.scan(/[\s]*\+[\s]*/))
-         action { [:PLUS, text] }
+                  when (text = @ss.scan(/[\s]*\]/))
+                     action { [:RSQUARE, text] }
 
-      when (text = @ss.scan(/[\s]*>[\s]*/))
-         action { [:GREATER, text] }
+                  when (text = @ss.scan(/[\s]*\+[\s]*/))
+                     action { [:PLUS, text] }
 
-      when (text = @ss.scan(/[\s]*,[\s]*/))
-         action { [:COMMA, text] }
+                  when (text = @ss.scan(/[\s]*>[\s]*/))
+                     action { [:GREATER, text] }
 
-      when (text = @ss.scan(/[\s]*~[\s]*/))
-         action { [:TILDE, text] }
+                  when (text = @ss.scan(/[\s]*,[\s]*/))
+                     action { [:COMMA, text] }
 
-      when (text = @ss.scan(/\:not\([\s]*/))
-         action { [:NOT, text] }
+                  when (text = @ss.scan(/[\s]*~[\s]*/))
+                     action { [:TILDE, text] }
 
-      when (text = @ss.scan(/-?([0-9]+|[0-9]*\.[0-9]+)/))
-         action { [:NUMBER, text] }
+                  when (text = @ss.scan(/\:not\([\s]*/))
+                     action { [:NOT, text] }
 
-      when (text = @ss.scan(/[\s]*\/\/[\s]*/))
-         action { [:DOUBLESLASH, text] }
+                  when (text = @ss.scan(/-?([0-9]+|[0-9]*\.[0-9]+)/))
+                     action { [:NUMBER, text] }
 
-      when (text = @ss.scan(/[\s]*\/[\s]*/))
-         action { [:SLASH, text] }
+                  when (text = @ss.scan(/[\s]*\/\/[\s]*/))
+                     action { [:DOUBLESLASH, text] }
 
-      when (text = @ss.scan(/U\+[0-9a-f?]{1,6}(-[0-9a-f]{1,6})?/))
-         action {[:UNICODE_RANGE, text] }
+                  when (text = @ss.scan(/[\s]*\/[\s]*/))
+                     action { [:SLASH, text] }
 
-      when (text = @ss.scan(/[\s]+/))
-         action { [:S, text] }
+                  when (text = @ss.scan(/U\+[0-9a-f?]{1,6}(-[0-9a-f]{1,6})?/))
+                     action {[:UNICODE_RANGE, text] }
 
-      when (text = @ss.scan(/"([^\n\r\f"]|\n|\r\n|\r|\f|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])*(?<!\\)(?:\\{2})*"|'([^\n\r\f']|\n|\r\n|\r|\f|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])*(?<!\\)(?:\\{2})*'/))
-         action { [:STRING, text] }
+                  when (text = @ss.scan(/[\s]+/))
+                     action { [:S, text] }
 
-      when (text = @ss.scan(/./))
-         action { [text, text] }
+                  when (text = @ss.scan(/"([^\n\r\f"]|\n|\r\n|\r|\f|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])*(?<!\\)(?:\\{2})*"|'([^\n\r\f']|\n|\r\n|\r|\f|[^\0-\177]|\\[0-9A-Fa-f]{1,6}(\r\n|[\s])?|\\[^\n\r\f0-9A-Fa-f])*(?<!\\)(?:\\{2})*'/))
+                     action { [:STRING, text] }
 
-      else
-        text = @ss.string[@ss.pos .. -1]
-        raise  ScanError, "can not match: '" + text + "'"
-      end  # if
+                  when (text = @ss.scan(/./))
+                     action { [text, text] }
 
-    else
-      raise  ScanError, "undefined state: '" + state.to_s + "'"
-    end  # case state
-    token
-  end  # def _next_token
+          
+          else
+            text = @ss.string[@ss.pos .. -1]
+            raise  ScanError, "can not match: '" + text + "'"
+          end  # if
+
+        else
+          raise  ScanError, "undefined state: '" + state.to_s + "'"
+        end  # case state
+          token
+        end  # def _next_token
 
 end # class
 end

lib/nokogiri/xml/builder.rb+33 −30 modified

@@ -213,7 +213,7 @@ module XML
     #       xml.foo
     #     end
     #   end
-    #   
+    #
     #   puts builder.to_xml
     #
     # Will output this xml:
@@ -250,7 +250,7 @@ class Builder
       #     xml.awesome # add the "awesome" tag below "some_tag"
       #   end
       #
-      def self.with root, &block
+      def self.with(root, &block)
         new({}, root, &block)
       end
 
@@ -263,31 +263,33 @@ def self.with root, &block
       #   Nokogiri::XML::Builder.new(:encoding => 'UTF-8') do |xml|
       #     ...
       #   end
-      def initialize options = {}, root = nil, &block
-
+      def initialize(options = {}, root = nil, &block)
         if root
-          @doc    = root.document
+          @doc = root.document
           @parent = root
         else
-          namespace     = self.class.name.split('::')
-          namespace[-1] = 'Document'
-          @doc          = eval(namespace.join('::')).new
-          @parent       = @doc
+          klassname = "::" + (self.class.name.split("::")[0..-2] + ["Document"]).join("::")
+          klass = begin
+                    Object.const_get(klassname)
+                  rescue NameError
+                    Nokogiri::XML::Document
+                  end
+          @parent = @doc = klass.new
         end
 
-        @context  = nil
-        @arity    = nil
-        @ns       = nil
+        @context = nil
+        @arity = nil
+        @ns = nil
 
-        options.each do |k,v|
+        options.each do |k, v|
           @doc.send(:"#{k}=", v)
         end
 
         return unless block_given?
 
         @arity = block.arity
         if @arity <= 0
-          @context = eval('self', block.binding)
+          @context = eval("self", block.binding)
           instance_eval(&block)
         else
           yield self
@@ -298,26 +300,26 @@ def initialize options = {}, root = nil, &block
 
       ###
       # Create a Text Node with content of +string+
-      def text string
+      def text(string)
         insert @doc.create_text_node(string)
       end
 
       ###
       # Create a CDATA Node with content of +string+
-      def cdata string
+      def cdata(string)
         insert doc.create_cdata(string)
       end
 
       ###
       # Create a Comment Node with content of +string+
-      def comment string
+      def comment(string)
         insert doc.create_comment(string)
       end
 
       ###
       # Build a tag that is associated with namespace +ns+.  Raises an
       # ArgumentError if +ns+ has not been defined higher in the tree.
-      def [] ns
+      def [](ns)
         if @parent != @doc
           @ns = @parent.namespace_definitions.find { |x| x.prefix == ns.to_s }
         end
@@ -348,15 +350,15 @@ def to_xml(*args)
 
       ###
       # Append the given raw XML +string+ to the document
-      def << string
+      def <<(string)
         @doc.fragment(string).children.each { |x| insert(x) }
       end
 
-      def method_missing method, *args, &block # :nodoc:
+      def method_missing(method, *args, &block) # :nodoc:
         if @context && @context.respond_to?(method)
           @context.send(method, *args, &block)
         else
-          node = @doc.create_element(method.to_s.sub(/[_!]$/, ''),*args) { |n|
+          node = @doc.create_element(method.to_s.sub(/[_!]$/, ""), *args) { |n|
             # Set up the namespace
             if @ns.is_a? Nokogiri::XML::Namespace
               n.namespace = @ns
@@ -377,13 +379,14 @@ def method_missing method, *args, &block # :nodoc:
       end
 
       private
+
       ###
       # Insert +node+ as a child of the current Node
       def insert(node, &block)
         node = @parent.add_child(node)
         if block_given?
           old_parent = @parent
-          @parent    = node
+          @parent = node
           @arity ||= block.arity
           if @arity <= 0
             instance_eval(&block)
@@ -396,36 +399,36 @@ def insert(node, &block)
       end
 
       class NodeBuilder # :nodoc:
-        def initialize node, doc_builder
+        def initialize(node, doc_builder)
           @node = node
           @doc_builder = doc_builder
         end
 
-        def []= k, v
+        def []=(k, v)
           @node[k] = v
         end
 
-        def [] k
+        def [](k)
           @node[k]
         end
 
         def method_missing(method, *args, &block)
           opts = args.last.is_a?(Hash) ? args.pop : {}
           case method.to_s
           when /^(.*)!$/
-            @node['id'] = $1
+            @node["id"] = $1
             @node.content = args.first if args.first
           when /^(.*)=/
             @node[$1] = args.first
           else
-            @node['class'] =
-              ((@node['class'] || '').split(/\s/) + [method.to_s]).join(' ')
+            @node["class"] =
+              ((@node["class"] || "").split(/\s/) + [method.to_s]).join(" ")
             @node.content = args.first if args.first
           end
 
           # Assign any extra options
-          opts.each do |k,v|
-            @node[k.to_s] = ((@node[k.to_s] || '').split(/\s/) + [v]).join(' ')
+          opts.each do |k, v|
+            @node[k.to_s] = ((@node[k.to_s] || "").split(/\s/) + [v]).join(" ")
           end
 
           if block_given?

Rakefile+6 −0 modified

@@ -143,6 +143,7 @@ HOE = Hoe.spec 'nokogiri' do
     ["rake-compiler",      "~> 1.0.3"],
     ["rake-compiler-dock", "~> 0.7.0"],
     ["rexical",            "~> 1.0.5"],
+    ["rubocop",            "~> 0.73"],
     ["simplecov",          "~> 0.16"],
   ]
 
@@ -275,6 +276,11 @@ task :java_debug do
 end
 Rake::Task[:test].prerequisites << :java_debug
 
+task :rubocop_security do
+  sh "rubocop lib --only Security"
+end
+Rake::Task[:test].prerequisites << :rubocop_security
+
 if Hoe.plugins.include?(:debugging)
   ['valgrind', 'valgrind:mem', 'valgrind:mem0'].each do |task_name|
     Rake::Task["test:#{task_name}"].prerequisites << :compile

test/xml/test_builder.rb+83 −69 modified

@@ -10,7 +10,7 @@ def test_attribute_sensitivity
           x.tag "hello", "abcDef" => "world"
         }.to_xml
         doc = Nokogiri.XML xml
-        assert_equal 'world', doc.root['abcDef']
+        assert_equal "world", doc.root["abcDef"]
       end
 
       def test_builder_multiple_nodes
@@ -21,7 +21,6 @@ def test_builder_multiple_nodes
         end
       end
 
-
       def test_builder_with_utf8_text
         text = "test ﺵ "
         doc = Nokogiri::XML::Builder.new(:encoding => "UTF-8") { |xml| xml.test text }.doc
@@ -33,8 +32,8 @@ def test_builder_escape
           x.condition "value < 1", :attr => "value < 1"
         }.to_xml
         doc = Nokogiri.XML xml
-        assert_equal 'value < 1', doc.root['attr']
-        assert_equal 'value < 1', doc.root.content
+        assert_equal "value < 1", doc.root["attr"]
+        assert_equal "value < 1", doc.root.content
       end
 
       def test_builder_namespace
@@ -44,10 +43,10 @@ def test_builder_namespace
           end
         }.doc
 
-        b = doc.at('b')
+        b = doc.at("b")
         assert b
-        assert_equal({"xmlns:a"=>"x", "xmlns:b"=>"y"}, b.namespaces)
-        assert_equal({"xmlns:b"=>"y"}, namespaces_defined_on(b))
+        assert_equal({ "xmlns:a" => "x", "xmlns:b" => "y" }, b.namespaces)
+        assert_equal({ "xmlns:b" => "y" }, namespaces_defined_on(b))
       end
 
       def test_builder_namespace_part_deux
@@ -57,10 +56,10 @@ def test_builder_namespace_part_deux
           end
         }.doc
 
-        b = doc.at('b')
+        b = doc.at("b")
         assert b
-        assert_equal({"xmlns:a"=>"x", "xmlns:b"=>"y", "xmlns:c"=>"z"}, b.namespaces)
-        assert_equal({"xmlns:a"=>"x", "xmlns:c"=>"z"}, namespaces_defined_on(b))
+        assert_equal({ "xmlns:a" => "x", "xmlns:b" => "y", "xmlns:c" => "z" }, b.namespaces)
+        assert_equal({ "xmlns:a" => "x", "xmlns:c" => "z" }, namespaces_defined_on(b))
       end
 
       def test_builder_with_unlink
@@ -75,58 +74,58 @@ def test_builder_with_unlink
 
       def test_with_root
         doc = Nokogiri::XML(File.read(XML_FILE))
-        Nokogiri::XML::Builder.with(doc.at('employee')) do |xml|
+        Nokogiri::XML::Builder.with(doc.at("employee")) do |xml|
           xml.foo
         end
-        assert_equal 1, doc.xpath('//employee/foo').length
+        assert_equal 1, doc.xpath("//employee/foo").length
       end
 
       def test_root_namespace_default_decl
-        b = Nokogiri::XML::Builder.new { |xml| xml.root(:xmlns => 'one:two') }
+        b = Nokogiri::XML::Builder.new { |xml| xml.root(:xmlns => "one:two") }
         doc = b.doc
-        assert_equal 'one:two', doc.root.namespace.href
-        assert_equal({ 'xmlns' => 'one:two' }, doc.root.namespaces)
+        assert_equal "one:two", doc.root.namespace.href
+        assert_equal({ "xmlns" => "one:two" }, doc.root.namespaces)
       end
 
       def test_root_namespace_multi_decl
         b = Nokogiri::XML::Builder.new { |xml|
-          xml.root(:xmlns => 'one:two', 'xmlns:foo' => 'bar') do
+          xml.root(:xmlns => "one:two", "xmlns:foo" => "bar") do
             xml.hello
           end
         }
         doc = b.doc
-        assert_equal 'one:two', doc.root.namespace.href
-        assert_equal({ 'xmlns' => 'one:two', 'xmlns:foo' => 'bar' }, doc.root.namespaces)
+        assert_equal "one:two", doc.root.namespace.href
+        assert_equal({ "xmlns" => "one:two", "xmlns:foo" => "bar" }, doc.root.namespaces)
 
-        assert_equal 'one:two', doc.at('hello').namespace.href
+        assert_equal "one:two", doc.at("hello").namespace.href
       end
 
       def test_non_root_namespace
         b = Nokogiri::XML::Builder.new { |xml|
-          xml.root { xml.hello(:xmlns => 'one') }
+          xml.root { xml.hello(:xmlns => "one") }
         }
-        assert_equal 'one', b.doc.at('hello', 'xmlns' => 'one').namespace.href
+        assert_equal "one", b.doc.at("hello", "xmlns" => "one").namespace.href
       end
 
       def test_specify_namespace
         b = Nokogiri::XML::Builder.new { |xml|
-          xml.root('xmlns:foo' => 'bar') do
+          xml.root("xmlns:foo" => "bar") do
             xml[:foo].bar
-            xml['foo'].baz
+            xml["foo"].baz
           end
         }
         doc = b.doc
-        assert_equal 'bar', doc.at('foo|bar', 'foo' => 'bar').namespace.href
-        assert_equal 'bar', doc.at('foo|baz', 'foo' => 'bar').namespace.href
+        assert_equal "bar", doc.at("foo|bar", "foo" => "bar").namespace.href
+        assert_equal "bar", doc.at("foo|baz", "foo" => "bar").namespace.href
       end
 
       def test_dtd_in_builder_output
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.doc.create_internal_subset(
-                                         'html',
-                                         "-//W3C//DTD HTML 4.01 Transitional//EN",
-                                         "http://www.w3.org/TR/html4/loose.dtd"
-                                         )
+            "html",
+            "-//W3C//DTD HTML 4.01 Transitional//EN",
+            "http://www.w3.org/TR/html4/loose.dtd"
+          )
           xml.root do
             xml.foo
           end
@@ -137,19 +136,19 @@ def test_dtd_in_builder_output
 
       def test_specify_namespace_nested
         b = Nokogiri::XML::Builder.new { |xml|
-          xml.root('xmlns:foo' => 'bar') do
+          xml.root("xmlns:foo" => "bar") do
             xml.yay do
               xml[:foo].bar
 
               xml.yikes do
-                xml['foo'].baz
+                xml["foo"].baz
               end
             end
           end
         }
         doc = b.doc
-        assert_equal 'bar', doc.at('foo|bar', 'foo' => 'bar').namespace.href
-        assert_equal 'bar', doc.at('foo|baz', 'foo' => 'bar').namespace.href
+        assert_equal "bar", doc.at("foo|bar", "foo" => "bar").namespace.href
+        assert_equal "bar", doc.at("foo|baz", "foo" => "bar").namespace.href
       end
 
       def test_specified_namespace_postdeclared
@@ -158,12 +157,12 @@ def test_specified_namespace_postdeclared
             xml[:foo].b("xmlns:foo" => "bar")
           end
         }.doc
-        a = doc.at('a')
+        a = doc.at("a")
         assert_equal({}, a.namespaces)
 
-        b = doc.at_xpath('//foo:b', {:foo=>'bar'})
+        b = doc.at_xpath("//foo:b", { :foo => "bar" })
         assert b
-        assert_equal({"xmlns:foo"=>"bar"}, b.namespaces)
+        assert_equal({ "xmlns:foo" => "bar" }, b.namespaces)
         assert_equal("b", b.name)
         assert_equal("bar", b.namespace.href)
       end
@@ -179,38 +178,38 @@ def test_specified_namespace_undeclared
       end
 
       def test_set_encoding
-        builder = Nokogiri::XML::Builder.new(:encoding => 'UTF-8') do |xml|
+        builder = Nokogiri::XML::Builder.new(:encoding => "UTF-8") do |xml|
           xml.root do
-            xml.bar 'blah'
+            xml.bar "blah"
           end
         end
-        assert_match 'UTF-8', builder.to_xml
+        assert_match "UTF-8", builder.to_xml
       end
 
       def test_bang_and_underscore_is_escaped
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.root do
-            xml.p_('adsfadsf')
-            xml.p!('adsfadsf')
+            xml.p_("adsfadsf")
+            xml.p!("adsfadsf")
           end
         end
-        assert_equal 2, builder.doc.xpath('//p').length
+        assert_equal 2, builder.doc.xpath("//p").length
       end
 
       def test_square_brackets_set_attributes
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.root do
             foo = xml.foo
-            foo['id'] = 'hello'
-            assert_equal 'hello', foo['id']
+            foo["id"] = "hello"
+            assert_equal "hello", foo["id"]
           end
         end
         assert_equal 1, builder.doc.xpath('//foo[@id = "hello"]').length
       end
 
       def test_nested_local_variable
-        @ivar     = 'hello'
-        local_var = 'hello world'
+        @ivar = "hello"
+        local_var = "hello world"
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.root do
             xml.foo local_var
@@ -221,40 +220,40 @@ def test_nested_local_variable
           end
         end
 
-        assert_equal 'hello world', builder.doc.at('//root/foo').content
-        assert_equal 'hello', builder.doc.at('//root/bar').content
-        assert_equal 'hello', builder.doc.at('baz').content
+        assert_equal "hello world", builder.doc.at("//root/foo").content
+        assert_equal "hello", builder.doc.at("//root/bar").content
+        assert_equal "hello", builder.doc.at("baz").content
       end
 
       def test_raw_append
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.root do
-            xml << 'hello'
+            xml << "hello"
           end
         end
 
-        assert_equal 'hello', builder.doc.at('/root').content
+        assert_equal "hello", builder.doc.at("/root").content
       end
 
       def test_raw_append_with_instance_eval
         builder = Nokogiri::XML::Builder.new do
           root do
-            self << 'hello'
+            self << "hello"
           end
         end
 
-        assert_equal 'hello', builder.doc.at('/root').content
+        assert_equal "hello", builder.doc.at("/root").content
       end
 
       def test_raw_xml_append
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.root do
-            xml << '<aaa><bbb/><ccc/></aaa>'
+            xml << "<aaa><bbb/><ccc/></aaa>"
           end
         end
 
-        assert_equal ["aaa"],       builder.doc.at_css("root").children.collect(&:name)
-        assert_equal ["bbb","ccc"], builder.doc.at_css("aaa").children.collect(&:name)
+        assert_equal ["aaa"], builder.doc.at_css("root").children.collect(&:name)
+        assert_equal ["bbb", "ccc"], builder.doc.at_css("aaa").children.collect(&:name)
       end
 
       def test_raw_xml_append_with_namespaces
@@ -264,10 +263,10 @@ def test_raw_xml_append_with_namespaces
           end
         end.doc
 
-        el = doc.at 'Element'
+        el = doc.at "Element"
         assert_not_nil el
 
-        assert_equal 'y', el.namespace.href
+        assert_equal "y", el.namespace.href
         assert_nil el.namespace.prefix
 
         attr = el.attributes["bar"]
@@ -283,7 +282,7 @@ def test_cdata
           }
         end
         assert_equal("<?xml version=\"1.0\"?><root><![CDATA[hello world]]></root>",
-          builder.to_xml.gsub(/\n/, ""))
+                     builder.to_xml.gsub(/\n/, ""))
       end
 
       def test_comment
@@ -302,7 +301,7 @@ def test_builder_no_block
           cdata string
         }
         assert_equal("<?xml version=\"1.0\"?><root><![CDATA[hello world]]></root>",
-          builder.to_xml.gsub(/\n/, ''))
+                     builder.to_xml.gsub(/\n/, ""))
       end
 
       def test_builder_can_inherit_parent_namespace
@@ -314,40 +313,55 @@ def test_builder_can_inherit_parent_namespace
           }
         }
         doc = builder.doc
-        ['product', 'products'].each do |n|
-          assert_equal doc.at_xpath("//*[local-name() = '#{n}']").namespace.href, 'foo'
+        ["product", "products"].each do |n|
+          assert_equal doc.at_xpath("//*[local-name() = '#{n}']").namespace.href, "foo"
         end
       end
 
       def test_builder_can_handle_namespace_override
         builder = Nokogiri::XML::Builder.new
-        builder.products('xmlns:foo' => 'bar') {
-          builder.product('xmlns:foo' => 'baz')
+        builder.products("xmlns:foo" => "bar") {
+          builder.product("xmlns:foo" => "baz")
         }
 
         doc = builder.doc
-        assert_equal doc.at_xpath("//*[local-name() = 'product']").namespaces['xmlns:foo'], 'baz'
-        assert_equal doc.at_xpath("//*[local-name() = 'products']").namespaces['xmlns:foo'], 'bar'
+        assert_equal doc.at_xpath("//*[local-name() = 'product']").namespaces["xmlns:foo"], "baz"
+        assert_equal doc.at_xpath("//*[local-name() = 'products']").namespaces["xmlns:foo"], "bar"
         assert_nil doc.at_xpath("//*[local-name() = 'products']").namespace
       end
 
       def test_builder_reuses_namespaces
         # see https://github.com/sparklemotion/nokogiri/issues/1810 for memory leak report
         builder = Nokogiri::XML::Builder.new
-        builder.send "envelope", {'xmlns' => 'http://schemas.xmlsoap.org/soap/envelope/'} do
-          builder.send "package", {'xmlns' => 'http://schemas.xmlsoap.org/soap/envelope/'}
+        builder.send "envelope", { "xmlns" => "http://schemas.xmlsoap.org/soap/envelope/" } do
+          builder.send "package", { "xmlns" => "http://schemas.xmlsoap.org/soap/envelope/" }
         end
         envelope = builder.doc.at_css("envelope")
         package = builder.doc.at_css("package")
         assert_equal envelope.namespace, package.namespace
         assert_equal envelope.namespace.object_id, package.namespace.object_id
       end
 
+      def test_builder_uses_proper_document_class
+        xml_builder = Nokogiri::XML::Builder.new
+        assert_instance_of Nokogiri::XML::Document, xml_builder.doc
+
+        html_builder = Nokogiri::HTML::Builder.new
+        assert_instance_of Nokogiri::HTML::Document, html_builder.doc
+
+        foo_builder = ThisIsATestBuilder.new
+        assert_instance_of Nokogiri::XML::Document, foo_builder.doc
+      end
+
       private
 
       def namespaces_defined_on(node)
-        Hash[*node.namespace_definitions.collect{|n| ["xmlns:" + n.prefix, n.href]}.flatten]
+        Hash[*node.namespace_definitions.collect { |n| ["xmlns:" + n.prefix, n.href] }.flatten]
       end
     end
   end
 end
+
+class ThisIsATestBuilder < Nokogiri::XML::Builder
+  # this exists for the test_builder_uses_proper_document_class and should be empty
+end

a652474dbc66

prefer File.open to Kernel.open

https://github.com/tenderlove/rexicalMike DalessioAug 6, 2019via ghsa

commit

1 file changed · +1 −1

lib/rexical/generator.rb+1 −1 modified

@@ -314,7 +314,7 @@ def scan_str(str)
 
       def load_file( filename )
         @filename = filename
-        open(filename, "r") do |f|
+        File.open(filename, "r") do |f|
           scan_setup(f.read)
         end
       end

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-cr5j-953j-xw5pghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-5477ghsaADVISORY
security.gentoo.org/glsa/202006-05ghsavendor-advisoryWEB
usn.ubuntu.com/4175-1/mitrevendor-advisory
github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.ymlghsaWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/rexical/CVE-2019-5477.ymlghsaWEB
github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dcghsaWEB
github.com/sparklemotion/nokogiri/issues/1915ghsaWEB
github.com/tenderlove/rexical/blob/master/CHANGELOG.rdocghsaWEB
github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926ghsaWEB
hackerone.com/reports/650835ghsaWEB
lists.debian.org/debian-lts-announce/2019/09/msg00027.htmlghsamailing-listWEB
lists.debian.org/debian-lts-announce/2022/10/msg00018.htmlghsamailing-listWEB
lists.debian.org/debian-lts-announce/2022/10/msg00019.htmlghsamailing-listWEB
usn.ubuntu.com/4175-1ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.007
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000