From 470ed3fdaa59c6f515f939a775deceee7c147a30 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sun, 23 Jan 2022 14:55:20 -0500
Subject: [PATCH 1/2] ci: add coverage for system libxml2

---
 .github/workflows/ci.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 597846c..d7b4cd4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,6 +30,22 @@ jobs:
 bundler-cache: true
 - run: bundle exec rake
 
+ cruby-nokogiri-system-libraries:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: "3.1"
+ - name: Install nokogiri with system libraries
+ run: |
+ sudo apt install pkg-config libxml2-dev libxslt-dev
+ bundle config set force_ruby_platform true
+ bundle config build.nokogiri --enable-system-libraries
+ bundle install
+ bundle exec nokogiri -v
+ - run: bundle exec rake
+
 jruby:
 continue-on-error: true # nokogiri on jruby has different behavior
 strategy:

From 6a1ae1b88053ccc4070c307a757878cfbdca117d Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sun, 23 Jan 2022 15:13:56 -0500
Subject: [PATCH 2/2] test: ensure tests pass when nokogiri uses system libxml2

Specifically the patch that affects this behavior is nokogiri/patches/libxml2/0002-Update-entities-to-remove-handling-of-ssi.patch which was introduced to avoid server-side-include vulnerabilities, see https://github.com/sparklemotion/nokogiri/commit/4852e43

---
 test/sanitizer_test.rb | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 241564c..1de5a99 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
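Review bot: The `Install nokogiri with system libraries` step prints `bundle exec nokogiri -v` but never asserts that the system libxml2 was actually linked, so a silent fallback to the vendored library would keep the job green and the coverage this job is meant to add would be illusory. A follow-up line such as `bundle exec ruby -e 'abort "not using system libxml2" unless Nokogiri::VERSION_INFO.dig("libxml", "source") == "system"'` would make the job fail instead (key names from memory; confirm against the `nokogiri -v` output). `sudo apt install pkg-config libxml2-dev libxslt-dev` also runs without a preceding `sudo apt-get update` and without `-y`, which can fail on a runner with stale package lists or a non-interactive stdin. The actions are referenced by mutable tags (`actions/checkout@v2`, `ruby/setup-ruby@v1`), presumably matching the rest of the file; pinning to commit SHAs is the stricter supply-chain choice but is a file-wide decision rather than something this hunk should fix alone.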
@@ -505,7 +505,13 @@ def test_uri_escaping_of_href_attr_in_a_tag_in_safe_list_sanitizer
 text = safe_list_sanitize(html)
- assert_equal %{test}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{test},
+ # nokogiri w/ system libxml2
+ %{test},
+ ]
+ assert_includes(acceptable_results, text)
 end
 def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
@@ -515,7 +521,13 @@ def test_uri_escaping_of_src_attr_in_a_tag_in_safe_list_sanitizer
 text = safe_list_sanitize(html)
- assert_equal %{test}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{test},
+ # nokogiri w/system libxml2
+ %{test},
+ ]
+ assert_includes(acceptable_results, text)
 end
 def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
@@ -525,7 +537,13 @@ def test_uri_escaping_of_name_attr_in_a_tag_in_safe_list_sanitizer
 text = safe_list_sanitize(html)
- assert_equal %{test}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{test},
+ # nokogiri w/system libxml2
+ %{test},
+ ]
+ assert_includes(acceptable_results, text)
 end
 def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
@@ -535,7 +553,13 @@ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
 text = safe_list_sanitize(html, attributes: ['action'])
- assert_equal %{test}, text
+ acceptable_results = [
+ # nokogiri w/vendored+patched libxml2
+ %{test},
+ # nokogiri w/system libxml2
+ %{test},
+ ]
+ assert_includes(acceptable_results, text)
 end
 def test_exclude_node_type_processing_instructions
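Review bot: `assert_includes(acceptable_results, text)` accepts whichever of the two escapings shows up, so a build that was meant to use the vendored, SSI-patched libxml2 but silently linked the system one (or a later change to the patched escaping) would still pass; the same weakening appears in the other three hunks (`_src_attr_`, `_name_attr_`, `_name_action_`). Selecting the expectation from the library nokogiri actually reports would keep the assertion exact; I believe `Nokogiri::VERSION_INFO.dig("libxml", "source")` distinguishes `"system"` from the packaged build, but confirm that key against the `nokogiri -v` output before relying on it. Because the vendored patch exists to stop `<!--`-style comment sequences inside attribute values from surviving sanitization, it is also worth keeping one library-independent assertion that the sequence does not appear unescaped in `text`, whichever expectation is chosen. The two literals render as `%{test}` on this page, so I could not check that they actually differ; each enclosing test method starts above its hunk.
```ruby
# Shared helper, e.g. next to the other test helpers in this file.
# Pick the expectation matching the libxml2 nokogiri was built against,
# so a silent fallback to the other library still fails the test.
def expected_for_libxml2(vendored:, system:)
  # NOTE(review): confirm this key against `nokogiri -v` output
  Nokogiri::VERSION_INFO.dig("libxml", "source") == "system" ? system : vendored
end

# … unchanged: html setup and the safe_list_sanitize call …
assert_equal(
  expected_for_libxml2(
    vendored: %{VENDORED_EXPECTATION}, # placeholder: first literal from the hunk
    system: %{SYSTEM_EXPECTATION}      # placeholder: second literal from the hunk
  ),
  text
)
```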