🚨 [security] Update yard 0.9.38 → 0.9.44 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ yard (0.9.38 → 0.9.44) · Repo · Changelog

Security Advisories 🚨

🚨 YARD static cache reads raw traversal paths before router sanitization

Summary

YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static tree.

The potential security risk seems low, as only html-ending files can be read, but still the risk of reading arbitrary html files is a confiendtiality issue in itself, which is why we decided to report. Please let us know if this is out of your project's scope.

Details

The --docroot CLI option stores the configured directory in server_options[:DocumentRoot] at lib/yard/cli/server.rb:198, and adapter initialization copies that value into adapter.document_root at lib/yard/server/adapter.rb:76. For Rack requests, RackAdapter#call builds a request object from the Rack environment at lib/yard/server/rack_adapter.rb:58 and passes it to router.call(request) at lib/yard/server/rack_adapter.rb:60. Router#call then stores the incoming request at lib/yard/server/router.rb:55 and invokes check_static_cache before normal routing at lib/yard/server/router.rb:56. Inside check_static_cache, the only initial guard is that adapter.document_root is present at lib/yard/server/static_caching.rb:35; the cache path is built from File.join(adapter.document_root, request.path.sub(/\.html$/, '') + '.html') at lib/yard/server/static_caching.rb:36, without cleaning .. components first. If that resolved path is a regular file, File.file? accepts it at lib/yard/server/static_caching.rb:38 and the file bytes are returned as a 200 HTML response at lib/yard/server/static_caching.rb:40. The later route sanitizer in final_options uses File.cleanpath(...).gsub(...) at lib/yard/server/router.rb:181 and lib/yard/server/router.rb:182, but a static-cache hit returns before that code is reached.

PoC

poc.zip

bash ./poc/run.sh

expected output:

run 1: exit=0 timed_out=False duration=0.08s matched=True phase=oracle fingerprint='YARD_STATIC_CACHE_PATH_TRAVERSAL'
run 2: exit=0 timed_out=False duration=0.08s matched=True phase=oracle fingerprint='YARD_STATIC_CACHE_PATH_TRAVERSAL'
run 3: exit=0 timed_out=False duration=0.08s matched=True phase=oracle fingerprint='YARD_STATIC_CACHE_PATH_TRAVERSAL'

The YARD_STATIC_CACHE_PATH_TRAVERSAL fingerprint is emitted only after the PoC observes a 200 static-cache response whose body contains the sibling file outside the configured document root. A setup failure, syntax failure, or cache miss would not print this oracle and would not demonstrate this traversal read.

Impact

A remote unauthenticated HTTP client who can reach a YARD documentation server with DocumentRoot/--docroot enabled can request .html paths containing parent-directory components and receive readable matching files outside the configured document root. The required guards are narrow: adapter.document_root must be set, the traversed target must exist as a regular readable file, and the target must be reachable through the implementation's forced .html suffix. Those requests bypass the later final_options path cleanup because the cache check runs first. The resulting severity class is information disclosure: response bodies can contain off-root .html file contents, but this path does not show write access, code execution, or arbitrary files without the .html constraint.

🚨 yard: Possible arbitrary path traversal and file access via yard server

Impact

A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The original patch in GHSA-xfhh-rx56-rxcr was incorrectly applied.

Patches

Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on --docroot.

Workarounds

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

Release Notes

0.9.42

• Fix alternating rows when loading a module in default HTML templates with subelements in the nav frame
• Fix reliability of keypresses and copy/paste in search box (#1174)
• Fix regression in yard server search box styling
• Fix possible path traversal with document_root (--docroot) set in yard server (GHSA-xfhh-rx56-rxcr)

0.9.41

• Add support for rdoc-image:... syntax in HybridMarkup (#1676)
• Add support for colon suffix code blocks in HybridMarkup (rdoc compatibility)
• Fix responsiveness and state issues with nav frame links in yard server

0.9.40

• Add support for Ruby .rbs files (docstrings included) (#1673)
• Add built-in hybrid RDoc/Markdown renderer (HybridMarkdown) requiring no external gems (#1674)
• Add support for #- as a comment-block separator. See Getting Started Guide.
• Add support for commonmarker version >= 1.0.
• Remove usage of jQuery in default templates. jQuery library is still packaged in templates for backward compatibility (#1675)
• Fix false self-referential mixin when bare name matches ancestor namespace (#1672)
• Fix bracket/brace map corruption from Ruby 3.0+ pattern matching deconstruction (#1671)
• Fix @!scope class on attributes (#1582, #1655, #1666)
• Fix @!parse directives not including source for block (#1665)
• Fix inherited methods not appearing in groups (#1656)

0.9.39

• Add support for Ruby 4.0 (#1663)
• Add changelog URI to gemspec metadata (#1641)
• Fix issues with source ranges (#1642)
• Fix an issue loading relative links from file list in HTML template (#1660)
• Various test fixes (#1650, #1651)

Does any of this look wrong? Please let us know.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)