Update RedCloth gem to v4.3.3
What does this MR do and why?
Tentative removal of RedCloth gem
Monkey patch RedCloth to include the CVE fix.
The RedCloth gem has a CVE, flagged by bundler-audit, and it doesn't have an updated release.
I've searched the code for RedCloth and found no references.
Update RedCloth gem version to include CVE fix
RedCloth is currently used inside the GitLab Markup gem (https://gitlab.com/gitlab-org/gitlab-markup/-/blob/master/lib/github/markups.rb?ref_type=heads#L7).
Reproduction: https://gitlab.com/digitalmoksha/bug-reproduction/-/blob/master/README.textile
Changelog: security
Some context
The RedCloth gem isn't used via `RedCloth.new` or `RedCloth::`, but it can still be used through calls to `t`, which is an alias for `textilize`.
RedCloth also includes `ERB::Util` (ref: https://github.com/jgarber/redcloth/blob/master/lib/redcloth.rb#L40-L45), so methods like `h` and `html_escape_once` can be called without an explicit `include ERB::Util`.
RedCloth also requires its own `redcloth/erb_extension`, which creates a method alias `t` that can be called without referencing `RedCloth`, which makes its usage difficult to find.
Plan forward
- Try to include `ERB::Util`, like RedCloth does, then run CI to see if it finds usage of RedCloth.
- Fix all CI failures, which are the places that may need `ERB::Util` for methods like `h` and `html_escape_once`.
- Get a GitLab core team review on whether this gem is really used, before adding `ERB::Util` everywhere it is needed.
- NOT APPLICABLE for this MR: Continue searching for `t` as the alias for RedCloth's `textilize` method.
- NOT APPLICABLE for this MR: Keep RedCloth, add a monkey patch with the CVE fix.
- Update RedCloth gem to v4.3.3.
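As an added example (not code from this MR, GitLab or the RedCloth gem), the Ruby script below reproduces the two mechanisms described in "Some context" with a stand-in for `redcloth/erb_extension`, so the real gem is not required: reopening `ERB::Util` to add `textilize` with the one-letter alias `t`, and a top-level `include ERB::Util`, which mixes the helpers into `Object` so `h` and `t` become callable from any object without naming RedCloth. It also includes a heuristic scanner for bare `t`/`h` calls, the kind of search the "continue searching for `t`" step needs. The stub `textilize` only escapes and wraps the text instead of rendering Textile; `bare_helpers_available`, `render_hidden`, `BARE_CALL`, `find_bare_helper_calls` and `SAMPLE_SOURCE` are all constructed for this example.

```ruby
require 'erb'

# Constructed example: a stand-in for the two RedCloth mechanisms described in
# the MR (redcloth/erb_extension's `t` alias and the top-level `include ERB::Util`),
# so the real gem is not needed. Nothing here renders Textile.

# Lists which helper names are callable as bare method calls (no receiver, no
# explicit include) from an arbitrary object. After a top-level `include`, the
# module is mixed into Object, so these checks become true everywhere.
def bare_helpers_available(names = %i[h html_escape textilize t])
  names.select { |m| Object.method_defined?(m) || Object.private_method_defined?(m) }
end

BEFORE = bare_helpers_available.freeze

# Stand-in for redcloth/erb_extension: reopen ERB::Util, add `textilize` and the
# alias `t`. The stub only escapes and wraps the text instead of converting
# Textile to HTML.
module ERB::Util
  def textilize(s)
    "<p>#{ERB::Util.html_escape(s.to_s)}</p>" if s && s.respond_to?(:to_s)
  end
  alias t textilize
  module_function :textilize, :t
end

# Stand-in for the top-level `include ERB::Util` in lib/redcloth.rb. At the top
# level of a file this includes the module into Object.
include ERB::Util

AFTER = bare_helpers_available.freeze

# A "hidden" call site: it never names RedCloth or ERB::Util, so grepping for
# RedCloth misses it, yet it only works because of the include above.
def render_hidden(text)
  t(text)
end

# Heuristic scanner for such call sites: a bare `t`, `h` or `textilize` with no
# receiver (not preceded by '.', ':' or an identifier character), followed by
# `(` or by a string/symbol literal argument. `I18n.t(...)`, `:t`, `{ t: 1 }` and
# identifiers that merely contain these letters do not match. Calls like `t @text`
# and occurrences inside comments or strings are not handled, so review the hits.
BARE_CALL = /(?<![\w.:])(?:textilize|t|h)\b(?=\s*\(|\s+["':])/

def find_bare_helper_calls(source)
  source.each_line.with_index(1).flat_map do |line, n|
    line.scan(BARE_CALL).map { |name| [n, name] }
  end
end

# Constructed sample source, not taken from the GitLab code base.
SAMPLE_SOURCE = <<~RUBY
  body  = t(note.text)
  title = I18n.t("page.title")
  safe  = h(user.name)
  opts  = { t: 1, h: 2 }
  puts format("%d", 3)
  label = t "Save"
RUBY

if $PROGRAM_NAME == __FILE__
  puts "before include: #{BEFORE.inspect}"
  puts "after include:  #{AFTER.inspect}"
  puts render_hidden("<b>")
  find_bare_helper_calls(SAMPLE_SOURCE).each { |n, name| puts "line #{n}: bare #{name}" }
end
```

Running it shows the helper list empty before the stand-in is loaded and populated afterwards, and the scanner flags lines 1, 3 and 6 of the sample while leaving `I18n.t`, the symbol keys and `format` alone. The same approach applied to the code base is the mirror image of the plan's CI step: the CI run finds call sites by breaking them once `ERB::Util` is no longer globally included, while the scanner finds candidates statically before anything is removed.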
Screenshots or screen recordings
Not applicable
How to set up and validate locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.