Bump rexml from 3.3.1 to 3.3.3 #657
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
gem compare rexml 3.3.1 3.3.3Compared versions: ["3.3.1", "3.3.3"]
DIFFERENT date:
3.3.1: 2024-06-25 00:00:00 UTC
3.3.3: 2024-08-01 00:00:00 UTC
DIFFERENT metadata:
3.3.1: {"changelog_uri"=>"https://github.com/ruby/rexml/releases/tag/v3.3.1"}
3.3.3: {"changelog_uri"=>"https://github.com/ruby/rexml/releases/tag/v3.3.3"}
DIFFERENT version:
3.3.1: 3.3.1
3.3.3: 3.3.3
DIFFERENT files:
3.3.1->3.3.3:
* Changed:
NEWS.md +85/-0
lib/rexml/formatters/pretty.rb +1/-1
lib/rexml/parsers/baseparser.rb +67/-19
lib/rexml/parsers/pullparser.rb +4/-0
lib/rexml/parsers/sax2parser.rb +6/-19
lib/rexml/parsers/streamparser.rb +2/-2
lib/rexml/rexml.rb +1/-1
lib/rexml/source.rb +16/-6
lib/rexml/text.rb +34/-14
DIFFERENT extra_rdoc_files:
3.3.1->3.3.3:
* Changed:
NEWS.md +85/-0 |
gem compare --diff rexml 3.3.1 3.3.3Compared versions: ["3.3.1", "3.3.3"]
DIFFERENT files:
3.3.1->3.3.3:
* Changed:
NEWS.md
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/NEWS.md 2024-08-02 02:10:02.297866061 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/NEWS.md 2024-08-02 02:10:02.309866176 +0000
@@ -2,0 +3,85 @@
+## 3.3.3 - 2024-08-01 {#version-3-3-3}
+
+### Improvements
+
+ * Added support for detecting invalid XML that has unsupported
+ content before root element
+ * GH-184
+ * Patch by NAITOH Jun.
+
+ * Added support for `REXML::Security.entity_expansion_limit=` and
+ `REXML::Security.entity_expansion_text_limit=` in SAX2 and pull
+ parsers
+ * GH-187
+ * Patch by NAITOH Jun.
+
+ * Added more tests for invalid XMLs.
+ * GH-183
+ * Patch by Watson.
+
+ * Added more performance tests.
+ * Patch by Watson.
+
+ * Improved parse performance.
+ * GH-186
+ * Patch by tomoya ishida.
+
+### Thanks
+
+ * NAITOH Jun
+
+ * Watson
+
+ * tomoya ishida
+
+## 3.3.2 - 2024-07-16 {#version-3-3-2}
+
+### Improvements
+
+ * Improved parse performance.
+ * GH-160
+ * Patch by NAITOH Jun.
+
+ * Improved parse performance.
+ * GH-169
+ * GH-170
+ * GH-171
+ * GH-172
+ * GH-173
+ * GH-174
+ * GH-175
+ * GH-176
+ * GH-177
+ * Patch by Watson.
+
+ * Added support for raising a parse exception when an XML has extra
+ content after the root element.
+ * GH-161
+ * Patch by NAITOH Jun.
+
+ * Added support for raising a parse exception when an XML
+ declaration exists in wrong position.
+ * GH-162
+ * Patch by NAITOH Jun.
+
+ * Removed needless a space after XML declaration in pretty print mode.
+ * GH-164
+ * Patch by NAITOH Jun.
+
+ * Stopped to emit `:text` event after the root element.
+ * GH-167
+ * Patch by NAITOH Jun.
+
+### Fixes
+
+ * Fixed a bug that SAX2 parser doesn't expand predefined entities for
+ `characters` callback.
+ * GH-168
+ * Patch by NAITOH Jun.
+
+### Thanks
+
+ * NAITOH Jun
+
+ * Watson
+
lib/rexml/formatters/pretty.rb
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/lib/rexml/formatters/pretty.rb 2024-08-02 02:10:02.301866099 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/lib/rexml/formatters/pretty.rb 2024-08-02 02:10:02.313866214 +0000
@@ -114 +114 @@
- next if child == node.children[-1] and child.instance_of?(Text)
+ next if child.instance_of?(Text)
lib/rexml/parsers/baseparser.rb
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/lib/rexml/parsers/baseparser.rb 2024-08-02 02:10:02.305866138 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/lib/rexml/parsers/baseparser.rb 2024-08-02 02:10:02.313866214 +0000
@@ -127 +126,0 @@
- INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
@@ -131 +130 @@
- NAME_PATTERN = /\s*#{NAME}/um
+ NAME_PATTERN = /#{NAME}/um
@@ -148,0 +148 @@
+ @entity_expansion_count = 0
@@ -155,0 +156 @@
+ attr_reader :entity_expansion_count
@@ -159,0 +161 @@
+ @have_root = false
@@ -242 +244 @@
- return process_instruction(start_position)
+ return process_instruction
@@ -312 +314,5 @@
- match = [:entitydecl, *@source.match(Private::ENTITYDECL_PATTERN, true).captures.compact]
+ match_data = @source.match(Private::ENTITYDECL_PATTERN, true)
+ unless match_data
+ raise REXML::ParseException.new("Malformed entity declaration", @source)
+ end
+ match = [:entitydecl, *match_data.captures.compact]
@@ -344 +350 @@
- values = md[0].scan( ATTDEF_RE )
+ values = md[0].strip.scan( ATTDEF_RE )
@@ -438 +444 @@
- return process_instruction(start_position)
+ return process_instruction
@@ -462,0 +469,3 @@
+ if @tags.empty? and @have_root
+ raise ParseException.new("Malformed XML: Extra tag at the end of the document (got '<#{tag}')", @source)
+ end
@@ -464,0 +474 @@
+ @have_root = true
@@ -471,0 +482,10 @@
+ if @tags.empty?
+ unless /\A\s*\z/.match?(text)
+ if @have_root
+ raise ParseException.new("Malformed XML: Extra content at the end of the document (got '#{text}')", @source)
+ else
+ raise ParseException.new("Malformed XML: Content at the start of the document (got '#{text}')", @source)
+ end
+ end
+ return pull_event if @have_root
+ end
@@ -489 +509,3 @@
- if not value
+ if value
+ record_entity_expansion
+ else
@@ -514 +536,5 @@
- rv = string.gsub( Private::CARRIAGE_RETURN_NEWLINE_PATTERN, "\n" )
+ if string.include?("\r")
+ rv = string.gsub( Private::CARRIAGE_RETURN_NEWLINE_PATTERN, "\n" )
+ else
+ rv = string.dup
+ end
@@ -523,0 +550 @@
+ sum = 0
@@ -529,0 +557,4 @@
+ sum += rv.bytesize
+ if sum > Security.entity_expansion_text_limit
+ raise "entity expansion has grown too large"
+ end
@@ -541,0 +573,8 @@
+
+ def record_entity_expansion
+ @entity_expansion_count += 1
+ if @entity_expansion_count > Security.entity_expansion_limit
+ raise "number of entity expansions exceeded, processing aborted."
+ end
+ end
+
@@ -551 +590 @@
- if @source.match(/\s*\S/um)
+ if @source.match(/\S/um)
@@ -558 +597 @@
- md[1]
+ md[0]
@@ -627,6 +666,13 @@
- def process_instruction(start_position)
- match_data = @source.match(Private::INSTRUCTION_END, true)
- unless match_data
- message = "Invalid processing instruction node"
- @source.position = start_position
- raise REXML::ParseException.new(message, @source)
+ def process_instruction
+ name = parse_name("Malformed XML: Invalid processing instruction node")
+ if @source.match(/\s+/um, true)
+ match_data = @source.match(/(.*?)\?>/um, true)
+ unless match_data
+ raise ParseException.new("Malformed XML: Unclosed processing instruction", @source)
+ end
+ content = match_data[1]
+ else
+ content = nil
+ unless @source.match("?>", true)
+ raise ParseException.new("Malformed XML: Unclosed processing instruction", @source)
+ end
@@ -634,2 +680,4 @@
- if @document_status.nil? and match_data[1] == "xml"
- content = match_data[2]
+ if name == "xml"
+ if @document_status
+ raise ParseException.new("Malformed XML: XML declaration is not at the start", @source)
+ end
@@ -650 +698 @@
- [:processing_instruction, match_data[1], match_data[2]]
+ [:processing_instruction, name, content]
lib/rexml/parsers/pullparser.rb
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/lib/rexml/parsers/pullparser.rb 2024-08-02 02:10:02.305866138 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/lib/rexml/parsers/pullparser.rb 2024-08-02 02:10:02.313866214 +0000
@@ -49,0 +50,4 @@
+ def entity_expansion_count
+ @parser.entity_expansion_count
+ end
+
lib/rexml/parsers/sax2parser.rb
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/lib/rexml/parsers/sax2parser.rb 2024-08-02 02:10:02.305866138 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/lib/rexml/parsers/sax2parser.rb 2024-08-02 02:10:02.313866214 +0000
@@ -24,0 +25,4 @@
+ def entity_expansion_count
+ @parser.entity_expansion_count
+ end
+
@@ -160,19 +164,2 @@
- #normalized = @parser.normalize( event[1] )
- #handle( :characters, normalized )
- copy = event[1].clone
-
- esub = proc { |match|
- if @entities.has_key?($1)
- @entities[$1].gsub(Text::REFERENCE, &esub)
- else
- match
- end
- }
-
- copy.gsub!( Text::REFERENCE, &esub )
- copy.gsub!( Text::NUMERICENTITY ) {|m|
- m=$1
- m = "0#{m}" if m[0] == ?x
- [Integer(m)].pack('U*')
- }
- handle( :characters, copy )
+ unnormalized = @parser.unnormalize( event[1], @entities )
+ handle( :characters, unnormalized )
lib/rexml/parsers/streamparser.rb
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/lib/rexml/parsers/streamparser.rb 2024-08-02 02:10:02.305866138 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/lib/rexml/parsers/streamparser.rb 2024-08-02 02:10:02.317866253 +0000
@@ -39,2 +39,2 @@
- normalized = @parser.unnormalize( event[1] )
- @listener.text( normalized )
+ unnormalized = @parser.unnormalize( event[1] )
+ @listener.text( unnormalized )
lib/rexml/rexml.rb
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/lib/rexml/rexml.rb 2024-08-02 02:10:02.305866138 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/lib/rexml/rexml.rb 2024-08-02 02:10:02.317866253 +0000
@@ -34 +34 @@
- VERSION = "3.3.1"
+ VERSION = "3.3.3"
lib/rexml/source.rb
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/lib/rexml/source.rb 2024-08-02 02:10:02.305866138 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/lib/rexml/source.rb 2024-08-02 02:10:02.317866253 +0000
@@ -207 +207 @@
- def read(term = nil)
+ def read(term = nil, min_bytes = 1)
@@ -210 +210,11 @@
- @scanner << readline(term)
+ str = readline(term)
+ @scanner << str
+ read_bytes = str.bytesize
+ begin
+ while read_bytes < min_bytes
+ str = readline(term)
+ @scanner << str
+ read_bytes += str.bytesize
+ end
+ rescue IOError
+ end
@@ -240,3 +249,0 @@
- # Note: When specifying a string for 'pattern', it must not include '>' except in the following formats:
- # - ">"
- # - "XXX>" (X is any string excluding '>')
@@ -243,0 +251,2 @@
+ # To avoid performance issue, we need to increase bytes to read per scan
+ min_bytes = 1
@@ -253 +262,2 @@
- return nil unless read
+ return nil unless read(nil, min_bytes)
+ min_bytes *= 2
lib/rexml/text.rb
--- /tmp/d20240802-1962-645osj/rexml-3.3.1/lib/rexml/text.rb 2024-08-02 02:10:02.305866138 +0000
+++ /tmp/d20240802-1962-645osj/rexml-3.3.3/lib/rexml/text.rb 2024-08-02 02:10:02.317866253 +0000
@@ -154,8 +154,21 @@
- # context sensitive
- string.scan(pattern) do
- if $1[-1] != ?;
- raise "Illegal character #{$1.inspect} in raw string #{string.inspect}"
- elsif $1[0] == ?&
- if $5 and $5[0] == ?#
- case ($5[1] == ?x ? $5[2..-1].to_i(16) : $5[1..-1].to_i)
- when *VALID_CHAR
+ pos = 0
+ while (index = string.index(/<|&/, pos))
+ if string[index] == "<"
+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
+ end
+
+ unless (end_index = string.index(/[^\s];/, index + 1))
+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
+ end
+
+ value = string[(index + 1)..end_index]
+ if /\s/.match?(value)
+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
+ end
+
+ if value[0] == "#"
+ character_reference = value[1..-1]
+
+ unless (/\A(\d+|x[0-9a-fA-F]+)\z/.match?(character_reference))
+ if character_reference[0] == "x" || character_reference[-1] == "x"
+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
@@ -163 +176 @@
- raise "Illegal character #{$1.inspect} in raw string #{string.inspect}"
+ raise "Illegal character #{string.inspect} in raw string #{string.inspect}"
@@ -165,5 +177,0 @@
- # FIXME: below can't work but this needs API change.
- # elsif @parent and $3 and !SUBSTITUTES.include?($1)
- # if !doctype or !doctype.entities.has_key?($3)
- # raise "Undeclared entity '#{$1}' in raw string \"#{string}\""
- # end
@@ -170,0 +179,8 @@
+
+ case (character_reference[0] == "x" ? character_reference[1..-1].to_i(16) : character_reference[0..-1].to_i)
+ when *VALID_CHAR
+ else
+ raise "Illegal character #{string.inspect} in raw string #{string.inspect}"
+ end
+ elsif !(/\A#{Entity::NAME}\z/um.match?(value))
+ raise "Illegal character \"#{string[index]}\" in raw string #{string.inspect}"
@@ -171,0 +188,2 @@
+
+ pos = end_index + 1
@@ -172,0 +191,2 @@
+
+ string |
dependabot
bot
force-pushed
the
dependabot/bundler/rexml-3.3.3
branch
2 times, most recently
from
3a202ca
to
cc9c953
Compare
Bumps [rexml](https://github.com/ruby/rexml) from 3.3.1 to 3.3.3. - [Release notes](https://github.com/ruby/rexml/releases) - [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md) - [Commits](ruby/rexml@v3.3.1...v3.3.3) --- updated-dependencies: - dependency-name: rexml dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
force-pushed
the
dependabot/bundler/rexml-3.3.3
branch
from
cc9c953
to
b3fca8b
Compare
|
Looks like rexml is up-to-date now, so this is no longer needed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bumps rexml from 3.3.1 to 3.3.3.
Release notes
Sourced from rexml's releases.
... (truncated)
Changelog
Sourced from rexml's changelog.
... (truncated)
Commits
e4a067eAdd 3.3.3 entry17ff3e7test: add a performance test for attribute list declarationbe86b3dtest: fix wrong test nameb93d790test: use double quote for string literal0fbe7d5test: don't use abbreviated name1599e87test: add a performance test for PI with many tabse2546e6parse pi: improve invalid case detection73661eftest: fix a typo850488atest: use double quote for string literal46c6397test: add performance tests for entity declarationDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.