[Security] Bump mechanize from 2.7.2 to 2.7.7 #126

Open

dependabot-preview[bot] wants to merge 1 commit into master from dependabot/bundler/mechanize-2.7.7
Conversation

@dependabot-preview

Bumps mechanize from 2.7.2 to 2.7.7. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Mechanize ruby gem Command Injection vulnerability

Impact

Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

  • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
  • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
  • Mechanize#download: since v2.2 (see dc91667)
  • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
  • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
  • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

Patches

These vulnerabilities are patched in Mechanize v2.7.7.

Workarounds

... (truncated)

Patched versions: >= 2.7.7 Unaffected versions: < 2.0

Release notes

Sourced from mechanize's releases.

2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See GHSA-qrqm-fpv6-6r8g for more information.

    Also see #547, #548. Thank you, @kyoshidajp!

  • New Features

    • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena
  • Bug fix

    • Ignore input fields with blank names (#542, #536)

Changelog

Sourced from mechanize's changelog.

=== 2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See GHSA-qrqm-fpv6-6r8g for more information.

    Also see #547, #548. Thank you, @kyoshidajp!

  • New Features

    • Support for Ruby 3.0 by adding webrick as a runtime dependency. (#557) @pvalena
  • Bug fix

    • Ignore input fields with blank names (#542, #536)

=== 2.7.6

  • New Features

    • Mechanize#set_proxy accepts an HTTP URL/URI. (#513)
  • Bug fix

    • Fix element(s)_with(search: selector) methods not working for forms, form fields and frames. (#444)
    • Improve the filename parser for the Content-Disposition header. (#496, #517)
    • Accept Content-Encoding: identity. (#515)
    • Mechanize::Page#title no longer picks a title in an embedded SVG/RDF element. (#503)
    • Make Mechanize::Form#has_field? boolean. (#501)

=== 2.7.5

  • New Features

    • All 4xx responses and RedirectLimitReachedError when fetching robots.txt are treated as full allow just like Googlebot does.
    • Enable support for mime-types > 3.
  • Bug fix

    • Don't cause infinite loop when GET /robots.txt redirects. (#457)
    • Fix basic authentication for a realm that contains uppercase characters. (#458, #459)
    • Fix encoding error when uploading a file whose name is non-ASCII. (#333)

... (truncated)

Commits
  • 3044b4e version bump to v2.7.7
  • df36360 changelog: note assigned CVE in the recent security fix description
  • 66a6a1b Merge pull request #548 from kyoshidajp/fix_command_injection
  • e238b07 changelog: note the patched command injection vulnerabilities
  • 5b30aed test: remove rubocop security warnings from TestCase
  • 63f8779 fix(security): prevent command injection in FileResponse#read_body
  • b48b12f fix(security): prevent command injection in Mechanize::File#save!
  • f43a395 fix(security): prevent command injection in Download#save!
  • 2ac906b fix(security): prevent command injection in Mechanize#download
  • aae0b13 fix(security): prevent command injection in CookieJar
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
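The advisory above turns on one Ruby detail: Kernel.open treats a filename beginning with "|" as a command to spawn, while File.open never does. The helper below is an added illustration of the fix pattern, not Mechanize's own code: it opens local files only through File.open and refuses pipe-prefixed names before they reach any open call. The function names and the sample cookie payload are constructed for the example.

```ruby
# Added example (not Mechanize code): a defensive local-file helper that avoids
# the Kernel.open pipe behaviour behind CVE-2021-21289.
#
# Kernel.open("|cmd") spawns a command instead of opening a file, so any method
# that calls bare `open(filename)` with attacker-controlled input becomes a
# command-injection sink. File.open has no such branch, so the fix pattern is:
# call File.open explicitly and reject names Kernel.open would have run.
require "tmpdir"

class UnsafeFilenameError < ArgumentError; end

# True when +name+ is an ordinary path; false when it is empty or begins with
# the pipe character that Kernel.open interprets as a command.
def safe_local_filename?(name)
  s = name.to_s
  !s.empty? && !s.start_with?("|")
end

# Writes +body+ to +filename+ through File.open only and returns the byte
# count written. Raises before any open call for a pipe-prefixed name.
def save_local_file(filename, body)
  raise UnsafeFilenameError, "refusing pipe-prefixed filename" unless safe_local_filename?(filename)
  File.open(filename, "wb") { |f| f.write(body) }
  File.size(filename)
end

# Reads +filename+ through File.open only, with the same guard.
def read_local_file(filename)
  raise UnsafeFilenameError, "refusing pipe-prefixed filename" unless safe_local_filename?(filename)
  File.open(filename, "rb", &:read)
end

# Round-trips a constructed cookie-jar-like payload in a temp directory and
# returns what was read back.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "cookies.yml")
    save_local_file(path, "--- []\n")
    read_local_file(path)
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```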

Bumps [mechanize](https://github.com/sparklemotion/mechanize) from 2.7.2 to 2.7.7. **This update includes a security fix.**
- [Release notes](https://github.com/sparklemotion/mechanize/releases)
- [Changelog](https://github.com/sparklemotion/mechanize/blob/master/CHANGELOG.rdoc)
- [Commits](sparklemotion/mechanize@v2.7.2...v2.7.7)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
dependabot-preview[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "security" (Pull requests that address a security vulnerability) on Feb 2, 2021