
@renovate renovate bot commented Jul 31, 2025

This PR contains the following updates:

Package       | Type         | Update | Change
hurl (source) | dependencies | major  | 4.3.0 -> 7.0.0

GitHub Vulnerability Alerts

GHSA-v33j-v3x4-42qg

Given this Hurl file:

regex.hurl:

GET https://foo.com
HTTP 200
[Asserts]
jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/

When exported to HTML:

$ hurlfmt --out html regex.hurl
<pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span>
</span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span>
<span class="line"><span class="section-header">[Asserts]</span></span>
<span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>
</span></span><span class="line"></span>
</code></pre>

The regex literal /<img src="" onerror="alert('Hi!')">/ is not escaped:

<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>

When opened in a browser, the code is run without user interaction:

[Screenshot: regex]
Release Notes

Orange-OpenSource/hurl (hurl)

v7.0.0

========================================================================================================================

Thanks to
@​ecolinet,
@​theoforger,
@​Muntaner,
@​ashishajr,
@​patkujawa-wf,
@​niklasweimann,
@​alanbondarun,
@​benkio,
@​dhth,
@​verigak,
@​markphilpot,
@​lambrospetrou,
@​aresler,
@​nfj25,
@​nwellnhof,
@​YannickAlex07,
@​lu-zero,
@​RaghavSood,
@​tjbrockmeyer,

Breaking Changes:

  • Add replaceRegex filter and fix replace filter to not take regex #​4018

Enhancements:

  • Add query for HTTP redirects #​922
  • Add urlQueryParam filter #​2199
  • Show curl command when error format option is set to long #​2226
  • Add option to configure max-time per request #​3162
  • Add date comparison predicates #​3480
  • Add pinnedpubkey cli option #​3563
  • Add base64 url safe encode and decode filters #​3840
  • parse curl's --cookie flag #​3877
  • Show hurl --help with color #​3882
  • Add toHex filter #​3963
  • Add first and last filters #​3998
  • Remove hex crate dependency #​4011
  • Small tweaks to --test progress output #​4028
  • Add support for negative values for nth filter #​4050
  • Add option to configure pinnedpubkey per request #​4084
  • Add timeline link on status label in source and run pages #​4128
  • Support template in nth filter parameter #​4152
  • Implement predicate isUuid #​4179
  • Improve captures error messages when filter chain returned no value #​4214
  • Add --ntlm cli option #​4216
  • Add --negotiate option #​4246

Bugs Fixed:

  • Fix incorrect curl command for POST redirect #​2797
  • Fix hurlfmt to disallow invalid header argument in curl command #​3668
  • Parse verbose flag in curl command #​3760
  • Keep secret value forever, even if a secret variable overrides an existing one #​3898
  • Fix zsh completion #​3938
  • Parse cookie Expires date attribute with '-' #​3956
  • Replace deprecated libxml2 initGenericErrorDefaultFunc with xmlSetGenericErrorFunc #​3975
  • HTML report: fix span for lines in comment. #​4002
  • Fix HTML closing tag for line with trailing comment #​4017
  • Add replaceRegex filter and fix replace filter to not take regex #​4018
  • Fix request body during redirections #​4073
  • Fix "variables" token in GraphQL HTML export #​4117
  • Support negative index in jsonpath #​4154

Security Issues Fixed:

  • Fix JavaScript injection in HTML report through regex literal #​4125

v6.1.1

========================================================================================================================

Thanks to
@​lu-zero,
@​andrejohansson,
@​demostanis,
@​techfg,

Bugs Fixed:

v6.1.0

========================================================================================================================

Thanks to
@​lilyhuang-github,
@​ashishajr,
@​kidbrax,
@​theoforger,
@​smokedlinq,
@​docwhat,
@​glb-cblin,
@​Enoz,
@​ikorason,
@​uday-rana,
@​lu-zero,
@​nghiab1906724,
@​overbyte,

Breaking Changes:

  • Remove deprecated predicates (notEquals, greaterThan etc...) in favor of operators #​3532
  • Remove deprecated keyword HTTP/* for HTTP #​3697

Enhancements:

Bugs Fixed:

  • Fix missing request line errors in HTML report #​3534
  • Eval template in JSON object key #​3593
  • Show error message if format is invalid in format filter #​3613
  • Create parent folders if missing when using --cookie-jar FILE #​3637
  • Remove lint errors and Fix non-zero exit code in case of error #​3648
  • Support BigInteger in variable #​3656
  • fix hurlfmt html export losing some whitespaces #​3675
  • Fix template to source #​3675
  • Fix changing HTTP version per request sometimes not effective #​3719
  • Add bash file completion for hurl/hurlfmt #​3750
  • Fix multilines HTML export #​3768
  • Change parsing file content type in multipart form data #​3796

Deprecations:

  • Deprecate includes in favor of contains predicate #​1896
  • Warn for deprecated multilines string attributes #​3622
  • Warn for --interactive deprecation #​3763

v6.0.0

========================================================================================================================

Thanks to
@​cemoktra,
@​zikani03,
@​lambrospetrou,
@​jmvargas,
@​quantonganh,
@​sandeshbhusal,
@​thePanz,
@​niklasweimann,
@​infogulch,
@​orlandow,
@​bp7968h,

Breaking Changes:

  • Check that variables do not conflict with existing functions #​3229
  • Remove deprecated --fail-at-end option #​3430
  • Change API for setting variable in hurl::runner::run #​3440
  • Remove hurlfmt deprecated --format option #​3445
  • Rename feature flag from vendored-openssl to static-openssl #​3460

Enhancements:

  • Implement function newUuid #​973
  • Implement --limit-rate from curl #​1222
  • Add --curl option to export executed requests to curl commands #​2679
  • Configure --connect-timeout per request #​3163
  • Support short name for sections [QueryStringParams] => [Query], [FormParams] => [Form], [MultipartFormData] => [Multipart] #​3238
  • Remove url-specific parser (align with grammar) #​3244
  • Remove the crate float-cmp #​3247
  • Jsonpath / Add filter on boolean value #​3252
  • Jsonpath / Add non-equal filter on string and number value #​3261
  • Add support for backtick strings in predicates values #​3317
  • Categorise options in --help #​3339
  • Support more JSON / XML "like" mimetypes with debug output #​3343
  • Add curl debug command to --json and JSON report #​3374
  • Add curl debug command to HTML report #​3386
  • Render Date value #​3431
  • Add newDate generator #​3443

Bugs Fixed:

  • Fix reading standard input multiple times #​3216
  • Fix filename parsing (used by cert option) #​3242
  • Add additional check for --max-filesize option #​3245
  • Support case-insensitive Cookie Attributes #​3265
  • Allow any string in Location Header when not following redirection #​3293
  • Fix graceful shutdown of worker threads in --test #​3297
  • Fix missing space in variable option HTML export #​3412

v5.0.1

========================================================================================================================

Bugs Fixed:

  • Fix regression in --output when output file doesn't exist #​3195

v5.0.0

========================================================================================================================

Thanks to
@​lambrospetrou,
@​OverkillGuy,
@​badboy,
@​DenuxPlays,
@​linkdd,
@​nkback,
@​claytonneal,

Breaking Changes:

  • Encode oneline string only with one backtick #​3113

Enhancements:

  • Create intermediary directories if necessary when producing TAP report #​2860
  • Expose request comments in --out json (hurlfmt) #​2850
  • Create intermediary directories if necessary when producing JUnit report #​2842
  • Add global requests count in test summary #​2832
  • Replace output warnings by errors #​2815
  • Fix inconsistent case for fields queryString and httpVersion in --json #​2804
  • Run tests in parallel #​2753
  • Add support for importing curl url option in hurlfmt #​2750
  • Add JSON report #​2738
  • Add repeat option to repeat a sequence of Hurl file #​2680
  • Add repeat option per request #​2680
  • Add optional duration unit #​2653
  • Apply delay only once per entry, no matter how many retries #​1973
  • Add toFloat filter #​1732
  • Accept directory as Hurl arguments for processing file #​1446

Bugs Fixed:

  • Get SSL certificates info on reused connections, from a cache #​3031
  • Fix max-redirs: -1 in [Options] section #​3023
  • Fix error displayed in double with bad option #​2920
  • Fix hurlfmt exit code with lint error #​2919
  • Truncate file then append it when dumping response with --output. #​2886
  • Fix crash with --json option when capturing 'HttpOnly' and 'Secure' cookie attribute #​2871
  • Fix crash when capturing 'Expires' cookie attribute #​2870
  • Fix empty JSON key parsing #​2836
  • Do not filter 'Authorization' header if host doesn't change while following redirect #​2823
  • Fix sending 'Authorization' header from --user when following redirect #​2812
  • Fix URL when following redirect for certain 'Location' header #​2783
  • Fix powershell completion file #​2729

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
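The advisory quoted in this PR shows a regex literal reaching the hurlfmt HTML report unescaped, so markup inside the literal becomes live HTML when the report is opened. The following Rust snippet is an added example, not code from hurl, hurlfmt or this PR: it renders the same span once verbatim (the defect) and once with the literal escaped at the output boundary (the mitigation), plus a small check a report generator's tests could use to catch any tag that did not come from the generator itself. The function names `html_escape`, `render_regex_span`, `render_regex_span_unescaped` and `contains_foreign_tag` are assumptions made for this illustration.

```rust
// Added example (not hurl's own code): HTML-escaping a Hurl regex literal
// before embedding it in a <span class="regex">...</span> for an HTML report.
// Function names are assumptions for this illustration, not hurlfmt APIs.

/// Escape the five characters that carry meaning in HTML text and
/// attribute contexts, so user-controlled content renders as text.
pub fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Defective rendering: the literal is interpolated verbatim, so any
/// markup inside the regex becomes live HTML in the report.
pub fn render_regex_span_unescaped(regex_literal: &str) -> String {
    format!("<span class=\"regex\">/{}/</span>", regex_literal)
}

/// Hardened rendering: escape the literal at the point of output.
pub fn render_regex_span(regex_literal: &str) -> String {
    format!("<span class=\"regex\">/{}/</span>", html_escape(regex_literal))
}

/// True if the rendered fragment contains any '<' beyond the one span the
/// generator emitted itself, i.e. a tag that originated in user input.
pub fn contains_foreign_tag(html: &str) -> bool {
    let stripped = html
        .replacen("<span class=\"regex\">", "", 1)
        .replacen("</span>", "", 1);
    stripped.contains('<')
}

fn main() {
    // Constructed sample input: the regex literal from the advisory above.
    let literal = r#"<img src="" onerror="alert('Hi!')">"#;
    println!("unescaped: {}", render_regex_span_unescaped(literal));
    println!("escaped:   {}", render_regex_span(literal));
}
```

Escaping belongs in the renderer, where the string meets the HTML context, rather than in the parser or the Hurl model, because the same literal may also be written to plain-text or JSON output where HTML entities would be wrong.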

@renovate renovate bot force-pushed the renovate/crate-hurl-vulnerability branch from 87a0b8d to 890ba78 Compare August 10, 2025 15:07
@renovate renovate bot force-pushed the renovate/crate-hurl-vulnerability branch from 890ba78 to 72b3060 Compare September 25, 2025 19:57
@renovate renovate bot force-pushed the renovate/crate-hurl-vulnerability branch from 72b3060 to 9f9d171 Compare December 10, 2025 16:01