
Update dependency marked to v4.0.10 [SECURITY] #44078

Merged
merged 1 commit into from
Jan 17, 2022

Conversation

renovate[bot]

@renovate renovate bot commented Jan 14, 2022

WhiteSource Renovate

This PR contains the following updates:

Package: marked (source)
Change: 4.0.9 -> 4.0.10

GitHub Vulnerability Alerts

CVE-2022-21680

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following:

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

CVE-2022-21681

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is the following:

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:


Release Notes

markedjs/marked

v4.0.10

Compare Source

Bug Fixes
  • security: fix redos vulnerabilities (8f80657)

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner January 14, 2022 22:44
@renovate renovate bot added area/frontend area/security dependencies Pull requests that update a dependency file labels Jan 14, 2022
@renovate renovate bot requested review from dprokop and removed request for a team January 14, 2022 22:44
@dprokop dprokop added the backport v8.3.x Mark PR for automatic backport to v8.3.x label Jan 17, 2022
@dprokop dprokop added this to the 8.3.4 milestone Jan 17, 2022
@dprokop dprokop merged commit d4362ea into main Jan 17, 2022
@dprokop dprokop deleted the renovate/npm-marked-vulnerability branch January 17, 2022 07:47
@grafanabot

The backport to v8.3.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-44078-to-v8.3.x origin/v8.3.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x d4362ea5a88d403c99bfafa86c7ab882e82607cb
# Push it to GitHub
git push --set-upstream origin backport-44078-to-v8.3.x
git switch main
# Remove the local backport branch
git branch -D backport-44078-to-v8.3.x

Then, create a pull request where the base branch is v8.3.x and the compare/head branch is backport-44078-to-v8.3.x.

xlson added a commit to joanlopez/grafana that referenced this pull request Jan 17, 2022
* origin/main:
  Split prepare-release (grafana#44124)
  Fix issue link (grafana#42891)
  Release: remove bump from prepare release action (grafana#44111)
  Access control: Team role picker (grafana#43418)
  Plugins: Add notices to docs to prevent NPX commands from hanging (grafana#44043)
  Azure Monitor: Improved error messages for variable queries (grafana#43213)
  CloudMonitoring: Fixes broken variable queries that use group bys (grafana#43914)
  Elastic: Allow using long/int as date field for alerts (grafana#44027)
  Prometheus: Fix interpolation of $__rate_interval variable (grafana#44035)
  Alerting: show deleted datasource (grafana#43891)
  Dashboard save interaction evt (grafana#43304)
  Chore: reduces circular dependencies for variables/utils.ts (grafana#44087)
  Chore(CodeQL): Add noopener noreferrer to external links in email templates (grafana#44092)
  Export: Fix error being thrown when exporting dashboards using query variables that reference the default datasource (grafana#44034)
  fix delete plugin dashboard (grafana#44055)
  Access Control: Allow signed in users access to GET data sources endpoints (grafana#43338)
  small fix 🙏 (grafana#44089)
  Update dependency marked to v4.0.10 [SECURITY] (grafana#44078)
  Remove Macaron ParamsInt64 function from code base (grafana#43810)
ryantxu pushed a commit that referenced this pull request Jan 18, 2022
Co-authored-by: Renovate Bot <bot@renovateapp.com>

3 participants