On 21/06/2022 08:30, Salvatore Bonaccorso wrote:
Hi Yadd,
On Sat, May 28, 2022 at 09:20:40PM +0100, Adam D. Barratt wrote:
Control: tags -1 + confirmed
On Mon, 2022-03-21 at 14:09 +0100, Yadd wrote:
node-mermaid is vulnerable to XSS attack (CVE-2021-23648)
Please go ahead.
Could you also fix CVE-2021-43861 in the next point release? It should
then go on top of the already uploaded +deb11u1.
Regards,
Salvatore
Hi,
Done (8.7.0+ds+~cs27.17.17-3+deb11u2), just pushed to the Bullseye queue.
Regards,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 32f71e8..f566922 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u2) bullseye; urgency=medium
+
+ * Team upload
+ * Fix for XSS vulnerability in url sanitization (Closes: CVE-2021-43861)
+
+ -- Yadd Sat, 02 Jul 2022 07:06:05 +0200
+
node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u1) bullseye; urgency=medium
* Decode html entities before sanitizing (Closes: CVE-2021-23648)
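Review bot: the new entry writes `(Closes: CVE-2021-43861)`, but `Closes:` in a Debian changelog is parsed for BTS bug numbers (`#NNNNNN`) and a CVE id there closes nothing; name the CVE in the entry text (e.g. "Fix for XSS vulnerability in url sanitization (CVE-2021-43861)") and reserve `Closes:` for a bug number if one exists for this issue.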
diff --git a/debian/patches/CVE-2021-43861.patch
b/debian/patches/CVE-2021-43861.patch
new file mode 100644
index 000..418467e
--- /dev/null
+++ b/debian/patches/CVE-2021-43861.patch
@@ -0,0 +1,306 @@
+Description: Fix for XSS vulnerability in url sanitization
+Author: Knut Sveidqvist
+Origin: upstream, https://github.com/mermaid-js/mermaid/commit/066b7a0d
+Bug:
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-07-02
+
+--- /dev/null
b/cypress/platform/xss16.html
+@@ -0,0 +1,106 @@
++
++
++https://fonts.googleapis.com/css?family=Montserrat=swap;
++ rel="stylesheet"
++/>
++https://unpkg.com/tailwindcss@^1.0/dist/tailwind.min.css;
rel="stylesheet">
++https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css;>
++https://fonts.googleapis.com/css?family=Noto+Sans+SC=swap;
rel="stylesheet">
++
++ body {
++/* background: rgb(221, 208, 208); */
++/* background:#333; */
++font-family: 'Arial';
++/* font-size: 18px !important; */
++}
++ h1 { color: grey;}
++ .mermaid2 {
++display: none;
++ }
++ .mermaid svg {
++/* font-size: 18px !important; */
++ }
++ .malware {
++position: fixed;
++bottom:0;
++left:0;
++right:0;
++height: 150px;
++background: red;
++color: black;
++display: flex;
++display: flex;
++justify-content: center;
++align-items: center;
++font-family: monospace;
++font-size: 72px;
++ }
++
++
++
++Security check
++
++
++
++
++
++ mermaid.parseError = function (err, hash) {
++// console.error('Mermaid error: ', err);
++ };
++ mermaid.initialize({
++theme: 'forest',
++arrowMarkerAbsolute: true,
++// themeCSS: '.edgePath .path {stroke: red;} .arrowheadPath {fill:
red;}',
++logLevel: 0,
++state: {
++ defaultRenderer: 'dagre-d3',
++},
++flowchart: {
++ // defaultRenderer: 'dagre-wrapper',
++ nodeSpacing: 10,
++curve: 'cardinal',
++htmlLabels: true,
++},
++htmlLabels: true,
++// gantt: { axisFormat: '%m/%d/%Y' },
++sequence: { actorFontFamily: 'courier', actorMargin: 50,
showSequenceNumbers: false },
++// sequenceDiagram: { actorMargin: 300 } // deprecated
++// fontFamily: '"times", sans-serif',
++// fontFamily: 'courier',
++fontSize: 18,
++curve: 'basis',
++securityLevel: 'loose',
++startOnLoad: false,
++secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize'],
++// themeVariables: {relationLabelColor: 'red'}
++ });
++ function callback() {
++ alert('It worked');
++}
++ function xssAttack() {
++const div = document.createElement('div');
++div.id = 'the-malware';
++div.className = 'malware';
++div.innerHTML = 'XSS Succeeded';
++document.getElementsByTagName('body')[0].appendChild(div);
++throw new Error('XSS Succeded');
++ }
++
++ var diagram = `sequenceDiagram
++participant Alice
++links Alice: { "Click me!" : "javasjavascript:cript:alert('goose')" }`;
++
++// // var diagram = "stateDiagram-v2\n";
++// // diagram += ""]';
++// console.log(diagram);
++// document.querySelector('#diagram').innerHTML = diagram;
++mermaid.render('diagram', diagram, (res) => {
++ console.log(res);
++ document.querySelector('#res').innerHTML = res;
++});
++
++
++
++
+--- /dev/null
b/cypress/platform/xss17.html
+@@ -0,0 +1,106 @@
++
++
++https://fonts.googleapis.com/css?family=Montserrat=swap;
++ rel="stylesheet"
++/>
++
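Review bot: the part of the patch quoted here shows only the two cypress fixture pages (xss16.html and xss17.html); the change to the URL sanitizer that the `Description:` line refers to is not in this excerpt, so the fix itself cannot be reviewed from what is visible. In the xss16.html fixture, the `links Alice:` diagram carries the case where removing the scheme string once still leaves a `javascript:` URL behind, so the sanitizer should repeat until its output stops changing (or reject the URL outright), and the fixture should fail on the presence of such an href in the rendered SVG rather than rely on the alert firing in the browser.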