Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1

2022-07-01 Thread Yadd

On 21/06/2022 08:30, Salvatore Bonaccorso wrote:
> Hi Yadd,
> 
> On Sat, May 28, 2022 at 09:20:40PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Mon, 2022-03-21 at 14:09 +0100, Yadd wrote:
> > > node-mermaid is vulnerable to XSS attack (CVE-2021-23648)
> > > 
> > 
> > Please go ahead.
> 
> Could you fix as well CVE-2021-43861 in the next point release? Should
> be then on top of the already uploaded +deb11u1.
> 
> Regards,
> Salvatore


Hi,

done (8.7.0+ds+~cs27.17.17-3+deb11u2), just pushed to Bullseye queue

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 32f71e8..f566922 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Fix for XSS vulnerability in url sanitization (Closes: CVE-2021-43861)
+
+ -- Yadd   Sat, 02 Jul 2022 07:06:05 +0200
+
 node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u1) bullseye; urgency=medium
 
   * Decode html entities before sanitizing (Closes: CVE-2021-23648)
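Review bot: the new +deb11u2 entry, "Fix for XSS vulnerability in url sanitization", reads almost the same as the +deb11u1 entry directly below it ("Decode html entities before sanitizing"), which also fixed URL sanitisation. Since this patch is an upstream mermaid commit rather than another change to the bundled sanitize-url, naming the component (for example "Fix XSS in mermaid's own url sanitization (CVE-2021-43861)") would keep the two CVE fixes distinguishable in the changelog and in the security tracker.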
diff --git a/debian/patches/CVE-2021-43861.patch 
b/debian/patches/CVE-2021-43861.patch
new file mode 100644
index 000..418467e
--- /dev/null
+++ b/debian/patches/CVE-2021-43861.patch
@@ -0,0 +1,306 @@
+Description: Fix for XSS vulnerability in url sanitization
+Author: Knut Sveidqvist 
+Origin: upstream, https://github.com/mermaid-js/mermaid/commit/066b7a0d
+Bug: 
https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-07-02
+
+--- /dev/null
 b/cypress/platform/xss16.html
+@@ -0,0 +1,106 @@
++
++  
++https://fonts.googleapis.com/css?family=Montserrat=swap;
++  rel="stylesheet"
++/>
++https://unpkg.com/tailwindcss@^1.0/dist/tailwind.min.css; 
rel="stylesheet">
++https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css;>
++https://fonts.googleapis.com/css?family=Noto+Sans+SC=swap; 
rel="stylesheet">
++
++  body {
++/* background: rgb(221, 208, 208); */
++/* background:#333; */
++font-family: 'Arial';
++/* font-size: 18px !important; */
++}
++  h1 { color: grey;}
++  .mermaid2 {
++display: none;
++  }
++  .mermaid svg {
++/* font-size: 18px !important; */
++  }
++  .malware {
++position: fixed;
++bottom:0;
++left:0;
++right:0;
++height: 150px;
++background: red;
++color: black;
++display: flex;
++display: flex;
++justify-content: center;
++align-items: center;
++font-family: monospace;
++font-size: 72px;
++  }
++
++  
++  
++Security check
++
++  
++  
++  
++
++  mermaid.parseError = function (err, hash) {
++// console.error('Mermaid error: ', err);
++  };
++  mermaid.initialize({
++theme: 'forest',
++arrowMarkerAbsolute: true,
++// themeCSS: '.edgePath .path {stroke: red;} .arrowheadPath {fill: 
red;}',
++logLevel: 0,
++state: {
++  defaultRenderer: 'dagre-d3',
++},
++flowchart: {
++  // defaultRenderer: 'dagre-wrapper',
++  nodeSpacing: 10,
++curve: 'cardinal',
++htmlLabels: true,
++},
++htmlLabels: true,
++// gantt: { axisFormat: '%m/%d/%Y' },
++sequence: { actorFontFamily: 'courier', actorMargin: 50, 
showSequenceNumbers: false },
++// sequenceDiagram: { actorMargin: 300 } // deprecated
++// fontFamily: '"times", sans-serif',
++// fontFamily: 'courier',
++fontSize: 18,
++curve: 'basis',
++securityLevel: 'loose',
++startOnLoad: false,
++secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize'],
++// themeVariables: {relationLabelColor: 'red'}
++  });
++  function callback() {
++  alert('It worked');
++}
++  function xssAttack() {
++const div = document.createElement('div');
++div.id = 'the-malware';
++div.className = 'malware';
++div.innerHTML = 'XSS Succeeded';
++document.getElementsByTagName('body')[0].appendChild(div);
++throw new Error('XSS Succeded');
++  }
++
++  var diagram = `sequenceDiagram
++participant Alice
++links Alice: { "Click me!" : "javasjavascript:cript:alert('goose')" }`;
++
++// //   var diagram = "stateDiagram-v2\n";
++// //  diagram += ""]';
++// console.log(diagram);
++// document.querySelector('#diagram').innerHTML = diagram;
++mermaid.render('diagram', diagram, (res) => {
++  console.log(res);
++  document.querySelector('#res').innerHTML = res;
++});
++
++  
++
++
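Review bot: the only part of this 306-line hunk visible in the mail is the cypress fixture xss16.html (and the head of xss17.html below), so the actual change to the URL sanitiser cannot be reviewed here; the original pu request already notes that the upstream tests are not applicable to the Debian build, so the fixtures could be dropped from debian/patches/CVE-2021-43861.patch and only the source change kept, which would also shrink the debdiff. What the fixture does show is the payload class the fix must handle: the `links Alice` value `javasjavascript:cript:alert('goose')` collapses to `javascript:alert('goose')` if a sanitiser removes the substring `javascript:` exactly once, so the full patch should be checked to reject such a scheme (or re-check until the string stops changing) rather than strip a single occurrence. Minor: `display: flex;` is duplicated in the `.malware` rule, and `securityLevel: 'loose'` is what lets the `links` entry render as a clickable href, which is why the fixture needs it.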
+--- /dev/null
 b/cypress/platform/xss17.html
+@@ -0,0 +1,106 @@
++
++  
++https://fonts.googleapis.com/css?family=Montserrat=swap;
++  rel="stylesheet"
++/>
++
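The two defences this thread's patches describe, decoding HTML entities before the scheme is checked (CVE-2021-23648) and not relying on stripping a `javascript:` substring (the xss16 fixture payload for CVE-2021-43861), as an added example in JavaScript; this is not code from node-mermaid, sanitize-url or the Debian patches, and the scheme allowlist, the entity table and the helper names are this example's own assumptions.

```javascript
// Added example, not code from node-mermaid or the bundled sanitize-url
// (the scheme allowlist and entity table are this example's own choices).

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                         colon: ':', Tab: '\t', NewLine: '\n' };

// Decode &#106; / &#x6A; / &colon; style entities until the string stops
// changing, so a double-encoded payload is fully revealed before any check.
function decodeHtmlEntities(input) {
  let prev, cur = String(input);
  do {
    prev = cur;
    cur = cur.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(\w+));/gi, (m, hex, dec, name) => {
      const cp = hex ? parseInt(hex, 16) : dec ? parseInt(dec, 10) : -1;
      if (cp >= 0) return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
        ? NAMED_ENTITIES[name] : m;
    });
  } while (cur !== prev);
  return cur;
}

// The defect CVE-2021-23648 describes, using the denylist regex visible in
// the patch context of the pu request: tested on the raw string, it never
// sees "javascript" when the "j" is written as the entity &#106;.
function denylistOnRaw(url) {
  return /^(%20|\s)*(javascript|data)/im.test(url) ? 'about:blank' : url;
}

// Hardened version: decode first, drop the control characters browsers
// ignore inside a scheme, then allow known schemes rather than stripping
// bad ones. A nested scheme such as the xss16 fixture's
// "javasjavascript:cript:" is just an unknown scheme and is rejected;
// nothing is cut out that could leave a valid "javascript:" behind.
function sanitizeUrl(url) {
  const decoded = decodeHtmlEntities(url).replace(/[\u0000-\u001f\u007f]/g, '').trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(decoded);
  if (!m) return decoded;                                // no scheme: relative URL
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? decoded : 'about:blank';
}
```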

Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1

2022-06-21 Thread Salvatore Bonaccorso
Hi Yadd,

On Sat, May 28, 2022 at 09:20:40PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2022-03-21 at 14:09 +0100, Yadd wrote:
> > node-mermaid is vulnerable to XSS attack (CVE-2021-23648)
> > 
> 
> Please go ahead.

Could you fix as well CVE-2021-43861 in the next point release? Should
be then on top of the already uploaded +deb11u1.

Regards,
Salvatore



Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1

2022-05-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2022-03-21 at 14:09 +0100, Yadd wrote:
> node-mermaid is vulnerable to XSS attack (CVE-2021-23648)
> 

Please go ahead.

Regards,

Adam



Processed: Re: Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1

2022-05-28 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1008045 [release.debian.org] bullseye-pu: package 
node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1
Added tag(s) confirmed.

-- 
1008045: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008045
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1

2022-03-21 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-mermaid is vulnerable to XSS attack (CVE-2021-23648)

[ Impact ]
medium vulnerability

[ Tests ]
Test passed, new upstream test not applicable here

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Decode HTML entities before parsing URLs

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3bfa0f2..32f71e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u1) bullseye; urgency=medium
+
+  * Decode html entities before sanitizing (Closes: CVE-2021-23648)
+
+ -- Yadd   Mon, 21 Mar 2022 14:06:12 +0100
+
 node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
 
   * Team upload
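Review bot: `Closes: CVE-2021-23648` in the new entry is not a token the Debian BTS acts on (it only closes `Closes: #NNNNNN` references), so if a Debian bug was filed for this CVE it should be listed by number with the CVE kept as a plain reference, for example `Decode html entities before sanitizing (CVE-2021-23648, Closes: #NNNNNN)` with the real bug number; if no bug exists, the `Closes:` wording should go.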
diff --git a/debian/patches/CVE-2021-23648.patch 
b/debian/patches/CVE-2021-23648.patch
new file mode 100644
index 000..3571ee3
--- /dev/null
+++ b/debian/patches/CVE-2021-23648.patch
@@ -0,0 +1,46 @@
+Description: decode html entities before sanitizing (fixes XSS)
+Author: Blade Barringer 
+Origin: upstream, https://github.com/braintree/sanitize-url/commit/8f7371ce
+Bug: https://github.com/braintree/sanitize-url/pull/40
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-03-21
+
+--- a/sanitize-url/index.js
 b/sanitize-url/index.js
+@@ -1,6 +1,7 @@
+ 'use strict';
+ 
+ var invalidPrototcolRegex = /^(%20|\s)*(javascript|data)/im;
++const htmlEntitiesRegex =
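Review bot: the hunk is cut off in this mail after `++const htmlEntitiesRegex =`, so neither the regex nor the point at which decoding is applied is visible. Two things to confirm in the full patch: that the decode runs before `invalidPrototcolRegex` is tested, which is the whole point of the fix, and that it is repeated until the input stops changing, since a single decode pass still lets a double-encoded entity such as `&amp;#106;` reach the regex undecoded. Style point: the file uses `'use strict'` and `var`, while the new line introduces `const`; fine for Node, but inconsistent with the surrounding code.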