Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-mermaid is vulnerable to an XSS attack (CVE-2021-23648) [ Impact ] medium vulnerability [ Tests ] Test passed, new upstream test not applicable here [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Decode HTML entities before parsing URLs Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 3bfa0f2..32f71e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u1) bullseye; urgency=medium
+
+ * Decode html entities before sanitizing (Closes: CVE-2021-23648)
+
+ -- Yadd <y...@debian.org> Mon, 21 Mar 2022 14:06:12 +0100
+
 node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
 
 * Team upload
diff --git a/debian/patches/CVE-2021-23648.patch b/debian/patches/CVE-2021-23648.patch
new file mode 100644
index 0000000..3571ee3
--- /dev/null
+++ b/debian/patches/CVE-2021-23648.patch
@@ -0,0 +1,46 @@
+Description: decode html entities before sanitizing (fixes XSS)
+Author: Blade Barringer <blade.barrin...@paypal.com>
+Origin: upstream, https://github.com/braintree/sanitize-url/commit/8f7371ce
+Bug: https://github.com/braintree/sanitize-url/pull/40
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-03-21
+
+--- a/sanitize-url/index.js
++++ b/sanitize-url/index.js
+@@ -1,6 +1,7 @@
+ 'use strict';
+ 
+ var invalidPrototcolRegex = /^(%20|\s)*(javascript|data)/im;
++const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
+ var ctrlCharactersRegex = /[^\x20-\x7E]/gmi;
+ var urlSchemeRegex = /^([^:]+):/gm;
+ var relativeFirstCharacters = ['.', '/'];
+@@ -9,15 +10,24 @@
+ return relativeFirstCharacters.indexOf(url[0]) > -1;
+ }
+ 
++// adapted from https://stackoverflow.com/a/29824550/2601552
++function decodeHtmlCharacters(str) {
++ return str.replace(htmlEntitiesRegex, (match, dec) => {
++ return String.fromCharCode(dec);
++ });
++}
++
+ function sanitizeUrl(url) {
+ var urlScheme, urlSchemeParseResults, sanitizedUrl;
+ 
+- if (!url) {
++ sanitizedUrl = decodeHtmlCharacters(url || "")
++ .replace(ctrlCharactersRegex, "")
++ .trim();
++
++ if (!sanitizedUrl) {
+ return 'about:blank';
+ }
+ 
+- sanitizedUrl = url.replace(ctrlCharactersRegex, '').trim();
+- 
+ if (isRelativeUrlWithoutProtocol(sanitizedUrl)) {
+ return sanitizedUrl;
+ }
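Review bot: `htmlEntitiesRegex` in the new `decodeHtmlCharacters` only decodes decimal numeric character references: a hexadecimal reference (`&#x..;`) is captured by `\w+` and handed to `String.fromCharCode` as a non-numeric string, which yields U+0000 (then silently stripped by `ctrlCharactersRegex`) rather than the intended character, and when a decimal reference has no terminating `;` the greedy `\w+` also swallows the letters after it, so the text is not decoded the way an HTML parser would decode it. Restricting the regex to the two numeric forms and parsing with an explicit radix keeps the decoder aligned with the parser this sanitizer is guarding: `const htmlEntitiesRegex = /&#(x[0-9a-f]+|\d+);?/gi;` and, in the callback, `var code = /^x/i.test(dec) ? parseInt(dec.slice(1), 16) : parseInt(dec, 10);` followed by `return String.fromCharCode(code);`. The `(^\w|;)?` group can go at the same time, since `^` inside it is a start-of-input anchor that can never match after `&#`, so the group is effectively `;?`. Named character references (e.g. `&amp;`) remain outside the scope of this decoder; whether mermaid's callers rely on that is not determinable from this diff. `sanitizeUrl` continues past the end of the hunk.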
diff --git a/debian/patches/series b/debian/patches/series
index f41df00..b3ba76f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0002-Fix-unsupported-syntax.patch
 0003-Replace-moment-mini-with-moment.patch
 CVE-2021-35513.patch
+CVE-2021-23648.patch