Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency highlight.js to v10 [SECURITY] #283

Merged
merged 1 commit into from
Dec 14, 2020

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 24, 2020

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
highlight.js (source) ^9.15.8 -> ^10.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-26237

Impact

Affected versions of this package are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable.

The pollution should just be harmless data but this can cause problems for applications not expecting these properties to exist and can result in strange behavior or application crashes, i.e. a potential DOS vector.

If your website or application does not render user provided data it should be unaffected.

Patches

Versions 9.18.2 and 10.1.2 and newer include fixes for this vulnerability. If you are using version 7 or 8 you are encouraged to upgrade to a newer release.

Workarounds

Patch your library

Manually patch your library to create null objects for both languages and aliases:

const HLJS = function(hljs) {
  // ...
  var languages = Object.create(null);
  var aliases = Object.create(null);

Filter out bad data from end users

Filter the language names that users are allowed to inject into your HTML to guarantee they are valid.

References

For more information

If you have any questions or comments about this advisory:

GHSA-7wwv-vh3v-89cq

Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking)

oswasp:

The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time.

If are you are using Highlight.js to highlight user-provided data you are possibly vulnerable. On the client-side (in a browser or Electron environment) risks could include lengthy freezes or crashes... On the server-side infinite freezes could occur... effectively preventing users from accessing your app or service (ie, Denial of Service).

This is an issue with grammars shipped with the parser (and potentially 3rd party grammars also), not the parser itself. If you are using Highlight.js with any of the following grammars you are vulnerable. If you are using highlightAuto to detect the language (and have any of these grammars registered) you are vulnerable.

All versions prior to 10.4.1 are vulnerable, including version 9.18.5.

Grammars with exponential backtracking issues:

  • c-like (c, cpp, arduino)
  • handlebars (htmlbars)
  • gams
  • perl
  • jboss-cli
  • r
  • erlang-repl
  • powershell
  • routeros
  • livescript (10.4.0 and 9.18.5 included this fix)
  • javascript & typescript (10.4.0 included partial fixes)

And of course any aliases of those languages have the same issue. ie: hpp is no safer than cpp.

Grammars with polynomial backtracking issues:

  • kotlin
  • gcode
  • d
  • aspectj
  • moonscript
  • coffeescript/livescript
  • csharp
  • scilab
  • crystal
  • elixir
  • basic
  • ebnf
  • ruby
  • fortran/irpf90
  • livecodeserver
  • yaml
  • x86asm
  • dsconfig
  • markdown
  • ruleslanguage
  • xquery
  • sqf

And again: any aliases of those languages have the same issue. ie: ruby and rb share the same ruby issues.

Patches

  • Version 10.4.1 resolves these vulnerabilities. Please upgrade.

Workarounds / Mitigations

  • Discontinue use the affected grammars. (or perhaps use only those with poly vs exponential issues)
  • Attempt cherry-picking the grammar fixes into older versions...
  • Attempt using newer CDN versions of any affected languages. (ie using an older CDN version of the library with newer CDN grammars). Your mileage may vary.

References

For more information

If you have any questions or comments about this advisory:


Release Notes

highlightjs/highlight.js

v10.4.1

Compare Source

Security

  • (fix) Exponential backtracking fixes for: Josh Goebel
    • cpp
    • handlebars
    • gams
    • perl
    • jboss-cli
    • r
    • erlang-repl
    • powershell
    • routeros
  • (fix) Polynomial backtracking fixes for: Josh Goebel
    • asciidoc
    • reasonml
    • latex
    • kotlin
    • gcode
    • d
    • aspectj
    • moonscript
    • coffeescript/livescript
    • csharp
    • scilab
    • crystal
    • elixir
    • basic
    • ebnf
    • ruby
    • fortran/irpf90
    • livecodeserver
    • yaml
    • x86asm
    • dsconfig
    • markdown
    • ruleslanguage
    • xquery
    • sqf

Very grateful to Michael Schmidt for all the help.

v10.4.0

Compare Source

A largish release with many improvements and fixes from quite a few different contributors. Enjoy!

Deprecations:

  • (chore) requireLanguage is deprecated.
    • Prefer getLanguage (with custom error handling) or built-time dependencies.
    • See Library API for more information.

Parser:

New Languages:

Language Improvements:

  • enh(shell) Recognize prompts which contain tilde ~ (#​2859) Guillaume Grossetie
  • enh(shell) Add support for multiline commands with line continuation \ (#​2861) Guillaume Grossetie
  • enh(autodetect) Over 30+ improvements to auto-detect (#​2745) Josh Goebel
    • 4-5% improvement in auto-detect against large sample set
    • properties, angelscript, lsl, javascript, n1ql, ocaml, ruby
    • protobuf, hy, scheme, crystal, yaml, r, vbscript, groovy
    • python, java, php, lisp, matlab, clojure, csharp, css
  • fix(r) fixed keywords not properly spaced (#​2852) Josh Goebel
  • fix(javascript) fix potential catastrophic backtracking (#​2852) Josh Goebel
  • fix(livescript) fix potential catastrophic backtracking (#​2852) Josh Goebel
  • bug(xml) XML grammar was far too imprecise/fuzzy Josh Goebel
  • enh(xml) Improve precision to prevent false auto-detect positives Josh Goebel
  • fix(js/ts) Prevent for/while/if/switch from falsly matching as functions (#​2803) Josh Goebel
  • enh(julia) Update keyword lists for Julia 1.x (#​2781) Fredrik Ekre
  • enh(python) Match numeric literals per the language reference Richard Gibson
  • enh(ruby) Match numeric literals per language documentation Richard Gibson
  • enh(javascript) Match numeric literals per ECMA-262 spec Richard Gibson
  • enh(java) Match numeric literals per Java Language Specification Richard Gibson
  • enh(swift) Match numeric literals per language reference Richard Gibson
  • enh(php) highlight variables (#​2785) Taufik Nurrohman
  • fix(python) Handle comments on decorators (#​2804) Jonathan Sharpe
  • enh(diff) improve highlighting of diff for git patches [Florian Bezdeka][]
  • fix(llvm) lots of small improvements and fixes (#​2830) Josh Goebel
  • enh(mathematica) Rework entire implementation Patrick Scheibe
    • Correct matching of the many variations of Mathematica's numbers
    • Matching of named-characters aka special symbols like \[Gamma]
    • Updated list of version 12.1 built-in symbols
    • Matching of patterns, slots, message-names and braces
  • fix(swift) Handle keywords that start with # Marcus Ortiz
  • enh(swift) Match some keyword Marcus Ortiz
  • enh(swift) Match @main attribute Marcus Ortiz

Dev Improvements:

  • chore(dev) add theme picker to the tools/developer tool (#​2770) Josh Goebel
  • fix(dev) the Vue.js plugin no longer throws an exception when hljs is not in the global namespace Kyle Brown

New themes:

v10.3.2

Compare Source

Tiny tiny release, just to fix the website incorrectly not listing Javascript
in the list of languages you could choose for a custom build. NPM and CDN
build should not have been affected so 10.3.1 is effectively the same as
10.3.2 for those builds.

If you made a custom build from the website with 10.3 or 10.3.1 you may
want to check and make sure it includes Javascript, and if not, build it again.

v10.3.1

Compare Source

Prior version let some look-behind regex sneak in, which does not work
yet on Safari. This release removes those incompatible regexes.

Fix:

  • fix(Safari) Remove currently unsupported look-behind regex (fix) Josh Goebel

v10.3.0

Compare Source

Language Improvements:

Deprecations:

v10.2.1

Compare Source

Parser Engine:

v10.2.0

Compare Source

Parser Engine:

  • (fix) When ignoring a potential match highlighting can terminate early (#​2649) Josh Goebel

New themes:

Deprecations:

Big picture:

Language Improvements:

v10.1.2

Compare Source

Fixes:

  • fix(night) Prevent object prototype values from being returned by getLanguage (#​2636) night

v10.1.1

Compare Source

Fixes:

v10.1.0

Compare Source

New themes:

Parser Engine:

Deprecations:

Language Improvements:

v10.0.3

Compare Source

v10.0.2

Compare Source

Brower build:

Parser Engine Changes:

v10.0.1

Compare Source

Parser Engine Changes:

v10.0.0

Compare Source

New languages:

  • add(php-template) Explicit language to detect PHP templates (vs xml) Josh Goebel
  • enh(python) Added python-repl for Python REPL sessions
  • add(never) Added 3rd party Never language support

New themes:

Parser Engine Changes:

Language Improvements:

Developer Tools:

  • added Dockerfile for optionally developing with a container

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.

@github-actions
Copy link

github-actions bot commented Nov 24, 2020

Size Change: 0 B

Total Size: 7.48 kB

ℹ️ View Unchanged
Filename Size Change
dist/currency.es.js 2.07 kB 0 B
dist/currency.js 2.08 kB 0 B
dist/currency.min.js 1.14 kB 0 B
dist/currency.umd.js 2.2 kB 0 B

compressed-size-action

@coveralls
Copy link

Coverage Status

Coverage remained the same at 100.0% when pulling 33fbb90 on renovate/npm-highlight.js-vulnerability into 4611c1c on master.

@coveralls
Copy link

coveralls commented Nov 25, 2020

Coverage Status

Coverage remained the same at 100.0% when pulling afc8283 on renovate/npm-highlight.js-vulnerability into a1b1609 on master.

@renovate renovate bot force-pushed the renovate/npm-highlight.js-vulnerability branch from 33fbb90 to b3ba88e Compare December 4, 2020 17:58
@renovate renovate bot changed the title Update dependency highlight.js to v9.18.2 [SECURITY] Update dependency highlight.js to v10 [SECURITY] Dec 4, 2020
@renovate renovate bot force-pushed the renovate/npm-highlight.js-vulnerability branch from b3ba88e to afc8283 Compare December 14, 2020 16:07
@scurker scurker merged commit 83f9a83 into master Dec 14, 2020
@scurker scurker deleted the renovate/npm-highlight.js-vulnerability branch December 14, 2020 19:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants