Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-mermaid is vulnerable to XSS attack (CVE-2021-23648)
[ Impact ]
medium vulnerability
[ Tests ]
Tests passed; the new upstream test is not applicable here
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Decode HTML entities before parsing URLs
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3bfa0f2..32f71e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u1) bullseye; urgency=medium
+
+ * Decode html entities before sanitizing (Closes: CVE-2021-23648)
+
+ -- Yadd <yadd@debian.org> Mon, 21 Mar 2022 14:06:12 +0100
+
node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2021-23648.patch b/debian/patches/CVE-2021-23648.patch
new file mode 100644
index 0000000..3571ee3
--- /dev/null
+++ b/debian/patches/CVE-2021-23648.patch
@@ -0,0 +1,46 @@
+Description: decode html entities before sanitizing (fixes XSS)
+Author: Blade Barringer <blade.barringer@paypal.com>
+Origin: upstream, https://github.com/braintree/sanitize-url/commit/8f7371ce
+Bug: https://github.com/braintree/sanitize-url/pull/40
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-03-21
+
+--- a/sanitize-url/index.js
++++ b/sanitize-url/index.js
+@@ -1,6 +1,7 @@
+ 'use strict';
+
+ var invalidPrototcolRegex = /^(%20|\s)*(javascript|data)/im;
++const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
+ var ctrlCharactersRegex = /[^\x20-\x7E]/gmi;
+ var urlSchemeRegex = /^([^:]+):/gm;
+ var relativeFirstCharacters = ['.', '/'];
+@@ -9,15 +10,24 @@
+ return relativeFirstCharacters.indexOf(url[0]) > -1;
+ }
+
++// adapted from https://stackoverflow.com/a/29824550/2601552
++function decodeHtmlCharacters(str) {
++ return str.replace(htmlEntitiesRegex, (match, dec) => {
++ return String.fromCharCode(dec);
++ });
++}
++
+ function sanitizeUrl(url) {
+ var urlScheme, urlSchemeParseResults, sanitizedUrl;
+
+- if (!url) {
++ sanitizedUrl = decodeHtmlCharacters(url || "")
++ .replace(ctrlCharactersRegex, "")
++ .trim();
++
++ if (!sanitizedUrl) {
+ return 'about:blank';
+ }
+
+- sanitizedUrl = url.replace(ctrlCharactersRegex, '').trim();
+-
+ if (isRelativeUrlWithoutProtocol(sanitizedUrl)) {
+ return sanitizedUrl;
+ }
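Review bot: The new `htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g` only decodes decimal numeric references: for a hexadecimal one the captured `dec` begins with `x`, so `String.fromCharCode` yields U+0000, which the following `ctrlCharactersRegex` strips — the reference is dropped rather than decoded; the greedy `\w+` also swallows letters that follow an unterminated reference, and `(^\w|;)?` can never match `^` mid-string without the `m` flag, so that group only ever consumes an optional `;`. A variant that follows the HTML rule (hex digits after `x`, decimal digits otherwise) is sketched below; the output beyond 0x7E is still removed by `ctrlCharactersRegex`, so the rest of `sanitizeUrl` is unaffected. `decodeHtmlCharacters` runs once, so if mermaid inserts the returned value as markup that the HTML parser decodes again, a reference encoded twice would survive this pass — worth confirming the call site and, if so, repeating the decode until the string stops changing. Since this is a stable update of an upstream patch, check whether a later upstream sanitize-url revision already covers these cases before diverging, and note the added `const` sits in a file that otherwise uses `var`; `sanitizeUrl`'s body continues past the end of the hunk.
```javascript
const htmlEntitiesRegex = /&#(?:x([0-9a-f]+)|([0-9]+));?/gi;

// … unchanged: ctrlCharactersRegex, urlSchemeRegex, relativeFirstCharacters, isRelativeUrlWithoutProtocol …

// Decode numeric character references (decimal and hexadecimal) so the
// protocol check below sees the characters the HTML parser would produce.
function decodeHtmlCharacters(str) {
  return str.replace(htmlEntitiesRegex, (match, hex, dec) =>
    String.fromCharCode(hex ? Number.parseInt(hex, 16) : Number.parseInt(dec, 10))
  );
}
```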
diff --git a/debian/patches/series b/debian/patches/series
index f41df00..b3ba76f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
0002-Fix-unsupported-syntax.patch
0003-Replace-moment-mini-with-moment.patch
CVE-2021-35513.patch
+CVE-2021-23648.patch