Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency dompurify to v2.5.4 [security] - autoclosed #1187

Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency dompurify to v2.5.4 [security] - autoclosed #1187

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 16, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
dompurify 2.3.6 -> 2.5.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-45801

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by cure53/DOMPurify@1e52026 (3.x branch) and cure53/DOMPurify@26e1d69 (2.x branch).

CVE-2024-47875

DOMpurify was vulnerable to nesting-based mXSS

fixed by 0ef5e537 (2.x) and
merge 943

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under test

CVE-2024-48910

dompurify was vulnerable to prototype pollution

Fixed by cure53/DOMPurify@d1dd037

Release Notes

cure53/DOMPurify (dompurify)

v2.5.4: DOMPurify 2.5.4

Compare Source

  • Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
  • Fixed the tests for MSIE and fixed related test-runner

v2.5.3: DOMPurify 2.5.3

Compare Source

  • Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
  • Fixed some smaller issues in README and other documentation

v2.5.2: DOMPurify 2.5.2

Compare Source

  • Addressed and fixed a mXSS variation found by @​kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

v2.5.1: DOMPurify 2.5.1

Compare Source

  • Fixed an mXSS sanitizer bypass reported by @​icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v2.5.0: DOMPurify 2.5.0

Compare Source

  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

v2.4.9: DOMPurify 2.4.9

Compare Source

  • Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v2.4.8: DOMPurify 2.4.8

Compare Source

  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

v2.4.7: DOMPurify 2.4.7

Compare Source

v2.4.6: DOMPurify 2.4.6

Compare Source

  • Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN

v2.4.5: DOMPurify 2.4.5

Compare Source

  • Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v2.4.4: DOMPurify 2.4.4

Compare Source

v2.4.3: DOMPurify 2.4.3

Compare Source

  • Final release that is compatible with MSIE10 & MSIE 11

v2.4.2: DOMPurify 2.4.2

Compare Source

  • Fixed a Trusted Types sink violation with empty input and NAMESPACE , thanks @​tosmolka
  • Fixed a Prototype Pollution issue discovered and reported by @​kevin-mizu

v2.4.1: DOMPurify 2.4.1

Compare Source

v2.4.0: DOMPurify 2.4.0

Compare Source

  • Removed bundled types again as they caused too much trouble

v2.3.12: DOMPurify 2.3.12

Compare Source

v2.3.11: DOMPurify 2.3.11

Compare Source

  • Added generated type definitions for better compatibility
  • Added SANITIZE_NAMED_PROPS config option, thanks @​SoheilKhodayari
  • Updated README and config documentation, thanks @​0xedward
  • Updated test suite with newer Node versions

v2.3.10: DOMPurify 2.3.10

Compare Source

  • Added support for sanitization of attributes requiring Trusted Types, thanks @​tosmolka

v2.3.9: DOMPurify 2.3.9

Compare Source

  • Made TAG and ATTR config options case-sensitive when parsing XHTML, thanks @​tosmolka
  • Bumped some dependencies, thanks @​is2ei
  • Included github-actions in the dependabot config, thanks @​nathannaveen

v2.3.8: DOMPurify 2.3.8

Compare Source

  • Cleaned up a minor issue with the 2.3.7 release, thanks @​johnbirds

No other changes compared to 2.3.7 release, which entail:

v2.3.7

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@codecov Codecov
Copy link

codecov bot commented Sep 16, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.43%. Comparing base (7cfe30a) to head (f83d042).
Report is 1 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #1187   +/-   ##
=======================================
  Coverage   88.43%   88.43%           
=======================================
  Files         399      399           
  Lines        8519     8519           
  Branches     2091     2091           
=======================================
  Hits         7534     7534           
+ Misses        943      942    -1     
- Partials       42       43    +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 7 times, most recently from 450b8a7 to 8ebabbc Compare September 20, 2024 14:20
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 2 times, most recently from 00a692b to bf0f3b0 Compare September 30, 2024 13:49
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 4 times, most recently from 2d00a09 to 94d5d82 Compare October 9, 2024 20:32
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 7 times, most recently from 53ddf42 to 1877f78 Compare October 21, 2024 19:14
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch 4 times, most recently from 7e17144 to aa817db Compare October 31, 2024 14:40
@renovate renovate bot force-pushed the renovate/npm-dompurify-vulnerability branch from aa817db to f83d042 Compare November 1, 2024 17:37
@renovate renovate bot changed the title fix(deps): update dependency dompurify to v2.5.4 [security] fix(deps): update dependency dompurify to v2.5.4 [security] - autoclosed Nov 4, 2024
@renovate renovate bot closed this Nov 4, 2024
@renovate renovate bot deleted the renovate/npm-dompurify-vulnerability branch November 4, 2024 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants