petakopi.my
petakopi.my copied to clipboard
petakopi
🚨 [security] [js] Update trix 2.0.10 → 2.1.1 (minor)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ trix (2.0.10 → 2.1.1) · Repo
Security Advisories 🚨
🚨 Trix Editor Arbitrary Code Execution Vulnerability
The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application.
Vulnerable Versions: Up to 2.1.0
Fixed Version: 2.1.1
Vector:
- Bug 1: When copying content manipulated by a script, such as:
document.addEventListener('copy', function(e){ e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>'); e.preventDefault(); });and pasting into the Trix editor, the script within the content is executed.
- Bug 2: Similar execution occurs with content structured as:
document.write(`copy<div data-trix-attachment="{"contentType":"text/html","content":"<img src=1 onerror=alert(101)>HELLO123"}"></div>me`);Impact:
An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
Remediation:
Update Recommendation: Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.
CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts can significantly mitigate the risk of such vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.
References:
Credit: These issues were reported by security researchers loknop and pinpie.
Release Notes
2.1.1
What's Changed
- Bump tar from 6.2.0 to 6.2.1 by @dependabot in #1146
- Sanitize noscript to prevent copy and paste XSS by @lewispb in #1147
- Sanitize HTML content in data-trix-* attributes by @lewispb & @afcapel in #1149
New Contributors
Full Changelog: v2.1.0...v2.1.1
2.1.0
What's Changed
- Bump ip from 1.1.8 to 1.1.9 by @dependabot in #1136
- Bump follow-redirects from 1.15.4 to 1.15.6 by @dependabot in #1140
- Allow custom HTML attributes in blocks by @afcapel in #1138
Full Changelog: v2.0.10...v2.1.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 16 commits:
v2.1.1Merge pull request #1149 from basecamp/paste-html-sanitizeSanitize HTML content in data-trix-* attributesTest attachment content is sanitizedMerge pull request #1147 from basecamp/sanitize-noscriptSanitize noscript to prevent copy and paste XSSMerge pull request #1146 from basecamp/dependabot/npm_and_yarn/tar-6.2.1Bump tar from 6.2.0 to 6.2.1v2.1.0Merge pull request #1138 from basecamp/custom-html-block-attributesMerge pull request #1140 from basecamp/dependabot/npm_and_yarn/follow-redirects-1.15.6Bump follow-redirects from 1.15.4 to 1.15.6Default to empty HTML attributesAllow custom HTML attributes in blocksMerge pull request #1136 from basecamp/dependabot/npm_and_yarn/ip-1.1.9Bump ip from 1.1.8 to 1.1.9
👉 No CI detected
You don't seem to have any Continuous Integration service set up!
Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.
This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:
* [Circle CI](https://circleci.com), [Semaphore ](https://semaphoreci.com) and [Github Actions](https://docs.github.com/actions) are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with `depfu/`.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu cancel merge
- Cancels automatic merging of this PR
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)
![depfu[bot] avatar](https://avatars.githubusercontent.com/in/715?v=4 "Published by a pub.dev verified publisher"){kind=small}