agiledigital / typed-redux-saga

An attempt to bring better TypeScript typing to redux-saga.
MIT License

Update dependency nunjucks to v3.2.4 [SECURITY] #690

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Change |
|---|---|
| nunjucks | 3.2.3 -> 3.2.4 |

GitHub Vulnerability Alerts

CVE-2023-2142

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross-site scripting payloads using the backslash (`\`) character.

Example

If the user-controlled parameters were used in the views similar to the following:

```html
<script>
let testObject = { lang: '', place: '' };
</script>
```

It is possible to inject an XSS payload using the parameters below:

```text
https://<application-url>/?lang=jp\&place=};alert(document.domain)//
```

Patches

The issue was patched in version 3.2.4.

Release Notes

mozilla/nunjucks (nunjucks)

### [`v3.2.4`](https://redirect.github.com/mozilla/nunjucks/blob/HEAD/CHANGELOG.md#324-Apr-13-2023)

[Compare Source](https://redirect.github.com/mozilla/nunjucks/compare/v3.2.3...v3.2.4)

- HTML encode backslashes when expressions are passed through the escape filter (including when this is done automatically with autoescape). Merge of [#1437](https://redirect.github.com/mozilla/nunjucks/pull/1437).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
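The backslash bypass from the advisory above and the 3.2.4 fix from the release note, as an added example that is not nunjucks' or this repository's code: it re-implements the escape filter's character map before and after the fix (the `&#92;` entity for the backslash is an assumption about the 3.2.4 change), renders the advisory's view with its two parameters, and checks whether each value stayed inside its JS string literal.

```javascript
// Added example, not nunjucks' own code: a minimal re-implementation of the
// escape filter's character map before and after 3.2.4, applied to the view
// and the two parameters from the advisory. The &#92; entity for the
// backslash is assumed to match the 3.2.4 change.
const ESCAPE_PRE_3_2_4 = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
// 3.2.4 additionally encodes the backslash, so it can no longer turn the
// closing quote of a JS string literal into an escaped character.
const ESCAPE_3_2_4 = { ...ESCAPE_PRE_3_2_4, '\\': '&#92;' };

function makeEscape(map) {
  return (value) => String(value).replace(/[&"'<>\\]/g, (ch) => map[ch] ?? ch);
}

// The view from the advisory: two user-controlled values on one line.
const VIEW_SKELETON = "let testObject = { lang: '', place: '' };";
function renderView(escape, lang, place) {
  return `let testObject = { lang: '${escape(lang)}', place: '${escape(place)}' };`;
}

// Tokenise single-quoted JS string literals the way the browser's JS parser
// does: a backslash escapes the next character, so \' does not end a literal.
// HTML entities are not decoded inside <script>, so &#92; stays inert text.
const JS_SINGLE_QUOTED = /'(?:\\.|[^'\\])*'/g;

function literalContents(rendered) {
  return (rendered.match(JS_SINGLE_QUOTED) ?? []).map((lit) => lit.slice(1, -1));
}

// What the JS engine would execute as code rather than keep as string data.
function codeOutsideLiterals(rendered) {
  return rendered.replace(JS_SINGLE_QUOTED, "''");
}

// Defender-side check: user data stayed inside its literals and the code
// around them is exactly the template author's code.
function dataStayedData(rendered) {
  return codeOutsideLiterals(rendered) === VIEW_SKELETON;
}

// Constructed inputs, copied from the advisory's example URL.
const LANG = 'jp\\';
const PLACE = '};alert(document.domain)//';

const vulnerable = renderView(makeEscape(ESCAPE_PRE_3_2_4), LANG, PLACE);
const patched = renderView(makeEscape(ESCAPE_3_2_4), LANG, PLACE);

console.log(dataStayedData(vulnerable), '->', codeOutsideLiterals(vulnerable));
console.log(dataStayedData(patched), '->', codeOutsideLiterals(patched));
```

The fix holds because HTML entities are not decoded inside `<script>`, so the value reaches the JS parser as the six characters `&#92;` rather than a backslash that can escape the closing quote.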