docsifyjs / docsify

🃏 A magical documentation site generator.
https://docsify.js.org
MIT License

Update marked version to 4 to avoid vulnerability #1852

Closed mrflos closed 1 year ago

mrflos commented 2 years ago

Feature request

What problem does this feature solve?

The actual dependency on marked version 1.2.9 has a denial of service vulnerability, cf. CVE-2022-21681. Dependabot says it will be fixed if using marked >= 4.0.10.

What does the proposed API look like?

How should this be implemented in your opinion?

Are you willing to work on this yourself?

I'm not an expert in JS, but I could try if needed.

juanjoDiaz commented 1 year ago

Any reason to not update marked and close the vulnerability? This has been open for 8 months.

trusktr commented 1 year ago

There's no reason, just no one has gotten to it yet.

It may not be as simple as a version number change in package.json, may require some work, and might be a breaking change (not sure yet, but someone would need to verify it).

Note that the above CVE-2022-21681 has not been a concern. Docsify is typically a statically-served client-side application, so there isn't really anything to DoS. Thus far no one has reported any performance issues (whether by that regex or not).

It is possible someone might be using the experimental and very incomplete SSR (server-side rendering) implementation we had, in which case someone making a lot of requests to someone's SSR'd Docsify site could potentially cause a DoS, but the current version of SSR has since been removed, so DoS is no longer a possibility as we move towards a more modern Docsify.

Essentially there isn't a security concern regarding any slow regex at the moment.

EDIT: I forgot, Marked was already updated beyond the above recommended version in https://github.com/docsifyjs/docsify/pull/1993.

But regardless, we are working to simplify and modernize Docsify and intend to update marked to the latest again. That will be tracked in

We'll close this one in favor of that one.

If someone feels like trying to update marked, please do. Any help would be welcome!

gmartenscb commented 1 year ago

Marked was indeed already bumped to a version higher than the security vulnerabilities. Unfortunately, this was only done on the develop branch and was never actually released. So the latest version of docsify (4.13.1) is still using marked@^1.2.9, which has a security vulnerability. Any chance we can get a release with the updated version of marked?

trusktr commented 1 year ago

v5 is coming soon.

In the meantime, what you can do is simply clone Docsify, update the marked version, run the build step, and host the built file with your static site.

If someone has time to test it out for v4 prior to the breaking changes on develop (they are marked as breaking), and make a pull request for v4, we can consider that too. Personally when I circle back I will focus on the v5 release.

gs-scooter commented 9 months ago

@trusktr - Unfortunately, attempting a build off of main branch with v4.3.0 of marked results in an error (see below). Would appreciate any ideas on how to resolve this since it's preferred to not be sitting on a high-severity vulnerability for an unknown amount of time.

lib/plugins/ga.js
lib/plugins/matomo.min.js
lib/plugins/ga.min.js
lib/plugins/disqus.min.js
lib/plugins/matomo.js
lib/plugins/external-script.min.js
lib/plugins/disqus.js
lib/plugins/gitalk.js
lib/plugins/external-script.js
lib/plugins/gitalk.min.js
lib/plugins/emoji.min.js
lib/plugins/emoji.js
lib/plugins/zoom-image.min.js
lib/plugins/zoom-image.js
lib/plugins/search.js
lib/plugins/search.min.js
lib/plugins/front-matter.min.js
lib/plugins/front-matter.js
SyntaxError: Unexpected token (2475:26)
    at Object.pp$4.raise (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:2825:15)
    at Object.pp.unexpected (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:689:10)
    at Object.pp.expect (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:683:28)
    at Object.pp$3.parseMethod (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:2609:10)
    at Object.pp$1.parseClassMethod (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:1387:25)
    at Object.pp$1.parseClassElement (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:1376:10)
    at Object.pp$1.parseClass (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:1315:26)
    at Object.pp$1.parseStatement (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:833:19)
    at Object.parseStatement (C:\dev\docsify\node_modules\acorn-dynamic-import\lib\index.js:63:118)
    at Object.pp$1.parseTopLevel (C:\dev\docsify\node_modules\buble\node_modules\acorn\dist\acorn.js:746:23) {
  pos: 68445,
  loc: Position {
    line: 2475,
    column: 26,
    file: 'C:\\dev\\docsify\\node_modules\\marked\\lib\\marked.esm.js'
  },
  raisedAt: 68446,
  snippet: '2471 :   constructor(options) {\n' +
    '2472 :     this.options = options || defaults;\n' +
    '2473 :   }\n' +
    '2474 : \n' +
    '2475 :   static passThroughHooks = new Set([\n' +
    '                                 ^',
  toString: [Function (anonymous)],
  plugin: 'buble',
  frame: '2471 :   constructor(options) {\n' +
    '2472 :     this.options = options || defaults;\n' +
    '2473 :   }\n' +
    '2474 : \n' +
    '2475 :   static passThroughHooks = new Set([\n' +
    '                                 ^',
  code: 'PLUGIN_ERROR',
  hook: 'transform',
  id: 'C:\\dev\\docsify\\node_modules\\marked\\lib\\marked.esm.js',
  watchFiles: [
    'C:\\dev\\docsify\\src\\core\\index.js',
    'C:\\dev\\docsify\\src\\core\\Docsify.js',
    'C:\\dev\\docsify\\src\\core\\util\\dom.js',
    'C:\\dev\\docsify\\src\\core\\global-api.js',
    'C:\\dev\\docsify\\src\\core\\config.js',
    'C:\\dev\\docsify\\src\\core\\render\\index.js',
    'C:\\dev\\docsify\\src\\core\\router\\index.js',
    'C:\\dev\\docsify\\src\\core\\event\\index.js',
    'C:\\dev\\docsify\\src\\core\\fetch\\index.js',
    'C:\\dev\\docsify\\src\\core\\virtual-routes\\index.js',
    'C:\\dev\\docsify\\src\\core\\util\\core.js',
    'C:\\dev\\docsify\\src\\core\\init\\lifecycle.js',
    'C:\\dev\\docsify\\src\\core\\util\\env.js',
    'C:\\dev\\docsify\\src\\core\\render\\slugify.js',
    'C:\\dev\\docsify\\src\\core\\render\\compiler.js',
    'C:\\dev\\docsify\\src\\core\\fetch\\ajax.js',
    'C:\\dev\\docsify\\src\\core\\util\\index.js',
    'C:\\dev\\docsify\\node_modules\\prismjs\\prism.js',
    'C:\\dev\\docsify\\node_modules\\marked\\lib\\marked.esm.js',
    'C:\\dev\\docsify\\src\\core\\router\\util.js',
    'C:\\dev\\docsify\\src\\core\\event\\scroll.js',
    'C:\\dev\\docsify\\src\\core\\render\\embed.js',
    'C:\\dev\\docsify\\node_modules\\tinydate\\dist\\tinydate.mjs',
    'C:\\dev\\docsify\\src\\core\\event\\sidebar.js',
    'C:\\dev\\docsify\\src\\core\\render\\tpl.js',
    'C:\\dev\\docsify\\src\\core\\virtual-routes\\next.js',
    'C:\\dev\\docsify\\src\\core\\virtual-routes\\exact-match.js',
    'C:\\dev\\docsify\\src\\core\\router\\history\\html5.js',
    'C:\\dev\\docsify\\src\\core\\util\\polyfill\\css-vars.js',
    'C:\\dev\\docsify\\src\\core\\router\\history\\hash.js',
    '\x00commonjsHelpers.js'
  ]
}
ERROR: "build:js" exited with 1.

trusktr commented 9 months ago

@gs-scooter If you would like to help out, ping us in Discord.