Open renovate[bot] opened 4 years ago
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
This PR contains the following updates:
1.7.8
->1.8.0
GitHub Vulnerability Alerts
CVE-2019-10768
Versions of
angular
prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API functionmerge()
does not restrict the modification of an Object's prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.Recommendation
Upgrade to version 1.7.9 or later. The function was already deprecated and upgrades are not expected to break functionality.
CVE-2020-7676
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "
GHSA-5cp4-xmrw-59wf
Summary
XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to
JQLite
methods likeJQLite.prepend
,JQLite.after
,JQLite.append
,JQLite.replaceWith
,JQLite.append
,new JQLite
andangular.element
.Description
JQLite (DOM manipulation library that's part of AngularJS) manipulates input HTML before inserting it to the DOM in
jqLiteBuildFragment
.One of the modifications performed expands an XHTML self-closing tag.
If
jqLiteBuildFragment
is called (e.g. vianew JQLite(aString)
) with user-controlled HTML string that was sanitized (e.g. with DOMPurify), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript - and trigger an XSS when the payload is inserted into DOM.This is similar to a bug in jQuery
htmlPrefilter
function that was fixed in 3.5.0.Proof of concept
Note that the style element is not closed and
<img
would be a text node inside the style if inserted into the DOM as-is. As such, some HTML sanitizers would leave the<img
as is without processing it and stripping theonerror
attribute.This will alert, as
<style/>
will be replaced with<style></style>
before adding it to the DOM, closing the style element early and reactivatingimg
.Patches
The issue is patched in
JQLite
bundled with angular 1.8.0. AngularJS users using JQuery should upgrade JQuery to 3.5.0, as a similar vulnerability affects jQuery <3.5.0.Workarounds
Changing sanitizer configuration not to allow certain tag grouping (e.g.
<option><style></option>
) or inline style elements may stop certain exploitation vectors, but it's uncertain if all possible exploitation vectors would be covered. Upgrade of AngularJS to 1.8.0 is recommended.References
https://github.com/advisories/GHSA-mhp6-pxh8-r675 https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6 https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://snyk.io/vuln/SNYK-JS-ANGULAR-570058
Release Notes
angular/angular.js
### [`v1.8.0`](https://togithub.com/angular/angular.js/blob/HEAD/CHANGELOG.md#180-nested-vaccination-2020-06-01) [Compare Source](https://togithub.com/angular/angular.js/compare/v1.7.9...v1.8.0) *This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz([@koto](https://togithub.com/koto)); and independently by Esben Sparre Andreasen ([@esbena](https://togithub.com/esbena)) while performing a Variant Analysis of [CVE-2020-11022](https://togithub.com/advisories/GHSA-gxr4-xjj5-5px2) which itself was found and reported by Masato Kinugawa ([@masatokinugawa](https://togithub.com/masatokinugawa)).* #### Bug Fixes - **jqLite:** - prevent possible XSS due to regex-based HTML replacement ([2df43c](https://togithub.com/angular/angular.js/commit/2df43c07779137d1bddf7f3b282a1287a8634acd)) #### Breaking Changes ##### **jqLite** due to: - **[2df43c](https://togithub.com/angular/angular.js/commit/2df43c07779137d1bddf7f3b282a1287a8634acd)**: prevent possible XSS due to regex-based HTML replacement JqLite no longer turns XHTML-like strings like `` to sibling elements `` when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to: `(Thanks to the [Snyk Security Research Team](https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/) for identifyng this issue.) - **ngStyle:** correctly remove old style when new style value is invalid ([5edd25](https://togithub.com/angular/angular.js/commit/5edd25364f617083363dc2bd61f9230b38267578), [#16860](https://togithub.com/angular/angular.js/issues/16860), [#16868](https://togithub.com/angular/angular.js/issues/16868))
Configuration
📅 Schedule: Branch creation - "" in timezone Japan, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.