When processing theming resources (i.e. *.less files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.
While this is a feature of the Less.js library, it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development.
Especially in the context of UI5 Tooling, which relies on less-openui5, this poses a security threat:
An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files.
This is an example of inline JavaScript in a Less file:
.rule {
@​var: `(function(){console.log('Hello from JavaScript'); process.exit(1);})()`;
color: @​var;
}
Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3.
Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it:
.rule {
@​var: "`(function(){console.log('Hello from JavaScript'); process.exit(1);})()`";
color: @​var;
}
Patches
We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork.
This fix is available in less-openui5 version v0.10.0
Workarounds
Only process trusted theming resources.
For more information
If you have any questions or comments about this advisory:
This PR contains the following updates:
0.1.3->0.10.0GitHub Vulnerability Alerts
CVE-2021-21316
Impact
When processing theming resources (i.e.
*.lessfiles) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.While this is a feature of the Less.js library, it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development.
Especially in the context of UI5 Tooling, which relies on less-openui5, this poses a security threat:
An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the
.lessfiles.This is an example of inline JavaScript in a Less file:
Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3.
Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it:
Patches
We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork.
This fix is available in less-openui5 version v0.10.0
Workarounds
Only process trusted theming resources.
For more information
If you have any questions or comments about this advisory:
Release Notes
SAP/less-openui5 (less-openui5)
### [`v0.10.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v0100---2021-01-29) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.9.0...v0.10.0) ##### Breaking Changes - **Security:** Disable JavaScript execution in Less.js [`c0d3a85`](https://togithub.com/SAP/less-openui5/commit/c0d3a8572974a20ea6cee42da11c614a54f100e8) ##### BREAKING CHANGE Parser option `javascriptEnabled` has been removed. JavaScript is always disabled and cannot be enabled. ### [`v0.9.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v090---2020-11-06) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.8.7...v0.9.0) ##### Breaking Changes - Remove support for import over http(s) [`e4a1c86`](https://togithub.com/SAP/less-openui5/commit/e4a1c86b994430fa3e640dc7b09a6c09a1b2845b) - Require Node.js >= 10 [`47f244e`](https://togithub.com/SAP/less-openui5/commit/47f244ec37ab5ff51c88cd2dd96c4110f2779694) ##### BREAKING CHANGE Import over http(s) is not supported anymore. Use the Builder 'fs' option to provide an interface that also handles http(s) resources. Support for older Node.js releases has been dropped. Only Node.js v10 or higher is supported. ### [`v0.8.7`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v087---2020-06-26) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.8.6...v0.8.7) ##### Bug Fixes - Error handling for missing scoping files [`c7513a1`](https://togithub.com/SAP/less-openui5/commit/c7513a101a2f01e9114ff86f5be598a29bc51be0) ### [`v0.8.6`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v086---2020-02-24) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.8.5...v0.8.6) ##### Bug Fixes - CSS var assignment only for less to less vars ([#116](https://togithub.com/SAP/less-openui5/issues/116)) [`2e9560d`](https://togithub.com/SAP/less-openui5/commit/2e9560dd2b89f7b1f3e09fcc3d0bfe867496a3fc) ### [`v0.8.5`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v085---2020-02-21) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.8.4...v0.8.5) ##### Features - Keep linking of less vars for css vars ([#115](https://togithub.com/SAP/less-openui5/issues/115)) [`3f99e9d`](https://togithub.com/SAP/less-openui5/commit/3f99e9d49fac620405dcad48556f5c4dfcf916c4) ### [`v0.8.4`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v084---2020-02-10) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.8.3...v0.8.4) ##### Features - Add experimental CSS variables and skeleton build ([#108](https://togithub.com/SAP/less-openui5/issues/108)) [`e6d8503`](https://togithub.com/SAP/less-openui5/commit/e6d85038f077ff252e8240d9924e7c4761ac4e5e) ### [`v0.8.3`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v083---2020-01-07) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.8.2...v0.8.3) ##### Bug Fixes - Diff algorithm exception ([#110](https://togithub.com/SAP/less-openui5/issues/110)) [`9628a6c`](https://togithub.com/SAP/less-openui5/commit/9628a6c6386b671e37a3c9680ca3b5fbd6175146) ### [`v0.8.2`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v082---2019-12-16) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.8.1...v0.8.2) ##### Bug Fixes - Support absolute import paths in less files ([#107](https://togithub.com/SAP/less-openui5/issues/107)) [`266b06d`](https://togithub.com/SAP/less-openui5/commit/266b06d9b091d34e6f279fbdf567702bcb9dbaed) ### [`v0.8.1`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v081---2019-12-03) [Compare Source](https://togithub.com/SAP/less-openui5/compare/v0.8.0...v0.8.1) ##### Bug Fixes - Improve rule diffing algorithm ([#104](https://togithub.com/SAP/less-openui5/issues/104)) [`2527189`](https://togithub.com/SAP/less-openui5/commit/252718912861d2edde2041729a106fb3e0a6316b) ### [`v0.8.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#v080---2019-11-18) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.7.0...v0.8.0) ##### Breaking Changes - Remove support for 'sourceMap' / 'cleancss' options [`3f234c8`](https://togithub.com/SAP/less-openui5/commit/3f234c88c4442035c0fe2683197c044ec6a93fab) ##### Bug Fixes - Apply less.js fix for import race condition [`694f6c4`](https://togithub.com/SAP/less-openui5/commit/694f6c41ad788eded034df6835cf5fbd8f6feaf3) ### [`v0.7.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#070---2019-10-30) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.6.0...0.7.0) ##### Breaking Changes - Drop support for Node.js < 8.5 [`810962c`](https://togithub.com/SAP/less-openui5/commit/810962cf7bb4604641160d547593568f70b72f98) ##### Bug Fixes - Add inline parameters on empty CSS [`bc59d58`](https://togithub.com/SAP/less-openui5/commit/bc59d58486e972057675c5b8abe83229f116bc07) - Scope rule handling ([#92](https://togithub.com/SAP/less-openui5/issues/92)) [`89b56c1`](https://togithub.com/SAP/less-openui5/commit/89b56c1a975f53ea8e436878b07707f1fb061486) [v0.11.6]: https://togithub.com/SAP/less-openui5/compare/v0.11.5...v0.11.6 [v0.11.5]: https://togithub.com/SAP/less-openui5/compare/v0.11.4...v0.11.5 [v0.11.4]: https://togithub.com/SAP/less-openui5/compare/v0.11.3...v0.11.4 [v0.11.3]: https://togithub.com/SAP/less-openui5/compare/v0.11.2...v0.11.3 [v0.11.2]: https://togithub.com/SAP/less-openui5/compare/v0.11.1...v0.11.2 [v0.11.1]: https://togithub.com/SAP/less-openui5/compare/v0.11.0...v0.11.1 [v0.11.0]: https://togithub.com/SAP/less-openui5/compare/v0.10.0...v0.11.0 [v0.10.0]: https://togithub.com/SAP/less-openui5/compare/v0.9.0...v0.10.0 [v0.9.0]: https://togithub.com/SAP/less-openui5/compare/v0.8.7...v0.9.0 [v0.8.7]: https://togithub.com/SAP/less-openui5/compare/v0.8.6...v0.8.7 [v0.8.6]: https://togithub.com/SAP/less-openui5/compare/v0.8.5...v0.8.6 [v0.8.5]: https://togithub.com/SAP/less-openui5/compare/v0.8.4...v0.8.5 [v0.8.4]: https://togithub.com/SAP/less-openui5/compare/v0.8.3...v0.8.4 [v0.8.3]: https://togithub.com/SAP/less-openui5/compare/v0.8.2...v0.8.3 [v0.8.2]: https://togithub.com/SAP/less-openui5/compare/v0.8.1...v0.8.2 [v0.8.1]: https://togithub.com/SAP/less-openui5/compare/v0.8.0...v0.8.1 [v0.8.0]: https://togithub.com/SAP/less-openui5/compare/0.7.0...v0.8.0 [0.7.0]: https://togithub.com/SAP/less-openui5/compare/0.6.0...0.7.0 ### [`v0.6.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#060---2018-09-10) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.5.4...0.6.0) ##### Breaking changes - Drop unsupported Node.js versions. Now requires >= 6 [#45](https://togithub.com/SAP/less-openui5/pull/45) ##### Fixes - Again, fix inline theme parameters encoding for '#' [#48](https://togithub.com/SAP/less-openui5/pull/48) ##### All changes [`0.5.4...0.6.0`](https://togithub.com/SAP/less-openui5/compare/0.5.4...0.6.0) ### [`v0.5.4`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#054---2018-07-04) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.5.3...0.5.4) ##### Fixes - Revert "Fix inline theme parameters encoding for '#'" [#26](https://togithub.com/SAP/less-openui5/pull/26) ##### All changes [`0.5.3...0.5.4`](https://togithub.com/SAP/less-openui5/compare/0.5.3...0.5.4) ### [`v0.5.3`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#053---2018-05-18) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.5.2...0.5.3) ##### Fixes - Fix less error propagation [#22](https://togithub.com/SAP/less-openui5/pull/22) - Fix inline theme parameters encoding for '#' [#23](https://togithub.com/SAP/less-openui5/pull/23) ##### All changes [`0.5.2...0.5.3`](https://togithub.com/SAP/less-openui5/compare/0.5.2...0.5.3) ### [`v0.5.2`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#052---2018-03-26) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.5.1...0.5.2) ##### Fixes - Fix reduced set of variables [#20](https://togithub.com/SAP/less-openui5/pull/20) ##### All changes [`0.5.1...0.5.2`](https://togithub.com/SAP/less-openui5/compare/0.5.1...0.5.2) ### [`v0.5.1`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#051---2018-03-12) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.5.0...0.5.1) ##### Fixes - Changed paths in variable collector to posix variant [#19](https://togithub.com/SAP/less-openui5/pull/19) ##### All changes [`0.5.0...0.5.1`](https://togithub.com/SAP/less-openui5/compare/0.5.0...0.5.1) ### [`v0.5.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#050---2018-02-09) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.4.0...0.5.0) ##### Features - Reduce collected variables to only add relevant ones [#18](https://togithub.com/SAP/less-openui5/pull/18) ##### All changes [`0.4.0...0.5.0`](https://togithub.com/SAP/less-openui5/compare/0.4.0...0.5.0) ### [`v0.4.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#040---2017-12-13) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.3.1...0.4.0) ##### Features - Add scope option [#16](https://togithub.com/SAP/less-openui5/pull/16) - Add custom fs option [#17](https://togithub.com/SAP/less-openui5/pull/17) ##### All changes [`0.3.1...0.4.0`](https://togithub.com/SAP/less-openui5/compare/0.3.1...0.4.0) ### [`v0.3.1`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#031---2017-03-28) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.3.0...0.3.1) ##### Fixes - Performance workaround: Handle properties directly added to String proto [#12](https://togithub.com/SAP/less-openui5/pull/12) ##### All changes [`0.3.0...0.3.1`](https://togithub.com/SAP/less-openui5/compare/0.3.0...0.3.1) ### [`v0.3.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#030---2017-03-23) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.2.0...0.3.0) ##### Breaking changes - Drop support for Node.js v0.10 [#5](https://togithub.com/SAP/less-openui5/pull/5) - Replace static `build` function with `Builder` class to enable caching of build results [#10](https://togithub.com/SAP/less-openui5/pull/10) - Refactor options to also include input LESS string [#6](https://togithub.com/SAP/less-openui5/pull/6) ##### Features - Added "lessInputPath" option to provide a path relative to the "rootPaths" [#10](https://togithub.com/SAP/less-openui5/pull/10) - Added diffing and scoping to support Belize contrast areas [#10](https://togithub.com/SAP/less-openui5/pull/10) - Analyze .theming files as theme scope indicators [#10](https://togithub.com/SAP/less-openui5/pull/10) ##### All changes [`0.2.0...0.3.0`](https://togithub.com/SAP/less-openui5/compare/0.2.0...0.3.0) ### [`v0.2.0`](https://togithub.com/SAP/less-openui5/blob/HEAD/CHANGELOG.md#020---2016-03-15) [Compare Source](https://togithub.com/SAP/less-openui5/compare/0.1.3...0.2.0) ##### Breaking changes - Set default of parser option `relativeUrls` to `true` [`00d892b`](https://togithub.com/SAP/less-openui5/commit/00d892b95c8c0401b8a61f1b1709dfc4a68cfa26) ##### Features - Include inline theming parameters [`4fa91b9`](https://togithub.com/SAP/less-openui5/commit/4fa91b997251f44ae3796e9f8396b45327005b13) ##### All changes [`0.1.3...0.2.0`](https://togithub.com/SAP/less-openui5/compare/0.1.3...0.2.0)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.