yashaka / selene

User-oriented Web UI browser tests in Python
https://yashaka.github.io/selene/
MIT License

Update `pymdown-extensions` to fix CVE-2023-32309 #483

Closed hotenov closed 1 year ago

hotenov commented 1 year ago

Quote about CVE-2023-32309

Summary

Arbitrary file read when using include file syntax.

Details

By using the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd".

Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal. The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py.

import os

base = "docs"
path = "/etc/passwd"
filename = os.path.join(base, path)  # Filename is now /etc/passwd: join discards base when path is absolute

Affected versions: >= 1.5, < 10.0
Patched version: 10.0

This will close the auto-created PR https://github.com/yashaka/selene/pull/482 by dependabot
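The os.path.join behaviour quoted above, as an added example that is not part of this issue or of pymdown-extensions' own code: join_unchecked reproduces the legacy behaviour, and resolve_within (a hypothetical helper, not the library's API) is one way to keep a snippet path inside a base path; both function names are assumptions.

```python
import os
from typing import Optional

# Constructed example; not pymdown-extensions' code. Shows why an absolute
# or ".."-prefixed snippet path escapes base_path, and one containment check.


def join_unchecked(base: str, path: str) -> str:
    """Legacy behaviour: os.path.join drops `base` when `path` is absolute,
    and keeps ".." components untouched, so both escape the base directory."""
    return os.path.join(base, path)


def resolve_within(base: str, path: str) -> Optional[str]:
    """Return the resolved path only if it stays inside `base`, else None.

    Both sides are normalised with realpath so symlinks and ".." are
    resolved before comparing. The candidate must be `base` itself or a
    descendant; the separator-boundary test stops "docs" from accepting
    "docs2/..." as inside.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, path))
    if candidate == base_real or candidate.startswith(base_real + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    for p in ("/etc/passwd", "../../../../etc/passwd", "snippets/intro.md"):
        print(p, "->", join_unchecked("docs", p), "| contained:",
              resolve_within("docs", p) is not None)
```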

hotenov commented 1 year ago

This is a quick fix!

Although pymdown-extensions will be updated by merging the PR, we will still use the legacy (and potentially insecure) behavior via the option restrict_base_path: False

NOTE: To avoid using this legacy behavior we should implement our own "snippet functionality" via copy / edit scripts in the future.

hotenov commented 1 year ago

The fix was merged. I'm closing this issue.