UI: patch lodash.template with vulnerability fix (#26626)
This commit is contained in:
parent
75b0418d51
commit
670ec764d3
45
ui/.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch
Normal file
45
ui/.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch
Normal file
@ -0,0 +1,45 @@
|
||||
diff --git a/index.js b/index.js
|
||||
index f051141e362679e1cc12f3dca924d8f6e7f5459b..63815c4c53412263de74fd4d779cfd198be87c8e 100644
|
||||
--- a/index.js
|
||||
+++ b/index.js
|
||||
@@ -17,6 +17,9 @@ var HOT_COUNT = 800,
|
||||
var INFINITY = 1 / 0,
|
||||
MAX_SAFE_INTEGER = 9007199254740991;
|
||||
|
||||
+/** Error message constants. */
|
||||
+var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`';
|
||||
+
|
||||
/** `Object#toString` result references. */
|
||||
var argsTag = '[object Arguments]',
|
||||
arrayTag = '[object Array]',
|
||||
@@ -1343,6 +1346,18 @@ function keysIn(object) {
|
||||
return isArrayLike(object) ? arrayLikeKeys(object, true) : baseKeysIn(object);
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * Used to validate the `validate` option in `_.template` variable.
|
||||
+ *
|
||||
+ * Forbids characters which could potentially change the meaning of the function argument definition:
|
||||
+ * - "()," (modification of function parameters)
|
||||
+ * - "=" (default value)
|
||||
+ * - "[]{}" (destructuring of function parameters)
|
||||
+ * - "/" (beginning of a comment)
|
||||
+ * - whitespace
|
||||
+ */
|
||||
+var reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;
|
||||
+
|
||||
/**
|
||||
* Creates a compiled template function that can interpolate data properties
|
||||
* in "interpolate" delimiters, HTML-escape interpolated data properties in
|
||||
@@ -1522,6 +1537,11 @@ function template(string, options, guard) {
|
||||
if (!variable) {
|
||||
source = 'with (obj) {\n' + source + '\n}\n';
|
||||
}
|
||||
+ // Throw an error if a forbidden character was found in `variable`, to prevent
|
||||
+ // potential command injection attacks.
|
||||
+ else if (reForbiddenIdentifierChars.test(variable)) {
|
||||
+ throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT);
|
||||
+ }
|
||||
// Cleanup code by stripping empty strings.
|
||||
source = (isEvaluating ? source.replace(reEmptyStringLeading, '') : source)
|
||||
.replace(reEmptyStringMiddle, '$1')
|
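Review bot: The doc comment on `reForbiddenIdentifierChars` is wrong about what it guards: it says "Used to validate the `validate` option in `_.template` variable", but the regex is applied to the `variable` option (see `else if (reForbiddenIdentifierChars.test(variable))` further down); it should read `Used to validate the \`variable\` option passed to \`_.template\`.` The check is a denylist of characters rather than an assertion that `variable` is a single identifier, which appears to mirror the upstream lodash fix, though the commit does not say so; recording that provenance in the patch header would let the next dependency upgrade compare against upstream instead of re-deriving the rule. Since the patch is only applied through the yarn `resolutions` ranges in package.json, a small UI test asserting that `_.template('x', { variable: 'a)' })` throws `Invalid \`variable\` option passed into \`_.template\`` would catch the patch silently dropping out when a new lodash.template range is introduced. The enclosing `template` function starts and ends outside the hunk.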
@ -220,7 +220,9 @@
|
||||
"xmlhttprequest-ssl": "^1.6.2",
|
||||
"@embroider/macros": "^1.15.0",
|
||||
"socket.io": "^4.6.2",
|
||||
"json5": "^1.0.2"
|
||||
"json5": "^1.0.2",
|
||||
"lodash.template@^4.4.0": "patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch",
|
||||
"lodash.template@^4.5.0": "patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch"
|
||||
},
|
||||
"engines": {
|
||||
"node": "18"
|
||||
|
12
ui/yarn.lock
12
ui/yarn.lock
@ -13767,7 +13767,7 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"lodash.template@npm:^4.4.0, lodash.template@npm:^4.5.0":
|
||||
"lodash.template@npm:4.5.0":
|
||||
version: 4.5.0
|
||||
resolution: "lodash.template@npm:4.5.0"
|
||||
dependencies:
|
||||
@ -13777,6 +13777,16 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"lodash.template@patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch::locator=vault%40workspace%3A.":
|
||||
version: 4.5.0
|
||||
resolution: "lodash.template@patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch::version=4.5.0&hash=fc7e65&locator=vault%40workspace%3A."
|
||||
dependencies:
|
||||
lodash._reinterpolate: ^3.0.0
|
||||
lodash.templatesettings: ^4.0.0
|
||||
checksum: 7d6d1f5d57bf1ef0dd2877e49f00a45423030372e9d7bd2982c98e5d25805038a51af19149eabe7643bf558dfec2d53bc0db2abd627d2e91755d14da638e6030
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"lodash.templatesettings@npm:^4.0.0":
|
||||
version: 4.2.0
|
||||
resolution: "lodash.templatesettings@npm:4.2.0"
|
||||
|