UI: patch lodash.template with vulnerability fix (#26626)

Chelsea Shaw 2024-04-29 11:49:44 -05:00 committed by GitHub
parent 75b0418d51
commit 670ec764d3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 59 additions and 2 deletions


@ -0,0 +1,45 @@
diff --git a/index.js b/index.js
index f051141e362679e1cc12f3dca924d8f6e7f5459b..63815c4c53412263de74fd4d779cfd198be87c8e 100644
--- a/index.js
+++ b/index.js
@@ -17,6 +17,9 @@ var HOT_COUNT = 800,
var INFINITY = 1 / 0,
MAX_SAFE_INTEGER = 9007199254740991;
+/** Error message constants. */
+var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`';
+
/** `Object#toString` result references. */
var argsTag = '[object Arguments]',
arrayTag = '[object Array]',
@@ -1343,6 +1346,18 @@ function keysIn(object) {
return isArrayLike(object) ? arrayLikeKeys(object, true) : baseKeysIn(object);
}
+/**
+ * Used to validate the `validate` option in `_.template` variable.
+ *
+ * Forbids characters which could potentially change the meaning of the function argument definition:
+ * - "()," (modification of function parameters)
+ * - "=" (default value)
+ * - "[]{}" (destructuring of function parameters)
+ * - "/" (beginning of a comment)
+ * - whitespace
+ */
+var reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;
+
/**
* Creates a compiled template function that can interpolate data properties
* in "interpolate" delimiters, HTML-escape interpolated data properties in
@@ -1522,6 +1537,11 @@ function template(string, options, guard) {
if (!variable) {
source = 'with (obj) {\n' + source + '\n}\n';
}
+ // Throw an error if a forbidden character was found in `variable`, to prevent
+ // potential command injection attacks.
+ else if (reForbiddenIdentifierChars.test(variable)) {
+ throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT);
+ }
// Cleanup code by stripping empty strings.
source = (isEvaluating ? source.replace(reEmptyStringLeading, '') : source)
.replace(reEmptyStringMiddle, '$1')
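Review bot: The doc comment introducing `reForbiddenIdentifierChars` names the wrong option — it says it validates the `validate` option, while the guard added to `template` tests the `variable` option; suggest `Used to validate the \`variable\` option passed to \`_.template\`.` so the comment matches the code it documents. The patch file itself carries no provenance: a one-line preamble above the first `diff --git` such as `# Mirrors the upstream lodash fix for <ADVISORY-ID>; drop once lodash.template ships a fixed release` (real id filled in, and only if the yarn patch tooling tolerates a preamble) would let the next maintainer judge whether the patch is still needed when the dependency is bumped. The `template` function whose body the last hunk modifies starts and ends outside the hunk, so the new `else if` is only known to be reached when `variable` is truthy from the visible `if (!variable)` above it.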


@ -220,7 +220,9 @@
"xmlhttprequest-ssl": "^1.6.2",
"@embroider/macros": "^1.15.0",
"socket.io": "^4.6.2",
"json5": "^1.0.2"
"json5": "^1.0.2",
"lodash.template@^4.4.0": "patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch",
"lodash.template@^4.5.0": "patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch"
},
"engines": {
"node": "18"
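Review bot: The two `lodash.template@...` resolution keys only redirect the exact `^4.4.0` and `^4.5.0` descriptors to the patched build, so any future dependency that declares a different range (for example `^4.0.0` or a pinned `4.5.0`) would resolve to the unpatched package without any warning. The lockfile in this commit shows only those two descriptors today, so coverage is complete right now, but the fix is fragile. If the intent is to patch every resolution of the package, a single descriptor-less key `"lodash.template": "patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch"` is the more robust form; otherwise a comment in the PR description noting that new ranges must be added here would help.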


@ -13767,7 +13767,7 @@ __metadata:
languageName: node
linkType: hard
"lodash.template@npm:^4.4.0, lodash.template@npm:^4.5.0":
"lodash.template@npm:4.5.0":
version: 4.5.0
resolution: "lodash.template@npm:4.5.0"
dependencies:
@ -13777,6 +13777,16 @@ __metadata:
languageName: node
linkType: hard
"lodash.template@patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch::locator=vault%40workspace%3A.":
version: 4.5.0
resolution: "lodash.template@patch:lodash.template@npm%3A4.5.0#./.yarn/patches/lodash.template-npm-4.5.0-5272df3039.patch::version=4.5.0&hash=fc7e65&locator=vault%40workspace%3A."
dependencies:
lodash._reinterpolate: ^3.0.0
lodash.templatesettings: ^4.0.0
checksum: 7d6d1f5d57bf1ef0dd2877e49f00a45423030372e9d7bd2982c98e5d25805038a51af19149eabe7643bf558dfec2d53bc0db2abd627d2e91755d14da638e6030
languageName: node
linkType: hard
"lodash.templatesettings@npm:^4.0.0":
version: 4.2.0
resolution: "lodash.templatesettings@npm:4.2.0"