summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSheogorath2019-08-07 09:38:12 +0200
committerSheogorath2019-08-15 23:14:48 +0200
commitc4053ea7ce359ec03773763fbf3fcb2be192778b (patch)
treeba00b95a3985df85a4c30357b40c9212d9c46905
parent57cfbcbd470c794d667dc7bdb91f9bb27245db94 (diff)
Update meta-marked to latest version
Meta-marked 0.4.4 which we used from our git repository contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS which was able to cause a DOS attack on the server when updating a note. For Details: https://github.com/markedjs/marked/releases/tag/v0.7.0 https://github.com/markedjs/marked/pull/1515 What is a ReDOS? A ReDOS attack is a DOS attack where an attacker targets a not-well-written Regular Expression. Regular expressions try to build a tree of all possibilities it can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremly huge trees that simply lead to exhausting CPU usage. For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS Credit: Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
-rw-r--r--package.json4
-rw-r--r--yarn.lock16
2 files changed, 10 insertions, 10 deletions
diff --git a/package.json b/package.json
index b495ed94..2649d5af 100644
--- a/package.json
+++ b/package.json
@@ -82,7 +82,7 @@
"mathjax": "~2.7.0",
"mattermost": "^3.4.0",
"mermaid": "~8.2.3",
- "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2",
+ "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.5",
"method-override": "^2.3.7",
"minimist": "^1.2.0",
"minio": "^6.0.0",
@@ -193,8 +193,8 @@
"mocha": "^5.2.0",
"mock-require": "^3.0.3",
"optimize-css-assets-webpack-plugin": "^5.0.0",
- "sequelize-cli": "^5.4.0",
"script-loader": "^0.7.2",
+ "sequelize-cli": "^5.4.0",
"string-loader": "^0.0.1",
"style-loader": "^0.21.0",
"uglifyjs-webpack-plugin": "^1.2.7",
diff --git a/yarn.lock b/yarn.lock
index ab964e28..f9a87cfe 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7590,10 +7590,10 @@ markdown-table@^1.1.0:
resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-1.1.3.tgz#9fcb69bcfdb8717bfd0398c6ec2d93036ef8de60"
integrity sha512-1RUZVgQlpJSPWYbFSpmudq5nHY1doEIv89gBtF0s4gW1GF2XorxcA/70M5vq7rLv0a6mhOUccRsqkwhwLCIQ2Q==
-marked@~0.6.2:
- version "0.6.2"
- resolved "https://registry.yarnpkg.com/marked/-/marked-0.6.2.tgz#c574be8b545a8b48641456ca1dbe0e37b6dccc1a"
- integrity sha512-LqxwVH3P/rqKX4EKGz7+c2G9r98WeM/SW34ybhgNGhUQNKtf1GmmSkJ6cDGJ/t6tiyae49qRkpyTw2B9HOrgUA==
+marked@~0.7.0:
+ version "0.7.0"
+ resolved "https://registry.yarnpkg.com/marked/-/marked-0.7.0.tgz#b64201f051d271b1edc10a04d1ae9b74bb8e5c0e"
+ integrity sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg==
math-interval-parser@^1.1.0:
version "1.1.0"
@@ -7769,12 +7769,12 @@ messageformat@^0.3.1:
nopt "~3.0.6"
watchr "~2.4.13"
-"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.2":
- version "0.4.4"
- resolved "git+https://github.com/codimd/meta-marked#04fd9775b38566e41b71e3e63bd78717d3eb4445"
+"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.5":
+ version "0.4.5"
+ resolved "git+https://github.com/codimd/meta-marked#30852d0efa633418865df179f5956cd3df0fd0b3"
dependencies:
js-yaml "~3.13.1"
- marked "~0.6.2"
+ marked "~0.7.0"
method-override@^2.3.7:
version "2.3.10"