From c4053ea7ce359ec03773763fbf3fcb2be192778b Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Wed, 7 Aug 2019 09:38:12 +0200
Subject: Update meta-marked to latest version

Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.

This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.

For Details:

https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515

What is a ReDOS?

A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.

For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

Credit:

Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.

Also thanks to the `marked`-team for fixing things already.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
---
 yarn.lock | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

(limited to 'yarn.lock')

diff --git a/yarn.lock b/yarn.lock
index ab964e28..f9a87cfe 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7590,10 +7590,10 @@ markdown-table@^1.1.0:
   resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-1.1.3.tgz#9fcb69bcfdb8717bfd0398c6ec2d93036ef8de60"
   integrity sha512-1RUZVgQlpJSPWYbFSpmudq5nHY1doEIv89gBtF0s4gW1GF2XorxcA/70M5vq7rLv0a6mhOUccRsqkwhwLCIQ2Q==
 
-marked@~0.6.2:
-  version "0.6.2"
-  resolved "https://registry.yarnpkg.com/marked/-/marked-0.6.2.tgz#c574be8b545a8b48641456ca1dbe0e37b6dccc1a"
-  integrity sha512-LqxwVH3P/rqKX4EKGz7+c2G9r98WeM/SW34ybhgNGhUQNKtf1GmmSkJ6cDGJ/t6tiyae49qRkpyTw2B9HOrgUA==
+marked@~0.7.0:
+  version "0.7.0"
+  resolved "https://registry.yarnpkg.com/marked/-/marked-0.7.0.tgz#b64201f051d271b1edc10a04d1ae9b74bb8e5c0e"
+  integrity sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg==
 
 math-interval-parser@^1.1.0:
   version "1.1.0"
@@ -7769,12 +7769,12 @@ messageformat@^0.3.1:
     nopt "~3.0.6"
     watchr "~2.4.13"
 
-"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.2":
-  version "0.4.4"
-  resolved "git+https://github.com/codimd/meta-marked#04fd9775b38566e41b71e3e63bd78717d3eb4445"
+"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.5":
+  version "0.4.5"
+  resolved "git+https://github.com/codimd/meta-marked#30852d0efa633418865df179f5956cd3df0fd0b3"
   dependencies:
     js-yaml "~3.13.1"
-    marked "~0.6.2"
+    marked "~0.7.0"
 
 method-override@^2.3.7:
   version "2.3.10"
-- 
cgit v1.2.3