From f4c335ad2f4059b3fbf9114f37440e77f8ca9a4d Mon Sep 17 00:00:00 2001 From: Knut Sveidqvist Date: Tue, 28 Dec 2021 16:59:22 +0100 Subject: [PATCH 1/2] Fix for XSS vulnerability in url sanitization --- cypress/platform/xss16.html | 106 ++++++++++++++++++++++++++ cypress/platform/xss17.html | 106 ++++++++++++++++++++++++++ package.json | 2 +- src/diagrams/common/common.spec.js | 14 +++- src/diagrams/sequence/svgDraw.js | 14 ++-- src/diagrams/sequence/svgDraw.spec.js | 16 +++- 6 files changed, 249 insertions(+), 9 deletions(-) create mode 100644 cypress/platform/xss16.html create mode 100644 cypress/platform/xss17.html diff --git a/cypress/platform/xss16.html b/cypress/platform/xss16.html new file mode 100644 index 000000000..076ed3c34 --- /dev/null +++ b/cypress/platform/xss16.html @@ -0,0 +1,106 @@ + + + + + + + + + +
Security check
+
+
+
+ + + + + diff --git a/cypress/platform/xss17.html b/cypress/platform/xss17.html new file mode 100644 index 000000000..26f6a208a --- /dev/null +++ b/cypress/platform/xss17.html @@ -0,0 +1,106 @@ + + + + + + + + + +
Security check
+
+
+
+ + + + + diff --git a/package.json b/package.json index bb2fd0855..1449d05d5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "mermaid", - "version": "8.13.6", + "version": "8.13.8", "description": "Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.", "main": "dist/mermaid.core.js", "module": "dist/mermaid.esm.min.mjs", diff --git a/src/diagrams/common/common.spec.js b/src/diagrams/common/common.spec.js index e71400479..967a8d358 100644 --- a/src/diagrams/common/common.spec.js +++ b/src/diagrams/common/common.spec.js @@ -1,4 +1,4 @@ -import { removeScript, removeEscapes } from './common'; +import { sanitizeText, removeScript, removeEscapes } from './common'; describe('when securityLevel is antiscript, all script must be removed', function () { it('should remove all script block, script inline.', function () { @@ -69,3 +69,15 @@ describe('remove escape code in text', function () { expect(result).toEqual('script:'); }); }); + +describe('Sanitize text', function () { + it('should remove script tag', function () { + const maliciousStr = 'javajavascript:script:alert(1)'; + const result = sanitizeText(maliciousStr, { + securityLevel: 'strict', + flowchart: { htmlLabels: true }, + }); + console.log('result', result); + expect(result).not.toContain('javascript:alert(1)'); + }); +}); diff --git a/src/diagrams/sequence/svgDraw.js b/src/diagrams/sequence/svgDraw.js index cd0058bbf..ea2340eae 100644 --- a/src/diagrams/sequence/svgDraw.js +++ b/src/diagrams/sequence/svgDraw.js @@ -1,5 +1,6 @@ import common from '../common/common'; import { addFunction } from '../../interactionDb'; +import { sanitizeUrl } from '@braintree/sanitize-url'; export const drawRect = function (elem, rectData) { const rectElem = elem.append('rect'); 
@@ -19,12 +20,12 @@ export const drawRect = function (elem, rectData) { return rectElem; }; -const sanitizeUrl = function (s) { - return s - .replace(/&/g, '&') - .replace(/ { addFunction(() => { @@ -1055,4 +1056,5 @@ export default { popupMenu, popdownMenu, fixLifeLineHeights, + sanitizeUrl, }; diff --git a/src/diagrams/sequence/svgDraw.spec.js b/src/diagrams/sequence/svgDraw.spec.js index 755b8cc24..eb9730c77 100644 --- a/src/diagrams/sequence/svgDraw.spec.js +++ b/src/diagrams/sequence/svgDraw.spec.js @@ -1,4 +1,4 @@ -const svgDraw = require('./svgDraw'); +const svgDraw = require('./svgDraw').default; const { MockD3 } = require('d3'); describe('svgDraw', function () { @@ -124,4 +124,18 @@ describe('svgDraw', function () { expect(rect.lower).toHaveBeenCalled(); }); }); + describe('sanitizeUrl', function () { + it('it should sanitize malicious urls', function () { + const maliciousStr = 'javascript:script:alert(1)'; + const result = svgDraw.sanitizeUrl(maliciousStr); + console.log('result', result); + expect(result).not.toContain('javascript:alert(1)'); + }); + it('it should not sanitize non dangerous urls', function () { + const maliciousStr = 'javajavascript:script:alert(1)'; + const result = svgDraw.sanitizeUrl(maliciousStr); + console.log('result', result); + expect(result).not.toContain('javascript:alert(1)'); + }); + }); }); From 65592e0541790968703f16bc0b91a641b5443111 Mon Sep 17 00:00:00 2001 From: Knut Sveidqvist Date: Tue, 28 Dec 2021 17:31:35 +0100 Subject: [PATCH 2/2] Adding security page to the docs --- docs/_sidebar.md | 11 ++++++----- docs/security.md | 17 +++++++++++++++++ 2 files changed, 23 insertions(+), 5 deletions(-) create mode 100644 docs/security.md diff --git a/docs/_sidebar.md b/docs/_sidebar.md index 2d329ac6c..61eded583 100644 --- a/docs/_sidebar.md +++ b/docs/_sidebar.md 
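Review bot: The removed local `sanitizeUrl` entity-escaped `&` (and, judging by the truncated `.replace(/` line, at least one more markup character), whereas the library function it is replaced with blocks unsafe URL schemes such as `javascript:` and does not escape markup; the two are different protections, not equivalents. The hunk is cut off before the call site, so whether the result is set through a d3 `.attr(...)` (no escaping needed) or interpolated into an SVG/HTML string (escaping still needed) cannot be confirmed from here — check the consumer and, if it builds markup, keep the escaping on top of the scheme check. A one-line comment at the import or the call site, e.g. `// sanitizeUrl only neutralises unsafe URL schemes; it does not HTML-escape the value`, would stop the next reader assuming the old behaviour survived.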
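Review bot: The second test, titled 'it should not sanitize non dangerous urls', feeds the same kind of attack string (`'javajavascript:script:alert(1)'`) as the first and asserts the same negative, so the pass-through path for a benign URL is never exercised. Give it a harmless input and assert it comes back unchanged, e.g. `expect(svgDraw.sanitizeUrl('https://example.com/path')).toEqual('https://example.com/path');` (constructed sample), and in the first test pin the exact sanitized value rather than `not.toContain`, which also passes if the function returned any unrelated string. Both tests leave a `console.log('result', result)` behind. Since `sanitizeUrl` is now the library function re-exported through the default export (the `+ sanitizeUrl,` hunk above), these tests verify the dependency rather than mermaid code; the assertion worth having is on the drawing path that consumes the URL.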
@@ -1,10 +1,10 @@ -- πŸ“” Introduction +- πŸ“” Introduction - [About Mermaid](README.md) - [Deployment](n00b-gettingStarted.md) - [Syntax and Configuration](n00b-syntaxReference.md) -- πŸ“Š Diagram Syntax +- πŸ“Š Diagram Syntax - [Flowchart](flowchart.md) - [Sequence diagram](sequenceDiagram.md) - [Class Diagram](classDiagram.md) @@ -16,7 +16,7 @@ - [Requirement Diagram](requirementDiagram.md) - [Other Examples](examples.md) -- βš™οΈ Deployment and Configuration +- βš™οΈ Deployment and Configuration - [Tutorials](Tutorials.md) - [API-Usage](usage.md) @@ -26,12 +26,13 @@ - [Mermaid CLI](mermaidCLI.md) - [Advanced usage](n00b-advanced.md) -- πŸ“š Misc +- πŸ“š Misc - [Use-Cases and Integrations](integrations.md) - [FAQ](faq.md) -- πŸ™Œ Contributions and Community +- πŸ™Œ Contributions and Community - [Overview for Beginners](n00b-overview.md) - [Development and Contribution ](development.md) - [Changelog](CHANGELOG.md) - [Adding Diagrams ](newDiagram.md) + - [Security ](security.md) diff --git a/docs/security.md b/docs/security.md new file mode 100644 index 000000000..2d88d1aec --- /dev/null +++ b/docs/security.md 
@@ -0,0 +1,17 @@
+# Security
+The Mermaid team takes the security of Mermaid and the applications that use Mermaid seriously. This page describes how to report any vulnerabilities you may find, and lists best practices to minimize the risk of introducing a vulnerability.
+
+## Reporting vulnerabilities
+To report a vulnerability, please e-mail security@mermaid.live with a description of the issue, the steps you took to create the issue, affected versions, and if known, mitigations for the issue.
+
+We aim to reply within three working days, probably much sooner.
+
+You should expect a close collaboration as we work to resolve the issue you have reported. Please reach out to security@mermaid.live again if you do not receive prompt attention and regular updates.
+
+You may also reach out to the team via our public Slack chat channels; however, please make sure to e-mail security@mernaid.live when reporting an issue, and avoid revealing information about vulnerabilities in public as that could that could put users at risk.
+
+## Best practices
+
+Keep current with the latest Mermaid releases. We regularly update Mermaid, and these updates may fix security defects discovered in previous versions. Check the Mermaid release notes for security-related updates.
+
+Keep your application’s dependencies up to date. Make sure you upgrade your package dependencies to keep the dependencies up to date. Avoid pinning to specific versions for your dependencies and, if you do, make sure you check periodically to see if your dependencies have had security updates, and update the pin accordingly.