Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Bump angular from 1.5.0 to 1.8.0 #96

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Security] Bump angular from 1.5.0 to 1.8.0 #96

wants to merge 1 commit into from

Conversation

dependabot-preview[bot]
Copy link

Bumps angular from 1.5.0 to 1.8.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

XSS via JQLite DOM manipulation functions in AngularJS

Summary

XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element.

Description

JQLite (DOM manipulation library that's part of AngularJS) manipulates input HTML before inserting it to the DOM in jqLiteBuildFragment.

One of the modifications performed expands an XHTML self-closing tag.

If jqLiteBuildFragment is called (e.g. via new JQLite(aString)) with user-controlled HTML string that was sanitized (e.g. with DOMPurify), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript - and trigger an XSS when the payload is inserted into DOM.

This is similar to a bug in jQuery htmlPrefilter function that was fixed in 3.5.0.

Proof of concept

const inertPayload = `` before adding it to the DOM, closing the style element early and reactivating `img`.
Patches
The issue is patched in JQLite bundled with angular 1.8.0. AngularJS users using JQuery should upgrade JQuery to 3.5.0, as a similar vulnerability affects jQuery <3.5.0.
</tr></table> ... (truncated)
Affected versions: < 1.8.0

Sourced from The GitHub Security Advisory Database.

Cross site scripting in Angular angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code.

Affected versions: < 1.8.0

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects angular In AngularJS before 1.7.9 the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

Affected versions: < 1.7.9

Changelog

Sourced from angular's changelog.

1.8.0 nested-vaccination (2020-06-01)

This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@koto); and independently by Esben Sparre Andreasen (@esbena) while performing a Variant Analysis of CVE-2020-11022 which itself was found and reported by Masato Kinugawa (@masatokinugawa).

Bug Fixes

  • jqLite:
    • prevent possible XSS due to regex-based HTML replacement (2df43c)

Breaking Changes

jqLite due to:

  • 2df43c: prevent possible XSS due to regex-based HTML replacement

JqLite no longer turns XHTML-like strings like <div /><span /> to sibling elements <div></div><span></span> when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to: <div><span></span></div>.

This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string. If you must have this functionality and understand the risk involved then it is posible to restore the original behavior by calling

angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();

But you should adjust your code for this change and remove your use of this function as soon as possible.

Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the jQuery 3.5 upgrade guide for more details about the workarounds.

1.7.9 pollution-eradication (2019-11-19)

Bug Fixes

1.7.8 enthusiastic-oblation (2019-03-11)

Commits
  • e55d352 docs(*): update changelog for 1.8.0
  • 78ab691 chore(*): prep for 1.8.0
  • 59b5651 docs(ngRepeat): missing closing backtick
  • c8b7c16 fix(jqLite): improve documentation
  • 05cf606 fix(jqLite): apply suggestions from code review
  • 2df43c0 fix(jqLite): prevent possible XSS due to regex-based HTML replacement
  • 295213d chore(*): clean up package.json and CircleCI config
  • a31c207 chore(docs-app): remove document.write() from docs index.html
  • 2518966 fix(grunt-utils): insert the core CSS styles without using innerHTML
  • 7de25c8 chore(ci): ensure that deployment files are ready for deployment
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by petebacondarwin, a new releaser for angular since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
[Security] Bump angular from 1.5.0 to 1.8.0
b952d17 
Bumps [angular](https://github.com/angular/angular.js) from 1.5.0 to 1.8.0. **This update includes security fixes.**
- [Release notes](https://github.com/angular/angular.js/releases)
- [Changelog](https://github.com/angular/angular.js/blob/master/CHANGELOG.md)
- [Commits](angular/angular.js@v1.5.0...v1.8.0)

Signed-off-by: dependabot-preview[bot] <[email protected]>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code security Pull requests that address a security vulnerability labels Dec 4, 2020
@dependabot-preview dependabot-preview bot requested a review from igara December 4, 2020 06:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@igara igara Awaiting requested review from igara

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants