mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2025-04-09 07:16:48 +00:00
Update meta-marked to latest version
Meta-marked 0.4.4 which we used from our git repository contains a RegexDOS attack in the marked dependency. The dependency was already updated in our meta-marked repository, but not updated in yarn. This made us still vulnerable to this ReDOS which was able to cause a DOS attack on the server when updating a note. For Details: https://github.com/markedjs/marked/releases/tag/v0.7.0 https://github.com/markedjs/marked/pull/1515 What is a ReDOS? A ReDOS attack is a DOS attack where an attacker targets a not-well-written Regular Expression. Regular expressions try to build a tree of all possibilities it can match in order to figure out if the given statement is valid or not. A ReDOS attack abuses this concept by providing a statement that doesn't match but causes extremly huge trees that simply lead to exhausting CPU usage. For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS Credit: Huge thanks to @bitinerant for finding this and handling it with a responsible disclosure. Also thanks to the `marked`-team for fixing things already. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath
parent
57cfbcbd47
commit
c4053ea7ce
2 changed files with 10 additions and 10 deletions
|
|
@ -82,7 +82,7 @@
|
|||
"mathjax": "~2.7.0",
|
||||
"mattermost": "^3.4.0",
|
||||
"mermaid": "~8.2.3",
|
||||
"meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2",
|
||||
"meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.5",
|
||||
"method-override": "^2.3.7",
|
||||
"minimist": "^1.2.0",
|
||||
"minio": "^6.0.0",
|
||||
|
|
@ -193,8 +193,8 @@
|
|||
"mocha": "^5.2.0",
|
||||
"mock-require": "^3.0.3",
|
||||
"optimize-css-assets-webpack-plugin": "^5.0.0",
|
||||
"sequelize-cli": "^5.4.0",
|
||||
"script-loader": "^0.7.2",
|
||||
"sequelize-cli": "^5.4.0",
|
||||
"string-loader": "^0.0.1",
|
||||
"style-loader": "^0.21.0",
|
||||
"uglifyjs-webpack-plugin": "^1.2.7",
|
||||
|
|
|
|||
16
yarn.lock
16
yarn.lock
|
|
@ -7590,10 +7590,10 @@ markdown-table@^1.1.0:
|
|||
resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-1.1.3.tgz#9fcb69bcfdb8717bfd0398c6ec2d93036ef8de60"
|
||||
integrity sha512-1RUZVgQlpJSPWYbFSpmudq5nHY1doEIv89gBtF0s4gW1GF2XorxcA/70M5vq7rLv0a6mhOUccRsqkwhwLCIQ2Q==
|
||||
|
||||
marked@~0.6.2:
|
||||
version "0.6.2"
|
||||
resolved "https://registry.yarnpkg.com/marked/-/marked-0.6.2.tgz#c574be8b545a8b48641456ca1dbe0e37b6dccc1a"
|
||||
integrity sha512-LqxwVH3P/rqKX4EKGz7+c2G9r98WeM/SW34ybhgNGhUQNKtf1GmmSkJ6cDGJ/t6tiyae49qRkpyTw2B9HOrgUA==
|
||||
marked@~0.7.0:
|
||||
version "0.7.0"
|
||||
resolved "https://registry.yarnpkg.com/marked/-/marked-0.7.0.tgz#b64201f051d271b1edc10a04d1ae9b74bb8e5c0e"
|
||||
integrity sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg==
|
||||
|
||||
math-interval-parser@^1.1.0:
|
||||
version "1.1.0"
|
||||
|
|
@ -7769,12 +7769,12 @@ messageformat@^0.3.1:
|
|||
nopt "~3.0.6"
|
||||
watchr "~2.4.13"
|
||||
|
||||
"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.2":
|
||||
version "0.4.4"
|
||||
resolved "git+https://github.com/codimd/meta-marked#04fd9775b38566e41b71e3e63bd78717d3eb4445"
|
||||
"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.5":
|
||||
version "0.4.5"
|
||||
resolved "git+https://github.com/codimd/meta-marked#30852d0efa633418865df179f5956cd3df0fd0b3"
|
||||
dependencies:
|
||||
js-yaml "~3.13.1"
|
||||
marked "~0.6.2"
|
||||
marked "~0.7.0"
|
||||
|
||||
method-override@^2.3.7:
|
||||
version "2.3.10"
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue