chore(deps): update dependency angular to v1.8.0 [security] #228
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/npm-angular-vulnerability
branch
from
0ef09fe
to
a778b7f
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.7.8->1.8.0GitHub Vulnerability Alerts
CVE-2019-10768
Versions of
angularprior to 1.7.9 are vulnerable to prototype pollution. The deprecated API functionmerge()does not restrict the modification of an Object's prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.Recommendation
Upgrade to version 1.7.9 or later. The function was already deprecated and upgrades are not expected to break functionality.
CVE-2020-7676
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code. GHSA-5cp4-xmrw-59wf Summary XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. Description JQLite (DOM manipulation library that's part of AngularJS) manipulates input HTML before inserting it to the DOM in jqLiteBuildFragment. One of the modifications performed expands an XHTML self-closing tag. If jqLiteBuildFragment is called (e.g. via new JQLite(aString)) with user-controlled HTML string that was sanitized (e.g. with DOMPurify), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript - and trigger an XSS when the payload is inserted into DOM. This is similar to a bug in jQuery htmlPrefilter function that was fixed in 3.5.0. Proof of concept const inertPayload = `<div><style><style/><img src=x onerror="alert(1337)"/>` Note that the style element is not closed and <img would be a text node inside the style if inserted into the DOM as-is. As such, some HTML sanitizers would leave the <img as is without processing it and stripping the onerror attribute. angular.element(document).append(inertPayload); This will alert, as <style/> will be replaced with <style></style> before adding it to the DOM, closing the style element early and reactivating img. Patches The issue is patched in JQLite bundled with angular 1.8.0. AngularJS users using JQuery should upgrade JQuery to 3.5.0, as a similar vulnerability affects jQuery <3.5.0. Workarounds Changing sanitizer configuration not to allow certain tag grouping (e.g. <option><style></option>) or inline style elements may stop certain exploitation vectors, but it's uncertain if all possible exploitation vectors would be covered. Upgrade of AngularJS to 1.8.0 is recommended. References https://github.com/advisories/GHSA-mhp6-pxh8-r675 https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6 https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://snyk.io/vuln/SNYK-JS-ANGULAR-570058 Release Notes angular/angular.js v1.8.0 Compare Source This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@koto); and independently by Esben Sparre Andreasen (@esbena) while performing a Variant Analysis of CVE-2020-11022 which itself was found and reported by Masato Kinugawa (@masatokinugawa). Bug Fixes jqLite: prevent possible XSS due to regex-based HTML replacement (2df43c) Breaking Changes jqLite due to: 2df43c: prevent possible XSS due to regex-based HTML replacement JqLite no longer turns XHTML-like strings like <div /><span /> to sibling elements <div></div><span></span> when not in XHTML mode. Instead it will leave them as-is. The browser, in non-XHTML mode, will convert these to: <div><span></span></div>. This is a security fix to avoid an XSS vulnerability if a new jqLite element is created from a user-controlled HTML string. If you must have this functionality and understand the risk involved then it is posible to restore the original behavior by calling angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement(); But you should adjust your code for this change and remove your use of this function as soon as possible. Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the jQuery 3.5 upgrade guide for more details about the workarounds. v1.7.9 Compare Source Bug Fixes angular.merge: do not merge proto property (726f49) (Thanks to the Snyk Security Research Team for identifyng this issue.) ngStyle: correctly remove old style when new style value is invalid (5edd25, #16860, #16868) Configuration 📅 Schedule: "" (UTC). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. [ ] If you want to rebase/retry this PR, click this checkbox. This PR has been generated by WhiteSource Renovate. View repository job log here.