[Pkg-javascript-devel] Bug#987039: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u3
Yadd
yadd at debian.org
Fri Apr 16 08:49:24 BST 2021
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-devel at lists.alioth.debian.org
[ Reason ]
dojo/dijit is vulnerable to cross-site-scripting (#970000,
CVE-2020-4051).
[ Impact ]
Medium vulnerability
[ Tests ]
Tests passed during build, including upstream's new checks
[ Risks ]
Upstream patch applied without any changes, not trivial but not a big
change. From patch comment:
This update should minimally affect production applications:
* The behavior of existing links with HTML content will be unchanged
* Existing links that are edited and saved will be filtered (this is only if
the link is edited, other content within the editor can be edited without
affecting the link)
* Newly created links will be filtered by default
* For production code to continue working as-is with new data the application
code will have to be updated to specify `true` for the `LinkDialog` plugin's
`allowUnsafeHtml` option
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
In plugin dijit/_editor/plugins/LinkDialog.js, a new check was added.
I didn't add any debian/NEWS entry since the risk is tagged as "low". Do you
think it is required here? Maybe something inspired by the comment below.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index d4aae875..407f7c48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dojo (1.14.2+dfsg1-1+deb10u3) buster; urgency=medium
+
+ * Team upload
+ * Fix cross-site-scripting vulnerability (Closes: #970000, CVE-2020-4051)
+
+ -- Yadd <yadd at debian.org> Fri, 16 Apr 2021 09:39:01 +0200
+
dojo (1.14.2+dfsg1-1+deb10u2) buster; urgency=medium
* Team upload
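Review bot: the changelog entry records only the CVE fix, while the patch changes default behaviour for newly created links (the Description field is now filtered unless the `createLink` plugin is registered with `allowUnsafeHtml: true`). A second line such as `Link descriptions are now HTML-filtered by default; see the allowUnsafeHtml and linkFilter options of the LinkDialog plugin` would let users of the stable update see the behaviour change without reading the patch, and would also answer the debian/NEWS question in the report.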
diff --git a/debian/patches/CVE-2020-4051.patch b/debian/patches/CVE-2020-4051.patch
new file mode 100644
index 00000000..714b93d2
--- /dev/null
+++ b/debian/patches/CVE-2020-4051.patch
@@ -0,0 +1,135 @@
+Description: fix cross-site scripting vulnerability in the Editor's LinkDialog plugin
+ * Add config option `allowUnsafeHtml`: default is `false` which results in
+ `<` being replaced with `<`
+ * Add config option `linkFilter`: can be a function or array of filter pairs
+ to control exactly what filtering is applied
+ .
+ This update should minimally affect production applications:
+ .
+ * The behavior of existing links with HTML content will be unchanged
+ * Existing links that are edited and saved will be filtered (this is only if
+ the link is edited, other content within the editor can be edited without
+ affecting the link)
+ * Newly created links will be filtered by default
+ * For production code to continue working as-is with new data the application
+ code will have to be updated to specify `true` for the `LinkDialog` plugin's
+ `allowUnsafeHtml` option
+Author: Mangala Sadhu Sangeet Singh Khalsa <mssskhalsa at gmail.com>
+Origin: upstream, https://github.com/dojo/dijit/commit/7d9d4927
+Bug: https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6
+Bug-Debian: https://bugs.debian.org/970000
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2021-04-16
+
+--- a/dijit/_editor/plugins/LinkDialog.js
++++ b/dijit/_editor/plugins/LinkDialog.js
+@@ -1,5 +1,6 @@
+ define([
+ "require",
++ "dojo/_base/array",
+ "dojo/_base/declare", // declare
+ "dojo/dom-attr", // domAttr.get
+ "dojo/keys", // keys.ENTER
+@@ -11,7 +12,7 @@
+ "../_Plugin",
+ "../../form/DropDownButton",
+ "../range"
+-], function(require, declare, domAttr, keys, lang, on, has, query, string,
++], function(require, array, declare, domAttr, keys, lang, on, has, query, string,
+ _Plugin, DropDownButton, rangeapi){
+
+ // module:
+@@ -26,6 +27,21 @@
+ //
+ // - createLink
+
++ // allowUnsafeHtml: boolean
++ // If false (default), the link description will be filtered to prevent HTML content.
++ // If true no filtering is done, allowing for HTML content within the link element.
++ // The filter can be specified with the 'linkFilter' option.
++ allowUnsafeHtml: false,
++
++ // linkFilter: function or array of replacement pairs
++ // If 'allowUnsafeHtml' is false then this filter will be applied to the link Description value.
++ // function: the function will be invoked with the string value of the Description field and its
++ // return value will be used
++ // array: each array item should be an array of two values to pass to String#replace
++ linkFilter: [
++ [/</g, "<"]
++ ],
++
+ // Override _Plugin.buttonClass. This plugin is controlled by a DropDownButton
+ // (which triggers a TooltipDialog).
+ buttonClass: DropDownButton,
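Review bot: as rendered here the default filter pair `[/</g, "<"]` replaces `<` with itself and would not neutralise anything; the same unescaping shows in the Description line near the top of the patch file (`<` being replaced with `<`). The upstream commit uses the entity `&lt;`, so this is almost certainly the list archive decoding the entity, but please confirm the patch file on disk still contains `&lt;` before upload (`grep -n '&lt;' debian/patches/CVE-2020-4051.patch` is enough). Worth documenting in the `linkFilter` comment as well: only `<` is rewritten, so `&`, `>` and `"` pass through, which is enough to stop a tag from opening inside the link text but means a description such as `&amp;` is still interpreted as HTML.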
+@@ -252,6 +268,16 @@
+ if(args && args.urlInput){
+ args.urlInput = args.urlInput.replace(/"/g, """);
+ }
++ if(!this.allowUnsafeHtml && args && args.textInput){
++ if(typeof this.linkFilter === 'function'){
++ args.textInput = this.linkFilter(args.textInput);
++ }
++ else{
++ array.forEach(this.linkFilter, function (currentFilter) {
++ args.textInput = args.textInput.replace(currentFilter[0], currentFilter[1]);
++ });
++ }
++ }
+ return args;
+ },
+
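Review bot: the array branch never checks the shape of `linkFilter`, so an application that passes a single pair (`linkFilter: [/</g, "&lt;"]` instead of `[[/</g, "&lt;"]]`) silently disables filtering: `array.forEach` hands the RegExp and the string to the callback, `currentFilter[0]` is `undefined` for the RegExp and `"&"` for the string, and the two `replace` calls leave the description essentially untouched. A cheap guard before the loop, e.g. `if(!lang.isArray(this.linkFilter) || !lang.isArray(this.linkFilter[0])){ this.linkFilter = [[/</g, "&lt;"]]; }` (`lang` is already imported), or at least a console warning, would keep a misconfiguration from reopening the XSS. The `args.textInput` guard skipping the empty string is fine; note that the pre-existing `urlInput` context line above shows the same decoded-entity rendering (`"""` for `&quot;`) as the filter default.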
+@@ -629,8 +655,15 @@
+ });
+
+ // Register these plugins
+- _Plugin.registry["createLink"] = function(){
+- return new LinkDialog({command: "createLink"});
++ _Plugin.registry["createLink"] = function(args){
++ var pluginOptions = {
++ command: "createLink",
++ allowUnsafeHtml: ("allowUnsafeHtml" in args) ? args.allowUnsafeHtml : false
++ };
++ if("linkFilter" in args){
++ pluginOptions.linkFilter = args.linkFilter;
++ }
++ return new LinkDialog(pluginOptions);
+ };
+ _Plugin.registry["insertImage"] = function(){
+ return new ImgLinkDialog({command: "insertImage"});
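Review bot: the `createLink` factory now dereferences `args` unconditionally (`"allowUnsafeHtml" in args`), while the previous signature took no argument and the neighbouring `insertImage` factory still takes none; any caller that invokes `_Plugin.registry["createLink"]()` directly now gets a TypeError instead of a plugin. `args = args || {};` as the first line of the factory keeps the old call working with the default of `allowUnsafeHtml: false`. The explicit `("allowUnsafeHtml" in args) ? args.allowUnsafeHtml : false` is also redundant with the class default added above; passing `!!args.allowUnsafeHtml` through avoids two sources of truth for the default.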
+--- a/dijit/tests/editor/test_LinkDialog.html
++++ b/dijit/tests/editor/test_LinkDialog.html
+@@ -7,6 +7,10 @@
+ <script type="text/javascript" src="../boilerplate.js"></script>
+
+ <script type="text/javascript">
++ function filterLink () {
++ return 'Filtered Value';
++ }
++
+ require([
+ "dojo/parser",
+ "dijit/Editor",
+@@ -35,6 +39,22 @@
+ <br>
+ </div>
+ </div>
++
++ <p>Editor with <code>allowUnsafeHtml</code> set to <code>true</code></p>
++ <div style="border: 1px dotted black;">
++ <div id="editorUnsafe" data-dojo-type="dijit/Editor" data-dojo-props='"aria-label":"editor",extraPlugins:[{name: "createLink", allowUnsafeHtml: true}, "insertImage", "viewSource"]'>
++ <p>This editor will allow unrestricted HTML in the Description field of links</p>
++ <br>
++ </div>
++ </div>
++
++ <p>Editor with custom <code>linkFilter</code> function</p>
++ <div style="border: 1px dotted black;">
++ <div id="editorLinkFilter" data-dojo-type="dijit/Editor" data-dojo-props='"aria-label":"editor",extraPlugins:[{name: "createLink", linkFilter: filterLink}, "insertImage", "viewSource"]'>
++ <p>Links created in this editor will always have a description of "Filtered Value", which is the value returned by the custom <code>linkFilter</code> function.</p>
++ <br>
++ </div>
++ </div>
+
+ <p>RTL Editor:</p>
+ <div style="border: 1px dotted black;">
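Review bot: the two new editors cover the opt-out (`allowUnsafeHtml: true`) and a custom function filter, but nothing exercises the default path that the CVE fix actually relies on, nor the array form of `linkFilter`. A third editor with the stock `createLink` plugin and a note to enter `<b>text</b>` (or `<img src=x onerror=alert(1)>`) as the Description, expected to appear literally in the viewSource output, would make the default filtering visible in the manual test; a fourth with `linkFilter: [[/</g, "&lt;"], [/>/g, "&gt;"]]` would cover the array form.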
diff --git a/debian/patches/series b/debian/patches/series
index d5b7db42..04f730d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
CVE-2019-10785.patch
CVE-2020-5258.diff
CVE-2020-5259.diff
+CVE-2020-4051.patch
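As an added illustration of the `allowUnsafeHtml` and `linkFilter` semantics described in the [Risks] section and implemented by the patch above (a model written for this page, not dijit code and not part of the upload): `filterDescription`, its option handling and the `PAYLOAD` string are constructed here, and the default pair is written with the entity `&lt;`, on the assumption that the list archive rendered that entity as a bare `<` in the patch text.

```javascript
// Added illustration, not dijit code: a stand-alone model of the Description
// filtering that the patched LinkDialog plugin performs in _checkAndFixInputs.
// filterDescription(), its option handling and PAYLOAD are constructed for this
// example; the default pair uses the entity "&lt;" (assumed to be what the
// list archive rendered as a bare "<" in the patch above).

const DEFAULT_LINK_FILTER = [[/</g, "&lt;"]];

// Apply the plugin's filtering rules to the text typed into the Description field.
// options.allowUnsafeHtml: true disables filtering (the pre-patch behaviour).
// options.linkFilter: a function, or an array of [pattern, replacement] pairs
// that are handed to String#replace in order (the patch's array form).
function filterDescription(textInput, options) {
  options = options || {};
  if (options.allowUnsafeHtml === true || !textInput) {
    return textInput; // same guard as the patch: opt-out, or nothing to filter
  }
  const linkFilter = "linkFilter" in options ? options.linkFilter : DEFAULT_LINK_FILTER;
  if (typeof linkFilter === "function") {
    return linkFilter(textInput);
  }
  // Index-based loop like dojo/_base/array.forEach: a value without a numeric
  // length, or a malformed entry, is tolerated rather than rejected.
  let out = textInput;
  const n = (linkFilter && linkFilter.length) || 0;
  for (let i = 0; i < n; i++) {
    const pair = linkFilter[i];
    out = out.replace(pair[0], pair[1]);
  }
  return out;
}

// Constructed XSS payload entered as the link description; before the patch
// it was written into the editor's HTML verbatim.
const PAYLOAD = '<img src=x onerror="alert(1)">click';

// A stricter custom filter escaping the four HTML-significant characters.
function escapeAll(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Run the payload through each configuration and return the results.
function demo() {
  return {
    // default: the tag cannot open, everything else is left alone
    filtered: filterDescription(PAYLOAD),
    // opt-in to the old behaviour: the payload reaches the DOM unchanged
    unsafe: filterDescription(PAYLOAD, { allowUnsafeHtml: true }),
    // custom function filter
    custom: filterDescription(PAYLOAD, { linkFilter: escapeAll }),
    // array form written correctly: two pairs applied in order
    arrayForm: filterDescription(PAYLOAD, { linkFilter: [[/</g, "&lt;"], [/>/g, "&gt;"]] }),
    // misconfiguration: a single pair instead of an array of pairs silently
    // disables filtering (pair[0] is undefined for the RegExp and "&" for the
    // string "&lt;", neither of which occurs in the payload)
    misconfigured: filterDescription(PAYLOAD, { linkFilter: [/</g, "&lt;"] }),
  };
}

console.log(demo());
```

The `misconfigured` entry is the case worth remembering when wiring `linkFilter` into an application: the plugin accepts the wrong shape without complaint and the description goes through unfiltered, so a test that feeds a `<` through the configured editor is cheaper than trusting the option name.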