oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix ReDoS in file editor (UiFileManager plugin) due to outdated codemirror

Browse source 
just patched from updated version, ideally codemirror dependency should be
included during build stage, but there's no infrastructure for that (yet)
This commit is contained in:
caryoscelus 2023-07-03 21:19:40 +00:00
parent 8355b82eef
commit d16c71966b
3 changed files with 10 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGELOG.md
View file

@ -1,6 +1,7 @@
### zeronet-conservancy 0.7.9+
- fixed ReDoS in file editor (UiFileManager plugin) due to outdated codemirror (@caryoscelus)
### zeronet-conservancy 0.7.9 (2023-07-02)
### zeronet-conservancy 0.7.9 (2023-07-02) (f966a4203fe33bd9f35)
maintainers: @caryoscelus -> none
- update README (build/dev instructions; thanks to @fgaz)
- better debugging of update non-propagation

5
plugins/UiFileManager/media/codemirror/all.js
View file

@ -17366,7 +17366,10 @@ CodeMirror.defineMode("javascript", function(config, parserConfig) {
var kw = keywords[word]
return ret(kw.type, kw.style, word)
}
if (word == "async" && stream.match(/^(\s|\/\*.*?\*\/)*[\[\(\w]/, false))
// backported ReDoS fix from
// https://github.com/codemirror/codemirror5/blob/a0854c752a76e4ba9512a9beedb9076f36e4f8f9/mode/javascript/javascript.js#L130C36-L130C36
// https://security.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937
if (word == "async" && stream.match(/^(\s|\/\*([^*]|\*(?!\/))*?\*\/)*[\[\(\w]/, false))
return ret("async", "keyword", word)
}
return ret("variable", "variable", word)

5
plugins/UiFileManager/media/codemirror/mode/javascript.js vendored
View file

@ -126,7 +126,10 @@ CodeMirror.defineMode("javascript", function(config, parserConfig) {
var kw = keywords[word]
return ret(kw.type, kw.style, word)
}
if (word == "async" && stream.match(/^(\s|\/\*.*?\*\/)*[\[\(\w]/, false))
// backported ReDoS fix from
// https://github.com/codemirror/codemirror5/blob/a0854c752a76e4ba9512a9beedb9076f36e4f8f9/mode/javascript/javascript.js#L130C36-L130C36
// https://security.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937
if (word == "async" && stream.match(/^(\s|\/\*([^*]|\*(?!\/))*?\*\/)*[\[\(\w]/, false))
return ret("async", "keyword", word)
}
return ret("variable", "variable", word)