From a28b52589423175e5bc833bbd20027f2d8c08901 Mon Sep 17 00:00:00 2001 From: Nicolas Giard Date: Mon, 29 Apr 2024 14:24:28 -0400 Subject: [PATCH 1/4] docs: Update SECURITY.md --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 44cfc409..a68b8b9f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -13,11 +13,11 @@ If you find such vulnerability, it's important to disclose it in a quick and sec ## Reporting a Vulnerability -**DO NOT CREATE AN ISSUE ON GITHUB** to report a potential vulnerability / security problem. Instead, choose one of these options: +**DO NOT CREATE A GITHUB ISSUE / DISCUSSION** to report a potential vulnerability / security problem. Instead, choose one of these options: -### A) Disclose on Huntr.dev +### A) Submit a Vulnerability Report *(recommended)* -Disclose the vulnerability on [Huntr.dev](https://huntr.dev/bounties/disclose) for the repository `https://github.com/Requarks/wiki`. +Fill in the form on https://github.com/requarks/wiki/security/advisories/new ### B) Send an email From 854ec230ddd5ac82b05525095bbfc810fc9aecb7 Mon Sep 17 00:00:00 2001 From: Nicolas Giard Date: Mon, 29 Apr 2024 15:12:22 -0400 Subject: [PATCH 2/4] ci: Update build.yml --- .github/workflows/build.yml | 100 ++++++++++++++++++------------------ 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 19b3a7d1..924101cb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,7 +19,7 @@ jobs: packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set Build Variables run: | 
@@ -42,20 +42,20 @@ jobs: cat package.json - name: Login to DockerHub - uses: docker/login-action@v2.1.0 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@v2.1.0 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push Docker images - uses: docker/build-push-action@v4.0.0 + uses: docker/build-push-action@v5 with: context: . file: dev/build/Dockerfile @@ -77,7 +77,7 @@ jobs: find _dist/wiki/ -printf "%P\n" | tar -czf wiki-js.tar.gz --no-recursion -C _dist/wiki/ -T - - name: Upload a Build Artifact - uses: actions/upload-artifact@v3.1.2 + uses: actions/upload-artifact@v4 with: name: drop path: wiki-js.tar.gz @@ -92,7 +92,7 @@ jobs: dbtype: [postgres, mysql, mariadb, mssql, sqlite] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set Test Variables run: | @@ -129,7 +129,7 @@ jobs: docker: armv7 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set Version Variables run: | @@ -142,26 +142,26 @@ jobs: fi - name: Set up QEMU - uses: docker/setup-qemu-action@v2.1.0 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2.4.0 + uses: docker/setup-buildx-action@v3 - name: Login to DockerHub - uses: docker/login-action@v2.1.0 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@v2.1.0 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Download a Build Artifact - uses: actions/download-artifact@v3.0.2 + uses: actions/download-artifact@v4 with: name: drop path: drop 
@@ -172,7 +172,7 @@ jobs: tar -xzf $GITHUB_WORKSPACE/drop/wiki-js.tar.gz -C $GITHUB_WORKSPACE/build --exclude=node_modules - name: Build and push Docker images - uses: docker/build-push-action@v4.0.0 + uses: docker/build-push-action@v5 with: context: . file: dev/build-arm/Dockerfile @@ -190,12 +190,12 @@ jobs: steps: - name: Setup Node.js environment - uses: actions/setup-node@v3.6.0 + uses: actions/setup-node@v4 with: node-version: 18.x - name: Download a Build Artifact - uses: actions/download-artifact@v3.0.2 + uses: actions/download-artifact@v4 with: name: drop path: drop @@ -221,7 +221,7 @@ jobs: run: tar -czf wiki-js-windows.tar.gz -C $env:GITHUB_WORKSPACE\win . - name: Upload a Build Artifact - uses: actions/upload-artifact@v3.1.2 + uses: actions/upload-artifact@v4 with: name: drop-win path: wiki-js-windows.tar.gz @@ -241,13 +241,13 @@ jobs: echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV - name: Login to DockerHub - uses: docker/login-action@v2.1.0 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@v2.1.0 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -282,13 +282,13 @@ jobs: echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV - name: Login to DockerHub - uses: docker/login-action@v2.1.0 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@v2.1.0 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} 
@@ -328,13 +328,13 @@ jobs: docker manifest push -p ghcr.io/requarks/wiki:latest - name: Download Linux Build - uses: actions/download-artifact@v3.0.2 + uses: actions/download-artifact@v4 with: name: drop path: drop - name: Download Windows Build - uses: actions/download-artifact@v3.0.2 + uses: actions/download-artifact@v4 with: name: drop-win path: drop-win @@ -359,7 +359,7 @@ jobs: artifacts: 'drop/wiki-js.tar.gz,drop-win/wiki-js-windows.tar.gz' - name: Notify Slack Releases Channel - uses: slackapi/slack-github-action@v1.18.0 + uses: slackapi/slack-github-action@v1.26.0 with: payload: | { 
@@ -381,34 +381,34 @@ jobs: See [release notes](https://github.com/requarks/wiki/releases) for details. - name: Notify Discord Channel - uses: sebastianpopp/discord-action@v1.0 + uses: sebastianpopp/discord-action@v2.0 with: webhook: ${{ secrets.DISCORD_WEBHOOK }} message: Wiki.js ${{ github.ref_name }} has been released! See https://github.com/requarks/wiki/releases for details. - build-do-image: - name: Build DigitalOcean Image - runs-on: ubuntu-latest - needs: [release] - - steps: - - uses: actions/checkout@v3 - - - name: Set Version Variables - run: | - echo "Using TAG mode: $GITHUB_REF_NAME" - echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV - - - name: Install Packer - run: | - curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - - sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" - sudo apt-get update && sudo apt-get install packer - - - name: Build Droplet Image - env: - DIGITALOCEAN_API_TOKEN: ${{ secrets.DO_TOKEN }} - WIKI_APP_VERSION: ${{ env.REL_VERSION_STRICT }} - working-directory: dev/packer - run: | - packer build digitalocean.json + # build-do-image: + # name: Build DigitalOcean Image + # runs-on: ubuntu-latest + # needs: [release] + + # steps: + # - uses: actions/checkout@v4 + + # - name: Set Version Variables + # run: | + # echo "Using TAG mode: $GITHUB_REF_NAME" + # echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV + + # - name: Install Packer + # run: | + # curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - + # sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" + # sudo apt-get update && sudo apt-get install packer + + # - name: Build Droplet Image + # env: + # DIGITALOCEAN_API_TOKEN: ${{ secrets.DO_TOKEN }} + # WIKI_APP_VERSION: ${{ env.REL_VERSION_STRICT }} + # working-directory: dev/packer + # run: | + # packer build digitalocean.json 
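Review bot: `sebastianpopp/discord-action@v2.0` is a third-party action that receives `secrets.DISCORD_WEBHOOK`, and this hunk only moves it from one mutable tag to another; the same holds for `slackapi/slack-github-action@v1.26.0` in the hunk above and for the `docker/*` bumps earlier in the file. A moved or compromised tag repoints the step to different code with access to the job's secrets, so pin third-party actions to a full commit SHA with the version kept as a trailing comment, e.g. `uses: sebastianpopp/discord-action@<commit-sha> # v2.0`, and let Dependabot bump the SHA. Separately, the `build-do-image` job is commented out rather than removed; git history already preserves it, so deleting the block (or, if it is intentionally parked, a one-line `# Disabled: <reason / tracking issue>` above it) keeps the workflow readable and avoids carrying the deprecated `apt-key add` invocation forward.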
From 98c04fe18e1a0bc98850c7c367adcf1c9981578e Mon Sep 17 00:00:00 2001
From: Nicolas Giard
Date: Mon, 29 Apr 2024 17:12:17 -0400
Subject: [PATCH 3/4] docs: Update README.md
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 40fac120..d02727e9 100644
--- a/README.md
+++ b/README.md
@@ -211,6 +211,7 @@ Support this project by becoming a sponsor. Your name will show up in the Contri
 - Ruizhe Li ([@liruizhe1995](https://github.com/liruizhe1995))
 - Sam Martin ([@ABitMoreDepth](https://github.com/ABitMoreDepth))
 - Sean Coffey ([@seanecoffey](https://github.com/seanecoffey))
+- Simon Ott ([@ottsimon](https://github.com/ottsimon))
 - Stephan Kristyn ([@stevek-pro](https://github.com/stevek-pro))
 - Theodore Chu ([@TheodoreChu](https://github.com/TheodoreChu))
 - Tyler Denman ([@tylerguy](https://github.com/tylerguy))
From 1238d614e1599fefadd4614ee4b5797a087f50ac Mon Sep 17 00:00:00 2001
From: Ethan <49207751+Et43@users.noreply.github.com>
Date: Mon, 13 May 2024 20:57:17 +0200
Subject: [PATCH 4/4] Merge pull request from GHSA-xjcj-p2qv-q3rf
* Update render.js
# Improved handling of mustache expressions and v-pre attribute assignment
## Changes Made:
- Ensured that the parent tag of such text nodes is explicitly set to a `

` tag with the `v-pre` attribute. - Added debug messages for better understanding of the script execution flow [THIS SHOULD BE REMOVED WHEN PUSHING TO PRODUCTION]. ## Why it Works: - When a mustache expression is found, the script either wraps it in a new `

` tag with the `v-pre` attribute or adds the `v-pre` attribute to the existing parent `

` tag. - This approach ensures that the template code is not removed but encapsulated within `

` tags with the `v-pre` attribute, as required. ## Test Cases Passed: 1. `{{ constructor.constructor('alert(1)')() }}` 2. `{{ constructor.constructor('alert(1)')() }}` 3. `

{{ constructor.constructor('alert(1)')() }}

` 4. `

{{ constructor.constructor('alert(1)')() }}

` 5. `

<xyz>{{constructor.constructor('alert("Test Case 8")')()}}<xyz>{{constructor.constructor('alert("Test Case 9")')()}}</xyz>

`
This commit enhances the robustness and reliability of handling mustache expressions and ensures proper assignment of the `v-pre` attribute, to ensure that there is no room for the weaponization of the template code later in the rendering process.
* fix: move template expressions after dom-purify + handle text nodes without parent
---------
Co-authored-by: NGPixel
---
 .../modules/rendering/html-core/renderer.js | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)
diff --git a/server/modules/rendering/html-core/renderer.js b/server/modules/rendering/html-core/renderer.js
index f0ffbec8..a6426089 100644
--- a/server/modules/rendering/html-core/renderer.js
+++ b/server/modules/rendering/html-core/renderer.js
@@ -10,7 +10,7 @@ const mustacheRegExp = /(\{|{?){2}(.+?)(\}|}?){2}/i
 module.exports = {
 async render() {
- const $ = cheerio.load(this.input, {
+ let $ = cheerio.load(this.input, {
 decodeEntities: true
 })
@@ -253,17 +253,35 @@ module.exports = {
 }
 })
+ // --------------------------------
+ // STEP: POST
+ // --------------------------------
+
+ let output = decodeEscape($.html('body').replace('', '').replace('', ''))
+
+ for (let child of _.sortBy(_.filter(this.children, ['step', 'post']), ['order'])) {
+ const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
+ output = await renderer.init(output, child.config)
+ }
+
 // --------------------------------
 // Escape mustache expresions
 // --------------------------------
+ $ = cheerio.load(output, {
+ decodeEntities: true
+ })
+
 function iterateMustacheNode (node) {
- const list = $(node).contents().toArray()
- list.forEach(item => {
+ $(node).contents().each((idx, item) => {
 if (item && item.type === 'text') {
 const rawText = $(item).text().replace(/\r?\n|\r/g, '')
 if (mustacheRegExp.test(rawText)) {
- $(item).parent().attr('v-pre', true)
+ if (!item.parent || item.parent.name === 'body') {
+ $(item).wrap($('

').attr('v-pre', true))
+ } else {
+ $(item).parent().attr('v-pre', true)
+ }
 }
 } else {
 iterateMustacheNode(item)
@@ -276,18 +294,7 @@ module.exports = {
 $(elm).attr('v-pre', true)
 })
- // --------------------------------
- // STEP: POST
- // --------------------------------
-
- let output = decodeEscape($.html('body').replace('', '').replace('', ''))
-
- for (let child of _.sortBy(_.filter(this.children, ['step', 'post']), ['order'])) {
- const renderer = require(`../${_.kebabCase(child.key)}/renderer.js`)
- output = await renderer.init(output, child.config)
- }
-
- return output
+ return decodeEscape($.html('body').replace('', '').replace('', ''))
 }
 }
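Review bot: The reason the mustache/`v-pre` pass now runs after the `post` renderers is not recorded in the code, yet that ordering is the substance of the GHSA-xjcj-p2qv-q3rf fix: per the commit message, post-step processing (dom-purify among it) can restructure the DOM or drop attributes after `v-pre` was applied, so a later refactor that moves this block back above `STEP: POST` would silently reopen the issue. A comment above the second `cheerio.load`, e.g. `// Must stay AFTER the post-step renderers: they may rewrite the DOM or strip v-pre, leaving {{ }} text that is later evaluated as a template expression (GHSA-xjcj-p2qv-q3rf).`, plus a regression test built from the cases listed in the commit message, would pin this. Rebinding `$` via `let` and reloading makes every later `$(...)` silently refer to a different document; a distinct binding such as `const $post = cheerio.load(output, …)` used by `iterateMustacheNode`, the `$('code')` loop and the final `return` makes the two phases explicit, and the unused `idx` in `.each((idx, item) => …)` can become `_idx`. The returned HTML is now serialized by cheerio a second time and passed through `decodeEscape` twice (once before the post renderers, once on return); whether that round-trip is idempotent for entity-bearing content such as `&lt;` depends on `decodeEscape`, which is outside the hunk, so it deserves a regression check. The `render` method continues outside the hunk.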