This repository has been archived by the owner on Apr 29, 2024. It is now read-only.
Update dependency katex to v0.16.10 [SECURITY] #510
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.16.7
->0.16.10
GitHub Vulnerability Alerts
CVE-2024-28244
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\def
or\newcommand
that causes a near-infinite loop, despite settingmaxExpand
to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
Forbid inputs containing any of the characters
₊₋₌₍₎₀₁₂₃₄₅₆₇₈₉ₐₑₕᵢⱼₖₗₘₙₒₚᵣₛₜᵤᵥₓᵦᵧᵨᵩᵪ⁺⁻⁼⁽⁾⁰¹²³⁴⁵⁶⁷⁸⁹ᵃᵇᶜᵈᵉᵍʰⁱʲᵏˡᵐⁿᵒᵖʳˢᵗᵘʷˣʸᶻᵛᵝᵞᵟᵠᵡ
before passing them to KaTeX.(There is no easy workaround for the auto-render extension.)
Details
KaTeX supports an option named
maxExpand
which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script characters" allows an attacker to bypass this limit. Each sub/superscript group instantiated a separate Parser with its own limit on macro executions, without inheriting the current count of macro executions from its parent. This has been corrected in KaTeX v0.16.10.For more information
If you have any questions or comments about this advisory:
CVE-2024-28245
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\includegraphics
that runs arbitrary JavaScript, or generate invalid HTML.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trust
option, or set it to forbid\includegraphics
commands."\\includegraphics"
.Details
\includegraphics
did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.For more information
If you have any questions or comments about this advisory:
CVE-2024-28246
Impact
Code that uses KaTeX's
trust
option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generatejavascript:
links in the output, even if thetrust
function tries to forbid this protocol viatrust: (context) => context.protocol !== 'javascript'
.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trust
function.context.protocol
viacontext.protocol.toLowerCase()
before attempting to check for certain protocols.trust
option.Details
KaTeX did not normalize the
protocol
entry of thecontext
object provided to a user-specifiedtrust
-function, so it could be a mix of lowercase and/or uppercase letters.It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:
Currently KaTeX internally sees
file:
andFile:
URLs as different protocols, socontext.protocol
can befile
orFile
, so the above check does not suffice. A simple workaround would be:Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:
CVE-2024-28243
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\edef
that causes a near-infinite loop, despite settingmaxExpand
to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
Forbid inputs containing the substring
"\\edef"
before passing them to KaTeX.(There is no easy workaround for the auto-render extension.)
Details
KaTeX supports an option named
maxExpand
which prevents infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. However, what counted as an "expansion" is a single macro expanding to any number of tokens. The expand-and-define TeX command\edef
can be used to build up an exponential number of tokens using only a linear number of expansions according to this definition, e.g. by repeatedly doubling the previous definition. This has been corrected in KaTeX v0.16.10, where every expanded token in an\edef
counts as an expansion.For more information
If you have any questions or comments about this advisory:
Release Notes
KaTeX/KaTeX (katex)
v0.16.10
Compare Source
Bug Fixes
v0.16.9
Compare Source
Features
v0.16.8
Compare Source
Features
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.