Skip to content

Commit

Permalink
Mention CVE-2021-23358 in code, test and documentation (#2915)
Browse files Browse the repository at this point in the history
  • Loading branch information
jgonggrijp committed Mar 29, 2021
1 parent c9e803e commit c627e38
Show file tree
Hide file tree
Showing 7 changed files with 10 additions and 6 deletions.
2 changes: 1 addition & 1 deletion docs/modules/template.html
Original file line number Diff line number Diff line change
Expand Up @@ -1013,7 +1013,7 @@ <h1>template.js</h1>
<div class="pilwrap ">
<a class="pilcrow" href="#section-9">&#182;</a>
</div>
<p>Insure against third-party code injection.</p>
<p>Insure against third-party code injection. (CVE-2021-23358)</p>

</div>

Expand Down
2 changes: 1 addition & 1 deletion docs/underscore-esm.html
Original file line number Diff line number Diff line change
Expand Up @@ -2496,7 +2496,7 @@ <h1>underscore-esm.js</h1>
<div class="pilwrap ">
<a class="pilcrow" href="#section-129">&#182;</a>
</div>
<p>Insure against third-party code injection.</p>
<p>Insure against third-party code injection. (CVE-2021-23358)</p>

</div>

Expand Down
4 changes: 3 additions & 1 deletion index.html
Original file line number Diff line number Diff line change
Expand Up @@ -2714,7 +2714,9 @@ <h2 id="changelog">Change Log</h2>
affects all versions of Underscore between 1.3.2 and 1.12.0,
inclusive, as well as preview releases 1.13.0-0 and 1.13.0-1. The
fix in this release is also included in the parallel preview
release 1.13.0-2.
release 1.13.0-2. <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358"
>CVE-2021-23358</a>
</li>
<li>
Restores an optimization in <tt>_.debounce</tt> that was
Expand Down
2 changes: 1 addition & 1 deletion modules/template.js
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ export default function template(text, settings, oldSettings) {

var argument = settings.variable;
if (argument) {
// Insure against third-party code injection.
// Insure against third-party code injection. (CVE-2021-23358)
if (!bareIdentifier.test(argument)) throw new Error(
'variable is not a bare identifier: ' + argument
);
Expand Down
2 changes: 2 additions & 0 deletions test/utility.js
Original file line number Diff line number Diff line change
Expand Up @@ -468,9 +468,11 @@
QUnit.test('#2911 - _.templateSettings.variable must not allow third parties to inject code.', function(assert) {
QUnit.holyProperty = 'holy';
var invalidVariableNames = [
// CVE-2021-23337 (not applicable to Underscore)
'){delete QUnit.holyProperty}; with(obj',
'(x = QUnit.holyProperty = "evil"), obj',
'document.write("got you!")',
// CVE-2021-23358 (our actual security leak, which we fixed)
'a = (function() { delete QUnit.holyProperty; }())',
'a = (QUnit.holyProperty = "evil")',
'a = document.write("got you!")'
Expand Down
2 changes: 1 addition & 1 deletion underscore-esm.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion underscore.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit c627e38

Please sign in to comment.