Update Vulnerable Underscore.js 1.8.3 #7358

Closed
4 tasks done
MechiH opened this issue Jul 12, 2024 · 2 comments
Labels: change request (Issue requests a new feature or improvement), upstream (Issue must be taken upstream)

Comments

@MechiH

MechiH commented Jul 12, 2024

Context

No response

Description

Underscore.js 1.8.3, which is included in the built version of MkDocs Material documentation inside file site/assets/javascripts/lunr/wordcut.js, has a known high severity vulnerability (CVE-2021-23358).

Update to [email protected] is required

Related links

Use Cases

This has an effect on all users of the project.

Visuals

No response

Before submitting

@squidfunk
Owner

Thanks for reporting. wordcut.js is provided by lunr-languages, a library that provides additional stemmers and stopword filters for lunr.js, the search we're currently using. Thus, this issue should be reported upstream, because we only consume wordcut.js from this library – we can't patch it ourselves. Could you please create an issue upstream?

Additionally, wordcut.js is only used for the Thai and Hindi languages, and does not impact any of the other 60+ languages we're supporting, so the potential attack surface is low. Furthermore, search runs in a web worker, so wordcut.js is loaded inside a web worker context, which provides additional shielding from the main thread.

As mentioned, we can't fix it, but I currently assess the risk as being tolerable, given that it only affects a small subset of languages, and runs in an already isolated context. Also note that we're working on a new search to replace lunr.js and lunr-languages in the near future, tracked in #6307. Other than that, if you have any ideas how we can mitigate the situation without starting to patch wordcut.js on our side or losing functionality, please share them with us.

@squidfunk
Owner

As an additional countermeasure, I've looked at wordcut.js to learn how underscore.js is used, and albeit the entirety of underscore.js is bundled, with most of the code being dead code, it appears the only method used is _.clone:

The CVE specifically concerns _.template, which is not being used by wordcut.js in any instance, so we don't have an urgent problem on our side here. Furthermore, the maintainers of lunr-languages could remove the use of underscore.js quite easily by replacing _.clone with a simple ...spread, i.e., vanilla JavaScript code:

var acceptors = _.clone(Acceptors);

// ... can be changed to:
var acceptors = {...Acceptors}

This would also reduce the payload by several dozen kilobytes.
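
The reachability check described in the comment above (which underscore.js members the consuming code actually references), as an added example that is not part of the thread or of either project. The function names and both sample snippets are constructed; only the `_.clone(Acceptors)` line comes from the thread.

```javascript
// Added example, not code from the thread, MkDocs Material or lunr-languages.
// Members named by the advisory; the thread names only _.template for CVE-2021-23358.
const AFFECTED = new Set(["template"]);

// One pass over string literals (kept) and comments (dropped), so that "//"
// inside a string is not mistaken for a comment. Regex literals are not parsed.
const STRING_OR_COMMENT =
  /("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`)|\/\/[^\n]*|\/\*[\s\S]*?\*\//g;

// Sorted underscore members that `source` references as alias.name or alias["name"].
// Mentions inside string literals still count: a triage tool should over-report.
function underscoreMembersUsed(source, alias = "_") {
  const code = source.replace(STRING_OR_COMMENT, (m, str) => (str ? str : " "));
  const a = alias.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const ref = new RegExp(
    `(?<![\\w$.])${a}\\s*(?:\\.\\s*([A-Za-z_$][\\w$]*)|\\[\\s*["']([^"']+)["']\\s*\\])`,
    "g"
  );
  const found = new Set();
  for (const m of code.matchAll(ref)) found.add(m[1] || m[2]);
  return [...found].sort();
}

// Flags a consumer module whose code references an affected member.
function triage(source, alias = "_") {
  const used = underscoreMembersUsed(source, alias);
  const affected = used.filter((name) => AFFECTED.has(name));
  return { used, affected, reachable: affected.length > 0 };
}

// Constructed consumer snippets; only the _.clone line appears in the thread.
const CONSUMER_OK = `
var acceptors = _.clone(Acceptors);
// legacy: _.template(tpl) was removed
`;
const CONSUMER_BAD = `
var render = _["template"](settings.tpl);
var list = _.map(items, render);
`;

console.log(triage(CONSUMER_OK));
console.log(triage(CONSUMER_BAD));
```

Run it over the consumer modules of a bundle rather than over the bundled library itself, which defines every member. References made through another name, such as `require("underscore").template`, are not detected and need a manual look.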

squidfunk added the change request and upstream labels on Jul 12, 2024