python-aws-lambda-handlers

python-aws-lambda-handlers copied to clipboard

Reame
Issues

chore(deps): update dependency pymdown-extensions to v10 [security]

Open renovate[bot] opened this issue 2 years ago • 0 comments

This PR contains the following updates:

Package	Change	Age	Confidence
pymdown-extensions	`==7.1` -> `==10.0`

GitHub Vulnerability Alerts

CVE-2023-32309

Summary

Arbitrary file read when using include file syntax.

Details

By using the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd".

Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal. The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py.

base = "docs"
path = "/etc/passwd"
filename = os.path.join(base,path) # Filename is now /etc/passwd

PoC

import markdown

payload = "--8<-- \"/etc/passwd\""
html = markdown.markdown(payload, extensions=['pymdownx.snippets'])

print(html)

Impact

Any readable file on the host where the plugin is executing may have its content exposed. This can impact any use of Snippets that exposes the use of Snippets to external users.

It is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed.

Suggestion

Specified snippets should be restricted to the configured, specified base paths as a safe default. Allowing relative or absolute paths that escape the specified base paths would need to be behind a feature switch that must be opt-in and would be at the developer's own risk.

Release Notes

facelessuser/pymdown-extensions (pymdown-extensions)

`v10.0`

10.0

Break: Snippets: snippets will restrict snippets to ensure they are under the base_path preventing snippets relative to the base_path but not explicitly under it. restrict_base_path can be set to False for legacy behavior.

`v9.11`

9.11

NEW: Emoji: Update to new CDN and use Twemoji 14.1.2.
NEW: Snippets: Ignore nested snippet section syntax when including a section.

`v9.10`

9.10

NEW: Blocks: Add new experimental general purpose blocks that provide a framework for creating fenced block containers for specialized parsing. A number of extensions utilizing general purpose blocks are included and are meant to be an alternative to (and maybe one day replace): Admonitions, Details, Definition Lists, and Tabbed. Also adds a new HTML plugin for quick wrapping of content with arbitrary HTML elements.
NEW: Highlight: When enabling line spans and/or line anchors, if a code block has an ID associated with it, line ids will be generated using that code ID instead of the code block count.
NEW: Snippets: Expand section syntax to allow section names with - and _.
NEW: Snippets: When check_paths is enabled, and a specified section is not found, raise an error.
NEW: Snippets: Add new experimental feature dedent_sections that will de-indent (remove any common leading whitespace from every line in text) from that block of text.
NEW: MagicLink: Update GitLab links to match recent changes and to be more correct.
NEW: MagicLink: Relax required hash length when performing link shortening.

`v9.9.2`

9.9.2

FIX: Snippets syntax can break in XML comments as XML comments do not allow --. Relax Snippets syntax such that -8<- (single -) are allowed.

`v9.9.1`

9.9.1

FIX: Use a different CDN for Twemoji icons as MaxCDN is no longer available.

`v9.9`

9.9

ENHANCE: BetterEm: Further improvements to strong/emphasis handling:
- Ensure that one or more consecutive * or _ surrounded by whitespace are not considered as a token.
ENHANCE: Caret: Apply recent BetterEm improvements to Caret:
- Fix case where ^^ nested between ^ would be handled in an unexpected way.
- Ensure that one or more consecutive ^ surrounded by whitespace are not considered as a token.
ENHANCE: Tilde: Apply recent BetterEm improvements to Tilde:
- Fix case where ~~ nested between ~ would be handled in an unexpected way.
- Ensure that one or more consecutive ~ surrounded by whitespace are not considered a token.
ENHANCE: Mark: Apply recent BetterEm improvements to Mark:
- Ensure that one or more consecutive = surrounded by whitespace are not considered a token.

`v9.8`

9.8

NEW: Formally declare support for Python 3.11.
FIX: BetterEm: Fix case where ** nested between * would be handled in an unexpected way.

`v9.7`

9.7

NEW: Tabbed: Add new syntax to allow forcing a specific tab to be selected by default.
NEW: Snippets: Add a new option to pass arbitrary HTTP headers.
NEW: Snippets: Allow specifying sections in a snippet and including just the specified section.

`v9.6`

9.6

NEW: Highlight: Allow greater granularity of specifying where language guessing takes place via guess_lang option (e.g. block vs inline).
NEW: Tabbed: Add options for generating tab IDs from tab titles.
NEW: Snippets: Add support for specifying specific lines for Snippets.
NEW: Snippets: Commenting out files in block format no longer requires a space directly after ;.
NEW: Snippets: A new sane way to escape snippets is now available.

`v9.5`

9.5

NEW: InlineHilite: Custom inline code block formatters can now be forced to raise an exception by raising a InlineHiliteException.
NEW: Snippets: Add new options to handle importing snippets from URL.
NEW: Snippets: Snippets will only swallow missing file errors (unless check_paths is enabled), all other errors will be propagated up.
NEW: Snippets: When a file or URL is missing, raise SnippetMissingError instead of IOError.
FIX: Snippets: Small issues related to recursive inclusion of snippets.

`v9.4`

9.4

NEW: Highlight: Changes in order to support Pygments 2.12+. If using Pygments and a version less than 2.12 is installed, Highlight will raise an exception.

`v9.3`

9.3

NEW: B64: Allow SVG to be encoded and inlined.
NEW: PathConverter: Add option to use file:// prefix on absolute paths.
FIX: Highlight: Ensure that extend_pygments_lang is not case sensitive regarding language names.

`v9.2`

9.2

NEW: Drop Python 3.6 support and formally add Python 3.10 support.
NEW: Highlight: Add pygments_lang_option to enable attaching language classes to Pygments code blocks.
NEW: SuperFences: Custom fence validators and formatters can now be forced to raise an exception by raising a SuperFencesException.
NEW: Keys: Add power and fingerprint keys.
FIX: SuperFences: Fix case where custom fence in a blockquote was not gracefully handled.
FIX: Arithmatex: fix issue where if you limit the inline or block syntax to specific input types, access to certain matched groups could cause an error.

`v9.1`

9.1

NEW: Highlight: If linenums is enabled globally via the highlight extension, and a code block specifies a line number of zero (e.g. SuperFences), disable line numbers for that code block.
FIX: Snippets: Add missing documentation for auto_append feature that was added in 8.2.
FIX: Highlight: When attr_list is enabled, attributes were not properly added to Pygments code blocks in the table format. (#1505)

`v9.0`

9.0

Please see Migration Notes for details on upgrading to 9.0.

NEW: Arithmatex: Wrap MathJax "script" format (non-preview) with a container element just like all other Arithmatex output formats.
NEW: Arithmatex: MathJax (non-generic) form's container element now has the arithmatex class added just like everywhere else.
NEW: Arithmatex: Add options to override HTML element container type of inline and block math.
NEW: Arithmatex: Add new formatter functions intended to replace old math fenced/inline block formatters. New formatter functions are configurable. All others are marked as deprecated and will be removed at some future date.
NEW: Emoji: Upgraded Twitter emoji database to support latest emoji. It is a known issue that Twitter has :man_in_santa_hat: and :mx_claus: backwards -- same for :mrs_claus: and :woman_in_santa_hat:. That is on Twitter's side, not ours.
NEW: Highlight: Add support for the Pygments option linespans.
NEW: Highlight: Add support for Pygments option lineanchors.
NEW: Highlight: Add support for Pygments option anchorlinenos.
NEW: Highlight: Remove legacy_no_wrap_code option.
NEW: Add support for generating title headers pulled from the Pygments lexer for code blocks. Feature can be enabled via the new auto_title option. If a specific name is not preferred, these names can be overridden via a user defined mapping called auto_title_map.
NEW: SuperFences: Allow setting a title, or overriding an auto title via the new title option in a fenced code header.
NEW: SuperFences: Allow adding ID and arbitrary data- attributes on Pygments code blocks. The latter requires the attr_list extension to be enabled.
NEW: SuperFences: Removed old deprecated option highlight_code which no longer did anything.
NEW: SuperFences: Remove legacy code meant to help with transitioning to new custom fence function format.
NEW: Tabbed: New alternate style that allows for a scrollable tabs if they overflow. Feature is experimental, see docs for more information.
NEW: Slugs: Add new configurable slugify function that aims to replace all other slugify methods. Deprecate uslugify, uslugify_encoded, uslugify_case, uslugify_case_encoded, gfm, and gfm_encoded. slugify takes parameters returning a function that performs the desired slug handling. slugify adds new options case="fold" for case folding and normalize='<normalize format here>' (uses NFC by default).
FIX: BetterEm: Fix some complex cases related to "smart" logic. (#1413)
FIX: EscapeAll: Fix issue where an escaped HTML entity may end up with incorrect slug and incorrect table of content entry.
FIX: Highlight: Fix issue that occurs when showing only nth line numbers and using pymdownx-inline. Lines not showing a line number would not render with the proper leading space.

`v8.2`

8.2

NEW: Snippets: now accepts a list of base paths which will be resolved in the order they are specified. Compatibility is present with legacy behavior, and a single string path will still be accepted.
NEW: Snippets: allow for specifying certain snippets to auto-append to every file. Useful for appending abbreviations, reference links, etc.
NEW: Snippets: a snippet base path can be a full path to a file. When a base path is a full path to a file, only that file will be included from the specified folder. This allows for targeting a one off file outside of the normal snippet paths(s).
NEW: MagicLink: add GitHub Discussions support to MagicLink. Can now use ?<num> to link discussions. Full discussion links will also be shortened if shortening is enabled. (#1187)
NEW: MagicLink: add new normalize_issue_symbols option to make issues, pull request, and discussion links all render with # instead of #, !, and ? respectively. Input syntax is still the same. Great if you want a GitHub style look where all issue types are just rendered with #.
FIX: MagicLink: documentation will not render links with special icons added via CSS so as not to confuse users that may think that is part of MagicLink. While possible with CSS, MagicLink provides no CSS automatically.
FIX: Tabbed & Details: Fix corner case with lists. (#1225)
FIX: Fix issue with unescaping logic in code blocks.

`v8.1.1`

8.1.1

FIX: Ensure content immediately before Details content or Tabbed content gets preserved.
FIX: StripHTML: Fix some corner cases related to stripping comments.

`v8.1`

8.1

NEW: Drop support for Python 3.5.
NEW: Officially support Python 3.9.
NEW: Tabbed titles can now have simple Markdown in them which can be parsed and rendered (like emoji, bold, etc.).
FIX: Avoid parsing script tags in PathConverter and B64 extensions.

`v8.0.1`

8.0.1

FIX: Fix issue with pymdownx-inline an Pygments 2.7+.

`v8.0`

8.0

Please see Release Notes for details on upgrading to 8.0.

NEW: Added SaneHeaders extension.
NEW: SuperFences & InlineHilite: gracefully handle failing custom formatters and/or validators. Users should add their own debug code to their formatter/validator if they suspect it isn't working.
NEW: SuperFences: if a custom fence validator fails, try the next custom fence until all are exhausted.
NEW: SuperFences: no longer allow custom options in the form key= (no value). Only keys with values or keys with no value and no = are accepted. Keys with no value will now assume the value to be the key name.
NEW: SuperFences: if attr_list extension is enabled, fenced code that use brace attribute list style headers ( ```{lang #id .class attr=value}) will attach arbitrary attributes that are included in the header to the code element.
NEW: SuperFences: when Pygments is disabled, options (such as linenums) included in fenced code headers no longer do anything. If attr_list is enabled, and the brace header is used, such options will be treated as HTML attributes. JavaScript highlighter options should be defined in the brace header form with attr_list enabled in order to generate appropriate, compatible HTML with the chosen JavaScript highlighter.
NEW: SuperFences: backwards incompatible changes where made to custom fence API. See Release Notes for instructions on how to migrate to the new API. Some temporary support for most of the old format is in place, but is deprecated.
NEW: SuperFences: has removed legacy code tab feature. Associated legacy_tab_classes option has been removed. Please use the Tabbed extension to create general purpose tabs for code blocks or other content.
NEW: Highlight: add new option language_prefix which controls the prefix applied to language classes when Pygments is not being used.
NEW: Highlight: A new option called code_attr_on_pre was added to the Highlight extension and controls whether language classes, and any ids, attributes, and classes that are defined in fenced code attribute list style headers, are attached to the code element or pre element. This has effect when using Pygments.
NEW: Highlight: option linenums now defaults to None and accepts None, True, or False. None is disabled by default, but can be enabled per code block. True enables line numbers globally. False disables globally and cannot be enabled manually per code block.
NEW: ExtraRawHTML: remove extension.
FIX: Fix issues with complex emphasis combinations in BetterEm.
FIX: Details: fix corner cases related to extension and lists.
FIX: Tabbed: fix corner cases related to extension and lists.
FIX: EscapeAll: Handle HTML entities special.
FIX: SuperFences: Fix parameter unpacking bug.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

May 31 '23 01:05 renovate[bot]