Update dependency katex to ^0.16.0 [SECURITY] #35
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^0.12.0
->^0.16.0
GitHub Vulnerability Alerts
CVE-2024-28246
Impact
Code that uses KaTeX's
trust
option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generatejavascript:
links in the output, even if thetrust
function tries to forbid this protocol viatrust: (context) => context.protocol !== 'javascript'
.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trust
function.context.protocol
viacontext.protocol.toLowerCase()
before attempting to check for certain protocols.trust
option.Details
KaTeX did not normalize the
protocol
entry of thecontext
object provided to a user-specifiedtrust
-function, so it could be a mix of lowercase and/or uppercase letters.It is generally better to allow-list by protocol, in which case this would normally not be an issue. But in some cases, you might want to block-list, and the KaTeX documentation even provides such an example:
Currently KaTeX internally sees
file:
andFile:
URLs as different protocols, socontext.protocol
can befile
orFile
, so the above check does not suffice. A simple workaround would be:Most URL parsers normalize the scheme to lowercase. For example, RFC3986 says:
CVE-2024-28245
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\includegraphics
that runs arbitrary JavaScript, or generate invalid HTML.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
trust
option, or set it to forbid\includegraphics
commands."\\includegraphics"
.Details
\includegraphics
did not properly quote its filename argument, allowing it to generate invalid or malicious HTML that runs scripts.For more information
If you have any questions or comments about this advisory:
CVE-2024-28243
Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using
\edef
that causes a near-infinite loop, despite settingmaxExpand
to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow.Patches
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
Workarounds
Forbid inputs containing the substring
"\\edef"
before passing them to KaTeX.(There is no easy workaround for the auto-render extension.)
Details
KaTeX supports an option named
maxExpand
which prevents infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. However, what counted as an "expansion" is a single macro expanding to any number of tokens. The expand-and-define TeX command\edef
can be used to build up an exponential number of tokens using only a linear number of expansions according to this definition, e.g. by repeatedly doubling the previous definition. This has been corrected in KaTeX v0.16.10, where every expanded token in an\edef
counts as an expansion.For more information
If you have any questions or comments about this advisory:
Release Notes
KaTeX/KaTeX (katex)
v0.16.10
Compare Source
Bug Fixes
v0.16.9
Compare Source
Features
v0.16.8
Compare Source
Features
v0.16.7
Compare Source
Bug Fixes
v0.16.6
Compare Source
Bug Fixes
\let
viamacros
option (#3738) (bdb0be2), closes #3737 #3737v0.16.5
Compare Source
Features
v0.16.4
Compare Source
Bug Fixes
v0.16.3
Compare Source
Bug Fixes
v0.16.2
Compare Source
Bug Fixes
v0.16.1
Compare Source
Bug Fixes
v0.16.0
Compare Source
Bug Fixes
BREAKING CHANGES
0.15.6 (2022-05-20)
Features
0.15.5 (2022-05-20)
Bug Fixes
0.15.4 (2022-05-20)
Features
0.15.3 (2022-03-13)
Bug Fixes
0.15.2 (2022-01-12)
Bug Fixes
0.15.1 (2021-10-31)
Features
v0.15.6
Compare Source
Features
v0.15.5
Compare Source
Bug Fixes
v0.15.4
Compare Source
Features
v0.15.3
Compare Source
Bug Fixes
v0.15.2
Compare Source
Bug Fixes
v0.15.1
Compare Source
Features
v0.15.0
Compare Source
Features
BREAKING CHANGES
\relax
is now implemented as a function. It'll stopexpansions and parsing, so the behavior around
\relax
may change.For example,
\kern2\relax em
will no longer work.0.14.1 (2021-10-30)
Bug Fixes
v0.14.1
Compare Source
Bug Fixes
v0.14.0
Compare Source
Features
BREAKING CHANGES
and ECMAScript modules,
import katex from 'katex';
will import theECMAScript module.
You can now use:
require('katex/dist/contrib/[name].js')
require('katex/contrib/[name]')
import katex from 'katex/dist/katex.mjs'
import katex from 'katex'
import 'katex/dist/contrib/[name].mjs'
import 'katex/contrib/[name]'
0.13.24 (2021-10-30)
Bug Fixes
0.13.23 (2021-10-30)
Bug Fixes
0.13.22 (2021-10-30)
Bug Fixes
0.13.21 (2021-10-29)
Bug Fixes
0.13.20 (2021-10-26)
Performance Improvements
0.13.19 (2021-10-26)
Features
0.13.18 (2021-09-02)
Features
0.13.17 (2021-09-01)
Bug Fixes
0.13.16 (2021-08-28)
Bug Fixes
0.13.15 (2021-08-28)
Features
0.13.14 (2021-08-28)
Bug Fixes
0.13.13 (2021-07-21)
Bug Fixes
0.13.12 (2021-07-21)
Bug Fixes
0.13.11 (2021-05-14)
Bug Fixes
Features
0.13.10 (2021-05-12)
Bug Fixes
0.13.9 (2021-05-07)
Bug Fixes
0.13.8 (2021-05-06)
Features
0.13.7 (2021-05-06)
Bug Fixes
0.13.6 (2021-05-06)
Bug Fixes
0.13.5 (2021-05-02)
Bug Fixes
0.13.4 (2021-05-02)
Bug Fixes
0.13.3 (2021-04-24)
Bug Fixes
0.13.2 (2021-04-06)
Bug Fixes
0.13.1 (2021-04-05)
Bug Fixes
[v0.13.0]
See https://github.com/KaTeX/KaTeX/issues/2490 for breaking changes and migration guide!
Bug Fixes
Features
allowedInArgument
instead ofgreediness
property (#2134)Documentation
Other Changes
dist
in the release commit (#2385)[v0.12.0]
Added
globalGroup
option to place definitions in global scope (#2091)\cal
(#2116){rcases}
and{drcases}
(#2149)strict
andtrust
setting. See https://katex.org/docs/options.html for more details. Please review its security implication before enabling the extension.\message
,\errmessage
, and\show
for debugging (#2135)\expandafter
,\noexpand
,\edef
,\let
, and\long
(#2122)\minuso
(#2213)Changed
mathtex-script
: Use html 'defer' attribute (#2069)auto-render
: do not touch text nodes w/o formulas (#2154)\mathnormal
instead of\mathcal
Removed
Fixed
border-collapse: collapse
in vlist, fix misalignment in table (#2103)\@​ifnextchar
consumes spaces (#2118)\boxed
inherited color (#2130)auto-render
: ignore "option" tags (#2180)\substack
(#2278)\boldsymbol
not italic for textords such as Greek (#2290, #2299)[v0.11.1]
Changed
Fixed
[v0.11.0]
Added
\href
and\url
will break without adjusting the trust settingChanged
Fixed
[v0.10.2]
Added
Changed
Fixed
Removed
[v0.10.1]
Added
Changed
Fixed
[v0.10.0]
Added
\(
(#1213)\\
in inline math (#1298)match-at
dependency, use RegExp for lexer (#1447)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.