Merge branch 'release/8.11.4'
knsv committed Aug 5, 2021
2 parents af7f5d0 + e8fc810 commit a670b67
Showing 14 changed files with 264 additions and 62 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/release-preview-publish.yml
Expand Up @@ -25,7 +25,7 @@ jobs:

- name: Publish
run: |
PREVIEW_VERSION=2
PREVIEW_VERSION=8
VERSION=$(echo ${{github.ref}} | tail -c +20)-preview.$PREVIEW_VERSION
echo $VERSION
npm version --no-git-tag-version --allow-same-version $VERSION
6 changes: 2 additions & 4 deletions cypress/platform/knsv.html
Expand Up @@ -57,14 +57,12 @@
end
</div>
<div class="mermaid" style="width: 100%; height: 20%;">
%%{init: { '__proto__': {'vuln': 'test'}} }%%
%%{init: { '__proto__': {'vuln': 'test'}} }%%

%%{init: { "apa":"b", "theme":"forest"}}%%
sequenceDiagram
Alice->>Bob: Hi Bob
Bob->>Alice: Hi Alice
</div>
<div class="mermaid">
<div class="mermaid2">
%%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
%%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
graph LR
7 changes: 7 additions & 0 deletions cypress/platform/xss2.html
Expand Up @@ -44,6 +44,13 @@
graph LR
A --> B
</div>
<div class="mermaid">
%%{init: { 'prototype': {'__proto__': {'polluted': 'test'}}} }%%
%%{init: { 'prototype': {'__proto__': {'polluted': 'test'}}} }%%
sequenceDiagram
Alice->>Bob: Hi Bob
Bob->>Alice: Hi Alice
</div>
<script src="./mermaid.js"></script>
<script>
mermaid.initialize({
109 changes: 91 additions & 18 deletions dist/mermaid.core.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/mermaid.core.js.map

Large diffs are not rendered by default.

109 changes: 91 additions & 18 deletions dist/mermaid.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/mermaid.js.map

Large diffs are not rendered by default.

10 changes: 5 additions & 5 deletions dist/mermaid.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/mermaid.min.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "mermaid",
"version": "8.11.3",
"version": "8.11.4",
"description": "Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.",
"main": "dist/mermaid.core.js",
"keywords": [
11 changes: 11 additions & 0 deletions src/defaultConfig.js
Expand Up @@ -1142,4 +1142,15 @@ top of the chart
config.class.arrowMarkerAbsolute = config.arrowMarkerAbsolute;
config.git.arrowMarkerAbsolute = config.arrowMarkerAbsolute;

const keyify = (obj, prefix = '') =>
Object.keys(obj).reduce((res, el) => {
if (Array.isArray(obj[el])) {
return res;
} else if (typeof obj[el] === 'object' && obj[el] !== null) {
return [...res, prefix + el, ...keyify(obj[el], '')];
}
return [...res, prefix + el];
}, []);

export const configKeys = keyify(config, '');
export default config;
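Review bot: The recursive call in `return [...res, prefix + el, ...keyify(obj[el], '')];` passes an empty prefix, so `configKeys` is a flat, path-insensitive list of every key name at any depth, and the `Array.isArray` branch returns `res` without recording `el`, so an option whose default value is an array can never pass the allow list that utils.js builds from this export. If such array-valued options exist in `config` (not visible here), change that branch to `return [...res, prefix + el];`. Since `prefix` is always `''`, either drop the parameter or pass `prefix + el + '.'` into the recursion if path-qualified keys are intended. A short JSDoc on `keyify` and `configKeys` stating that the list is flat and is consumed as the directive allow list would help the next reader.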
4 changes: 2 additions & 2 deletions src/diagrams/sequence/sequenceDiagram.spec.js
Expand Up @@ -1348,7 +1348,7 @@ Bob->>Alice: Fine!`;
});
it('it should draw two actors, notes to the left with text wrapped and the init directive sets the theme to dark and fontFamily to Menlo, fontSize to 18, and fontWeight to 800', function() {
const str = `
%%{init: { "theme": "dark", 'config': { "fontFamily": "Menlo", "fontSize": 18, "fontWeight": 400, "wrap": true }}}%%
%%{init: { "theme": "dark", 'config': { "fontFamily": "Menlo", "fontSize": 18, "messageFontWeight": 400, "wrap": true }}}%%
sequenceDiagram
Alice->>Bob: Hello Bob, how are you? If you are not available right now, I can leave you a message. Please get back to me as soon as you can!
Note left of Alice: Bob thinks
Expand All @@ -1364,7 +1364,7 @@ Bob->>Alice: Fine!`;
expect(mermaid.theme).toBe('dark');
expect(mermaid.sequence.fontFamily).toBe('Menlo');
expect(mermaid.sequence.fontSize).toBe(18);
expect(mermaid.sequence.fontWeight).toBe(400);
expect(mermaid.sequence.messageFontWeight).toBe(400);
expect(msgs.every(v => v.wrap)).toBe(true);

expect(bounds.stopx).toBe(conf.width * 2 + conf.actorMargin);
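Review bot: Renaming `fontWeight` to `messageFontWeight` in the directive and the expectation makes the test pass only because `fontWeight` is not in `configKeys` and is now stripped silently by `directiveSanitizer`; that stripping is not asserted anywhere in this file. Consider a companion test that passes an init directive containing an unknown key and a `__proto__` key and asserts that neither reaches the resulting config. The `it` block starts and ends outside the two hunks.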
7 changes: 5 additions & 2 deletions src/mermaidAPI.js
Expand Up @@ -54,6 +54,7 @@ import journeyDb from './diagrams/user-journey/journeyDb';
import journeyRenderer from './diagrams/user-journey/journeyRenderer';
import journeyParser from './diagrams/user-journey/parser/journey';
import errorRenderer from './errorRenderer';

// import * as configApi from './config';
// // , {
// // setConfig,
Expand All @@ -66,7 +67,7 @@ import errorRenderer from './errorRenderer';
import { log, setLogLevel } from './logger';
import getStyles from './styles';
import theme from './themes';
import utils, { assignWithDepth } from './utils';
import utils, { directiveSanitizer, assignWithDepth } from './utils';

function parse(text) {
const cnf = configApi.getConfig();
Expand Down Expand Up @@ -537,7 +538,9 @@ const handleDirective = function (p, directive, type) {
delete directive.args[prop];
}
});

log.debug('sanitize in handleDirective', directive.args);
directiveSanitizer(directive.args);
log.debug('sanitize in handleDirective (done)', directive.args);
reinitialize(directive.args);
configApi.addDirective(directive.args);
break;
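Review bot: The two `log.debug` calls around `directiveSanitizer(directive.args);` pass the same object reference, so a console that renders objects lazily shows the already-sanitized state for both; if the before/after comparison is the intent, log a snapshot in the first call, e.g. `log.debug('sanitize in handleDirective', JSON.stringify(directive.args));`. The pre-existing loop just above, whose condition is outside the hunk, already does `delete directive.args[prop];` and appears to overlap with the sanitizer's `__` check, so one of the two could probably be dropped. `handleDirective` starts and ends outside the hunk.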
53 changes: 45 additions & 8 deletions src/utils.js
Expand Up @@ -14,6 +14,7 @@ import {
select,
} from 'd3';
import common from './diagrams/common/common';
import { configKeys } from './defaultConfig';
import { log } from './logger';

// Effectively an enum of the supported curve types, accessible by name
Expand Down Expand Up @@ -69,16 +70,11 @@ const anyComment = /\s*%%.*\n/gm;
export const detectInit = function (text, cnf) {
let inits = detectDirective(text, /(?:init\b)|(?:initialize\b)/);
let results = {};

if (Array.isArray(inits)) {
let args = inits.map((init) => init.args);
Object.keys(args).forEach((argKey) => {
Object.keys(args[argKey]).forEach((key) => {
if (key.indexOf('__') === 0) {
log.debug('sanitize deleting prototype option', args[key]);
delete args[argKey][key];
}
});
});
directiveSanitizer(args);

results = assignWithDepth(results, [...args]);
} else {
results = inits.args;
Expand All @@ -95,6 +91,8 @@ export const detectInit = function (text, cnf) {
}
});
}

// Todo: refactor this, these results are never used
return results;
};

Expand Down Expand Up @@ -821,6 +819,44 @@ export const entityDecode = function (html) {
return unescape(decoder.textContent);
};

export const directiveSanitizer = (args) => {
log.debug('directiveSanitizer called with', args);
if (typeof args === 'object') {
// check for array
if (args.length) {
args.forEach((arg) => directiveSanitizer(arg));
} else {
// This is an object
Object.keys(args).forEach((key) => {
log.debug('Checking key', key);
if (key.indexOf('__') === 0) {
log.debug('sanitize deleting __ option', key);
delete args[key];
}

if (key.indexOf('proto') >= 0) {
log.debug('sanitize deleting proto option', key);
delete args[key];
}

if (key.indexOf('constr') >= 0) {
log.debug('sanitize deleting constr option', key);
delete args[key];
}
if (configKeys.indexOf(key) < 0) {
log.debug('sanitize deleting option', key);
delete args[key];
} else {
if (typeof args[key] === 'object') {
log.debug('sanitize deleting object', key);
directiveSanitizer(args[key]);
}
}
});
}
}
};

export default {
assignWithDepth,
wrapLabel,
Expand All @@ -845,4 +881,5 @@ export default {
runFunc,
entityDecode,
initIdGeneratior,
directiveSanitizer,
};
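Review bot: `directiveSanitizer` throws on `null`, because `typeof null === 'object'` passes the guard `if (typeof args === 'object') {` and the next line dereferences `args.length`; the recursive call at `directiveSanitizer(args[key]);` is reached for any directive value that is `null` (e.g. `{ "theme": null }`), which turns a malformed directive into an uncaught TypeError. Detecting arrays via `args.length` also misclassifies an object whose only key is `length` (`forEach` is then not a function) and routes empty arrays through the object branch. Change the three checks to `if (typeof args === 'object' && args !== null) {`, `if (Array.isArray(args)) {` and `if (typeof args[key] === 'object' && args[key] !== null) {`. A JSDoc should also state that the function mutates `args` in place and that, since `configKeys` is a flat list, the allow list accepts any known key name at any nesting depth, while the `proto`/`constr` substring checks would also strip a legitimate option containing those substrings if one exists. In `detectInit` the `else` branch `results = inits.args;` is not sanitized, which is harmless only as long as the Todo comment's claim that `results` are never used holds.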
