Merge pull request #12 from linc-technologies/bugfix/HERO-10791-cves-everywhere-all-at-once-pt-4

HERO-10791: cves everywhere all at once pt 4

Author: KeesTucker

package.json

@@ -88,9 +88,11 @@
     "webpack-dev-server": "^4.11.0"
   },
   "resolutions": {
-    "cross-spawn": "7.0.5",
     "body-parser": "1.20.3",
     "braces": "3.0.3",
-    "tar": "^6.2.0"
+    "cross-spawn": "7.0.5",
+    "path-to-regexp": "^0.1.12",
+    "tar": "^6.2.0",
+    "ws": "^8.17.1"
   }
 }

patches/dompurify+3.0.5.patch patches/dompurify+3.2.4.patch

@@ -1,47 +1,50 @@
-diff --git a/node_modules/dompurify/dist/purify.es.js b/node_modules/dompurify/dist/purify.es.js
-index ee9246e..d297e22 100644
---- a/node_modules/dompurify/dist/purify.es.js
-+++ b/node_modules/dompurify/dist/purify.es.js
-@@ -1190,6 +1190,7 @@ function createDOMPurify() {
-         namespaceURI
+diff --git a/node_modules/dompurify/dist/purify.es.mjs b/node_modules/dompurify/dist/purify.es.mjs
+index 86186cf..710e443 100644
+--- a/node_modules/dompurify/dist/purify.es.mjs
++++ b/node_modules/dompurify/dist/purify.es.mjs
+@@ -1054,6 +1054,7 @@ function createDOMPurify() {
        } = attr;
-       value = name === 'value' ? attr.value : stringTrim(attr.value);
+       const lcName = transformCaseFunc(name);
+       let value = name === 'value' ? attrValue : stringTrim(attrValue);
 +      const initValue = value;
-       lcName = transformCaseFunc(name);
        /* Execute a hook if present */
- 
-@@ -1209,11 +1210,11 @@ function createDOMPurify() {
+       hookEvent.attrName = lcName;
+       hookEvent.attrValue = value;
+@@ -1080,9 +1081,10 @@ function createDOMPurify() {
+         continue;
+       }
        /* Remove attribute */
- 
- 
 -      _removeAttribute(name, currentNode);
++      /* (Removal deferred until after hook check) */
        /* Did the hooks approve of the attribute? */
- 
- 
        if (!hookEvent.keepAttr) {
 +        _removeAttribute(name, currentNode);
          continue;
        }
        /* Work around a security issue in jQuery 3.0 */
-@@ -1238,6 +1239,7 @@ function createDOMPurify() {
+@@ -1099,6 +1101,7 @@ function createDOMPurify() {
+       /* Is `value` valid for this attribute? */
        const lcTag = transformCaseFunc(currentNode.nodeName);
- 
        if (!_isValidAttribute(lcTag, lcName, value)) {
 +        _removeAttribute(name, currentNode);
          continue;
        }
-       /* Full DOM Clobbering protection via namespace isolation,
-@@ -1274,17 +1276,18 @@ function createDOMPurify() {
+       /* Handle attributes that require Trusted Types */
+@@ -1119,19 +1122,22 @@ function createDOMPurify() {
+         }
        }
        /* Handle invalid data-* attribute set by try-catching it */
- 
--
 -      try {
 -        if (namespaceURI) {
 -          currentNode.setAttributeNS(namespaceURI, name, value);
 -        } else {
 -          /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
 -          currentNode.setAttribute(name, value);
+-        }
+-        if (_isClobbered(currentNode)) {
+-          _forceRemove(currentNode);
+-        } else {
+-          arrayPop(DOMPurify.removed);
 +      if (value !== initValue) {
 +        try {
 +          if (namespaceURI) {
@@ -50,60 +53,65 @@ index ee9246e..d297e22 100644
 +            /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
 +            currentNode.setAttribute(name, value);
 +          }
++          if (_isClobbered(currentNode)) {
++            _forceRemove(currentNode);
++          } else {
++            arrayPop(DOMPurify.removed);
++          }
 +        } catch (_) {
-+          _removeAttribute(name, currentNode);
          }
--
--        arrayPop(DOMPurify.removed);
 -      } catch (_) {}
 +      }
      }
      /* Execute a hook if present */
- 
+     _executeHooks(hooks.afterSanitizeAttributes, currentNode, null);
 diff --git a/node_modules/dompurify/dist/purify.js b/node_modules/dompurify/dist/purify.js
-index ba807e1..c6512fc 100644
+index a03f326..d5d7424 100644
 --- a/node_modules/dompurify/dist/purify.js
 +++ b/node_modules/dompurify/dist/purify.js
-@@ -1196,6 +1196,7 @@
-           namespaceURI
+@@ -1060,6 +1060,7 @@
          } = attr;
-         value = name === 'value' ? attr.value : stringTrim(attr.value);
+         const lcName = transformCaseFunc(name);
+         let value = name === 'value' ? attrValue : stringTrim(attrValue);
 +        const initValue = value;
-         lcName = transformCaseFunc(name);
          /* Execute a hook if present */
- 
-@@ -1215,11 +1216,10 @@
+         hookEvent.attrName = lcName;
+         hookEvent.attrValue = value;
+@@ -1086,9 +1087,10 @@
+           continue;
+         }
          /* Remove attribute */
- 
- 
 -        _removeAttribute(name, currentNode);
++        /* (Initial removal deferred until after hook check) */
          /* Did the hooks approve of the attribute? */
- 
--
          if (!hookEvent.keepAttr) {
 +          _removeAttribute(name, currentNode);
            continue;
          }
          /* Work around a security issue in jQuery 3.0 */
-@@ -1244,6 +1244,7 @@
+@@ -1105,6 +1107,7 @@
+         /* Is `value` valid for this attribute? */
          const lcTag = transformCaseFunc(currentNode.nodeName);
- 
          if (!_isValidAttribute(lcTag, lcName, value)) {
 +          _removeAttribute(name, currentNode);
            continue;
          }
-         /* Full DOM Clobbering protection via namespace isolation,
-@@ -1280,17 +1281,18 @@
+         /* Handle attributes that require Trusted Types */
+@@ -1125,19 +1128,22 @@
+           }
          }
          /* Handle invalid data-* attribute set by try-catching it */
- 
--
 -        try {
 -          if (namespaceURI) {
 -            currentNode.setAttributeNS(namespaceURI, name, value);
 -          } else {
 -            /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
 -            currentNode.setAttribute(name, value);
+-          }
+-          if (_isClobbered(currentNode)) {
+-            _forceRemove(currentNode);
+-          } else {
+-            arrayPop(DOMPurify.removed);
 +        if (value !== initValue) {
 +          try {
 +            if (namespaceURI) {
@@ -112,13 +120,15 @@ index ba807e1..c6512fc 100644
 +              /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
 +              currentNode.setAttribute(name, value);
 +            }
++            if (_isClobbered(currentNode)) {
++              _forceRemove(currentNode);
++            } else {
++              arrayPop(DOMPurify.removed);
++            }
 +          } catch (_) {
-+            _removeAttribute(name, currentNode);
            }
--
--          arrayPop(DOMPurify.removed);
 -        } catch (_) {}
 +        }
        }
        /* Execute a hook if present */
- 
+       _executeHooks(hooks.afterSanitizeAttributes, currentNode, null);

yarn.lock

@@ -9916,10 +9916,10 @@ path-scurry@^1.10.1, path-scurry@^1.6.1:
     lru-cache "^9.1.1 || ^10.0.0"
     minipass "^5.0.0 || ^6.0.2 || ^7.0.0"
 
-[email protected]:
-  version "0.1.7"
-  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.7.tgz#df604178005f522f15eb4490e7247a1bfaa67f8c"
-  integrity sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==
+[email protected], path-to-regexp@^0.1.12:
+  version "0.1.12"
+  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.12.tgz#d5e1a12e478a976d432ef3c58d534b9923164bb7"
+  integrity sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==
 
 path-type@^1.0.0:
   version "1.1.0"
@@ -13126,15 +13126,10 @@ [email protected]:
     type-fest "^0.4.1"
     write-json-file "^3.2.0"
 
-[email protected]:
-  version "8.13.0"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-8.13.0.tgz#9a9fb92f93cf41512a0735c8f4dd09b8a1211cd0"
-  integrity sha512-x9vcZYTrFPC7aSIbj7sRCYo7L/Xb8Iy+pW0ng0wt2vCJv7M9HOMy0UoN3rr+IFC7hb7vXoqS+P9ktyLLLhO+LA==
-
-ws@^8.13.0, ws@^8.8.0:
-  version "8.16.0"
-  resolved "https://registry.yarnpkg.com/ws/-/ws-8.16.0.tgz#d1cd774f36fbc07165066a60e40323eab6446fd4"
-  integrity sha512-HS0c//TP7Ina87TfiPUz1rQzMhHrl/SG2guqRcTOIUYD2q8uhUdNHZYJUaQ8aTGPzCh+c6oawMKW35nFl1dxyQ==
+[email protected], ws@^8.13.0, ws@^8.17.1, ws@^8.8.0:
+  version "8.18.1"
+  resolved "https://registry.yarnpkg.com/ws/-/ws-8.18.1.tgz#ea131d3784e1dfdff91adb0a4a116b127515e3cb"
+  integrity sha512-RKW2aJZMXeMxVpnZ6bck+RswznaxmzdULiBr6KY7XkTnW8uvt0iT9H5DkHUChXrc+uurzwa0rVI16n/Xzjdz1w==
 
 xml-writer@^1.6.0, xml-writer@~1.7.0:
   version "1.7.0"