The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code.

Upstream Advisory: https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
Upstream Fix: https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c
Looks like grafana upstream has been bumped to prism v1.21.0 (2 days ago): https://github.com/grafana/grafana/commit/2cd9b9a7b94fb47a5e1bf308aee68cb4914ad529
External References: https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
I was looking into the compiled/minified sources of Grafana 6.3.6 (RHEL 8.2) (which uses prismjs 1.16.0 [1], which is affected by this bug [2]), but couldn't find the affected code:

[root@ci-vm-10-0-139-128 ~]# grep -REo 'marker-start....' /usr/share/grafana/
/usr/share/grafana/public/build/vendor.69fae754221074f118fc.js:marker-start,mar
/usr/share/grafana/public/build/vendor.69fae754221074f118fc.js:marker-start ove
/usr/share/grafana/public/build/vendor.69fae754221074f118fc.js:marker-start ove
/usr/share/grafana/public/build/vendor.69fae754221074f118fc.js.map:marker-start,mar
/usr/share/grafana/public/build/vendor.69fae754221074f118fc.js.map:marker-start ove
/usr/share/grafana/public/build/vendor.69fae754221074f118fc.js.map:marker-start ove

marker-start is an HTML tag, so - afaics - it shouldn't be affected by minification. Or am I overlooking something here?

I also couldn't find it in Grafana 6.2.2 (RHEL 8.1) and 6.7.4 (RHEL 8.3).

[1] https://github.com/grafana/grafana/blob/v6.3.6/package.json#L211
[2] https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
@agerstmayr, what exactly are you looking for with marker-start? Or is that just an example?

Also curious as to why you're using the build and not the source? It's hard when it's compiled/minified as it depends on what tools are being used and how aggressive it is. But searching for 'prismjs' will certainly locate multiple areas where it's being used that match a general grep for prismjs in the source.

Based off the documentation here: https://prismjs.com/plugins/previewers/
We can also see that one way to call this is through CSS, through something like:

SCSS:
$easing: linear;

or CSS:
transition-timing-function: ease;

So we can search for references for that too in the minified version, but it's not the easiest thing to follow. But looking for transition-timing-function:ease we can at least see it being included here: public/build/grafana.light.e402a76d33a475eefbc0.css

I hope that somewhat helps?
(In reply to Mark Cooper from comment #6)
> @agerstmayr, what exactly are you looking for with marker-start? Or is that
> just an example?

I was looking after marker-start because the problematic code is near this string. And because it's an HTML attribute, this string shouldn't be minified imho. Looking at the patch at https://github.com/PrismJS/prism/pull/2506/commits/7bd7de05edf71112a3a77f87901a2409c9c5c20c, the "marker-start" string is also contained in the minified sources (prism-previewers.min.js).

> Also curious as to why you're using the build and not the
> source?

It looks like this file of prism isn't included in the compiled Grafana bundle (which gets executed in the browser), because this part of the prism library isn't used in Grafana, and therefore Grafana isn't affected. That's my impression based on looking at the build, which I wanted to double-check with you.

> It's hard when it's compiled/minified as it depends on what tools are being used
> and how aggressive it is.

+1

> But searching for 'prismjs' will certainly locate multiple areas where it's
> being used that match a general grep for prismjs in the source.
>
> Based off the documentation here:
> https://prismjs.com/plugins/previewers/
> We can also see that one way to call this is through CSS, through something
> like:
> SCSS:
> $easing: linear;
> or CSS:
> transition-timing-function: ease;
>
> So we can search for references for that too in the minified version, but
> it's not the easiest thing to follow. But looking for
> transition-timing-function:ease we can at least see it being included
> here: public/build/grafana.light.e402a76d33a475eefbc0.css
>
> I hope that somewhat helps?

Yep, but the affected code is in the JS source, which I couldn't find in the compiled bundle for Grafana, which will run in the browser.
transition-timing-function is a regular CSS property (https://developer.mozilla.org/en-US/docs/Web/CSS/transition-timing-function); its presence doesn't mandate use of PrismJS. Of course this bug should be fixed (maybe future versions will use this functionality), my point is that it looks to me that this functionality isn't used in the current versions of Grafana, which I wanted to double-check.
(In reply to Andreas Gerstmayr from comment #7)
> it looks to me that this functionality isn't used in the current versions of Grafana

At least those in RHEL which I checked, Grafana 6.2.2, 6.3.6 and 6.7.4.
Ah I see what you mean now and what you're trying to do. OK, let's take a step back.

Querying yarn list --prod and doing a basic grep, it looks like prismjs in some form is being used. The doco on Previewers isn't exactly clear: load it globally and include a bit of CSS, but as you said that may not be a definite indication that it's being used. That's what I was going off. So the real question is, "if" the plugin isn't being used or isn't being loaded correctly, does it get included? I'm also curious because I didn't consider the actual webpack output as well and how much of an effect that has as well - mainly just the source.

AND I think with your help we found the answer and I suspect you're right. This issue here I think points to what's going on: https://github.com/PrismJS/prism/issues/1487

When used with webpack it looks like you have to specify the plugin to load as well. Something like the following in the .babelrc (unclear if you need https://www.npmjs.com/package/babel-plugin-prismjs installed as well):

{
  "plugins": [
    ["prismjs", {
      "languages": ["clike", "javascript", "typescript", "java", "c", "cpp", "python", "ruby", "markup", "markup-templating", "php", "go", "csharp", "css", "markdown", "sql", "json"],
      "plugins": ["line-numbers"]
    }]
  ]
}

If you don't, then I don't think it actually gets included. There seems to be a lot of queries around loading of plugins and webpack for prismjs. So we can try and prove this, i.e. get the plugin to load or reference it directly then see, but I think the evidence here might be strong enough?

> Of course this bug should be fixed (maybe future versions will use this functionality), my point is that it looks to me that this functionality isn't used in the current versions of Grafana, which I wanted to double-check.

Credit where credit's due. I think you're right. What do you think @amctagga? I don't think grafana is actually affected.
@Mark. I agree with what we discussed in our call. It doesn't seem to actually use the plugin, and based on the attempt to load the plugin failing, it seems it isn't supported. I'm going to mark not affected based on our call. Although Prism is shipped, the affected code is never loaded. Want to confirm you think it should be not affected, and not "affected, but not impacted" before I send out for peer review.
I can finally confirm too. In the current state/build for grafana (I'm using 6.4.3 here), we can't find any evidence of prism-previewer-easing-marker. Even doing a manual build:

$ grep -Ro prism-previewer-easing-marker public/build/
$

Adding the following to packages/grafana-ui/src/slate-plugins/slate-prism/index.ts:

import 'prismjs/plugins/previewers/prism-previewers.min.js'

Then rebuilding:

make clean && yarn install && make build-js

We can now see it's being included in the webpack:

$ grep -Ro prism-previewer-easing-marker public/build/
public/build/vendors~app.7db74fe8c44d9e8b7106.js.map:prism-previewer-easing-marker
...
public/build/vendors~app.7db74fe8c44d9e8b7106.js:prism-previewer-easing-marker
...

I figured looking for "prism-previewer-easing-marker" might be a stronger unique indicator here. There might be other ways as well of including the plugin, but this is enough evidence to at least know that it's not being compiled in and to finish out this bug. Thanks again @agerstmayr!
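The bundle check worked out in the comments above (scan the webpack output for a string unique to the Previewers plugin rather than the generic "marker-start", which also matches unrelated SVG code), written up as an added example that is not code from the bug report, Grafana or PrismJS; the marker strings come from the thread, the build directory contents are constructed sample data.

```python
"""Added example (not from the bug report, Grafana or PrismJS): decide whether a
dependency module was bundled by scanning webpack output for marker strings."""
import tempfile
from pathlib import Path

# Strong indicator: CSS class unique to the Previewers plugin (present in the upstream fix).
STRONG_MARKERS = ("prism-previewer-easing-marker",)
# Weak indicator: "marker-start" also occurs in unrelated SVG attribute lists, so a
# hit on it alone does not prove the plugin is in the bundle (the thread's false positive).
WEAK_MARKERS = ("marker-start",)
BUNDLE_SUFFIXES = (".js", ".map", ".css")  # only files that actually ship to the browser

def scan_build(build_dir):
    """Return {'strong': {marker: [files]}, 'weak': {marker: [files]}} for build_dir."""
    hits = {"strong": {}, "weak": {}}
    for path in sorted(Path(build_dir).rglob("*")):
        if not path.is_file() or path.suffix not in BUNDLE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for kind, markers in (("strong", STRONG_MARKERS), ("weak", WEAK_MARKERS)):
            for marker in markers:
                if marker in text:
                    hits[kind].setdefault(marker, []).append(path.name)
    return hits

def verdict(hits):
    """'bundled' on a plugin-specific hit; 'inconclusive' (manual review needed) on
    generic hits only; 'not-bundled' when nothing matches."""
    if hits["strong"]:
        return "bundled"
    if hits["weak"]:
        return "inconclusive"
    return "not-bundled"

def make_fixture(include_plugin):
    """Constructed sample build directory mimicking what the thread observed."""
    root = Path(tempfile.mkdtemp(prefix="build-"))
    # Minified vendor bundle with an SVG attribute list: has "marker-start" but no PrismJS plugin.
    vendor = 'var a=["marker-start","marker-mid","marker-end"];'
    if include_plugin:  # what the bundle gains once the plugin is imported and rebuilt
        vendor += 'r.className="prism-previewer-easing-marker";'
    (root / "vendor.js").write_text(vendor, encoding="utf-8")
    # Plain CSS: transition-timing-function is an ordinary property, not evidence of PrismJS.
    (root / "grafana.light.css").write_text("a{transition-timing-function:ease}", encoding="utf-8")
    # Not a bundle file, so it must be ignored even though it contains the strong marker.
    (root / "notes.txt").write_text("prism-previewer-easing-marker", encoding="utf-8")
    return root
```

Run `verdict(scan_build("public/build"))` against a real build directory; an "inconclusive" result is the cue to grep for the plugin-specific string by hand, as the thread did.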
Statement: While the grafana containers in OpenShift and ServiceMesh contain the prismjs plugin, they don't package the vulnerable previewer plugin and hence are not affected. The grafana containers in Ceph 3 contain the prismjs plugin, but do not package the vulnerable previewer plugin and are not affected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15138