Skip to content

[Security] Bump pymdown-extensions from 9.11 to 10.0

HIFIS Bot requested to merge dependabot-pip-pymdown-extensions-10.0 into master

Bumps pymdown-extensions from 9.11 to 10.0. This update includes a security fix.

Vulnerabilities fixed

Any file can be included with the pymdowm-snippets extension

Summary

Arbitrary file read when using include file syntax.

Details

By using the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd".

Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal. The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py.

base = "docs"
path = "/etc/passwd"
filename = os.path.join(base,path) # Filename is now /etc/passwd

PoC

</tr></table> 

... (truncated)

Patched versions: 10.0 Affected versions: >= 1.5, < 10.0

Release notes

Sourced from pymdown-extensions's releases.

10.0

  • Break: Snippets: snippets will restrict snippets to ensure they are under the base_path preventing snippets relative to the base_path but not explicitly under it. restrict_base_path can be set to False for legacy behavior.
Commits

Merge request reports

Loading