
chore(deps): update dependency pymdown-extensions to v10 [security] #179

Open
wants to merge 1 commit into
base: master

Conversation

renovate[bot]

@renovate renovate bot commented May 31, 2023

This PR contains the following updates:

Package: pymdown-extensions
Change: ==7.1 -> ==10.0

GitHub Vulnerability Alerts

CVE-2023-32309

Summary

Arbitrary file read when using include file syntax.

Details

By using the syntax --8<-- "/etc/passwd" or --8<-- "/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd".

Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal.
The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py.

import os

base = "docs"
path = "/etc/passwd"
filename = os.path.join(base, path)  # os.path.join discards base when path is absolute: filename is now /etc/passwd

PoC

import markdown

payload = "--8<-- \"/etc/passwd\""
html = markdown.markdown(payload, extensions=['pymdownx.snippets'])

print(html)

Impact

Any readable file on the host where the plugin is executing may have its content exposed. This can impact any use of Snippets that exposes the use of Snippets to external users.

It is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed.

Suggestion

Specified snippets should be restricted to the configured, specified base paths as a safe default. Allowing relative or absolute paths that escape the specified base paths would need to be behind a feature switch that must be opt-in and would be at the developer's own risk.
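As an added illustration of this suggestion (example code, not pymdown-extensions' own implementation), the resolver below keeps a snippet reference inside its configured base paths unless restrict_base_path is explicitly disabled; the base path and snippet names are constructed, and legacy_snippet_path reproduces the join the advisory describes for comparison:

```python
import os
from typing import Optional, Sequence

# Added example, not pymdown-extensions' own code. It implements the advisory's
# suggestion: a snippet must resolve to a location under one of the configured
# base paths unless the caller explicitly opts into the legacy behaviour.


def legacy_snippet_path(base: str, snippet: str) -> str:
    """The join the advisory describes: an absolute `snippet` discards `base`."""
    return os.path.join(base, snippet)


def resolve_snippet_path(
    base_paths: Sequence[str], snippet: str, restrict_base_path: bool = True
) -> Optional[str]:
    """Return the normalized path for `snippet` under the first base path that
    contains it, or None when every base path would be escaped."""
    for base in base_paths:
        base_abs = os.path.abspath(base)
        # normpath collapses "..", so "/etc/passwd" and "../../../../etc/passwd"
        # become the same absolute candidate before the containment check.
        candidate = os.path.normpath(os.path.join(base_abs, snippet))
        if restrict_base_path:
            try:
                # commonpath (not a string prefix test) also rejects "docsx/evil.md"
                inside = os.path.commonpath([base_abs, candidate]) == base_abs
            except ValueError:  # e.g. paths on different Windows drives
                inside = False
            if not inside:
                continue  # try the next base path, as with a missing file
        return candidate
    return None


if __name__ == "__main__":
    docs = "/srv/site/docs"  # constructed base path
    for ref in ("intro.md", "/etc/passwd", "../../../../etc/passwd"):
        print(f"{ref!r:>28} legacy={legacy_snippet_path(docs, ref)!r} "
              f"restricted={resolve_snippet_path([docs], ref)!r}")
```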


Release Notes

facelessuser/pymdown-extensions (pymdown-extensions)

v10.0

Compare Source

10.0

  • Break: Snippets: snippets will restrict snippets to ensure they are under the base_path preventing snippets
    relative to the base_path but not explicitly under it. restrict_base_path can be set to False for legacy
    behavior.

v9.11

Compare Source

9.11

  • NEW: Emoji: Update to new CDN and use Twemoji 14.1.2.
  • NEW: Snippets: Ignore nested snippet section syntax when including a section.

v9.10

Compare Source

9.10
  • NEW: Blocks: Add new experimental general purpose blocks that provide a framework for creating fenced block
    containers for specialized parsing. A number of extensions utilizing general purpose blocks are included and are meant
    to be an alternative to (and maybe one day replace): Admonitions, Details, Definition Lists, and Tabbed. Also adds a
    new HTML plugin for quick wrapping of content with arbitrary HTML elements.
  • NEW: Highlight: When enabling line spans and/or line anchors, if a code block has an ID associated with it, line
    ids will be generated using that code ID instead of the code block count.
  • NEW: Snippets: Expand section syntax to allow section names with - and _.
  • NEW: Snippets: When check_paths is enabled, and a specified section is not found, raise an error.
  • NEW: Snippets: Add new experimental feature dedent_sections that will de-indent (remove any common leading
    whitespace from every line in text) from that block of text.
  • NEW: MagicLink: Update GitLab links to match recent changes and to be more correct.
  • NEW: MagicLink: Relax required hash length when performing link shortening.

v9.9.2

Compare Source

9.9.2
  • FIX: Snippets syntax can break in XML comments as XML comments do not allow --. Relax Snippets syntax such that
    -8<- (single -) are allowed.

v9.9.1

Compare Source

9.9.1
  • FIX: Use a different CDN for Twemoji icons as MaxCDN is no longer available.

v9.9

Compare Source

9.9
  • ENHANCE: BetterEm: Further improvements to strong/emphasis handling:
    • Ensure that one or more consecutive * or _ surrounded by whitespace are not considered as a token.
  • ENHANCE: Caret: Apply recent BetterEm improvements to Caret:
    • Fix case where ^^ nested between ^ would be handled in an unexpected way.
    • Ensure that one or more consecutive ^ surrounded by whitespace are not considered as a token.
  • ENHANCE: Tilde: Apply recent BetterEm improvements to Tilde:
    • Fix case where ~~ nested between ~ would be handled in an unexpected way.
    • Ensure that one or more consecutive ~ surrounded by whitespace are not considered a token.
  • ENHANCE: Mark: Apply recent BetterEm improvements to Mark:
    • Ensure that one or more consecutive = surrounded by whitespace are not considered a token.

v9.8

Compare Source

9.8
  • NEW: Formally declare support for Python 3.11.
  • FIX: BetterEm: Fix case where ** nested between * would be handled in an unexpected way.

v9.7

Compare Source

9.7
  • NEW: Tabbed: Add new syntax to allow forcing a specific tab to be selected by default.
  • NEW: Snippets: Add a new option to pass arbitrary HTTP headers.
  • NEW: Snippets: Allow specifying sections in a snippet and including just the specified section.

v9.6

Compare Source

9.6
  • NEW: Highlight: Allow greater granularity of specifying where language guessing takes place via guess_lang
    option (e.g. block vs inline).
  • NEW: Tabbed: Add options for generating tab IDs from tab titles.
  • NEW: Snippets: Add support for specifying specific lines for Snippets.
  • NEW: Snippets: Commenting out files in block format no longer requires a space directly after ;.
  • NEW: Snippets: A new sane way to escape snippets is now available.

v9.5

Compare Source

9.5

  • NEW: InlineHilite: Custom inline code block formatters can now be forced to raise an exception by raising a
    InlineHiliteException.
  • NEW: Snippets: Add new options to handle importing snippets from URL.
  • NEW: Snippets: Snippets will only swallow missing file errors (unless check_paths is enabled), all other errors
    will be propagated up.
  • NEW: Snippets: When a file or URL is missing, raise SnippetMissingError instead of IOError.
  • FIX: Snippets: Small issues related to recursive inclusion of snippets.

v9.4

Compare Source

9.4

  • NEW: Highlight: Changes in order to support Pygments 2.12+. If using Pygments and a version less than 2.12 is
    installed, Highlight will raise an exception.

v9.3

Compare Source

9.3

  • NEW: B64: Allow SVG to be encoded and inlined.
  • NEW: PathConverter: Add option to use file:// prefix on absolute paths.
  • FIX: Highlight: Ensure that extend_pygments_lang is not case sensitive regarding language names.

v9.2

Compare Source

9.2

  • NEW: Drop Python 3.6 support and formally add Python 3.10 support.
  • NEW: Highlight: Add pygments_lang_option to enable attaching language classes to Pygments code blocks.
  • NEW: SuperFences: Custom fence validators and formatters can now be forced to raise an exception by raising a
    SuperFencesException.
  • NEW: Keys: Add power and fingerprint keys.
  • FIX: SuperFences: Fix case where custom fence in a blockquote was not gracefully handled.
  • FIX: Arithmatex: fix issue where if you limit the inline or block syntax to specific input types, access to
    certain matched groups could cause an error.

v9.1

Compare Source

9.1

  • NEW: Highlight: If linenums is enabled globally via the highlight extension, and a code block specifies a line
    number of zero (e.g. SuperFences), disable line numbers for that code block.
  • FIX: Snippets: Add missing documentation for auto_append feature that was added in 8.2.
  • FIX: Highlight: When attr_list is enabled, attributes were not properly added to Pygments code blocks in the
    table format. (#1505)

v9.0

Compare Source

9.0

Please see Migration Notes for details on upgrading to 9.0.

  • NEW: Arithmatex: Wrap MathJax "script" format (non-preview) with a container element just like all other
    Arithmatex output formats.
  • NEW: Arithmatex: MathJax (non-generic) form's container element now has the arithmatex class added just like
    everywhere else.
  • NEW: Arithmatex: Add options to override HTML element container type of inline and block math.
  • NEW: Arithmatex: Add new formatter functions intended to replace old math fenced/inline block formatters. New
    formatter functions are configurable. All others are marked as deprecated and will be removed at some future date.
  • NEW: Emoji: Upgraded Twitter emoji database to support latest emoji. It is a known issue that Twitter has
    :man_in_santa_hat: and :mx_claus: backwards -- same for :mrs_claus: and :woman_in_santa_hat:. That is on
    Twitter's side, not ours.
  • NEW: Highlight: Add support for the Pygments option linespans.
  • NEW: Highlight: Add support for Pygments option lineanchors.
  • NEW: Highlight: Add support for Pygments option anchorlinenos.
  • NEW: Highlight: Remove legacy_no_wrap_code option.
  • NEW: Add support for generating title headers pulled from the Pygments lexer for code blocks. Feature can be
    enabled via the new auto_title option. If a specific name is not preferred, these names can be overridden via
    a user defined mapping called auto_title_map.
  • NEW: SuperFences: Allow setting a title, or overriding an auto title via the new title option in a fenced code
    header.
  • NEW: SuperFences: Allow adding ID and arbitrary data- attributes on Pygments code blocks. The latter requires
    the attr_list extension to be enabled.
  • NEW: SuperFences: Removed old deprecated option highlight_code which no longer did anything.
  • NEW: SuperFences: Remove legacy code meant to help with transitioning to new custom fence function format.
  • NEW: Tabbed: New alternate style that allows for a scrollable tabs if they overflow. Feature is experimental, see
    docs for more information.
  • NEW: Slugs: Add new configurable slugify function that aims to replace all other slugify methods. Deprecate
    uslugify, uslugify_encoded, uslugify_case, uslugify_case_encoded, gfm, and gfm_encoded. slugify takes
    parameters returning a function that performs the desired slug handling. slugify adds new options case="fold" for
    case folding and normalize='<normalize format here>' (uses NFC by default).
  • FIX: BetterEm: Fix some complex cases related to "smart" logic. (#1413)
  • FIX: EscapeAll: Fix issue where an escaped HTML entity may end up with incorrect slug and incorrect table of
    content entry.
  • FIX: Highlight: Fix issue that occurs when showing only nth line numbers and using pymdownx-inline. Lines not
    showing a line number would not render with the proper leading space.

v8.2

Compare Source

8.2

  • NEW: Snippets: now accepts a list of base paths which will be resolved in the order they are specified.
    Compatibility is present with legacy behavior, and a single string path will still be accepted.
  • NEW: Snippets: allow for specifying certain snippets to auto-append to every file. Useful for appending
    abbreviations, reference links, etc.
  • NEW: Snippets: a snippet base path can be a full path to a file. When a base path is a full path to a file, only
    that file will be included from the specified folder. This allows for targeting a one off file outside of the normal
    snippet path(s).
  • NEW: MagicLink: add GitHub Discussions support to MagicLink. Can now use ?<num> to link discussions. Full
    discussion links will also be shortened if shortening is enabled. (#1187)
  • NEW: MagicLink: add new normalize_issue_symbols option to make issues, pull request, and discussion links all
    render with # instead of #, !, and ? respectively. Input syntax is still the same. Great if you want a GitHub
    style look where all issue types are just rendered with #.
  • FIX: MagicLink: documentation will not render links with special icons added via CSS so as not to confuse users
    that may think that is part of MagicLink. While possible with CSS, MagicLink provides no CSS automatically.
  • FIX: Tabbed & Details: Fix corner case with lists. (#1225)
  • FIX: Fix issue with unescaping logic in code blocks.

v8.1.1

Compare Source

8.1.1

  • FIX: Ensure content immediately before Details content or Tabbed content gets preserved.
  • FIX: StripHTML: Fix some corner cases related to stripping comments.

v8.1

Compare Source

8.1

  • NEW: Drop support for Python 3.5.
  • NEW: Officially support Python 3.9.
  • NEW: Tabbed titles can now have simple Markdown in them which can be parsed and rendered (like emoji, bold, etc.).
  • FIX: Avoid parsing script tags in PathConverter and B64 extensions.

v8.0.1

Compare Source

8.0.1

  • FIX: Fix issue with pymdownx-inline and Pygments 2.7+.

v8.0

Compare Source

8.0

Please see Release Notes for details on upgrading to 8.0.

  • NEW: Added SaneHeaders extension.
  • NEW: SuperFences & InlineHilite: gracefully handle failing custom formatters and/or validators. Users should add their own debug code to their formatter/validator if they suspect it isn't working.
  • NEW: SuperFences: if a custom fence validator fails, try the next custom fence until all are exhausted.
  • NEW: SuperFences: no longer allow custom options in the form key= (no value). Only keys with values or keys with no value and no = are accepted. Keys with no value will now assume the value to be the key name.
  • NEW: SuperFences: if attr_list extension is enabled, fenced code that use brace attribute list style headers ( ```{lang #id .class attr=value}) will attach arbitrary attributes that are included in the header to the code element.
  • NEW: SuperFences: when Pygments is disabled, options (such as linenums) included in fenced code headers no longer do anything. If attr_list is enabled, and the brace header is used, such options will be treated as HTML attributes. JavaScript highlighter options should be defined in the brace header form with attr_list enabled in order to generate appropriate, compatible HTML with the chosen JavaScript highlighter.
  • NEW: SuperFences: backwards incompatible changes were made to the custom fence API. See Release Notes for instructions on how to migrate to the new API. Some temporary support for most of the old format is in place, but is deprecated.
  • NEW: SuperFences: has removed legacy code tab feature. Associated legacy_tab_classes option has been removed. Please use the Tabbed extension to create general purpose tabs for code blocks or other content.
  • NEW: Highlight: add new option language_prefix which controls the prefix applied to language classes when Pygments is not being used.
  • NEW: Highlight: A new option called code_attr_on_pre was added to the Highlight extension and controls whether language classes, and any ids, attributes, and classes that are defined in fenced code attribute list style headers, are attached to the code element or pre element. This has effect when using Pygments.
  • NEW: Highlight: option linenums now defaults to None and accepts None, True, or False. None is disabled by default, but can be enabled per code block. True enables line numbers globally. False disables globally and cannot be enabled manually per code block.
  • NEW: ExtraRawHTML: remove extension.
  • FIX: Fix issues with complex emphasis combinations in BetterEm.
  • FIX: Details: fix corner cases related to extension and lists.
  • FIX: Tabbed: fix corner cases related to extension and lists.
  • FIX: EscapeAll: Handle HTML entities special.
  • FIX: SuperFences: Fix parameter unpacking bug.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner May 31, 2023 01:54