chore(deps): update dependency pymdown-extensions to v10 [security] #179
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==7.1
->==10.0
GitHub Vulnerability Alerts
CVE-2023-32309
Summary
Arbitrary file read when using include file syntax.
Details
By using the syntax
--8<--"/etc/passwd"
or--8<--"/proc/self/environ"
the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths:--8<-- "../../../../etc/passwd"
.Within the Snippets extension, there exists a
base_path
option but the implementation is vulnerable to Directory Traversal.The vulnerable section exists in
get_snippet_path(self, path)
lines 155 to 174 in snippets.py.PoC
Impact
Any readable file on the host where the plugin is executing may have its content exposed. This can impact any use of Snippets that exposes the use of Snippets to external users.
It is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed.
Suggestion
Specified snippets should be restricted to the configured, specified base paths as a safe default. Allowing relative or absolute paths that escape the specified base paths would need to be behind a feature switch that must be opt-in and would be at the developer's own risk.
Release Notes
facelessuser/pymdown-extensions (pymdown-extensions)
v10.0
Compare Source
10.0
base_path
preventing snippetsrelative to the
base_path
but not explicitly under it.restrict_base_path
can be set toFalse
for legacybehavior.
v9.11
Compare Source
9.11
v9.10
Compare Source
9.10
containers for specialized parsing. A number of extensions utilizing general purpose blocks are included and are meant
to be an alternative to (and maybe one day replace): Admonitions, Details, Definition Lists, and Tabbed. Also adds a
new HTML plugin for quick wrapping of content with arbitrary HTML elements.
ids will be generated using that code ID instead of the code block count.
-
and_
.check_paths
is enabled, and a specified section is not found, raise an error.dedent_sections
that will de-indent (remove any common leadingwhitespace from every line in text) from that block of text.
v9.9.2
Compare Source
9.9.2
--
. Relax Snippets syntax such that-8<-
(single-
) are allowed.v9.9.1
Compare Source
9.9.1
v9.9
Compare Source
9.9
*
or_
surrounded by whitespace are not considered as a token.^^
nested between^
would be handled in an unexpected way.^
surrounded by whitespace are not considered as a token.~~
nested between~
would be handled in an unexpected way.~
surrounded by whitespace are not considered a token.=
surrounded by whitespace are not considered a token.v9.8
Compare Source
9.8
**
nested between*
would be handled in an unexpected way.v9.7
Compare Source
9.7
v9.6
Compare Source
9.6
guess_lang
option (e.g.
block
vsinline
).;
.v9.5
Compare Source
9.5
InlineHiliteException
.check_paths
is enabled), all other errorswill be propagated up.
SnippetMissingError
instead ofIOError
.v9.4
Compare Source
9.4
installed, Highlight will raise an exception.
v9.3
Compare Source
9.3
file://
prefix on absolute paths.extend_pygments_lang
is not case sensitive regarding language names.v9.2
Compare Source
9.2
pygments_lang_option
to enable attaching language classes to Pygments code blocks.SuperFencesException
.power
andfingerprint
keys.certain matched groups could cause an error.
v9.1
Compare Source
9.1
linenums
is enabled globally via thehighlight
extension, and a code block specifies a linenumber of zero (e.g. SuperFences), disable line numbers for that code block.
auto_append
feature that was added in 8.2.attr_list
is enabled, attributes were not properly added to Pygments code blocks in thetable
format. (#1505)v9.0
Compare Source
9.0
Please see Migration Notes for details on upgrading to 9.0.
Arithmatex output formats.
arithmatex
class added just likeeverywhere else.
formatter functions are configurable. All others are marked as deprecated and will be removed at some future date.
:man_in_santa_hat:
and:mx_claus:
backwards -- same for:mrs_claus:
and:woman_in_santa_hat:
. That is onTwitter's side, not ours.
linespans
.lineanchors
.anchorlinenos
.legacy_no_wrap_code
option.enabled via the new
auto_title
option. If a specific name is not preferred, these names can be overridden viaa user defined mapping called
auto_title_map
.title
option in a fenced codeheader.
data-
attributes on Pygments code blocks. The latter requiresthe
attr_list
extension to be enabled.highlight_code
which no longer did anything.docs for more information.
slugify
function that aims to replace all other slugify methods. Deprecateuslugify
,uslugify_encoded
,uslugify_case
,uslugify_case_encoded
,gfm
, andgfm_encoded
.slugify
takesparameters returning a function that performs the desired slug handling.
slugify
adds new optionscase="fold"
forcase folding and
normalize='<normalize format here>'
(usesNFC
by default).content entry.
pymdownx-inline
. Lines notshowing a line number would not render with the proper leading space.
v8.2
Compare Source
8.2
Compatibility is present with legacy behavior, and a single string path will still be accepted.
abbreviations, reference links, etc.
that file will be included from the specified folder. This allows for targeting a one off file outside of the normal
snippet paths(s).
?<num>
to link discussions. Fulldiscussion links will also be shortened if shortening is enabled. (#1187)
normalize_issue_symbols
option to make issues, pull request, and discussion links allrender with
#
instead of#
,!
, and?
respectively. Input syntax is still the same. Great if you want a GitHubstyle look where all issue types are just rendered with
#
.that may think that is part of MagicLink. While possible with CSS, MagicLink provides no CSS automatically.
v8.1.1
Compare Source
8.1.1
v8.1
Compare Source
8.1
v8.0.1
Compare Source
8.0.1
pymdownx-inline
an Pygments 2.7+.v8.0
Compare Source
8.0
Please see Release Notes for details on upgrading to 8.0.
key=
(no value). Only keys with values or keys with no value and no=
are accepted. Keys with no value will now assume the value to be the key name.attr_list
extension is enabled, fenced code that use brace attribute list style headers (```{lang #id .class attr=value}
) will attach arbitrary attributes that are included in the header to the code element.linenums
) included in fenced code headers no longer do anything. Ifattr_list
is enabled, and the brace header is used, such options will be treated as HTML attributes. JavaScript highlighter options should be defined in the brace header form withattr_list
enabled in order to generate appropriate, compatible HTML with the chosen JavaScript highlighter.legacy_tab_classes
option has been removed. Please use the Tabbed extension to create general purpose tabs for code blocks or other content.language_prefix
which controls the prefix applied to language classes when Pygments is not being used.code_attr_on_pre
was added to the Highlight extension and controls whether language classes, and any ids, attributes, and classes that are defined in fenced code attribute list style headers, are attached to the code element or pre element. This has effect when using Pygments.linenums
now defaults toNone
and acceptsNone
,True
, orFalse
.None
is disabled by default, but can be enabled per code block.True
enables line numbers globally.False
disables globally and cannot be enabled manually per code block.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.