
GHSA-7fh5-64p2-3v2j contains no security impact #2820

Closed
DCKcode opened this issue Oct 5, 2023 · 7 comments

Comments

@DCKcode

DCKcode commented Oct 5, 2023

The GHSA-7fh5-64p2-3v2j advisory seems to be in a poor state at the moment. Neither the advisory text nor any of the references contain any description of any security impact, and no CWE category is given either. Readers can't distinguish between this being a security bug or a normal bugfix that has been mistakenly granted security vulnerability status.

My suggestion would be to add this context (maybe @ai as the author of the change can provide this). If context as to why there is security impact cannot be provided, my suggestion would be revert this advisory to "unreviewed" status.

@ai

ai commented Oct 5, 2023

Here are more details:

This vulnerability affects linters using PostCSS to parse external CSS. An attacker can prepare CSS which will contain parts parsed by PostCSS as a CSS comment, but which will be visible to a browser as other CSS nodes (rules, properties).

@ai

ai commented Oct 5, 2023

But I think we need to change the CVE database. I asked one person.

@DCKcode
Author

DCKcode commented Oct 9, 2023

I see, thanks for clarifying! I can request a change.

Does this sound fair?

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

This seems to be CWE-93 and/or CWE-140, right?

@ai

ai commented Oct 9, 2023

This seems to be CWE-93 and/or CWE-140, right?

It does not fit 100%. The source of the problem is that the PostCSS parser and browsers parse the same CSS a little differently. For one it will be a comment, for another a comment with a rule.

@DCKcode
Author

DCKcode commented Oct 9, 2023

I've opened up an MR at #2828 - let's continue the discussion there 🙂

@darakian
Contributor

darakian commented Oct 9, 2023

I merged in the PR from #2828 before reading about the conversation moving, sorry about that 😞
Let me know if I shouldn't have or if there are any minor edits you'd like and I can get them in though 👍

@darakian
Contributor

Gonna close this out since no one has followed up. Feel free to ping if anything 😄
