Closed
Description
Notebook Version 6.0.3
We ran our security scan tool on the library and it identified 3 security exposures with the packaged version of marked included here:
notebook/static/components/marked/lib/marked.js
marked before 0.7.0 is vulnerable to a ReDoS attack via the _label subrule, which may significantly degrade parsing performance on malformed input.
marked versions >0.3.14 and <0.6.2 have a Regular Expression Denial of Service vulnerability: email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.
A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when input contains parentheses in link URIs, coupled with a high number of link tokens in a single line.
https://bugzilla.redhat.com/show_bug.cgi?id=1679550
It appears the fix is to upgrade marked to at least 0.7.0.
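As an added example (not code from the notebook project or from marked), the Node script below checks the version of a bundled copy of marked against the three affected ranges quoted in this issue and reports which advisories still apply. It assumes the version can be read from a package.json next to the bundled marked.js; the sample package.json contents are constructed, as is the pre-fix version number in it.

```javascript
// Added example: check a bundled marked version against the ReDoS-affected
// ranges named in this issue. Assumes a package.json with a "version" field
// sits beside notebook/static/components/marked/lib/marked.js (assumption).

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
// Pre-release and build tags, if any, are ignored for this comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric per-component comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges exactly as stated in the issue text above.
// min/max of null means that side is unbounded.
const ADVISORIES = [
  { id: '_label subrule ReDoS (fixed in 0.7.0)', min: null, minIncl: false, max: '0.7.0', maxIncl: false },
  { id: 'email address ReDoS (>0.3.14, <0.6.2)', min: '0.3.14', minIncl: false, max: '0.6.2', maxIncl: false },
  { id: 'link URI ReDoS, bz#1679550 (>=0.5.0, <0.6.1)', min: '0.5.0', minIncl: true, max: '0.6.1', maxIncl: false },
];

// True when `version` lies inside the advisory's range, honouring inclusivity.
function inRange(version, adv) {
  if (adv.min !== null) {
    const c = compareVersions(version, adv.min);
    if (c < 0 || (c === 0 && !adv.minIncl)) return false;
  }
  if (adv.max !== null) {
    const c = compareVersions(version, adv.max);
    if (c > 0 || (c === 0 && !adv.maxIncl)) return false;
  }
  return true;
}

// Ids of the advisories that apply to the given marked version.
function affectedAdvisories(version) {
  return ADVISORIES.filter((a) => inRange(version, a)).map((a) => a.id);
}

// Read the "version" field from package.json text (assumed layout).
function versionFromPackageJson(text) {
  const pkg = JSON.parse(text);
  if (typeof pkg.version !== 'string') throw new Error('package.json has no version field');
  return pkg.version;
}

// Full check: returns the version found, whether any advisory applies, and which.
function checkBundledMarked(packageJsonText) {
  const version = versionFromPackageJson(packageJsonText);
  const hits = affectedAdvisories(version);
  return { version, affected: hits.length > 0, advisories: hits };
}

// Constructed sample of a pre-fix bundled package.json (the version is made up).
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: 'marked', version: '0.3.6' });

console.log(JSON.stringify(checkBundledMarked(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it with `node` after pointing `SAMPLE_PACKAGE_JSON` at the real file contents (for example via `fs.readFileSync`); an empty `advisories` list with `affected: false` is what you should see once marked is at 0.7.0 or later. The inclusive/exclusive bounds are kept explicit because the three advisories word their ranges differently ("before", ">", "from ... to before").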