Mention CVE-2021-23358 in code, test and documentation (#2915)

jashkenas · Mar 29, 2021 · c627e38 · c627e38
1 parent c9e803e
commit c627e38
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 6 deletions.
diff --git a/docs/modules/template.html b/docs/modules/template.html
@@ -1013,7 +1013,7 @@ <h1>template.js</h1>
  <div class="pilwrap ">
  <a class="pilcrow" href="#section-9">&#182;</a>
  </div>
- <p>Insure against third-party code injection.</p>
+ <p>Insure against third-party code injection. (CVE-2021-23358)</p>
 
  </div>
 

diff --git a/docs/underscore-esm.html b/docs/underscore-esm.html
@@ -2496,7 +2496,7 @@ <h1>underscore-esm.js</h1>
  <div class="pilwrap ">
  <a class="pilcrow" href="#section-129">&#182;</a>
  </div>
- <p>Insure against third-party code injection.</p>
+ <p>Insure against third-party code injection. (CVE-2021-23358)</p>
 
  </div>
 

diff --git a/index.html b/index.html
@@ -2714,7 +2714,9 @@ <h2 id="changelog">Change Log</h2>
  affects all versions of Underscore between 1.3.2 and 1.12.0,
  inclusive, as well as preview releases 1.13.0-0 and 1.13.0-1. The
  fix in this release is also included in the parallel preview
- release 1.13.0-2.
+ release 1.13.0-2. <a
+ href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358"
+ >CVE-2021-23358</a>
  </li>
  <li>
  Restores an optimization in <tt>_.debounce</tt> that was

diff --git a/modules/template.js b/modules/template.js
@@ -68,7 +68,7 @@ export default function template(text, settings, oldSettings) {
 
  var argument = settings.variable;
  if (argument) {
- // Insure against third-party code injection.
+ // Insure against third-party code injection. (CVE-2021-23358)
  if (!bareIdentifier.test(argument)) throw new Error(
  'variable is not a bare identifier: ' + argument
  );

diff --git a/test/utility.js b/test/utility.js
@@ -468,9 +468,11 @@
  QUnit.test('#2911 - _.templateSettings.variable must not allow third parties to inject code.', function(assert) {
  QUnit.holyProperty = 'holy';
  var invalidVariableNames = [
+ // CVE-2021-23337 (not applicable to Underscore)
  '){delete QUnit.holyProperty}; with(obj',
  '(x = QUnit.holyProperty = "evil"), obj',
  'document.write("got you!")',
+ // CVE-2021-23358 (our actual security leak, which we fixed)
  'a = (function() { delete QUnit.holyProperty; }())',
  'a = (QUnit.holyProperty = "evil")',
  'a = document.write("got you!")'

diff --git a/underscore-esm.js b/underscore-esm.js
diff --git a/underscore.js b/underscore.js