Update Vulnerable Underscore.js 1.8.3

[MechiH]

Context

No response

Description

Underscore.js 1.8.3, which is included in the built version of MkDocs Material documentation inside file site/assets/javascripts/lunr/wordcut.js, has a known high severity vulnerability (CVE-2021-23358).

Update to [email protected] is required

Related links

• https://security.snyk.io/package/npm/underscore/1.8.3
• https://nvd.nist.gov/vuln/detail/CVE-2021-23358

Use Cases

This has affect on all users of the project.

Visuals

No response

Before submitting

• I have read and followed the change request guidelines.
• I have verified that my idea is a change request and not a bug report.
• I have ensured that, to the best of my knowledge, my idea will benefit the entire community.
• I have included relevant links to the documentation, related issues, and discussions to underline the need for my idea.

[squidfunk]

Thanks for reporting. wordcut.js is provided by lunr-languages, a library that provides additional stemmers and stopword filters for lunr.js, the search we're currently using. Thus, this issue should be reported upstream, because we only consume wordcut.js from this library – we can't patch it ourselves. Could you please create an issue upstream?

Additionally, wordcut.js is only used for the Thai and Hindi language, and does not impact any of the other 60+ languages we're supporting, so the potential attack surface is low. Furthermore, search runs in a web worker, so wordcut.js is loaded inside a web worker context, which provides additional shielding from the main thread.

As mentioned, we can't fix it, but I currently assess the risk as being tolerable, given that it only affects a small subset of languages, and runs in an already isolated context. Also note that we're working on a new search to replace luns.js and lunr-languages in the near future, tracked in #6307. Other than that, if you have any idea how we can mitigate the situation without starting to patch wordcut.js on our side or losing functionality, please share them with us.

[squidfunk]

As an additional countermeasure, I've looked at wordcut.js to learn how underscore.js is used, and albeit the entirety of underscore.js is bundled, with most of the code being dead code, it appears the only method used is _.clone:

• wordcut.js#L53
• wordcut.js#L382
• wordcut.js#L417
• wordcut.js#L525

The CVE specifically concerns _.template, which is not being used by wordcut.js in any instance, so we don't have an urgent problem on our side here. Furthermore, the maintainers of lunr-languages could remove the use of underscore.js quite easily by replacing _.clone with a simple ...spread, i.e., vanilla JavaScript code:

var acceptors = _.clone(Acceptors);

// ... can be changed to:
var acceptors = {...Acceptors}

This would also reduce the payload by several dozen kilobytes.