Headline
CVE-2023-26487: Release v5.23.0 · vega/vega
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The `lassoAppend` expression function accepts 3 arguments and internally invokes the `push` function on the 1st argument, passing an array consisting of the 2nd and 3rd arguments as the `push` call argument. The type of the 1st argument is supposed to be an array, but it is not enforced. This makes it possible to specify any object with a `push` function as the 1st argument; that `push` function can be set to any function that can be accessed via `event.view` (not all such functions can be exploited, due to invalid context or signature, but some can, e.g. `console.log`). The issue is that `lassoAppend` does not enforce the proper types of its arguments. This opens various XSS vectors, but the exact impact and severity depend on the environment (e.g. the Core-JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0.
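The following is an added example, not code from the Vega project or its 5.23.0 patch: a simplified model of the `lassoAppend` pattern the advisory describes (call `push` on the first argument with `[x, y]`), beside a hardened variant that enforces the array type. The real Vega function, its argument handling and the actual fix may differ; the `Array.isArray` check and the `Number()` coercion are assumptions chosen to illustrate the missing type enforcement, and the sink function stands in for whatever callable an attacker could reach via `event.view`.

```javascript
// Added example (not Vega's own code): a simplified model of the lassoAppend
// pattern described in the advisory and an assumed hardened variant.

// Vulnerable shape: trusts that `lasso` is an array and calls its `push`.
// Any object carrying a `push` property satisfies this call.
function lassoAppendUnsafe(lasso, x, y) {
  lasso.push([x, y]);
  return lasso;
}

// Hardened shape (assumed fix, not the project's actual patch): only real
// arrays reach `push`, and the coordinates are coerced to numbers so that
// nothing attacker-controlled flows through unchanged.
function lassoAppendSafe(lasso, x, y) {
  if (!Array.isArray(lasso)) {
    throw new TypeError('lassoAppend: first argument must be an array');
  }
  lasso.push([Number(x), Number(y)]);
  return lasso;
}

// Constructed scenario: the attacker supplies an object whose `push` is a
// function they picked. Here it is a recording function standing in for a
// callable reachable via event.view (the advisory names console.log).
function demonstrate() {
  const calls = [];
  const sink = (...args) => calls.push(args);
  const fakeLasso = { push: sink };

  // Unsafe path: the attacker's function is invoked with [x, y] as its argument.
  lassoAppendUnsafe(fakeLasso, 10, 20);

  // Safe path: the object is rejected before any call is made.
  let rejected = false;
  try {
    lassoAppendSafe(fakeLasso, 10, 20);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  // Legitimate use with a real array still works.
  const real = lassoAppendSafe([], 1, 2);

  return { sinkCalls: calls, rejected, real };
}
```

`demonstrate()` returns one recorded call from the unsafe path (the sink received `[10, 20]`), `rejected: true` from the hardened path, and `[[1, 2]]` for the legitimate array. The point of the hardened variant is that a type check at the boundary removes the attacker's ability to choose which function `push` resolves to; what that function could do in a given deployment (for example the Core-JS `setImmediate` polyfill the advisory mentions) is environment-specific and not modelled here.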
Changes from v5.22.1:
This version contains dependency updates, bug fixes, and security patches, plus a few extra utilities to aid Vega-Lite.
monorepo
- Update dependencies, including D3 packages.
- Update rollup config to use .mjs extensions.
vega-canvas
- Update rollup config.
vega-crossfilter
- Update rollup config.
vega-dataflow
- Update rollup config.
vega-encode
- Update rollup config.
vega-event-selector
- Update rollup config.
vega-expression
- Update rollup config.
vega-force
- Update rollup config.
vega-format
- Update rollup config.
vega-functions
- Fix lassoAppend expression function XSS. (Thanks @arvind!)
- Fix scale expression function XSS (Thanks @ajxchapman and @hydrosquall!)
- Update rollup config.
vega-geo
- Update rollup config.
vega-hierarchy
- Update rollup config.
vega-interpreter
- Update rollup config.
vega-label
- Prevent evaluation of unsafe methods, #3570 (Thanks @AMoo-Miki!)
- Update rollup config.
vega-loader
- Update rollup config.
vega-parser
- Add view style for Vega-Lite, #3480 (Thanks @arvind!)
- Update rollup config.
vega-projection
- Register projections as recognized Vega scales.
- Update rollup config.
vega-projection-extended
- Update rollup config.
vega-regression
- Update rollup config.
vega-runtime
- Update rollup config.
vega-scale
- Add registerScale() and isRegisteredScale() methods. (Thanks @hydrosquall!)
- Register scales as recognized Vega scales.
- Update rollup config.
vega-scenegraph
- Update test cases to match dependency updates.
- Update rollup config.
vega-schema
- Make count private from schema, #3659 (Thanks @lsh!)
- Update rollup config.
vega-selections
- Update rollup config.
vega-statistics
- Update rollup config.
vega-time
- Update rollup config.
vega-transforms
- Update rollup config.
vega-typings
- Make count private from schema, #3659 (Thanks @lsh!)
- Update scenegraph item typings (Thanks @jonathanzong!)
- Update rollup config.
vega-util
- Update typescript config.
- Update rollup config.
vega-view
- Wrap querySelectorAll in Array.from, #3639 (Thanks @ravron!)
- Update rollup config.
vega-view-transforms
- Update rollup config.
- Fix autosize="fit-x/y" when legend is larger than plot, #3474 (Thanks @stas-sl!)
vega-voronoi
- Update rollup config.
vega-wordcloud
- Update rollup config.
vega-cli
- Update rimraf version, adjust code in response.
- Update rollup config.
vega
- Update test scenes to match dependency updates.
- Update rollup config.
Related news
### Summary We (https://github.com/elastic/kibana) got a HackerOne report about XSS in Kibana via Vega's `lassoAppend` function (undisclosed, author asked us to report it on his behalf): `lassoAppend` accepts 3 arguments and internally invokes the `push` function on the 1st argument, specifying an array consisting of the 2nd and 3rd arguments as the `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument; the `push` function can be set to any function that can be accessed via `event.view` (not all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The originally reported PoC below is based on `event.view.setImmediate`, which is available in Kibana (via Core-JS polyfill, not sure how popular this shim is these days), but it's not the browser's built-in API, and hence not immediately exploitable via Vega alone. I couldn't quickly fi...