backport angular#17028 to fix CVE-2020-7676

mgoldspink-salesforce · mgoldspink-salesforce · commit f7ececcba7f0 · 2022-01-20T12:27:46.000Z
GHSA-mhp6-pxh8-r675
diff --git a/Gruntfile.js b/Gruntfile.js
@@ -138,8 +138,7 @@ module.exports = function(grunt) {
     tests: {
       jqlite: 'karma-jqlite.conf.js',
       jquery: 'karma-jquery.conf.js',
-      'jquery-2.2': 'karma-jquery-2.2.conf.js',
-      'jquery-2.1': 'karma-jquery-2.1.conf.js',
+      'jquery-3.5': 'karma-jquery-3.5.conf.js',
       docs: 'karma-docs.conf.js',
       modules: 'karma-modules.conf.js'
     },
@@ -148,8 +147,7 @@ module.exports = function(grunt) {
     autotest: {
       jqlite: 'karma-jqlite.conf.js',
       jquery: 'karma-jquery.conf.js',
-      'jquery-2.2': 'karma-jquery-2.2.conf.js',
-      'jquery-2.1': 'karma-jquery-2.1.conf.js',
+      'jquery-3.5': 'karma-jquery-3.5.conf.js',
       modules: 'karma-modules.conf.js',
       docs: 'karma-docs.conf.js'
     },
@@ -437,10 +435,9 @@ module.exports = function(grunt) {
     'tests:docs',
     'test:protractor'
   ]);
-  grunt.registerTask('test:jqlite', 'Run the unit tests with Karma' , ['tests:jqlite']);
+  grunt.registerTask('test:jqlite', 'Run the unit tests with Karma', ['tests:jqlite']);
   grunt.registerTask('test:jquery', 'Run the jQuery (latest) unit tests with Karma', ['tests:jquery']);
-  grunt.registerTask('test:jquery-2.2', 'Run the jQuery 2.2 unit tests with Karma', ['tests:jquery-2.2']);
-  grunt.registerTask('test:jquery-2.1', 'Run the jQuery 2.1 unit tests with Karma', ['tests:jquery-2.1']);
+  grunt.registerTask('test:jquery-3.5', 'Run the jQuery 3.5 unit tests with Karma', ['tests:jquery-3.5']);
   grunt.registerTask('test:modules', 'Run the Karma module tests with Karma', [
     'build',
     'tests:modules'
@@ -449,8 +446,7 @@ module.exports = function(grunt) {
   grunt.registerTask('test:unit', 'Run unit, jQuery and Karma module tests with Karma', [
     'test:jqlite',
     'test:jquery',
-    'test:jquery-2.2',
-    'test:jquery-2.1',
+    'test:jquery-3.5',
     'test:modules'
   ]);
   grunt.registerTask('test:protractor', 'Run the end to end tests with Protractor and keep a test server running in the background', [
diff --git a/angularFiles.js b/angularFiles.js
@@ -244,7 +244,7 @@ var angularFiles = {
   ]
 };
 
-['2.1', '2.2'].forEach(function(jQueryVersion) {
+['3.5'].forEach(function(jQueryVersion) {
   angularFiles['karmaJquery' + jQueryVersion] = []
     .concat(angularFiles.karmaJquery)
     .map(function(path) {
diff --git a/karma-jquery-2.2.conf.js b/karma-jquery-2.2.conf.js
diff --git a/karma-jquery-3.5.conf.js b/karma-jquery-3.5.conf.js
@@ -2,4 +2,4 @@
 
 var karmaConfigFactory = require('./karma-jquery.conf-factory');
 
-module.exports = karmaConfigFactory('2.1');
+module.exports = karmaConfigFactory('3.5');
diff --git a/lib/grunt/utils.js b/lib/grunt/utils.js
@@ -182,23 +182,24 @@ module.exports = {
     var errorFileName = file.replace(/\.js$/, '-errors.json');
     var versionNumber = grunt.config('NG_VERSION').full;
     var compilationLevel = (file === 'build/angular-message-format.js') ?
-        'ADVANCED_OPTIMIZATIONS' : 'SIMPLE_OPTIMIZATIONS';
+      'ADVANCED_OPTIMIZATIONS' : 'SIMPLE_OPTIMIZATIONS';
+    var command = 'java ' +
+      this.java32flags() + ' ' +
+      this.memoryRequirement() + ' ' +
+      '-cp vendor/closure-compiler/compiler.jar' + classPathSep +
+      'vendor/ng-closure-runner/ngcompiler.jar ' +
+      'org.angularjs.closurerunner.NgClosureRunner ' +
+      '--compilation_level ' + compilationLevel + ' ' +
+      '--language_in ECMASCRIPT5_STRICT ' +
+      '--minerr_pass ' +
+      '--minerr_errors ' + errorFileName + ' ' +
+      '--minerr_url http://errors.angularjs.org/' + versionNumber + '/ ' +
+      '--source_map_format=V3 ' +
+      '--create_source_map ' + mapFile + ' ' +
+      '--js ' + file + ' ' +
+      '--js_output_file ' + minFile;
     shell.exec(
-        'java ' +
-            this.java32flags() + ' ' +
-            this.memoryRequirement() + ' ' +
-            '-cp vendor/closure-compiler/compiler.jar' + classPathSep +
-            'vendor/ng-closure-runner/ngcompiler.jar ' +
-            'org.angularjs.closurerunner.NgClosureRunner ' +
-            '--compilation_level ' + compilationLevel + ' ' +
-            '--language_in ECMASCRIPT5_STRICT ' +
-            '--minerr_pass ' +
-            '--minerr_errors ' + errorFileName + ' ' +
-            '--minerr_url http://errors.angularjs.org/' + versionNumber + '/ ' +
-            '--source_map_format=V3 ' +
-            '--create_source_map ' + mapFile + ' ' +
-            '--js ' + file + ' ' +
-            '--js_output_file ' + minFile,
+      command,
       function(code) {
         if (code !== 0) grunt.fail.warn('Error minifying ' + file);
 
@@ -221,7 +222,7 @@ module.exports = {
   //returns the 32-bit mode force flags for java compiler if supported, this makes the build much faster
   java32flags: function() {
     if (process.platform === 'win32') return '';
-    if (shell.exec('java -version -d32 2>&1', {silent: true}).code !== 0) return '';
+    if (shell.exec('java -d32 2>&1', {silent: true}).code !== 0) return '';
     return ' -d32 -client';
   },
 
diff --git a/package.json b/package.json
@@ -60,9 +60,8 @@
     "jasmine-core": "^2.8.0",
     "jasmine-node": "^2.0.0",
     "jasmine-reporters": "^2.2.0",
-    "jquery": "3.2.1",
-    "jquery-2.1": "npm:jquery@2.1.4",
-    "jquery-2.2": "npm:jquery@2.2.4",
+    "jquery": "3.5.1",
+    "jquery-3.5": "npm:jquery@3.5.1",
     "karma": "^2.0.0",
     "karma-browserstack-launcher": "^1.2.0",
     "karma-chrome-launcher": "^2.1.1",
diff --git a/scripts/travis/build.sh b/scripts/travis/build.sh
@@ -39,8 +39,7 @@ case "$JOB" in
     ;;
   "unit-jquery")
     grunt test:jquery --browsers="$BROWSERS" --reporters=spec
-    grunt test:jquery-2.2 --browsers="$BROWSERS" --reporters=spec
-    grunt test:jquery-2.1 --browsers="$BROWSERS" --reporters=spec
+    grunt test:jquery-3.5 --browsers="$BROWSERS" --reporters=spec
     ;;
   "docs-app")
     grunt tests:docs --browsers="$BROWSERS" --reporters=spec
diff --git a/src/Angular.js b/src/Angular.js
@@ -95,6 +95,7 @@
   hasOwnProperty,
   createMap,
   stringify,
+  UNSAFE_restoreLegacyJqLiteXHTMLReplacement,
 
   NODE_TYPE_ELEMENT,
   NODE_TYPE_ATTRIBUTE,
@@ -1965,6 +1966,25 @@ function bindJQuery() {
   bindJQueryFired = true;
 }
 
+/**
+ * @ngdoc function
+ * @name angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement
+ * @module ng
+ * @kind function
+ *
+ * @description
+ * Restores the pre-1.8 behavior of jqLite that turns XHTML-like strings like
+ * `<div /><span />` to `<div></div><span></span>` instead of `<div><span></span></div>`.
+ * The new behavior is a security fix. Thus, if you need to call this function, please try to adjust
+ * your code for this change and remove your use of this function as soon as possible.
+ * Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the
+ * [jQuery 3.5 upgrade guide](https://jquery.com/upgrade-guide/3.5/) for more details
+ * about the workarounds.
+ */
+ function UNSAFE_restoreLegacyJqLiteXHTMLReplacement() {
+  JQLite.legacyXHTMLReplacement = true;
+}
+
 /**
  * throw error if the argument is falsy.
  */
diff --git a/src/AngularPublic.js b/src/AngularPublic.js
@@ -51,6 +51,7 @@
   ngModelOptionsDirective,
   ngAttributeAliasDirectives,
   ngEventDirectives,
+  UNSAFE_restoreLegacyJqLiteXHTMLReplacement,
 
   $AnchorScrollProvider,
   $AnimateProvider,
@@ -155,6 +156,7 @@ function publishExternalAPI(angular) {
     'callbacks': {$$counter: 0},
     'getTestability': getTestability,
     'reloadWithDebugInfo': reloadWithDebugInfo,
+    'UNSAFE_restoreLegacyJqLiteXHTMLReplacement': UNSAFE_restoreLegacyJqLiteXHTMLReplacement,
     '$$minErr': minErr,
     '$$csp': csp,
     '$$encodeUriSegment': encodeUriSegment,
diff --git a/src/jqLite.js b/src/jqLite.js
@@ -90,6 +90,16 @@
  * - [`val()`](http://api.jquery.com/val/)
  * - [`wrap()`](http://api.jquery.com/wrap/)
  *
+ * jqLite also provides a method restoring pre-1.8 insecure treatment of XHTML-like tags.
+ * This legacy behavior turns input like `<div /><span />` to `<div></div><span></span>`
+ * instead of `<div><span></span></div>` like version 1.8 & newer do. To restore it, invoke:
+ * ```js
+ * angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();
+ * ```
+ * Note that this only patches jqLite. If you use jQuery 3.5.0 or newer, please read the
+ * [jQuery 3.5 upgrade guide](https://jquery.com/upgrade-guide/3.5/) for more details
+ * about the workarounds.
+ *
  * ## jQuery/jqLite Extras
  * AngularJS also provides the following additional methods and events to both jQuery and jqLite:
  *
@@ -169,20 +179,36 @@ var HTML_REGEXP = /<|&#?\w+;/;
 var TAG_NAME_REGEXP = /<([\w:-]+)/;
 var XHTML_TAG_REGEXP = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;
 
+// Table parts need to be wrapped with `<table>` or they're
+// stripped to their contents when put in a div.
+// XHTML parsers do not magically insert elements in the
+// same way that tag soup parsers do, so we cannot shorten
+// this by omitting <tbody> or other required elements.
 var wrapMap = {
-  'option': [1, '<select multiple="multiple">', '</select>'],
-
-  'thead': [1, '<table>', '</table>'],
-  'col': [2, '<table><colgroup>', '</colgroup></table>'],
-  'tr': [2, '<table><tbody>', '</tbody></table>'],
-  'td': [3, '<table><tbody><tr>', '</tr></tbody></table>'],
-  '_default': [0, '', '']
+  thead: ['table'],
+  col: ['colgroup', 'table'],
+  tr: ['tbody', 'table'],
+  td: ['tr', 'tbody', 'table']
 };
 
-wrapMap.optgroup = wrapMap.option;
 wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
 wrapMap.th = wrapMap.td;
 
+// Support: IE <10 only
+// IE 9 requires an option wrapper & it needs to have the whole table structure
+// set up in advance; assigning `"<td></td>"` to `tr.innerHTML` doesn't work, etc.
+var wrapMapIE9 = {
+  option: [1, '<select multiple="multiple">', '</select>'],
+  _default: [0, '', '']
+};
+
+for (var key in wrapMap) {
+  var wrapMapValueClosing = wrapMap[key];
+  var wrapMapValue = wrapMapValueClosing.slice().reverse();
+  wrapMapIE9[key] = [wrapMapValue.length, '<' + wrapMapValue.join('><') + '>', '</' + wrapMapValueClosing.join('></') + '>'];
+}
+
+wrapMapIE9.optgroup = wrapMapIE9.option;
 
 function jqLiteIsTextNode(html) {
   return !HTML_REGEXP.test(html);
@@ -203,7 +229,7 @@ function jqLiteHasData(node) {
 }
 
 function jqLiteBuildFragment(html, context) {
-  var tmp, tag, wrap,
+  var tmp, tag, wrap, finalHtml,
       fragment = context.createDocumentFragment(),
       nodes = [], i;
 
@@ -214,13 +240,30 @@ function jqLiteBuildFragment(html, context) {
     // Convert html into DOM nodes
     tmp = fragment.appendChild(context.createElement('div'));
     tag = (TAG_NAME_REGEXP.exec(html) || ['', ''])[1].toLowerCase();
-    wrap = wrapMap[tag] || wrapMap._default;
-    tmp.innerHTML = wrap[1] + html.replace(XHTML_TAG_REGEXP, '<$1></$2>') + wrap[2];
+    finalHtml = JQLite.legacyXHTMLReplacement ?
+      html.replace(XHTML_TAG_REGEXP, '<$1></$2>') :
+      html;
+
+    if (msie < 10) {
+      wrap = wrapMapIE9[tag] || wrapMapIE9._default;
+      tmp.innerHTML = wrap[1] + finalHtml + wrap[2];
+
+      // Descend through wrappers to the right content
+      i = wrap[0];
+      while (i--) {
+        tmp = tmp.firstChild;
+      }
+    } else {
+      wrap = wrapMap[tag] || [];
 
-    // Descend through wrappers to the right content
-    i = wrap[0];
-    while (i--) {
-      tmp = tmp.lastChild;
+      // Create wrappers & descend into them
+      i = wrap.length;
+      while (--i > -1) {
+        tmp.appendChild(window.document.createElement(wrap[i]));
+        tmp = tmp.firstChild;
+      }
+
+      tmp.innerHTML = finalHtml;
     }
 
     nodes = concat(nodes, tmp.childNodes);
diff --git a/test/jqLiteSpec.js b/test/jqLiteSpec.js
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -244,7 +244,7 @@ var angularFiles = {`
`244`	`244`	`]`
`245`	`245`	`};`
`246`	`246`
`247`		`-['2.1', '2.2'].forEach(function(jQueryVersion) {`
	`247`	`+['3.5'].forEach(function(jQueryVersion) {`
`248`	`248`	`angularFiles['karmaJquery' + jQueryVersion] = []`
`249`	`249`	`.concat(angularFiles.karmaJquery)`
`250`	`250`	`.map(function(path) {`
Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,4 @@`
`2`	`2`
`3`	`3`	`var karmaConfigFactory = require('./karma-jquery.conf-factory');`
`4`	`4`
`5`		`-module.exports = karmaConfigFactory('2.1');`
	`5`	`+module.exports = karmaConfigFactory('3.5');`