Mention CVE-2021-23358 in code, test and documentation (#2915)

jgonggrijp · jgonggrijp · commit c627e3847981 · 2021-03-29T17:13:23.000+02:00
diff --git a/docs/modules/template.html b/docs/modules/template.html
@@ -1013,7 +1013,7 @@ <h1>template.js</h1>
               <div class="pilwrap ">
                 <a class="pilcrow" href="#section-9">&#182;</a>
               </div>
-              <p>Insure against third-party code injection.</p>
+              <p>Insure against third-party code injection. (CVE-2021-23358)</p>
 
             </div>
             
diff --git a/docs/underscore-esm.html b/docs/underscore-esm.html
@@ -2496,7 +2496,7 @@ <h1>underscore-esm.js</h1>
               <div class="pilwrap ">
                 <a class="pilcrow" href="#section-129">&#182;</a>
               </div>
-              <p>Insure against third-party code injection.</p>
+              <p>Insure against third-party code injection. (CVE-2021-23358)</p>
 
             </div>
             
diff --git a/index.html b/index.html
@@ -2714,7 +2714,9 @@ <h2 id="changelog">Change Log</h2>
             affects all versions of Underscore between 1.3.2 and 1.12.0,
             inclusive, as well as preview releases 1.13.0-0 and 1.13.0-1. The
             fix in this release is also included in the parallel preview
-            release 1.13.0-2.
+            release 1.13.0-2. <a
+                href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358"
+            >CVE-2021-23358</a>
           </li>
           <li>
             Restores an optimization in <tt>_.debounce</tt> that was
diff --git a/modules/template.js b/modules/template.js
@@ -68,7 +68,7 @@ export default function template(text, settings, oldSettings) {
 
   var argument = settings.variable;
   if (argument) {
-    // Insure against third-party code injection.
+    // Insure against third-party code injection. (CVE-2021-23358)
     if (!bareIdentifier.test(argument)) throw new Error(
       'variable is not a bare identifier: ' + argument
     );
diff --git a/test/utility.js b/test/utility.js
@@ -468,9 +468,11 @@
   QUnit.test('#2911 - _.templateSettings.variable must not allow third parties to inject code.', function(assert) {
     QUnit.holyProperty = 'holy';
     var invalidVariableNames = [
+      // CVE-2021-23337 (not applicable to Underscore)
       '){delete QUnit.holyProperty}; with(obj',
       '(x = QUnit.holyProperty = "evil"), obj',
       'document.write("got you!")',
+      // CVE-2021-23358 (our actual security leak, which we fixed)
       'a = (function() { delete QUnit.holyProperty; }())',
       'a = (QUnit.holyProperty = "evil")',
       'a = document.write("got you!")'
diff --git a/underscore-esm.js b/underscore-esm.js
diff --git a/underscore.js b/underscore.js
