🐛 FIX: CVE-2023-26303 (#246)

chrisjsewell · web-flow · commit ae03c6107dfa · 2023-02-22T05:56:39.000+01:00
Fix unnecessary asserts, leading to crashes
diff --git a/markdown_it/renderer.py b/markdown_it/renderer.py
@@ -83,8 +83,8 @@ def render(
 
         for i, token in enumerate(tokens):
             if token.type == "inline":
-                assert token.children is not None
-                result += self.renderInline(token.children, options, env)
+                if token.children:
+                    result += self.renderInline(token.children, options, env)
             elif token.type in self.rules:
                 result += self.rules[token.type](tokens, i, options, env)
             else:
@@ -206,8 +206,8 @@ def renderInlineAsText(
             if token.type == "text":
                 result += token.content
             elif token.type == "image":
-                assert token.children is not None
-                result += self.renderInlineAsText(token.children, options, env)
+                if token.children:
+                    result += self.renderInlineAsText(token.children, options, env)
             elif token.type == "softbreak":
                 result += "\n"
 
@@ -305,14 +305,10 @@ def image(
 
         # "alt" attr MUST be set, even if empty. Because it's mandatory and
         # should be placed on proper position for tests.
-
-        assert (
-            token.attrs and "alt" in token.attrs
-        ), '"image" token\'s attrs must contain `alt`'
-
-        # Replace content with actual value
-
-        token.attrSet("alt", self.renderInlineAsText(token.children, options, env))
+        if token.children:
+            token.attrSet("alt", self.renderInlineAsText(token.children, options, env))
+        else:
+            token.attrSet("alt", "")
 
         return self.renderToken(tokens, idx, options, env)
 
diff --git a/markdown_it/rules_core/replacements.py b/markdown_it/rules_core/replacements.py
@@ -116,7 +116,8 @@ def replace(state: StateCore) -> None:
     for token in state.tokens:
         if token.type != "inline":
             continue
-        assert token.children is not None
+        if token.children is None:
+            continue
 
         if SCOPED_ABBR_RE.search(token.content):
             replace_scoped(token.children)
diff --git a/markdown_it/rules_core/smartquotes.py b/markdown_it/rules_core/smartquotes.py
@@ -197,5 +197,5 @@ def smartquotes(state: StateCore) -> None:
     for token in state.tokens:
         if token.type != "inline" or not QUOTE_RE.search(token.content):
             continue
-        assert token.children is not None
-        process_inlines(token.children, state)
+        if token.children is not None:
+            process_inlines(token.children, state)
diff --git a/tests/test_port/fixtures/issue-fixes.md b/tests/test_port/fixtures/issue-fixes.md
@@ -36,3 +36,12 @@
 .
 <p>💬</p>
 .
+
+Fix CVE-2023-26303
+.
+![![]()
+]([)
+.
+<p><img src="%5B" alt="
+" /></p>
+.
diff --git a/tests/test_port/test_fixtures.py b/tests/test_port/test_fixtures.py
@@ -111,4 +111,5 @@ def test_strikethrough(line, title, input, expected):
 def test_issue_fixes(line, title, input, expected):
     md = MarkdownIt()
     text = md.render(input)
+    print(text)
     assert text.rstrip() == expected.rstrip()

Original file line number	Diff line number	Diff line change
`@@ -36,3 +36,12 @@`
`36`	`36`	`.`
`37`	`37`	`<p>💬</p>`
`38`	`38`	`.`
	`39`	`+`
	`40`	`+Fix CVE-2023-26303`
	`41`	`+.`
	`42`	`+![![]()`
	`43`	`+]([)`
	`44`	`+.`
	`45`	`+<p><img src="%5B" alt="`
	`46`	`+" /></p>`
	`47`	`+.`