Description
@digitalocean/do-markdownit has Type Confusion vulnerability
Overview
A type confusion issue exists in the @digitalocean/do-markdownit package. In the callout and fence_environment plugins, the allowedClasses and allowedEnvironments options are expected to be arrays of strings. If these options are provided as a single string, the code applies .includes directly on the string, resulting in substring matching instead of membership checks against an array.
Affected Versions
All versions up to and including 1.16.1 (npm).
Impact
Supplying crafted input can bypass intended allow-lists (e.g., class/environment constraints) due to substring checks, which may enable rendering of unintended classes or environments and lead to policy bypass in downstream consumers.
Mitigation
Until an upstream fix is released, ensure configuration normalization before invoking the plugins:
- Validate that allowedClasses and allowedEnvironments are arrays (Array.isArray(...)), converting single strings into one-element arrays when necessary.
- Consider sanitizing or strictly validating user-controlled values that influence Markdown rendering.
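The following is an added example, not code from the do-markdownit project, illustrating the type confusion described above and the normalization step the mitigation recommends. It compares a naive `.includes` check (which degrades to substring matching when the option is a string) with a check that first normalizes the option to an array. The option names allowedClasses and allowedEnvironments come from the advisory; the function names, the shape of the options object and the sample values are assumptions made for this example.

```javascript
// Added example (not the project's own code): type confusion in an allow-list
// check and the normalisation that prevents it.

// Naive allow-list check, as the advisory describes it. This is a membership
// test only when `allowList` is really an array. If a single string is passed,
// String.prototype.includes runs instead and any substring of that string
// (including the empty string) is accepted.
function naiveIsAllowed(allowList, candidate) {
  return allowList.includes(candidate);
}

// Normalise an option that must be an array of strings. A lone string becomes a
// one-element array; any other non-array value is rejected outright.
function normalizeAllowList(value, optionName = 'option') {
  if (Array.isArray(value)) {
    if (!value.every((v) => typeof v === 'string')) {
      throw new TypeError(`${optionName} must contain only strings`);
    }
    return value;
  }
  if (typeof value === 'string') {
    return [value];
  }
  throw new TypeError(`${optionName} must be an array of strings`);
}

// Hardened check: normalise first, then rely on Array.prototype.includes,
// which compares whole elements rather than substrings.
function isAllowed(allowList, candidate) {
  return normalizeAllowList(allowList).includes(candidate);
}

// Normalise the two options named in the advisory before handing the options
// object to the plugins. The surrounding object shape is an assumption.
function normalizePluginOptions(options) {
  const out = { ...options };
  if (out.allowedClasses !== undefined) {
    out.allowedClasses = normalizeAllowList(out.allowedClasses, 'allowedClasses');
  }
  if (out.allowedEnvironments !== undefined) {
    out.allowedEnvironments = normalizeAllowList(out.allowedEnvironments, 'allowedEnvironments');
  }
  return out;
}

// Demonstration with constructed values.
function demo() {
  return {
    // String option: substring match, so 'no' and '' both pass the naive check.
    naiveSubstring: naiveIsAllowed('note', 'no'),
    naiveEmpty: naiveIsAllowed('note', ''),
    // Same inputs after normalisation: strict membership, so both are rejected.
    hardenedSubstring: isAllowed('note', 'no'),
    hardenedEmpty: isAllowed('note', ''),
    hardenedExact: isAllowed('note', 'note'),
    normalised: normalizePluginOptions({
      allowedClasses: 'note',
      allowedEnvironments: ['warning', 'example'],
    }),
  };
}

console.log(demo());
```

Apply normalizePluginOptions to the options object before the plugins are registered so that every later `.includes` call runs against an array, regardless of how a caller supplied the option.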
Packages
@digitalocean/do-markdownit
<= 1.16.1
Absent
Related vulnerabilities
In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string (instead of an array).