Improve branch env feature

[mattbell87]

Ensures that the symlink for system is set correctly when specifying a branch.

[github-actions]

Overview

Image reference	ghcr.io/2pisoftware/cmfive:develop	ghcr.io/2pisoftware/cmfive:pr-121
- digest	b072a51716fe	d5d64e3f8e86
- provenance	b2725ea	880d9bc
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	328 MB	357 MB (+28 MB)
- packages	205	205
Base Image	alpine:3 also known as: • 3.19 • 3.19.1 • latest	alpine:3 also known as: • 3.19 • 3.19.1 • latest
- vulnerabilities

Labels (3 changes)

• ± 3 changed
• 6 unchanged

-org.opencontainers.image.created=2024-03-11T02:49:03.355Z
+org.opencontainers.image.created=2024-03-13T01:26:56.043Z
 org.opencontainers.image.description=Cmfive in a docker image
 org.opencontainers.image.licenses=GPL-3.0
-org.opencontainers.image.revision=b2725eab19b6615504b1db5b07f89f8395e33a74
+org.opencontainers.image.revision=880d9bc7ef0792357225a1bb7dc2c36cfe00172c
 org.opencontainers.image.source=https://github.com/2pisoftware/cmfive-boilerplate
 org.opencontainers.image.title=Cmfive
 org.opencontainers.image.url=https://github.com/2pisoftware/cmfive-boilerplate
 org.opencontainers.image.vendor=2pisoftware
-org.opencontainers.image.version=develop
+org.opencontainers.image.version=pr-121

[github-actions]

🔍 Vulnerabilities of ghcr.io/2pisoftware/cmfive:pr-121

📦 Image Reference ghcr.io/2pisoftware/cmfive:pr-121

digest	sha256:d5d64e3f8e86590d7a897d8e48d04ddb51dd69c02139fe7633a51cca8e10f5ad
vulnerabilities
platform	linux/amd64
size	357 MB
packages	205

📦 Base Image alpine:3

also known as	3.19 3.19.1 latest
digest	sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0
vulnerabilities

chart.js 2.5.0 (npm) pkg:npm/[email protected] Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affected range <2.9.4 Fixed version 2.9.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

libxml2 2.11.7-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 Affected range <2.12.5-r0 Fixed version 2.12.5-r0 Description

twig/twig 3.3.10 (composer) pkg:composer/twig/[email protected] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range >=3.0.0 <3.4.3 Fixed version 3.4.3 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere/../some.file (in such a case, validation is bypassed). Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

jquery-ui 1.10.4 (npm) pkg:npm/[email protected] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later.

curl 8.5.0-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 Affected range <8.6.0-r0 Fixed version 8.6.0-r0 Description

codemirror 4.4.0 (npm) pkg:npm/[email protected] Uncontrolled Resource Consumption Affected range <5.58.2 Fixed version 5.58.2 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Description This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/.?/)

aws/aws-sdk-php 3.224.0 (composer) pkg:composer/aws/[email protected] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <3.288.1 Fixed version 3.288.1 CVSS Score 6 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N Description Impact Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in thebuildEndpoint method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The buildEndpoint method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed. Versions of the AWS SDK for PHP v3 before 3.288.1 are affected by this issue. Patches Upgrade to the AWS SDK for PHP >= 3.288.1, if you are on version < 3.288.1. References RFC 3986 - https://datatracker.ietf.org/doc/html/rfc3986 For more information If you have any questions or comments about this advisory, please contact AWS's Security team.