
[Snyk] Fix for 1 vulnerabilities #323

Status: Open. Wants to merge 1 commit into base: main

Conversation

@dotam99 dotam99 (Owner) commented Jun 23, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- |
| medium severity | 658/1000. Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS), SNYK-JS-SEMVER-3247795 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: copy-webpack-plugin The new version differs by 4 commits.

See the full diff

Package name: linkinator The new version differs by 108 commits.

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@guardrails guardrails bot commented Jun 23, 2023

⚠️ We detected 98 security issues in this pull request:

Mode: paranoid | Total findings: 98 | Considered vulnerability: 98

Insecure File Management (11)
| Severity | Title | Code |
| --- | --- | --- |
| High | Path Traversal from user input | `'/developers/apps'` |
| High | Path Traversal from user input | `newHref = path.join('/', languageCode, href)` |
| High | Path Traversal from user input | `newHref = path.join('/', languageCode, href)` |
| High | Path Traversal from user input | `const mapTopicOrArticlePath = path.posix.join(categoryPath, pathParts[2])` |
| High | Path Traversal from user input | `const categoryPath = removeFPTFromPath(path.posix.join('/', 'en', req.context.currentVersion, 'early-access', pathParts[0], pathParts[1]))` |
| High | Path Traversal from user input | `title: product.title` |
| High | Path Traversal from user input | `const categoryPath = removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath, pathParts[1]))` |
| High | Path Traversal from user input | `const productPath = path.posix.join('/', req.context.currentProduct)` |
| High | Path Traversal from user input | `href: removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath)),` |
| High | Path Traversal from user input | `const proxyPath = path.join('/', requestedVersion, assetPath)` |
| High | Path Traversal from user input | `const href = removeFPTFromPath(path.join('/', context.currentLanguage, version, linkPath))` |

More info on how to fix Insecure File Management in JavaScript.


Vulnerable Libraries (32)
| Severity | Package | Upgrade to |
| --- | --- | --- |
| Informational | pkg:npm/compression@1.7.4@1.7.4 (t) | 3.1.0 |
| Critical | pkg:npm/browser-date-formatter@3.0.3@3.0.3 (t) | 1.2.6, 1.0.7 |
| High | pkg:npm/walk-sync@1.1.4@1.1.4 (t) | 3.0.5 |
| Critical | pkg:npm/mini-css-extract-plugin@1.4.1@1.4.1 (t) | 2.0.4, 3.2.1, 1.2.6, 2.2.2, 2.0.3, 1.4.2 |
| High | pkg:npm/node-fetch@2.6.1@2.6.1 (t) | 3.1.1, 2.6.7 |
| Informational | pkg:npm/algoliasearch@3.35.1@3.35.1 (t) | 3.1.0 |
| Medium | pkg:npm/webpack-cli@4.6.0@4.6.0 (t) | 1.0.7 |
| Critical | pkg:npm/copy-webpack-plugin@7.0.0@7.0.0 (t) | 2.2.2, 1.2.6 |
| Critical | pkg:npm/style-loader@1.2.1@1.2.1 (t) | 2.0.3, 1.4.2, 2.0.4, 3.2.1, 2.2.2, 1.2.6 |
| Critical | pkg:npm/babel-loader@8.1.0@8.1.0 (t) | 1.4.2, 2.0.4, 3.2.1, 2.0.3, 2.2.2, 1.2.6 |
| High | pkg:npm/got@9.6.0@9.6.0 (t) | 10.2.7, 4.1.1 |
| High | pkg:npm/remark-parse@7.0.2@7.0.2 (t) | 0.0.3 |
| High | pkg:npm/rimraf@3.0.0@3.0.0 (t) | 3.0.5 |
| High | pkg:npm/hast-util-select@4.0.2@4.0.2 (t) | 2.0.1 |
| Informational | pkg:npm/rehype-highlight@3.1.0@3.1.0 (t) | 10.4.1 |
| High | pkg:npm/rss-parser@3.12.0@3.12.0 (t) | no patch available |
| High | pkg:npm/cheerio@1.0.0-rc.3@1.0.0-rc.3 (t) | 4.17.21, 2.0.1 |
| Informational | pkg:npm/morgan@1.9.1@1.9.1 (t) | 3.1.0 |
| High | pkg:npm/sass@1.32.8@1.32.8 (t) | 5.1.2, 6.0.1 |
| High | pkg:npm/express@4.17.1@4.17.1 (t) | 4.17.3, 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 |
| Critical | pkg:npm/sass-loader@9.0.2@9.0.2 (t) | 2.0.4, 3.2.1, 2.2.2, 1.2.6, 2.0.3, 1.4.2 |
| High | pkg:npm/lodash@4.17.20@4.17.20 (t) | 4.17.21, 4.17.21 |
| Medium | pkg:npm/webpack@5.30.0@5.30.0 (t) | 4.16.5, 4.8.1, 5.14.2 |
| Critical | pkg:npm/linkinator@4.0.0@4.0.0 (t) | 1.2.6 |
| Critical | pkg:npm/css-loader@5.0.0@5.0.0 (t) | 1.2.6, 2.2.2, 2.0.3, 1.4.2, 2.0.4, 3.2.1, 3.1.31 |
| High | pkg:npm/throng@5.0.0@5.0.0 (t) | 4.17.21 |
| Critical | pkg:npm/resolve-url-loader@4.0.0@4.0.0 (t) | 1.2.6, 2.0.3, 1.4.2, 2.0.4, 3.2.1, 2.2.2 |
| High | pkg:npm/babel-preset-env@1.7.0@1.7.0 (t) | 4.17.21, 3.1.0 |
| High | pkg:npm/remark-rehype@5.0.0@5.0.0 (t) | 0.0.3 |
| High | pkg:npm/@babel/plugin-transform-runtime@7.11.0@7.11.0 (t) | 4.17.21, 1.0.7 |
| Medium | pkg:npm/liquidjs@9.22.1@9.22.1 (t) | 10.0.0 |
| N/A | pkg:npm/flat@5.0.0@5.0.0 (t) | 5.0.1 |

More info on how to fix Vulnerable Libraries in JavaScript.


Insecure Use of Regular Expressions (1)
| Severity | Title | Code |
| --- | --- | --- |
| Medium | Tainted input passed to Regular Expression | ``const englishPath = req.path.replace(new RegExp(`^/${req.language}`), '/en')`` |

More info on how to fix Insecure Use of Regular Expressions in JavaScript.


Insecure Processing of Data (6)
| Severity | Title | Code |
| --- | --- | --- |
| High | Insecure Deserialization (js-yaml) | `const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath })` |
| High | Insecure Deserialization (js-yaml) | `return yaml.load(fs.readFileSync(filename, 'utf8'), { filename })` |
| Medium | Tainted input passed to Express response | `return res.send(await liquid.parseAndRender(layouts['dev-toc'], req.context))` |
| Medium | Tainted input passed to Express response | `return res.send(req.path.replace(/\//g, ''))` |
| Medium | Tainted input passed to Express response | `return res.send(await liquid.parseAndRender(layouts['enterprise-server-releases'], req.context))` |
| Medium | Tainted input passed to Express response | `res.send(addCsrf(req, output))` |

More info on how to fix Insecure Processing of Data in JavaScript.


Insecure Use of Language/Framework API (42)
| Severity | Title | Code |
| --- | --- | --- |
| Medium | User Controlled Method Invocation | `schema.send(:own_orphan_types).clear` |
| High | Child process (child_process) methods accept untrusted data to execute | `const changedFilesRelPaths = execSync('git diff --name-only origin/main \| egrep "^translations/.*/.+.(yml\|md)$"', { maxBuffer: 1024 * 1024 * 100 }).toString().split('\n')` |
| High | Child process (child_process) methods accept untrusted data to execute | ``const fixable = execSync(`cat ${fixableErrorsLog} \| egrep "^translations/.*/(.+.md\|.+.yml)$" \| sed -e 's/^/- [ ] /' \| uniq`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``const filesToAdd = execSync(`cat ${parsingErrorsLog} ${renderingErrorsLog} \| egrep "^translations/.*/(.+.md\|.+.yml)$" \| sed -e 's/^/- [ ] /' \| uniq`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | `const allErrors = execSync('cat ~/docs-*').toString()` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`git checkout main -- ${relativePath}`, { stdio: 'pipe' })`` |
| High | Child process (child_process) methods accept untrusted data to execute | `const githubBranch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: githubRepoDir }).toString().trim()` |
| High | Child process (child_process) methods accept untrusted data to execute | `execSync('git pull', { cwd: githubRepoDir })` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`${path.join(githubRepoDir, 'bin/openapi')} bundle -o ${tempDocsDir} --include_unpublished`, { stdio: 'inherit' })`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`find ${tempDocsDir} -type f -name "*deref.json" -exec mv '{}' ${dereferencedPath} ';'`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``const gitStatusOfFile = execSync(`git status --porcelain ${oldContentPath}`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`mv ${oldContentPath} ${newContentPath}`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`git mv ${oldContentPath} ${newContentPath}`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``await exec(`script/reset-translated-file.js --prefer-main ${file}`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | `const currentBranch = execSync('git symbolic-ref --short HEAD', { encoding: 'utf8' }).trim()` |
| High | Child process (child_process) methods accept untrusted data to execute | `const filenames = execSync('git diff --cached --name-only').toString().trim().split('\n')` |
| High | Child process (child_process) methods accept untrusted data to execute | ``const result = execSync(`${purgeCommand} ${localizedUrl}`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``const secondResult = execSync(`${purgeCommand} ${localizedUrl}`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`TEST_TRANSLATION=true npx jest content/lint-files > ${parsingErrorsLog}`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`script/test-render-translation.js > ${renderErrorsLog}`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`cat ${parsingErrorsLog} ${renderErrorsLog} \| egrep "^translations/.*/(.+.md\|.+.yml)$" \| uniq \| xargs -L1 script/reset-translated-file.js --prefer-main`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`mkdir ${productDir}`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``execSync(`git mv ${oldCategoryDir} ${productDir}`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | `const grepResults = execSync(grepCmd).toString()` |
| High | Child process (child_process) methods accept untrusted data to execute | `const changedFilesRelPaths = execSync(cmd).toString().split('\n')` |
| High | Child process (child_process) methods accept untrusted data to execute | ``const newPath = execSync(`find ${newDotcomDir} -name $(unknown)`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | `execSync('gem which graphql')` |
| High | Child process (child_process) methods accept untrusted data to execute | `execSync('npx prettier -w "**/*.{yml,yaml}"')` |
| High | Child process (child_process) methods accept untrusted data to execute | ``const remoteClean = execSync(`${removeHiddenMembersScript} ${tempSchemaFilePath}`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | `execSync('npm run build', { stdio: 'inherit' })` |
| High | Child process (child_process) methods accept untrusted data to execute | `currentBranch = execSync('git branch --show-current').toString()` |
| High | Child process (child_process) methods accept untrusted data to execute | ``let branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | ``branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()`` |
| High | Child process (child_process) methods accept untrusted data to execute | `cwd: earlyAccessCloningParentDir` |
| High | Child process (child_process) methods accept untrusted data to execute | ``exec(`git reset $(git merge-base ${base} HEAD)`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | `exec('git add -A')` |
| High | Child process (child_process) methods accept untrusted data to execute | ``exec(`git commit -m "${message}"`)`` |
| High | Child process (child_process) methods accept untrusted data to execute | `while ((optionsMatch = OptionsSyntax.exec(match.groups.options))) {` |
| High | Child process (child_process) methods accept untrusted data to execute | `const changedFiles = execSync('git diff --name-only HEAD').toString()` |
| High | Child process (child_process) methods accept untrusted data to execute | `const changedFilesRelPaths = execSync('git diff --name-only origin/main \| egrep "^translations/.*/.+.md$"', { maxBuffer: 1024 * 1024 * 100 })` |
| High | Child process (child_process) methods accept untrusted data to execute | `const grepResults = execSync(grepCmd).toString()` |
| High | Child process (child_process) methods accept untrusted data to execute | `const match = liquidVariableSyntax.exec(this.param)` |

More info on how to fix Insecure Use of Language/Framework API in Ruby and JavaScript.


Insecure Access Control (6)
| Severity | Title | Code |
| --- | --- | --- |
| Medium | Tainted input passed to an open redirect (express) | `return res.redirect(301, externalSites[req.path])` |
| Medium | Tainted input passed to an open redirect (express) | `return res.redirect(301, redirect)` |
| Medium | Tainted input passed to an open redirect (express) | ``return res.redirect(`https://enterprise.github.com/releases/${requestedVersion}.0/notes`)`` |
| Medium | Tainted input passed to an open redirect (express) | `return res.redirect(301, req.baseUrl + req.path.replace(/^\/en/, ''))` |
| Medium | Tainted input passed to an open redirect (express) | `return res.redirect(301, redirect)` |
| Medium | Tainted input passed to an open redirect (express) | ``return res.redirect(301, req.path.replace(redirectPattern, `/${language.code}`))`` |

More info on how to fix Insecure Access Control in JavaScript.


👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.
