
[Snyk] Security upgrade express from 4.17.1 to 4.21.2 #348

Open · wants to merge 1 commit into main
Conversation

dotam99 (Owner) commented Dec 12, 2024

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • package-lock.json

Vulnerabilities that will be fixed with an upgrade:

  • Issue: medium severity Regular Expression Denial of Service (ReDoS), SNYK-JS-PATHTOREGEXP-8482416
  • Score: 738

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)


guardrails bot commented Dec 12, 2024

⚠️ We detected 102 security issues in this pull request:

Mode: paranoid | Total findings: 102 | Considered vulnerability: 102

Insecure Access Control (6)

  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, externalSites[req.path])
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, redirect)
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(`https://enterprise.github.com/releases/${requestedVersion}.0/notes`)
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, req.baseUrl + req.path.replace(/^\/en/, ''))
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, redirect)
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, req.path.replace(redirectPattern, `/${language.code}`))

More info on how to fix Insecure Access Control in JavaScript.


Insecure File Management (11)

  • High: Path Traversal from user input
    '/developers/apps'
  • High: Path Traversal from user input
    newHref = path.join('/', languageCode, href)
  • High: Path Traversal from user input
    newHref = path.join('/', languageCode, href)
  • High: Path Traversal from user input
    const mapTopicOrArticlePath = path.posix.join(categoryPath, pathParts[2])
  • High: Path Traversal from user input
    const categoryPath = removeFPTFromPath(path.posix.join('/', 'en', req.context.currentVersion, 'early-access', pathParts[0], pathParts[1]))
  • High: Path Traversal from user input
    title: product.title
  • High: Path Traversal from user input
    const categoryPath = removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath, pathParts[1]))
  • High: Path Traversal from user input
    const productPath = path.posix.join('/', req.context.currentProduct)
  • High: Path Traversal from user input
    href: removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath)),
  • High: Path Traversal from user input
    const proxyPath = path.join('/', requestedVersion, assetPath)
  • High: Path Traversal from user input
    const href = removeFPTFromPath(path.join('/', context.currentLanguage, version, linkPath))

More info on how to fix Insecure File Management in JavaScript.


Insecure Processing of Data (6)

  • High: Insecure Deserialization (js-yaml)
    const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath })
  • High: Insecure Deserialization (js-yaml)
    return yaml.load(fs.readFileSync(filename, 'utf8'), { filename })
  • Medium: Tainted input passed to Express response
    return res.send(await liquid.parseAndRender(layouts['dev-toc'], req.context))
  • Medium: Tainted input passed to Express response
    return res.send(req.path.replace(/\//g, ''))
  • Medium: Tainted input passed to Express response
    return res.send(await liquid.parseAndRender(layouts['enterprise-server-releases'], req.context))
  • Medium: Tainted input passed to Express response
    res.send(addCsrf(req, output))

More info on how to fix Insecure Processing of Data in JavaScript.


Insecure Use of Language/Framework API (42)

  • Medium: User Controlled Method Invocation
    schema.send(:own_orphan_types).clear
  • High: Child process (child_process) methods accept untrusted data to execute
    const changedFilesRelPaths = execSync('git diff --name-only origin/main | egrep "^translations/.*/.+.(yml|md)$"', { maxBuffer: 1024 * 1024 * 100 }).toString().split('\n')
  • High: Child process (child_process) methods accept untrusted data to execute
    const fixable = execSync(`cat ${fixableErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | sed -e 's/^/- [ ] /' | uniq`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const filesToAdd = execSync(`cat ${parsingErrorsLog} ${renderingErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | sed -e 's/^/- [ ] /' | uniq`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const allErrors = execSync('cat ~/docs-*').toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`git checkout main -- ${relativePath}`, { stdio: 'pipe' })
  • High: Child process (child_process) methods accept untrusted data to execute
    const githubBranch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: githubRepoDir }).toString().trim()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync('git pull', { cwd: githubRepoDir })
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`${path.join(githubRepoDir, 'bin/openapi')} bundle -o ${tempDocsDir} --include_unpublished`, { stdio: 'inherit' })
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`find ${tempDocsDir} -type f -name "*deref.json" -exec mv '{}' ${dereferencedPath} ';'`)
  • High: Child process (child_process) methods accept untrusted data to execute
    const gitStatusOfFile = execSync(`git status --porcelain ${oldContentPath}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`mv ${oldContentPath} ${newContentPath}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`git mv ${oldContentPath} ${newContentPath}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    await exec(`script/reset-translated-file.js --prefer-main ${file}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    const currentBranch = execSync('git symbolic-ref --short HEAD', { encoding: 'utf8' }).trim()
  • High: Child process (child_process) methods accept untrusted data to execute
    const filenames = execSync('git diff --cached --name-only').toString().trim().split('\n')
  • High: Child process (child_process) methods accept untrusted data to execute
    const result = execSync(`${purgeCommand} ${localizedUrl}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const secondResult = execSync(`${purgeCommand} ${localizedUrl}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`TEST_TRANSLATION=true npx jest content/lint-files > ${parsingErrorsLog}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`script/test-render-translation.js > ${renderErrorsLog}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`cat ${parsingErrorsLog} ${renderErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | uniq | xargs -L1 script/reset-translated-file.js --prefer-main`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`mkdir ${productDir}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`git mv ${oldCategoryDir} ${productDir}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    const grepResults = execSync(grepCmd).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const changedFilesRelPaths = execSync(cmd).toString().split('\n')
  • High: Child process (child_process) methods accept untrusted data to execute
    const newPath = execSync(`find ${newDotcomDir} -name $(unknown)`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync('gem which graphql')
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync('npx prettier -w "**/*.{yml,yaml}"')
  • High: Child process (child_process) methods accept untrusted data to execute
    const remoteClean = execSync(`${removeHiddenMembersScript} ${tempSchemaFilePath}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync('npm run build', { stdio: 'inherit' })
  • High: Child process (child_process) methods accept untrusted data to execute
    currentBranch = execSync('git branch --show-current').toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    let branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    cwd: earlyAccessCloningParentDir
  • High: Child process (child_process) methods accept untrusted data to execute
    exec(`git reset $(git merge-base ${base} HEAD)`)
  • High: Child process (child_process) methods accept untrusted data to execute
    exec('git add -A')
  • High: Child process (child_process) methods accept untrusted data to execute
    exec(`git commit -m "${message}"`)
  • High: Child process (child_process) methods accept untrusted data to execute
    while ((optionsMatch = OptionsSyntax.exec(match.groups.options))) {
  • High: Child process (child_process) methods accept untrusted data to execute
    const changedFiles = execSync('git diff --name-only HEAD').toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const changedFilesRelPaths = execSync('git diff --name-only origin/main | egrep "^translations/.*/.+.md$"', { maxBuffer: 1024 * 1024 * 100 })
  • High: Child process (child_process) methods accept untrusted data to execute
    const grepResults = execSync(grepCmd).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const match = liquidVariableSyntax.exec(this.param)

More info on how to fix Insecure Use of Language/Framework API in Ruby and JavaScript.


Insecure Use of Regular Expressions (1)

  • Medium: Tainted input passed to Regular Expression
    const englishPath = req.path.replace(new RegExp(`^/${req.language}`), '/en')

More info on how to fix Insecure Use of Regular Expressions in JavaScript.


Vulnerable Libraries (36)

  • High: pkg:npm/node-fetch@2.6.1, upgrade to 3.1.1 or 2.6.7
  • Critical: pkg:npm/style-loader@1.2.1, upgrade to > 1.2.1
  • High: pkg:npm/sass@1.32.8, upgrade to > 1.32.8
  • High: pkg:npm/walk-sync@1.1.4, upgrade to > 1.1.4
  • High: pkg:npm/cross-env@7.0.2, upgrade to > 7.0.2
  • Critical: pkg:npm/copy-webpack-plugin@6.4.1, upgrade to > 6.4.1
  • High: pkg:npm/express@4.21.2, upgrade to > 4.21.2
  • Critical: pkg:npm/sass-loader@9.0.2, upgrade to > 9.0.2
  • Medium: pkg:npm/semver@5.7.1, upgrade to 7.5.2
  • High: pkg:npm/remark-rehype@5.0.0, upgrade to > 5.0.0
  • Medium: pkg:npm/liquidjs@9.22.1, upgrade to 10.0.0
  • High: pkg:npm/algoliasearch@3.35.1, upgrade to > 3.35.1
  • Medium: pkg:npm/lodash@4.17.20, upgrade to 4.17.21
  • High: pkg:npm/webpack-cli@4.6.0, upgrade to > 4.6.0
  • Critical: pkg:npm/browser-date-formatter@3.0.3, upgrade to > 3.0.3
  • High: pkg:npm/@babel/plugin-transform-runtime@7.11.0, upgrade to > 7.11.0
  • High: pkg:npm/throng@5.0.0, upgrade to > 5.0.0
  • Critical: pkg:npm/mini-css-extract-plugin@1.4.1, upgrade to > 1.4.1
  • High: pkg:npm/remark-parse@7.0.2, upgrade to > 7.0.2
  • High: pkg:npm/rimraf@3.0.0, upgrade to > 3.0.0
  • Critical: pkg:npm/resolve-url-loader@4.0.0, upgrade to > 4.0.0
  • Critical: pkg:npm/css-loader@5.0.0, upgrade to > 5.0.0
  • High: pkg:npm/morgan@1.9.1, upgrade to > 1.9.1
  • Critical: pkg:npm/babel-preset-env@1.7.0, upgrade to > 1.7.0
  • Critical: pkg:npm/flat@5.0.0, upgrade to 5.0.1
  • High: pkg:npm/compression@1.7.4, upgrade to > 1.7.4
  • High: pkg:npm/cheerio@1.0.0-rc.3, upgrade to > 1.0.0-rc.3
  • Informational: pkg:npm/cookie-parser@1.4.5, upgrade to > 1.4.5
  • High: pkg:npm/rss-parser@3.12.0, upgrade to > 3.12.0
  • Informational: pkg:npm/csurf@1.11.0, upgrade to > 1.11.0
  • High: pkg:npm/hast-util-select@4.0.2, upgrade to > 4.0.2
  • Informational: pkg:npm/rehype-highlight@3.1.0, upgrade to > 3.1.0
  • Critical: pkg:npm/linkinator@2.13.1, upgrade to > 2.13.1
  • Medium: pkg:npm/webpack@5.30.0, upgrade to 5.94.0
  • Critical: pkg:npm/babel-loader@8.1.0, upgrade to > 8.1.0
  • N/A: pkg:npm/got@9.6.0, upgrade to 11.8.5 or 12.1.0

More info on how to fix Vulnerable Libraries in JavaScript.


👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.
