Fix bugs in ip and socket.io packages to improve security and stability #1340
Bug 1: Incorrect Handling of Certain Private IP Formats in ip Package

The isPublic() function in the NPM package ip incorrectly identifies certain private IP addresses in uncommon formats, such as 0x7F.1, as public. This issue could lead to security vulnerabilities like Server-Side Request Forgery (SSRF) when isPublic() is used to protect sensitive code paths against user input. This commit updates the ip package to versions 1.1.9 and 2.0.1, which include a fix for this issue.
References:
CVE-2023-42282
Cosmos of Cyberspace Advisory
Related comments and commits:
JoshGlazebrook/socks#93,
github/advisory-database#3504,
indutny/node-ip#138,
indutny/node-ip@32f468f,
indutny/node-ip@6a3ada9
Bug 2: Uncaught Exception Vulnerability in socket.io Package

The socket.io package for Node.js is vulnerable to uncaught exceptions when handling error events. Without a proper listener for these events, an attacker could send specially crafted packets that trigger unhandled exceptions, potentially crashing the Node process. This commit upgrades the socket.io package to versions 2.5.1, 4.6.2, or higher, which include fixes for this vulnerability.