-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Snyk] Security upgrade react-docgen from 2.21.0 to 5.2.0 #962
base: master
Are you sure you want to change the base?
Conversation
…vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
Prototype PollutionClick here to find a Prototype Pollution training lab DescriptionThe problem lies with the manner in which JavaScript implements inheritance by using a prototype. What this means, in a nutshell, is that every object contains a reference to the prototype of its class. When a property is requested from a particular object, the runtime first checks if the instance has the aforementioned property; otherwise, it looks it up in the prototype chain, recursively. The reference to the prototype is available via the Read moreImpactThe impact of Prototype Pollution is ultimately determined by the sensitivity and criticality of the data ingested by the application. It is not a vulnerability that is dangerous per se; rather, it all depends on how the application uses such untrusted properties. In other words, it merely alters the program data and flow. Scenario 1The following example considers an object (in a JavaScript console): > o = {x: 123, __proto__: {toString: () => console.log('Triggered!')}}
{ x: 123 }
> o + ''
Triggered!
'undefined' We have created an object with its own prototype that redefines the While this is important, it is unlikely that some kind of injection (e.g., an injection via GET parameters, cookies, etc.) ends up creating a JavaScript function ( In this case, there is no direct code execution, and the impact is merely that of adding another property to the object; since we are already injecting Scenario 2In this case, however, the application allows the alteration of an existing prototype. Consider the following: const someObject = {};
const someOtherObject = {};
// ...
someObject[UNTRUSTED_NAME] = UNTRUSTED_VALUE;
// ...
if (someOtherObject.isAdminEnabled) {
// do some sensitive stuff
} Being able to control UNTRUSTED_NAME = '__proto__';
UNTRUSTED_VALUE = {isAdminEnabled: 'whatever'}; PreventionThere are different approaches to preventing Prototype Pollution, the most trivial of which is to disallow untrusted data being assigned to arbitrary properties altogether. If this is not possible, developers might implement some filtering so that it is not possible to overwrite TestingVerify that the application protects against JavaScript injection attacks, including for eval attacks, remote JavaScript includes, DOM XSS, and JavaScript expression evaluation.
ReferencesMedium - What is Prototype Pollution and why is it such a big deal? |
Micro-Learning Topic: Stack overflow (Detected by phrase)Matched on "stack overflow"Also referred to as Stack buffer overflows. This vulnerability occurs when data received by a program is written to a memory location on the stack and the allocated space is not large enough to take the whole input. If proper boundary checks are not implemented, or unsafe functions like sprintf, fgets etc. are used which don't require a destination size limit the stack memory after the target buffer may be written to, allowing an attacker to alter the normal behaviour of the program. Most modern compilers now have a secure switch which may reorder stack variables and generate extra code to protect against this type of vulnerability. Try this challenge in Secure Code Warrior |
Micro-Learning Topic: Injection attack (Detected by phrase)Matched on "injection attack"Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Try this challenge in Secure Code WarriorMicro-Learning Topic: DOM-based cross-site scripting (Detected by phrase)Matched on "DOM XSS"DOM-based cross-site scripting vulnerabilities occur when unescaped input is processed by client-side script and insecurely written into the page Document Object Model (DOM). This will result in immediate changes to the page, potentially without any call to the server. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Cross-site scripting (Detected by phrase)Matched on "XSS"Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Denial of service (Detected by phrase)Matched on "denial of service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try this challenge in Secure Code Warrior |
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5
SNYK-JS-ASYNC-2441827
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: react-docgen
The new version differs by 189 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution