It has vulnerability #1

Closed
opened 2018-05-17 03:45:19 +00:00 by Ghost · 4 comments

npm audit

                       === npm audit security report ===

# Run  npm install testcafe@15.1.317522  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ atob                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ testcafe                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ testcafe > testcafe-hammerhead > css > source-map-resolve >  │
│               │ atob                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/646                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ atob                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ testcafe-hammerhead                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ testcafe-hammerhead > css > source-map-resolve > atob        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/646                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 2 vulnerabilities found - Packages audited: 3352 (55 dev, 0 optional)
    Severity: 2 Moderate
Owner

Unless there's a vulnerability in node's Buffer itself, I don't see how I could be introducing a vulnerability:

"use strict";

function atob(str) {
  return Buffer.from(str, 'base64').toString('binary');
}

module.exports = atob.atob = atob;

And what's the recommendation? I suppose I could test that 'str' is a string and not ~~a number (not allowed anyway)~~ an array?

Owner

Actually, the advisory you linked to (https://nodesecurity.io/advisories/646) says that there is no vulnerability in the current version.

All you have to do is update to v2.1.0

I believe that was to address a security issue with node's deprecated buffer constructor, not this module itself.

Thanks for the report. I'll go ahead and close this, but let me know if you think something else should be changed.

Author

Thank you for replying.

I updated via npm install atob@2.1.1.
The issue was closed, but the warning was not resolved.

Owner

One of these modules is the one that has the older version:

testcafe > testcafe-hammerhead > css > source-map-resolve

It's probably source-map-resolve.

Reference: coolaj86/atob.js#1