
It has vulnerability #1

Closed
2018-05-17 03:45:19 +00:00 opened by Ghost · 4 comments

npm audit

                       === npm audit security report ===

# Run  npm install testcafe@15.1.317522  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ atob                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ testcafe                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ testcafe > testcafe-hammerhead > css > source-map-resolve >  │
│               │ atob                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/646                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Out-of-bounds Read                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ atob                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ testcafe-hammerhead                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ testcafe-hammerhead > css > source-map-resolve > atob        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/646                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 2 vulnerabilities found - Packages audited: 3352 (55 dev, 0 optional)
    Severity: 2 Moderate
Owner

Unless there's a vulnerability in node's Buffer itself, I don't see how I could be introducing a vulnerability:

"use strict";

// Decode a base64 string to a "binary" (latin1) string, mirroring the browser's atob().
function atob(str) {
  return Buffer.from(str, 'base64').toString('binary');
}

// Export the function both as the module and as its own `atob` property.
module.exports = atob.atob = atob;

And what's the recommendation? I suppose I could test that 'str' is a string and not ~~a number (not allowed anyway)~~ an array?

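The type check the owner floats above, written out as an added example (this is not the atob.js module's own code; `atobStrict`, `atobUnchecked` and `rejects` are names chosen here). It shows why the check matters for the array case specifically: `Buffer.from(123, 'base64')` already throws on current Node, but `Buffer.from([104, 105], 'base64')` is accepted and treated as raw bytes, so an array input would silently "decode" to whatever bytes it holds instead of being rejected.

```javascript
"use strict";

// Hardened variant: reject everything that is not a string before touching
// Buffer, so the contract matches the browser's atob() exactly.
function atobStrict(str) {
  if (typeof str !== 'string') {
    const kind = Array.isArray(str) ? 'array' : typeof str;
    throw new TypeError(`atob: expected a string, got ${kind}`);
  }
  return Buffer.from(str, 'base64').toString('binary');
}

// The unchecked form from the thread, kept here only for comparison.
function atobUnchecked(str) {
  return Buffer.from(str, 'base64').toString('binary');
}

// Report whether the strict variant rejects a given input with a TypeError.
function rejects(input) {
  try {
    atobStrict(input);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed inputs: a valid base64 string, a number, and an array of byte
// values that the unchecked version quietly interprets as the bytes of "hi".
const samples = ['aGk=', 123, [104, 105]];
for (const s of samples) {
  console.log(JSON.stringify(s), 'rejected by atobStrict:', rejects(s));
}
console.log('atobUnchecked([104, 105]) ->', JSON.stringify(atobUnchecked([104, 105])));
```

The point of the comparison is that the unchecked version never errors on an array: it returns a string built from the array's numeric values, which is exactly the kind of unexpected input handling a caller would not notice until something downstream misbehaves.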
Owner

Actually, the advisory you linked to (https://nodesecurity.io/advisories/646) says that there is no vulnerability in the current version.

All you have to do is update to v2.1.0

I believe that was to address a security issue with node's deprecated buffer constructor, not this module itself.

Thanks for the report. I'll go ahead and close this, but let me know if you think something else should be changed.

coolaj86 closed this issue 2018-05-17 08:20:49 +00:00
Author

Thank you for replying.

I updated with npm install atob@2.1.1.
The issue was closed but the warning was not resolved.

Owner

One of these modules is the one that has the older version:

testcafe > testcafe-hammerhead > css > source-map-resolve

It's probably source-map-resolve.

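The situation in this thread (the top-level `atob` was updated, but a second, older copy is still nested under `source-map-resolve`) is easiest to see by walking the dependency tree and listing every path that ends at a version below the advisory's patched range. The script below is an added example, not part of the atob.js project: it takes a nested tree in the shape `npm ls --json` prints, and the sample tree is constructed to mirror the audit path in this issue. The `0.0.0` versions on the intermediate packages and the `2.0.3` on the nested copy are placeholder values, not the releases actually installed in the reporter's project.

```javascript
"use strict";

// Minimal comparison for plain "x.y.z" versions (no prerelease or build tags),
// enough for the ">=2.1.0" range in the advisory.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over `tree.dependencies`, collecting "name@version" paths
// to every copy of `target` whose version is below `patchedIn`.
function findVulnerablePaths(tree, target, patchedIn) {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, node] of Object.entries(deps || {})) {
      const path = trail.concat(`${name}@${node.version}`);
      if (name === target && compareVersions(node.version, patchedIn) < 0) {
        hits.push(path);
      }
      walk(node.dependencies, path);
    }
  }
  walk(tree.dependencies, []);
  return hits;
}

// Constructed sample tree: top-level atob already at 2.1.1 as in the thread,
// while the copy nested under source-map-resolve is still an old one.
const sampleTree = {
  name: 'my-project',
  version: '1.0.0',
  dependencies: {
    atob: { version: '2.1.1' },
    testcafe: {
      version: '0.0.0', // placeholder
      dependencies: {
        'testcafe-hammerhead': {
          version: '0.0.0', // placeholder
          dependencies: {
            css: {
              version: '0.0.0', // placeholder
              dependencies: {
                'source-map-resolve': {
                  version: '0.0.0', // placeholder
                  dependencies: {
                    atob: { version: '2.0.3' }, // sample old version
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Render each offending path in the same "a > b > c" form npm audit uses.
function report(tree) {
  return findVulnerablePaths(tree, 'atob', '2.1.0').map((p) => p.join(' > '));
}

console.log(report(sampleTree).join('\n'));
```

On a real checkout the same answer comes from `npm ls atob`, which prints every installed copy with its version and the chain that pulled it in; the last package before `atob` in that chain is the one whose own dependency range needs to move, which is why the thread lands on `source-map-resolve` rather than the project's direct `atob` entry.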
Reference: coolaj86/atob.js#1
No description provided.