Fix vulnerabilities #317

Merged: 2 commits from fix_vulnerabilities into master, Jan 11, 2022

Conversation

The-EDev (Member) commented Jan 11, 2022

The PR fixes 2 vulnerabilities found in Crow.

  1. A Path Traversal exploit made possible by Crow's default static directory and Mustache's templates directory.
  2. A Content Injection exploit made possible by Crow's Mustache implementation not escaping some characters.

Once merged, this PR, along with #292, #296, and #304, will be released immediately as part of v0.3+4.

Note: This PR introduces a slowdown between 50µs and 1.5ms for any static file or template being loaded (depending on the length of the filename). Therefore I would advise optimization of the sanitize_filename() function before the next minor/major release.

A special thank you to the Snyk Security team for their effort in identifying and reporting these vulnerabilities.
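The two checks the description refers to, as an added illustration that is not Crow's code and not the implementation of this PR: a hypothetical `is_safe_relative_path()` that rejects requested file paths able to escape a static or template root, and a hypothetical `html_escape()` that neutralises markup characters in template data (the escaped set mirrors common Mustache implementations and is an assumption here). The path check assumes the input has already been percent-decoded.

```cpp
#include <sstream>
#include <string>

// Hypothetical defensive check (not Crow's sanitize_filename()).
// Rejects paths that could leave the static/template root: absolute paths,
// NUL bytes, backslash separators, Windows drive prefixes and ".." segments.
// Input is assumed to be already percent-decoded by the caller.
bool is_safe_relative_path(const std::string& path) {
    if (path.empty() || path[0] == '/' || path[0] == '\\') return false;
    if (path.find('\0') != std::string::npos) return false;
    std::stringstream ss(path);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg == "..") return false;                       // parent traversal
        if (seg.find('\\') != std::string::npos) return false; // alt separator
        if (seg.size() > 1 && seg[1] == ':') return false;   // "C:" style prefix
    }
    return true;
}

// Hypothetical HTML-context escape for template output: every character that
// could open or close markup is replaced by an entity, so injected data
// renders as text rather than tags.
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            case '/':  out += "&#x2F;"; break;
            default:   out += c;
        }
    }
    return out;
}
```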

The-EDev added this to the v0.4 (v1.0 possibly) milestone, Jan 11, 2022
The-EDev merged commit 8cfdfca into master, Jan 11, 2022
The-EDev added a commit that referenced this pull request, Jan 12, 2022
The-EDev deleted the fix_vulnerabilities branch, January 12, 2022 03:57