Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Speccy uses dompurify with XSS vulnerability #157

Open
riderjensen opened this issue Mar 9, 2022 · 5 comments
Open

Speccy uses dompurify with XSS vulnerability #157

riderjensen opened this issue Mar 9, 2022 · 5 comments
Labels

Comments

@riderjensen
Copy link

Thought I would bring this up here as Speccy is a dead repo (last updated 3 years ago). It looks like Speccy is being used here and the latest version of Speccy is using an older version of redoc which is using a bad version of dompurify according to snyk .

Wondering what are thoughts around removing speccy from the repo?

@cebe
Copy link
Owner

cebe commented Mar 11, 2022

it is used in the CI pipeline to compare whether specs that are valid in speccy are valid here too, so I'm not very concerned about any XSS in it.
However I'm open to replace it with a more up to date tooling from the JS world.

@cebe cebe added the overhead label Apr 20, 2022
@vvanpo
Copy link

vvanpo commented Apr 21, 2022

@cebe even though the JavaScript dependency is not included in the release tarball, the presence of the yarn.lock file causes security scanning tools like Snyk to report a critical vulnerability (since it can be configured to crawl the a project after installing all Composer dependencies, looking for dependency manifests like yarn.lock). Would it be possible to package and release php-openapi without the yarn.lock file present?

@cebe
Copy link
Owner

cebe commented Apr 21, 2022

As far as I remember that is possible by adding a .gitattributes file to exclude files like that, e.g. https://github.com/cebe/markdown/blob/2b2461bed9e15305486319ee552bafca75d1cdaa/.gitattributes

Happy to merge a PR that adds one.

@cebe
Copy link
Owner

cebe commented Apr 29, 2022

However I'm open to replace it with a more up to date tooling from the JS world.

https://openapi.tools/#description-validators

@philsturgeon
Copy link

Hey hey! I made Speccy and it got trapped and promptly abandoned at WeWork when I left. Spectral is the successor, it does severything Speccy did and a million times more. https://github.com/stoplightio/spectral/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

4 participants