
[Snyk] Security upgrade express from 4.17.1 to 4.19.2 #333

Open. Wants to merge 1 commit into base: main.

Conversation

dotam99 (Owner) commented Mar 26, 2024

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity: medium
Priority Score (*): 591/1000 (Why? Recently disclosed, Has a fix available, CVSS 6.1)
Issue: Open Redirect (SNYK-JS-EXPRESS-6474509)
Breaking Change: No
Exploit Maturity: No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: express. The new version differs by 250 commits.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


guardrails bot commented Mar 26, 2024

⚠️ We detected 99 security issues in this pull request:

Mode: paranoid | Total findings: 99 | Considered vulnerability: 99

Insecure Access Control (6)

  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, externalSites[req.path])
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, redirect)
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(`https://enterprise.github.com/releases/${requestedVersion}.0/notes`)
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, req.baseUrl + req.path.replace(/^\/en/, ''))
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, redirect)
  • Medium: Tainted input passed to an open redirect (express)
    return res.redirect(301, req.path.replace(redirectPattern, `/${language.code}`))

More info on how to fix Insecure Access Control in JavaScript.


Insecure File Management (11)

  • High: Path Traversal from user input
    '/developers/apps'
  • High: Path Traversal from user input
    newHref = path.join('/', languageCode, href)
  • High: Path Traversal from user input
    newHref = path.join('/', languageCode, href)
  • High: Path Traversal from user input
    const mapTopicOrArticlePath = path.posix.join(categoryPath, pathParts[2])
  • High: Path Traversal from user input
    const categoryPath = removeFPTFromPath(path.posix.join('/', 'en', req.context.currentVersion, 'early-access', pathParts[0], pathParts[1]))
  • High: Path Traversal from user input
    title: product.title
  • High: Path Traversal from user input
    const categoryPath = removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath, pathParts[1]))
  • High: Path Traversal from user input
    const productPath = path.posix.join('/', req.context.currentProduct)
  • High: Path Traversal from user input
    href: removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath)),
  • High: Path Traversal from user input
    const proxyPath = path.join('/', requestedVersion, assetPath)
  • High: Path Traversal from user input
    const href = removeFPTFromPath(path.join('/', context.currentLanguage, version, linkPath))

More info on how to fix Insecure File Management in JavaScript.


Insecure Processing of Data (6)

  • High: Insecure Deserialization (js-yaml)
    const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath })
  • High: Insecure Deserialization (js-yaml)
    return yaml.load(fs.readFileSync(filename, 'utf8'), { filename })
  • Medium: Tainted input passed to Express response
    return res.send(await liquid.parseAndRender(layouts['dev-toc'], req.context))
  • Medium: Tainted input passed to Express response
    return res.send(req.path.replace(/\//g, ''))
  • Medium: Tainted input passed to Express response
    return res.send(await liquid.parseAndRender(layouts['enterprise-server-releases'], req.context))
  • Medium: Tainted input passed to Express response
    res.send(addCsrf(req, output))

More info on how to fix Insecure Processing of Data in JavaScript.


Insecure Use of Language/Framework API (42)

  • Medium: User Controlled Method Invocation
    schema.send(:own_orphan_types).clear
  • High: Child process (child_process) methods accept untrusted data to execute
    const changedFilesRelPaths = execSync('git diff --name-only origin/main | egrep "^translations/.*/.+.(yml|md)$"', { maxBuffer: 1024 * 1024 * 100 }).toString().split('\n')
  • High: Child process (child_process) methods accept untrusted data to execute
    const fixable = execSync(`cat ${fixableErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | sed -e 's/^/- [ ] /' | uniq`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const filesToAdd = execSync(`cat ${parsingErrorsLog} ${renderingErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | sed -e 's/^/- [ ] /' | uniq`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const allErrors = execSync('cat ~/docs-*').toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`git checkout main -- ${relativePath}`, { stdio: 'pipe' })
  • High: Child process (child_process) methods accept untrusted data to execute
    const githubBranch = execSync('git rev-parse --abbrev-ref HEAD', { cwd: githubRepoDir }).toString().trim()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync('git pull', { cwd: githubRepoDir })
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`${path.join(githubRepoDir, 'bin/openapi')} bundle -o ${tempDocsDir} --include_unpublished`, { stdio: 'inherit' })
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`find ${tempDocsDir} -type f -name "*deref.json" -exec mv '{}' ${dereferencedPath} ';'`)
  • High: Child process (child_process) methods accept untrusted data to execute
    const gitStatusOfFile = execSync(`git status --porcelain ${oldContentPath}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`mv ${oldContentPath} ${newContentPath}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`git mv ${oldContentPath} ${newContentPath}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    await exec(`script/reset-translated-file.js --prefer-main ${file}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    const currentBranch = execSync('git symbolic-ref --short HEAD', { encoding: 'utf8' }).trim()
  • High: Child process (child_process) methods accept untrusted data to execute
    const filenames = execSync('git diff --cached --name-only').toString().trim().split('\n')
  • High: Child process (child_process) methods accept untrusted data to execute
    const result = execSync(`${purgeCommand} ${localizedUrl}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const secondResult = execSync(`${purgeCommand} ${localizedUrl}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`TEST_TRANSLATION=true npx jest content/lint-files > ${parsingErrorsLog}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`script/test-render-translation.js > ${renderErrorsLog}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`cat ${parsingErrorsLog} ${renderErrorsLog} | egrep "^translations/.*/(.+.md|.+.yml)$" | uniq | xargs -L1 script/reset-translated-file.js --prefer-main`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`mkdir ${productDir}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync(`git mv ${oldCategoryDir} ${productDir}`)
  • High: Child process (child_process) methods accept untrusted data to execute
    const grepResults = execSync(grepCmd).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const changedFilesRelPaths = execSync(cmd).toString().split('\n')
  • High: Child process (child_process) methods accept untrusted data to execute
    const newPath = execSync(`find ${newDotcomDir} -name $(unknown)`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync('gem which graphql')
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync('npx prettier -w "**/*.{yml,yaml}"')
  • High: Child process (child_process) methods accept untrusted data to execute
    const remoteClean = execSync(`${removeHiddenMembersScript} ${tempSchemaFilePath}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    execSync('npm run build', { stdio: 'inherit' })
  • High: Child process (child_process) methods accept untrusted data to execute
    currentBranch = execSync('git branch --show-current').toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    let branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    branchExists = execSync(`git ls-remote --heads ${earlyAccessFullRepo} ${earlyAccessBranch}`).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    cwd: earlyAccessCloningParentDir
  • High: Child process (child_process) methods accept untrusted data to execute
    exec(`git reset $(git merge-base ${base} HEAD)`)
  • High: Child process (child_process) methods accept untrusted data to execute
    exec('git add -A')
  • High: Child process (child_process) methods accept untrusted data to execute
    exec(`git commit -m "${message}"`)
  • High: Child process (child_process) methods accept untrusted data to execute
    while ((optionsMatch = OptionsSyntax.exec(match.groups.options))) {
  • High: Child process (child_process) methods accept untrusted data to execute
    const changedFiles = execSync('git diff --name-only HEAD').toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const changedFilesRelPaths = execSync('git diff --name-only origin/main | egrep "^translations/.*/.+.md$"', { maxBuffer: 1024 * 1024 * 100 })
  • High: Child process (child_process) methods accept untrusted data to execute
    const grepResults = execSync(grepCmd).toString()
  • High: Child process (child_process) methods accept untrusted data to execute
    const match = liquidVariableSyntax.exec(this.param)

More info on how to fix Insecure Use of Language/Framework API in Ruby and JavaScript.


Insecure Use of Regular Expressions (1)

  • Medium: Tainted input passed to Regular Expression
    const englishPath = req.path.replace(new RegExp(`^/${req.language}`), '/en')

More info on how to fix Insecure Use of Regular Expressions in JavaScript.


Vulnerable Libraries (33)

  • High: pkg:npm/remark-rehype@5.0.0, upgrade to: > 5.0.0
  • Medium: pkg:npm/webpack-cli@4.6.0, upgrade to: > 4.6.0
  • Critical: pkg:npm/css-loader@5.0.0, upgrade to: > 5.0.0
  • Critical: pkg:npm/flat@5.0.0, upgrade to: 5.0.1
  • Critical: pkg:npm/sass-loader@9.0.2, upgrade to: > 9.0.2
  • High: pkg:npm/babel-preset-env@1.7.0, upgrade to: > 1.7.0
  • High: pkg:npm/algoliasearch@3.35.1, upgrade to: > 3.35.1
  • High: pkg:npm/webpack@5.30.0, upgrade to: 5.76.0
  • Critical: pkg:npm/linkinator@2.13.1, upgrade to: > 2.13.1
  • High: pkg:npm/throng@5.0.0, upgrade to: > 5.0.0
  • Critical: pkg:npm/mini-css-extract-plugin@1.4.1, upgrade to: > 1.4.1
  • Critical: pkg:npm/style-loader@1.2.1, upgrade to: > 1.2.1
  • High: pkg:npm/cheerio@1.0.0-rc.3, upgrade to: > 1.0.0-rc.3
  • High: pkg:npm/rimraf@3.0.0, upgrade to: > 3.0.0
  • High: pkg:npm/node-fetch@2.6.1, upgrade to: 3.1.1, 2.6.7
  • Medium: pkg:npm/semver@5.7.1, upgrade to: 7.5.2
  • Critical: pkg:npm/resolve-url-loader@4.0.0, upgrade to: > 4.0.0
  • High: pkg:npm/morgan@1.9.1, upgrade to: > 1.9.1
  • Medium: pkg:npm/liquidjs@9.22.1, upgrade to: 10.0.0
  • High: pkg:npm/compression@1.7.4, upgrade to: > 1.7.4
  • High: pkg:npm/sass@1.32.8, upgrade to: > 1.32.8
  • High: pkg:npm/@babel/plugin-transform-runtime@7.11.0, upgrade to: > 7.11.0
  • Critical: pkg:npm/browser-date-formatter@3.0.3, upgrade to: > 3.0.3
  • High: pkg:npm/hast-util-select@4.0.2, upgrade to: > 4.0.2
  • High: pkg:npm/walk-sync@1.1.4, upgrade to: > 1.1.4
  • High: pkg:npm/remark-parse@7.0.2, upgrade to: > 7.0.2
  • Critical: pkg:npm/babel-loader@8.1.0, upgrade to: > 8.1.0
  • N/A: pkg:npm/got@9.6.0, upgrade to: 12.1.0, 11.8.5
  • Critical: pkg:npm/copy-webpack-plugin@6.4.1, upgrade to: > 6.4.1
  • High: pkg:npm/rss-parser@3.12.0, upgrade to: > 3.12.0
  • High: pkg:npm/express@4.19.2, upgrade to: > 4.19.2
  • Informational: pkg:npm/rehype-highlight@3.1.0, upgrade to: > 3.1.0
  • Medium: pkg:npm/lodash@4.17.20, upgrade to: 4.17.21

More info on how to fix Vulnerable Libraries in JavaScript.

