Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 1 vulnerabilities #71

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Snyk] Fix for 1 vulnerabilities #71

wants to merge 1 commit into from

Conversation

harunpehlivan
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • packages/socket/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
critical severity 776/1000
Why? Recently disclosed, Has a fix available, CVSS 9.8		 Improper Input Validation
SNYK-JS-SOCKETIOPARSER-3091012		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: socket.io The new version differs by 154 commits.
  • 1af3267 chore(release): 3.0.0
  • 02951c4 chore(release): 3.0.0-rc4
  • 54bf4a4 feat: emit an Error object upon middleware error
  • aa7574f feat: serve msgpack bundle
  • 64056d6 docs(examples): update TypeScript example
  • cacad70 chore(release): 3.0.0-rc3
  • d16c035 refactor: rename ERROR to CONNECT_ERROR
  • 5c73733 feat: add support for catch-all listeners
  • 129c641 feat: make Socket#join() and Socket#leave() synchronous
  • 0d74f29 refactor(typings): export Socket class
  • 7603da7 feat: remove prod dependency to socket.io-client
  • a81b9f3 docs(examples): add example with TypeScript
  • 20ea6bd docs(examples): add example with ES modules
  • 0ce5b4c chore(release): 3.0.0-rc2
  • 8a5db7f refactor: remove duplicate _sockets map
  • 2a05042 refactor: add additional typings
  • 91cd255 fix: close clients with no namespace
  • 58b66f8 refactor: hide internal methods and properties
  • 669592d feat: move binary detection back to the parser
  • 2d2a31e chore: publish the wrapper.mjs file
  • ebb0575 chore(release): 3.0.0-rc1
  • c0d171f test: use the reconnect event of the Manager
  • 9c7a48d test: use the complete export name
  • 4bd5b23 feat: throw upon reserved event names

See the full diff

Package name: socket.io-client The new version differs by 104 commits.
  • b7e07ba chore(release): 3.0.0
  • ffa2804 chore(release): 3.0.0-rc4
  • 0939395 feat: emit an Error object upon middleware error
  • 969debe refactor: rework of the Manager events
  • a9127ce chore(release): 3.0.0-rc3
  • 13e1db7 refactor: rename ERROR to CONNECT_ERROR
  • 55f464f feat: add support for catch-all listeners
  • 71d6048 feat: add bundle with msgpack parser
  • f3cbe98 refactor: additional typings
  • 7ddad2c feat: add volatile events
  • b600e78 chore(release): 3.0.0-rc2
  • 1789094 feat: move binary detection back to the parser
  • c7998d5 refactor: add Manager and Socket typings
  • 2c7c230 chore: publish the wrapper.mjs file
  • a66473f chore: use socketio GitHub organization
  • 946a9f0 chore: fix test script
  • a838ff1 chore(release): 3.0.0-rc1
  • b68f816 chore: bump debug
  • cbabb03 feat: add ES6 module export
  • e826992 refactor: remove the 'connect_timeout' event
  • b60e909 refactor: remove the 'connecting' event
  • 6494f61 feat: throw upon reserved event names
  • 132f8ec feat: split the events of the Manager and Socket
  • 6cd2e4e refactor: remove the packetBuffer array

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Input Validation

@secure-code-warrior-for-github
Copy link

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

@secureflag-knowledge-base
Copy link

SQL Injection

Click here to find a SQL Injection training lab

Description

A SQL Injection is not a new or overly complicated type of attack, yet it continues to sit atop the OWASP Top Ten Application Security Risks after more than 20 years of it having been publicly utilized. This is primarily due to its inherent relative ease of use, coupled with its severity of impact when directed toward the staggeringly high number of websites with poorly written, vulnerable code.

SQL is a query language that is designed to access, modify, and delete data stored in relational databases. Numerous web applications and websites use SQL databases as their method of data storage. Applications with a higher prevalence of older functional interfaces such as PHP and ASP are relatively more susceptible to SQL Injection flaws than applications based on more recent technologies.

Applications are vulnerable to attacks when user-supplied data is not validated, filtered for escape characters or sanitized by the application.

An attacker can use SQL Injection to manipulate an SQL query via the input data from the client to the application, thus forcing the SQL server to execute an unintended operation constructed using untrusted input.

Read more

Impact

A successful SQL Injection attack can result in a malicious user gaining complete access to all data in a database server with the ability to execute unauthorized SQL queries and compromise the confidentiality, integrity, and availability of the application. Depending on the backend DBMS used and the permissions granted to the user on the database, a SQL Injection could result in arbitrary file read/write and even remote code execution.

The severity of attacks that have leveraged SQL Injection should not be understated. Notorious breaches, including the devastating and internationally renowned hacks of Sony Pictures and LinkedIn, for example, are reported to have been executed using SQL Injection.

Scenarios

Subverting application logic through SQL can lead to unpredictable outcomes depending on the context of the SQL statement the strategy of the attacker.

There are well-known exploitation techniques that attackers leverage depending on the vulnerability within the implementation of the code:

  • Manipulating an SQL query logic to bypass access controls.
  • Retrieving hidden data to return additional results, including data from other tables within the databases, e.g., leveraging the UNION keyword.
  • Executing arbitrary SQL code in the context of the database whether stacked queries are allowed.
  • Accessing files and executing commands in the operating system, depending on the vulnerable code and the database management system.

It is called blind SQL Injection when the injection succeeds, but the code doesn't return the result of the manipulated query to the attacker. Blind injections are still exploitable to retrieve the content using timing analysis, content analysis, or other out-of-bound techniques.

The following is a classic example of subverting application logic to bypass access controls.

Usernames and passwords are ubiquitous as the method for logging into applications. In this benign scenario, a user submits the username user and the password secret. The application then performs a SQL query to verify the credentials:

SELECT * FROM users WHERE username = 'user' AND password = 'secret'

The login is successful if the query returns the details of the user. If the query doesn't return the user details, it is rejected.

By leveraging single quotes and SQL comments (--), it is possible to log in as any user without a password, as the password check from the WHERE clause is removed from the query.

The following example illustrates this in action. By entering administrator'-- in the username field and leaving the password field blank, the SQL statement would result as the following:

SELECT * FROM users WHERE username = 'administrator'--' AND password = '

The database evaluates this statement without the commented out part, executing just the first part:

SELECT * FROM users WHERE username = 'administrator'

Since the manipulated query always returns the details of the administrator user, the attacker can successfully log in without knowing the correct password.

Prevention

To avoid SQL Injection vulnerabilities, developers need to use parameterized queries, specifying placeholders for parameters so that they are not considered as a part of the SQL command; rather, as solely data by the database.

When working with legacy systems, developers need to escape inputs before adding them to the query. Object Relational Mappers (ORMs) make this easier for the developer; however, they are not a panacea, with the underlying mitigations still entirely relevant: untrusted data needs to be validated, query concatenation should be avoided unless absolutely necessary, and minimizing unnecessary SQL account privileges is crucial.

Testing

Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL Injection.

View this in the SecureFlag Knowledge Base

@secure-code-warrior-for-github
Copy link

Micro-Learning Topic: Injection attack (Detected by phrase)

Matched on "Injection attack"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

Micro-Learning Topic: SQL injection (Detected by phrase)

Matched on "SQL Injection"

What is this? (2min video)

This is probably one of the two most exploited vulnerabilities in web applications and has led to a number of high profile company breaches. It occurs when an application fails to sanitize or validate input before using it to dynamically construct a statement. An attacker that exploits this vulnerability will be able to gain access to the underlying database and view or modify data without permission.

Try a challenge in Secure Code Warrior

Helpful references

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@harunpehlivan @snyk-bot