Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Arbitrary File Upload in formidable versions <3.2.4 #1725

Closed
SimonEspositoTG opened this issue May 20, 2022 · 12 comments
Closed

Arbitrary File Upload in formidable versions <3.2.4 #1725

SimonEspositoTG opened this issue May 20, 2022 · 12 comments

Comments

@SimonEspositoTG
Copy link

Snyk has detected a critical level vulnerability in formidable versions <3.2.4. The vulnerability allows attackers to execute arbitrary code via a crafted filename.

https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956

superagent is currently compatible with version 2.0.1

@ejodet
Copy link

ejodet commented May 23, 2022

Do you have an estimate on when this might be fixed (by adopting formidable 3.2.4)?

@titanism
Copy link
Collaborator

titanism commented May 31, 2022

Please file a request or submit a PR in formidable for the vulnerability fix to be backported to v2.x tag of formidable, the non-ESM version, as it should be backported for community CJS support.

Ref:

@ghost
Copy link

ghost commented Jun 8, 2022

Looks like Formidable will not be backporting a fix and they recommend to upgrade to v3 as "the codebase between v3 and v2 is almost the same".
node-formidable/formidable#856 (comment)

@titanism
Copy link
Collaborator

titanism commented Jun 8, 2022

We are going to wait until they release a new version with both CJS and ESM support (as @tunnckoCore has shared they plan to do). The vulnerability is not as severe as everyone is making it out to be. Please read the CVE completely.

@tunnckoCore
Copy link

@tunnckoCore
Copy link

tunnckoCore commented Jun 8, 2022

Also, if someone PR to the v2 branch (master is v3), with the changes and my recent comments from this PR node-formidable/formidable#857 we can land v2 patch version sooner than the v3 cjs/esm thing.

My comment on 856, was befote seeing this pr.

@titanism
Copy link
Collaborator

titanism commented Jun 8, 2022

@tunnckoCore we can gladly award a bug bounty over PayPal if you're able to do this quicker than we can - a bit tied up at the moment!

@tunnckoCore
Copy link

I can try in the next few hours, or ultimately next 2-3 days.

@titanism
Copy link
Collaborator

titanism commented Jun 8, 2022

@tunnckoCore np 😄 you rock 🤘

Also we've had a lot of success using np for releases (and generating nice release pages) (it doesn't auto-add to the CHANGELOG.md though, maybe you can use generate-changelog separately or deprecate the CHANGELOG.md in favor of Releases tab; which I've seen a lot of projects doing lately). Hard to maintain both let alone the code!

@tunnckoCore
Copy link

Yea.. There are plans to switching to monorepo for quite some time, and I'm curious to try Nrwl's Nx + Lerna.

Ultimately release v3 & v4 to latest soon, and drop and deprecate all olders versions altogether, because v2 is already 1 and a half years old, many should already switched.

Turns out managing multiple parallel versions on an old codebase (since node 0.6-8), millions of downloads, and team of two.. isn't working well haha..

@titanism
Copy link
Collaborator

The advisory has been revoked https://security.snyk.io/vuln/SNYK-JS-FORMIDABLE-2838956.

@titanism titanism unpinned this issue Jun 24, 2022
@titanism
Copy link
Collaborator

🚀 v9.0.0 released to npm 🚀

https://github.com/ladjs/superagent/releases/tag/v9.0.0

ref: #1800

Forward Email
https://forwardemail.net

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants