Snyk high severity security warnings #149
Comments
|
Hi, thanks for the note! It looks like Snyk might be inspecting the package dependency graph rather than the resolved versions in the context of your target framework. Tools might do this because the dependency graph is easy to walk, while the resolution logic is extremely tough to get right. Under the Information Exposure heading above:
This applies to all of these. They're showing up because Sprache allows targeting of .NET Standard 1.0. If you're targeting a recent, supported version of .NET, you'll get whatever dependencies versions are present in that version of the platform. You can find out more about Sprache's platform support in: https://github.com/sprache/Sprache/blob/develop/src/Sprache/Sprache.csproj The only way to "fix" this in Sprache itself would be to drop support for older framework versions, which has a wider negative impact on users and wouldn't improve anyone's security - so reconfiguring Snyk will be the best option, here. Cheers! |
|
Fwiw, my library encountered this, and the workaround we chose was to override the versions of the at-risk dependencies: tonerdo/dotnet-env#68 + https://github.com/tonerdo/dotnet-env/pull/83/files |
When using https://app.snyk.io to monitor my project, Sprache displays some errors about security.
Denial of Service (DoS)
Affected module: System.Net.Http@4.3.0
Introduced through: Sprache.Signed@2.2.0
Detailed paths
Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
Overview
system.net.http is an interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.
Affected versions of this package are vulnerable to Denial of Service (DoS) as ASP.NET Core fails to properly validate web requests.
NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.
Improper Certificate Validation
Affected module: System.Net.Http@4.3.0
Introduced through: Sprache.Signed@2.2.0
Detailed paths
Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
Overview
system.net.http is an interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.
Affected versions of this package are vulnerable to Improper Certificate Validation. It allows an attacker to bypass Enhanced Security Usage tagging when they present a certificate that is invalid for a specific use.
Privilege Escalation
Affected module: System.Net.Http@4.3.0
Introduced through: Sprache.Signed@2.2.0
Detailed paths
Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
Overview
system.net.http interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.
Affected versions of this package are vulnerable to Privilege Escalation due to failing to properly sanitize web requests.
Information Exposure
Affected module: System.Net.Http@4.3.0
Introduced through: Sprache.Signed@2.2.0
Detailed paths
Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
Overview
system.net.http interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.
Affected versions of this package are vulnerable to Information Exposure. When HTTP authentication information is inadvertently exposed in an outbound request that encounters an HTTP redirect. An attacker who successfully exploited this vulnerability could use the information to further compromise the web application.
Note: The presence of System.Net.Http in the dependency graph of netcoreapp2.0 isn't the final determination of what is loaded at runtime. The version conflict resolution logic will prefer what is present in Microsoft.NETCore.App/2.1.5, or latest patch release. As such, is not considered to an issue.
Regular Expression Denial of Service (ReDoS)
Affected module: System.Text.RegularExpressions@4.3.0
Introduced through: Sprache.Signed@2.2.0
Detailed paths
Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Text.RegularExpressions@4.3.0
Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Xml.ReaderWriter@4.3.0 > System.Text.RegularExpressions@4.3.0
Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Xml.XDocument@4.3.0 > System.Xml.ReaderWriter@4.3.0 > System.Text.RegularExpressions@4.3.0
Overview
System.Text.RegularExpressions is a regular expression engine.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improperly processing of RegEx strings.
The text was updated successfully, but these errors were encountered: