Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Fix for 1 vulnerabilities #32

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

harunpehlivan
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • ai-jam-js/static/package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 661/1000
Why? Recently disclosed, Has a fix available, CVSS 7.5
Prototype Pollution
SNYK-JS-LOADERUTILS-3043105
Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: css-loader The new version differs by 250 commits.
  • 7857d8f chore(release): 4.0.0
  • 5604205 feat: support `file:` protocol
  • 5303db2 chore(deps): update (#1131)
  • 9aa0549 chore(deps): update
  • a54c955 test: imports
  • 5b45d87 test: support in `@ import` at-rule
  • 83515fa refactor: code
  • 1c20b1e fix: parsing
  • 7f49a0a feat: `@ value` supports importing `url()` (#1126)
  • 791fff3 refactor: named export (#1125)
  • 01e8c76 refactor: change function arguments of the `import` option (#1124)
  • c153fe6 refactor: improve schema options (#1123)
  • 58b4b98 test: unresolved (#1122)
  • d2f6bd2 refactor: getLocalIdent function (#1121)
  • 069dbb0 refactor: the `modules.localsConvention` option was renamed to the `modules.exportLocalsConvention` option (#1120)
  • fc04401 refactor: the `modules.context` option was renamed to the `modules.localIdentContext` option (#1119)
  • 3a96a3d refactor: the `hashPrefix` option was renamed to the `localIdentHashPrefix` option (#1118)
  • 0080f88 refactor: default values `modules` and `module.auto` are true (#1117)
  • e1c55e4 refactor: rename the `onlyLocals` option (#1116)
  • ac5f413 refactor: code
  • a5c1b5f test: code coverange (#1114)
  • 908ecee refactor: `esModule` option is `true` by default (#1111)
  • 7cca035 test: coverange (#1112)
  • bc19ddd feat: improve `url()` resolving algorithm

See the full diff

Package name: exports-loader The new version differs by 15 commits.

See the full diff

Package name: file-loader The new version differs by 125 commits.
  • e44eb73 chore(release): 6.0.0
  • ad39022 chore(deps): update (#369)
  • e1fe27c docs: update README.md (#368)
  • c2aded7 chore(release): 5.1.0
  • cd8698b feat: support the `query` template for the `name` option (#366)
  • 5703c58 chore(deps): update (#365)
  • 521bff2 chore: remove duplicate prettier config file (#357)
  • 5ffac2e refactor: added description on esModule (#358)
  • 190829e docs: fix the description of the `esModule` option (#348)
  • f1b071c chore(release): 5.0.2
  • 6431101 chore: add the `funding` field in `package.json` (#347)
  • 90302cd chore(release): 5.0.1
  • 31d6589 fix: name of `esModule` option in source code (#346)
  • 2a18cba chore(release): 5.0.0
  • 98a6c1d refactor: next (#345)
  • 0df6c8d chore(release): 4.3.0
  • a2f5faf refactor: code (#344)
  • 9b9cd8d feat: new options flag to output ES2015 modules (#340)
  • ba0fd4c chore(release): 4.2.0
  • 642ee74 docs: improve readme (#341)
  • c136f44 feat: `postTransformPublicPath` option (#334)
  • d441daa chore(release): 4.1.0
  • 705eed4 feat: improved validation error messages (#339)
  • d016daa chore(release): 4.0.0

See the full diff

Package name: sass-loader The new version differs by 250 commits.
  • 45bd865 chore(release): 9.0.0
  • 0629915 refactor: code before release
  • c11478d test: ambiguous imports (#855)
  • 73009fd docs: yarn pnp + using `dart-sass` by default (#854)
  • d487683 feat: pass the loader context to custom importers under `this.webpackLoaderContext` property (#853)
  • b3ffd5b test: resolution logic (#852)
  • 3abe3f5 fix: resolution logic
  • 20b7a11 docs: fix link for prependData (#847)
  • 006c02e refactor: code
  • 2a18d5b ci: node@14 (#842)
  • 17832fd fix: resolution for `file` scheme
  • 744112d fix: perf (#840)
  • aeb86f0 fix: resolution logic (#839)
  • 7380b7b fix: resolution logic (#838)
  • 0c8d3b3 feat: support `process.cwd()` resolution (#837)
  • 8376179 feat: support SASS-PATH env variable (#836)
  • ddeff88 test: refactor (#835)
  • 24c852a docs: options table (#834)
  • f892eba refactor: code (#833)
  • 68dd278 fix: avoid different content on different os (#832)
  • 1655baf fix: resolution logic (#831)
  • fe3b33b fix: resolution logic (#830)
  • 41e0e45 test: foundation-sites (#829)
  • a3dec34 chore: minimum supported Nodejs version is `10.13` (#828)

See the full diff

Package name: style-loader The new version differs by 165 commits.
  • 171a747 chore(release): 1.1.4
  • af1b4a9 chore(deps): update
  • a003f05 docs: add links for the options table (#460)
  • 2756e03 chore(release): 1.1.3
  • 236b243 fix: injection algorithm (#456)
  • 36bd8f1 docs: fix typos (#453)
  • de38c39 chore(release): 1.1.2
  • 91ceaf2 fix: algorithm for importing modules (#449)
  • 1138ed7 fix: checking that the list of modules is an array (#448)
  • aa418dd chore(release): 1.1.1
  • 7ee8b04 fix: add empty default export for `linkTag` value
  • c69ea6c chore(release): 1.1.0
  • c7d6e3a fix: order of imported styles (#443)
  • a283b30 test: more manual test (#442)
  • 3415266 feat: `esModule` option (#441)
  • 907aed8 test: refactor (#440)
  • 28e1628 refactor: code (#438)
  • 5c51b90 refactor: cjs (#437)
  • 609263a test: refactor
  • 7768fce chore(release): 1.0.2
  • dcbfadb fix: support ES module syntax (#435)
  • d515edc chore(deps): update (#434)
  • 4c1e3f3 docs: fixed typo 'doom' to 'DOM' in README.md (#432)
  • c6164d5 chore(release): 1.0.1

See the full diff

Package name: url-loader The new version differs by 69 commits.
  • 8828d64 chore(release): 4.0.0
  • fc8721f chore(deps): migrate on `mime-types` package (#209)
  • f13757a chore(deps): update (#208)
  • a2f127d fix: description on the `esModule` option (#204)
  • 4301f87 chore(release): 3.0.0
  • 3f0bbc5 refactor: next (#198)
  • 2451157 chore(release): 2.3.0
  • 0ee2b99 feat: new `esModules` option to output ES modules
  • cbd1950 chore(release): 2.2.0
  • 196110e fix: yarn pnp support (#195)
  • 9431124 docs: improve documentation about `fallback` (#194)
  • a251a23 chore(deps): update (#193)
  • 2bffcfd fix: limit must allow infinity and max value (#192)
  • 1b9dbd1 chore(release): 2.1.0
  • f3d4dd2 feat: improved validation error messages (#187)
  • 37c6acc chore(release): 2.0.1
  • 4842f93 fix: allow using limit as string when you use loader with query string (#185)
  • c0341da chore(defaults): update (#184)
  • 78833ac chore(release): 2.0.0
  • 4386b3e chore(deps): update (#182)
  • 60d2cb3 feat: limit option can be boolean (#181)
  • d82e453 fix: `limit` should always be a number and 0 value handles as number (#180)
  • 3c24545 fix: fallback loader will be used than limit is equal or greater (#179)
  • a6705cc test: test svg scenario. #176 (#177)

See the full diff

Package name: webpack The new version differs by 250 commits.
  • 610f368 5.0.0
  • 5ce65c1 update examples
  • bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
  • 75ecff2 5.0.0-rc.6
  • bfc35d6 Merge pull request #11603 from MayaWolf/master
  • 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
  • 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
  • 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
  • 9130d10 fix called variables with ProvidePlugin
  • 3e42105 Merge pull request #11620 from webpack/bugfix/11617
  • 4709719 skip connections copied to concatenated module
  • 57b493f 5.0.0-rc.5
  • 1658e2f Merge pull request #11618 from webpack/bugfix/11615
  • a8fb45d fixes crash in SideEffectsFlagPlugin
  • 84b196d emit error instead of crashing when unexpected problem occurs
  • 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
  • 9b5cce9 Merge pull request #11609 from snitin315/export-types
  • 37c495c export type RuleSetUseItem
  • 39faf34 export type RuleSetUse
  • e5fd246 export type RuleSetConditionAbsolute
  • 660baad export RuleSetCondition types
  • 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
  • 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
  • 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

@secureflag-knowledge-base
Copy link

Code Injection

Click here to find a Code Injection training lab

Description

Code Injection, also known as Remote Code Execution (RCE), is possible when unsafe user-supplied data is used to run server-side code. This is typically as a result of an application executing code without prior validation, thus allowing an attacker to execute arbitrary code within the context of the vulnerable application.

Not to be confused with OS Command Injection, Code Injection attacks allow the attacker to add their own code to be executed by the application, whereas OS Command Injection extends the preset functionality of the application to execute system commands, usually within the context of a shell.

Code Injection attacks are only limited by the functionality of the language the attacker has injected i.e. not very limited at all! If PHP code is the language chosen for the injection and is executed successfully, the attacker has every utility available in PHP at her/his disposal.

The Code Injection attack category encompasses multiple types of injection attacks, all of which are very prevalent and capable of extremely high levels of compromise. Indeed, OWASP has listed injection attacks as one of the most dangerous web application security risk since 2013.

Read more

Impact

Malicious attackers can leverage Code Injection vulnerabilities to gain a foothold in the hosting infrastructure, pivot to connected systems throughout the organization, execute unauthorized commands, and fully compromise the confidentiality, integrity, and availability of the application. Depending on the injection, this can usually lead to the complete compromise of the underlying operating system.

The list of devastating Code Injection attacks, both public and behind closed doors, is far too long to list. Hot off the press in 2020, this Code Injection discovery was shown to affect the default Mail application on stock iPhones and iPads, resulting in remote code execution.

In this particular instance, the vulnerability was identified by a security company which notified the vendor, Apple, of the issue. However, it is important as a developer to internalize the glaring reality that poorly written, unsecure code opens the way for attackers to potentially wreak havoc, which is why learning secure codeing skills from the beginning can potentially prevent an employer-destroying headline down the track.

Prevention

Code Injection attacks leveraging any language can be avoided by simply following some basic, yet essential, security practices. Overarching these general practices is the rule that a developer should treat all data as untrusted.

Developers must not dynamically generate code that can be interpreted or executed by the application using user-provided data. Evaluating code that contains user input should only be implemented if there is no other way of achieving the same result without code execution.

Testing

Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.

View this in the SecureFlag Knowledge Base

@secure-code-warrior-for-github

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

@secure-code-warrior-for-github

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "OS Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references
  • OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
  • OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try a challenge in Secure Code Warrior

Helpful references

Micro-Learning Topic: Injection attack (Detected by phrase)

Matched on "Injection attack"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants