Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP do not merge] Pairing branch #376

Draft
wants to merge 19 commits into
base: master
Choose a base branch
from
Draft

[WIP do not merge] Pairing branch #376

wants to merge 19 commits into from

Conversation

sauntimo
Copy link
Contributor

@sauntimo sauntimo commented Mar 1, 2024

✏️ Changes

DESCRIPTION GOES HERE. Try to describe both what is changing and why this is important

  • Make sure you run when adding / updating a package
  • What did you change from a design standpoint?
  • What did you change in the code itself?
  • If you are updating a dependency, explain why this is needed.

📷 Screenshots

If there were visual changes to the application with this change, please include before and after screenshots here. If it has animation, please use screen capture software like to make a gif.

🔗 References

Include at at least one link to an explanation + requirements for this change, and more if at all possible. Typically this is a Jira/GitHub Issue, but could also be links to Zendesk tickets, RFCs, rollout plan or Slack conversations (for Slack conversations, make sure you provide a summary of the conversation under “Changes”).

🎯 Testing

Describe how this can be tested by reviewers. Please be specific about anything not tested and reasons why.

  • Make sure you add unit and integration tests.
  • If this is on a hot path, add load or performance tests
  • Especially for dependency updates we also need to make sure that there is no impact on performance.

✅🚫 This change has been tested in a Webtask

✅🚫 This change has unit test coverage

✅🚫 This change has integration test coverage

✅🚫 This change has been tested for performance

🚀 Deployment

Can this change be merged at any time? What will the deployment of the change look like? Does this need to be released in lockstep with something else?

✅🚫 This can be deployed any time

or
⚠️ This should not be merged until:

  • Other PR is merged because REASON
  • After date because REASON
  • Other condition: REASON

🎡 Rollout

Explain how the change will be verified once released. Manual testing? Functional testing?

In order to verify that the deployment was successful we will …

🔥 Rollback

Explain when and why we will rollback the change.

We will rollback if …

📄 Procedure

Explain how the rollback for this change will look like, how we can recover fast.

🖥 Appliance

Note to reviewers: ensure that this change is compatible with the Appliance.

@sauntimo sauntimo self-assigned this Mar 1, 2024
semgrep-app[bot]
semgrep-app bot reviewed Mar 1, 2024
View reviewed changes
server/lib/tools/server.js
/* eslint-disable no-useless-escape */

const Boom = require('@hapi/boom');
const Request = require('request');
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk: Affected versions of @cypress/request and request are vulnerable to Server-Side Request Forgery (Ssrf). The vulnerability arises when SSRF filters implemented in request and cypress/request library, inadvertently delete all configured agents upon redirects involving protocol switches, thus nullifying established event listeners and anti-SSRF mechanisms, thereby enabling attackers to circumvent SSRF protections and potentially acquire unauthorized access to internal or restricted resources.

Fix: Upgrade this library to at least version 3.0.0 at auth0-authorization-extension/package-lock.json:28776.

Reference(s): GHSA-p8p7-x288-28g6, CVE-2023-28155

Ignore this finding from ssc-9bb58177-527a-4665-8cfc-e343dc367d9b.

@semgrep-app semgrep-app
Copy link

semgrep-app bot commented Mar 1, 2024

Semgrep found 1 ssc-45c7ee79-f517-41e2-b61a-45743d9df9c6 finding:

Risk: Affected version of handlebars is vulnerable to Improper Neutralization Of Special Elements In Output Used By A Downstream Component ('Injection') / Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The vulnerability allows for Prototype Pollution, potentially leading to Remote Code Execution, as templates can modify an object's __proto__ and __defineGetter__ properties, enabling attackers to execute arbitrary code using specially crafted payloads.

Fix: Upgrade this library to at least version 4.3.0 at auth0-authorization-extension/package-lock.json:24406.

Reference(s): GHSA-w457-6q6x-cgp9, CVE-2019-19919

Ignore this finding from ssc-45c7ee79-f517-41e2-b61a-45743d9df9c6.

@semgrep-app semgrep-app
Copy link

semgrep-app bot commented Aug 12, 2024

Semgrep found 7 ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e findings:

Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm

Fix: Upgrade this library to at least version 9.0.0 at auth0-authorization-extension/package-lock.json:34662.

Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539

Ignore this finding from ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e.

Semgrep found 7 ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f findings:

Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

Fix: Upgrade this library to at least version 9.0.0 at auth0-authorization-extension/package-lock.json:34662.

Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541

Ignore this finding from ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f.

Semgrep found 2 ssc-aff5e8de-c638-4356-8a93-120597e35ce9 findings:

Risk: Affected versions of @babel/traverse are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods path.evaluate() or path.evaluateTruthy() by compiling specially crafted code, potentially resulting in arbitrary code execution during compilation.

Manual Review Advice: A vulnerability from this advisory is reachable if you use a 3rd party plugin that relies on the path.evaluate()or path.evaluateTruthy() internal Babel methods, or one of the known affected plugins (@babel/plugin-transform-runtime, Any 'polyfill provider' plugin that depends on @babel/helper-define-polyfill-provider, or @babel/preset-env when using its useBuiltIns option)

Fix: There are no safe versions of this library available for upgrade. Library included at auth0-authorization-extension/package-lock.json:24156.

Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133

Ignore this finding from ssc-aff5e8de-c638-4356-8a93-120597e35ce9.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@semgrep-app semgrep-app[bot] semgrep-app[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@sauntimo sauntimo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sauntimo