From 5bca648c382962df817009d16c05528d8cd5130d Mon Sep 17 00:00:00 2001 From: Mathilde Date: Mon, 25 Oct 2021 15:50:00 +0100 Subject: [PATCH] fix: failure following lib upgrade --- package-lock.json | 1037 +- package.json | 4 +- .../SNYK-JS-ACORN-559469-issue-paths.json | 17 + ...K-JS-DOTPROP-543489-issue-paths-page1.json | 20 + ...K-JS-DOTPROP-543489-issue-paths-page2.json | 610 ++ ...YK-JS-PACRESOLVER-1564857-issue-paths.json | 15 + .../test-goof-aggregated-one-license.json | 38 + ...-goof-aggregated-one-vuln-one-license.json | 86 + .../test-goof-aggregated-one-vuln.json | 52 + test/fixtures/api-test-goof-aggregated.json | 1278 +++ test/fixtures/apitest-gomod-aggregated.json | 4 + test/fixtures/goof-depgraph-from-api.json | 9268 +++++++++++++++++ test/fixtures/projectDepGraph.json | 58 + ...snyk-lic-npm-goof-GPL-2-0-issue-paths.json | 8 + ...test-goof-with-one-more-license-issue.json | 1973 ++++ ...snykTest-test-goof-with-one-more-vuln.json | 2021 ++++ .../snykTestOutput/test-goof-one-vuln.json | 908 ++ .../test-goof-two-vuln-two-license.json | 1024 ++ .../snykTestOutput/test-goof-two-vuln.json | 972 ++ ...-vuln-for-one-project-and-unmonitored.json | 804 -- ...th-one-more-vuln-for-one-project-only.json | 2938 ++---- ...h-one-more-vuln-and-one-more-license2.json | 853 ++ test/lib/index.test.ts | 123 +- 23 files changed, 20439 insertions(+), 3672 deletions(-) create mode 100644 test/fixtures/SNYK-JS-ACORN-559469-issue-paths.json create mode 100644 test/fixtures/SNYK-JS-DOTPROP-543489-issue-paths-page1.json create mode 100644 test/fixtures/SNYK-JS-DOTPROP-543489-issue-paths-page2.json create mode 100644 test/fixtures/SNYK-JS-PACRESOLVER-1564857-issue-paths.json create mode 100644 test/fixtures/api-response/test-goof-aggregated-one-license.json create mode 100644 test/fixtures/api-response/test-goof-aggregated-one-vuln-one-license.json create mode 100644 test/fixtures/api-response/test-goof-aggregated-one-vuln.json create mode 100644 test/fixtures/api-test-goof-aggregated.json create mode 100644 test/fixtures/apitest-gomod-aggregated.json create mode 100644 test/fixtures/goof-depgraph-from-api.json create mode 100644 test/fixtures/projectDepGraph.json create mode 100644 test/fixtures/snyk-lic-npm-goof-GPL-2-0-issue-paths.json create mode 100644 test/fixtures/snykTest-test-goof-with-one-more-license-issue.json create mode 100644 test/fixtures/snykTest-test-goof-with-one-more-vuln.json create mode 100644 test/fixtures/snykTestOutput/test-goof-one-vuln.json create mode 100644 test/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json create mode 100644 test/fixtures/snykTestOutput/test-goof-two-vuln.json create mode 100644 test/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license2.json diff --git a/package-lock.json b/package-lock.json index 8aea878..c57a1e3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4,14 +4,15 @@ "requires": true, "packages": { "": { + "name": "snyk-prevent-gh-commit-status", "license": "Apache-2.0", "dependencies": { "@snyk/configstore": "^3.2.0-rc1", - "axios": "^0.21.1", + "axios": "^0.21.3", "debug": "^4.1.1", "lodash": "^4.17.21", "snyk-config": "^3.0.0", - "snyk-delta": "^1.4.9", + "snyk-delta": "^1.5.4", "source-map-support": "^0.5.16", "tslib": "^1.10.0" }, @@ -40,9 +41,9 @@ } }, "node_modules/@babel/code-frame": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.14.5.tgz", - "integrity": "sha512-9pzDqyc6OLDaqe+zbACgFkb6fKMNG6CObKpnYXChRsvYGyEdc7CA2BaqeOM+vOtCS5ndmJicPJhKAwYRI6UfFw==", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.15.8.tgz", + "integrity": "sha512-2IAnmn8zbvC/jKYhq5Ki9I+DwjlrtMPUCH/CpHvqI4dNnlwHwsxoIhlc8WcYY5LSYknXQtAlFYuHfqAFCvQ4Wg==", "dev": true, "dependencies": { "@babel/highlight": "^7.14.5" @@ -61,20 +62,20 @@ } }, "node_modules/@babel/core": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.15.0.tgz", - "integrity": "sha512-tXtmTminrze5HEUPn/a0JtOzzfp0nk+UEXQ/tqIJo3WDGypl/2OFQEMll/zSFU8f/lfmfLXvTaORHF3cfXIQMw==", - "dev": true, - "dependencies": { - "@babel/code-frame": "^7.14.5", - "@babel/generator": "^7.15.0", - "@babel/helper-compilation-targets": "^7.15.0", - "@babel/helper-module-transforms": "^7.15.0", - "@babel/helpers": "^7.14.8", - "@babel/parser": "^7.15.0", - "@babel/template": "^7.14.5", - "@babel/traverse": "^7.15.0", - "@babel/types": "^7.15.0", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.15.8.tgz", + "integrity": "sha512-3UG9dsxvYBMYwRv+gS41WKHno4K60/9GPy1CJaH6xy3Elq8CTtvtjT5R5jmNhXfCYLX2mTw+7/aq5ak/gOE0og==", + "dev": true, + "dependencies": { + "@babel/code-frame": "^7.15.8", + "@babel/generator": "^7.15.8", + "@babel/helper-compilation-targets": "^7.15.4", + "@babel/helper-module-transforms": "^7.15.8", + "@babel/helpers": "^7.15.4", + "@babel/parser": "^7.15.8", + "@babel/template": "^7.15.4", + "@babel/traverse": "^7.15.4", + "@babel/types": "^7.15.6", "convert-source-map": "^1.7.0", "debug": "^4.1.0", "gensync": "^1.0.0-beta.2", @@ -109,12 +110,12 @@ } }, "node_modules/@babel/generator": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.15.0.tgz", - "integrity": "sha512-eKl4XdMrbpYvuB505KTta4AV9g+wWzmVBW69tX0H2NwKVKd2YJbKgyK6M8j/rgLbmHOYJn6rUklV677nOyJrEQ==", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.15.8.tgz", + "integrity": "sha512-ECmAKstXbp1cvpTTZciZCgfOt6iN64lR0d+euv3UZisU5awfRawOvg07Utn/qBGuH4bRIEZKrA/4LzZyXhZr8g==", "dev": true, "dependencies": { - "@babel/types": "^7.15.0", + "@babel/types": "^7.15.6", "jsesc": "^2.5.1", "source-map": "^0.5.0" }, @@ -132,9 +133,9 @@ } }, "node_modules/@babel/helper-compilation-targets": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.15.0.tgz", - "integrity": "sha512-h+/9t0ncd4jfZ8wsdAsoIxSa61qhBYlycXiHWqJaQBCXAhDCMbPRSMTGnZIkkmt1u4ag+UQmuqcILwqKzZ4N2A==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.15.4.tgz", + "integrity": "sha512-rMWPCirulnPSe4d+gwdWXLfAXTTBj8M3guAf5xFQJ0nvFY7tfNAFnWdqaHegHlgDZOCT4qvhF3BYlSJag8yhqQ==", "dev": true, "dependencies": { "@babel/compat-data": "^7.15.0", @@ -159,93 +160,93 @@ } }, "node_modules/@babel/helper-function-name": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.14.5.tgz", - "integrity": "sha512-Gjna0AsXWfFvrAuX+VKcN/aNNWonizBj39yGwUzVDVTlMYJMK2Wp6xdpy72mfArFq5uK+NOuexfzZlzI1z9+AQ==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.15.4.tgz", + "integrity": "sha512-Z91cOMM4DseLIGOnog+Z8OI6YseR9bua+HpvLAQ2XayUGU+neTtX+97caALaLdyu53I/fjhbeCnWnRH1O3jFOw==", "dev": true, "dependencies": { - "@babel/helper-get-function-arity": "^7.14.5", - "@babel/template": "^7.14.5", - "@babel/types": "^7.14.5" + "@babel/helper-get-function-arity": "^7.15.4", + "@babel/template": "^7.15.4", + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-get-function-arity": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.14.5.tgz", - "integrity": "sha512-I1Db4Shst5lewOM4V+ZKJzQ0JGGaZ6VY1jYvMghRjqs6DWgxLCIyFt30GlnKkfUeFLpJt2vzbMVEXVSXlIFYUg==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.15.4.tgz", + "integrity": "sha512-1/AlxSF92CmGZzHnC515hm4SirTxtpDnLEJ0UyEMgTMZN+6bxXKg04dKhiRx5Enel+SUA1G1t5Ed/yQia0efrA==", "dev": true, "dependencies": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-hoist-variables": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.14.5.tgz", - "integrity": "sha512-R1PXiz31Uc0Vxy4OEOm07x0oSjKAdPPCh3tPivn/Eo8cvz6gveAeuyUUPB21Hoiif0uoPQSSdhIPS3352nvdyQ==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.15.4.tgz", + "integrity": "sha512-VTy085egb3jUGVK9ycIxQiPbquesq0HUQ+tPO0uv5mPEBZipk+5FkRKiWq5apuyTE9FUrjENB0rCf8y+n+UuhA==", "dev": true, "dependencies": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-member-expression-to-functions": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.15.0.tgz", - "integrity": "sha512-Jq8H8U2kYiafuj2xMTPQwkTBnEEdGKpT35lJEQsRRjnG0LW3neucsaMWLgKcwu3OHKNeYugfw+Z20BXBSEs2Lg==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.15.4.tgz", + "integrity": "sha512-cokOMkxC/BTyNP1AlY25HuBWM32iCEsLPI4BHDpJCHHm1FU2E7dKWWIXJgQgSFiu4lp8q3bL1BIKwqkSUviqtA==", "dev": true, "dependencies": { - "@babel/types": "^7.15.0" + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-module-imports": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.14.5.tgz", - "integrity": "sha512-SwrNHu5QWS84XlHwGYPDtCxcA0hrSlL2yhWYLgeOc0w7ccOl2qv4s/nARI0aYZW+bSwAL5CukeXA47B/1NKcnQ==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.15.4.tgz", + "integrity": "sha512-jeAHZbzUwdW/xHgHQ3QmWR4Jg6j15q4w/gCfwZvtqOxoo5DKtLHk8Bsf4c5RZRC7NmLEs+ohkdq8jFefuvIxAA==", "dev": true, "dependencies": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-module-transforms": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.15.0.tgz", - "integrity": "sha512-RkGiW5Rer7fpXv9m1B3iHIFDZdItnO2/BLfWVW/9q7+KqQSDY5kUfQEbzdXM1MVhJGcugKV7kRrNVzNxmk7NBg==", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.15.8.tgz", + "integrity": "sha512-DfAfA6PfpG8t4S6npwzLvTUpp0sS7JrcuaMiy1Y5645laRJIp/LiLGIBbQKaXSInK8tiGNI7FL7L8UvB8gdUZg==", "dev": true, "dependencies": { - "@babel/helper-module-imports": "^7.14.5", - "@babel/helper-replace-supers": "^7.15.0", - "@babel/helper-simple-access": "^7.14.8", - "@babel/helper-split-export-declaration": "^7.14.5", - "@babel/helper-validator-identifier": "^7.14.9", - "@babel/template": "^7.14.5", - "@babel/traverse": "^7.15.0", - "@babel/types": "^7.15.0" + "@babel/helper-module-imports": "^7.15.4", + "@babel/helper-replace-supers": "^7.15.4", + "@babel/helper-simple-access": "^7.15.4", + "@babel/helper-split-export-declaration": "^7.15.4", + "@babel/helper-validator-identifier": "^7.15.7", + "@babel/template": "^7.15.4", + "@babel/traverse": "^7.15.4", + "@babel/types": "^7.15.6" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-optimise-call-expression": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.14.5.tgz", - "integrity": "sha512-IqiLIrODUOdnPU9/F8ib1Fx2ohlgDhxnIDU7OEVi+kAbEZcyiF7BLU8W6PfvPi9LzztjS7kcbzbmL7oG8kD6VA==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.15.4.tgz", + "integrity": "sha512-E/z9rfbAOt1vDW1DR7k4SzhzotVV5+qMciWV6LaG1g4jeFrkDlJedjtV4h0i4Q/ITnUu+Pk08M7fczsB9GXBDw==", "dev": true, "dependencies": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" @@ -261,48 +262,48 @@ } }, "node_modules/@babel/helper-replace-supers": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.15.0.tgz", - "integrity": "sha512-6O+eWrhx+HEra/uJnifCwhwMd6Bp5+ZfZeJwbqUTuqkhIT6YcRhiZCOOFChRypOIe0cV46kFrRBlm+t5vHCEaA==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.15.4.tgz", + "integrity": "sha512-/ztT6khaXF37MS47fufrKvIsiQkx1LBRvSJNzRqmbyeZnTwU9qBxXYLaaT/6KaxfKhjs2Wy8kG8ZdsFUuWBjzw==", "dev": true, "dependencies": { - "@babel/helper-member-expression-to-functions": "^7.15.0", - "@babel/helper-optimise-call-expression": "^7.14.5", - "@babel/traverse": "^7.15.0", - "@babel/types": "^7.15.0" + "@babel/helper-member-expression-to-functions": "^7.15.4", + "@babel/helper-optimise-call-expression": "^7.15.4", + "@babel/traverse": "^7.15.4", + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-simple-access": { - "version": "7.14.8", - "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.14.8.tgz", - "integrity": "sha512-TrFN4RHh9gnWEU+s7JloIho2T76GPwRHhdzOWLqTrMnlas8T9O7ec+oEDNsRXndOmru9ymH9DFrEOxpzPoSbdg==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.15.4.tgz", + "integrity": "sha512-UzazrDoIVOZZcTeHHEPYrr1MvTR/K+wgLg6MY6e1CJyaRhbibftF6fR2KU2sFRtI/nERUZR9fBd6aKgBlIBaPg==", "dev": true, "dependencies": { - "@babel/types": "^7.14.8" + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-split-export-declaration": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.14.5.tgz", - "integrity": "sha512-hprxVPu6e5Kdp2puZUmvOGjaLv9TCe58E/Fl6hRq4YiVQxIcNvuq6uTM2r1mT/oPskuS9CgR+I94sqAYv0NGKA==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.15.4.tgz", + "integrity": "sha512-HsFqhLDZ08DxCpBdEVtKmywj6PQbwnF6HHybur0MAnkAKnlS6uHkwnmRIkElB2Owpfb4xL4NwDmDLFubueDXsw==", "dev": true, "dependencies": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-validator-identifier": { - "version": "7.14.9", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.14.9.tgz", - "integrity": "sha512-pQYxPY0UP6IHISRitNe8bsijHex4TWZXi2HwKVsjPiltzlhse2znVcm9Ace510VT1kxIHjGJCZZQBX2gJDbo0g==", + "version": "7.15.7", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.15.7.tgz", + "integrity": "sha512-K4JvCtQqad9OY2+yTU8w+E82ywk/fe+ELNlt1G8z3bVGlZfn/hOcQQsUhGhW/N+tb3fxK800wLtKOE/aM0m72w==", "dev": true, "engines": { "node": ">=6.9.0" @@ -318,14 +319,14 @@ } }, "node_modules/@babel/helpers": { - "version": "7.15.3", - "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.15.3.tgz", - "integrity": "sha512-HwJiz52XaS96lX+28Tnbu31VeFSQJGOeKHJeaEPQlTl7PnlhFElWPj8tUXtqFIzeN86XxXoBr+WFAyK2PPVz6g==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.15.4.tgz", + "integrity": "sha512-V45u6dqEJ3w2rlryYYXf6i9rQ5YMNu4FLS6ngs8ikblhu2VdR1AqAd6aJjBzmf2Qzh6KOLqKHxEN9+TFbAkAVQ==", "dev": true, "dependencies": { - "@babel/template": "^7.14.5", - "@babel/traverse": "^7.15.0", - "@babel/types": "^7.15.0" + "@babel/template": "^7.15.4", + "@babel/traverse": "^7.15.4", + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" @@ -346,9 +347,9 @@ } }, "node_modules/@babel/parser": { - "version": "7.15.3", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.15.3.tgz", - "integrity": "sha512-O0L6v/HvqbdJawj0iBEfVQMc3/6WP+AeOsovsIgBFyJaG+W2w7eqvZB7puddATmWuARlm1SX7DwxJ/JJUnDpEA==", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.15.8.tgz", + "integrity": "sha512-BRYa3wcQnjS/nqI8Ac94pYYpJfojHVvVXJ97+IDCImX4Jc8W8Xv1+47enbruk+q1etOpsQNwnfFcNGw+gtPGxA==", "dev": true, "bin": { "parser": "bin/babel-parser.js" @@ -490,32 +491,32 @@ } }, "node_modules/@babel/template": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.14.5.tgz", - "integrity": "sha512-6Z3Po85sfxRGachLULUhOmvAaOo7xCvqGQtxINai2mEGPFm6pQ4z5QInFnUrRpfoSV60BnjyF5F3c+15fxFV1g==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.15.4.tgz", + "integrity": "sha512-UgBAfEa1oGuYgDIPM2G+aHa4Nlo9Lh6mGD2bDBGMTbYnc38vulXPuC1MGjYILIEmlwl6Rd+BPR9ee3gm20CBtg==", "dev": true, "dependencies": { "@babel/code-frame": "^7.14.5", - "@babel/parser": "^7.14.5", - "@babel/types": "^7.14.5" + "@babel/parser": "^7.15.4", + "@babel/types": "^7.15.4" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/traverse": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.15.0.tgz", - "integrity": "sha512-392d8BN0C9eVxVWd8H6x9WfipgVH5IaIoLp23334Sc1vbKKWINnvwRpb4us0xtPaCumlwbTtIYNA0Dv/32sVFw==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.15.4.tgz", + "integrity": "sha512-W6lQD8l4rUbQR/vYgSuCAE75ADyyQvOpFVsvPPdkhf6lATXAsQIG9YdtOcu8BB1dZ0LKu+Zo3c1wEcbKeuhdlA==", "dev": true, "dependencies": { "@babel/code-frame": "^7.14.5", - "@babel/generator": "^7.15.0", - "@babel/helper-function-name": "^7.14.5", - "@babel/helper-hoist-variables": "^7.14.5", - "@babel/helper-split-export-declaration": "^7.14.5", - "@babel/parser": "^7.15.0", - "@babel/types": "^7.15.0", + "@babel/generator": "^7.15.4", + "@babel/helper-function-name": "^7.15.4", + "@babel/helper-hoist-variables": "^7.15.4", + "@babel/helper-split-export-declaration": "^7.15.4", + "@babel/parser": "^7.15.4", + "@babel/types": "^7.15.4", "debug": "^4.1.0", "globals": "^11.1.0" }, @@ -533,9 +534,9 @@ } }, "node_modules/@babel/types": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.15.0.tgz", - "integrity": "sha512-OBvfqnllOIdX4ojTHpwZbpvz4j3EWyjkZEdmjH0/cgsd6QOdSgU8rLSk6ard/pcW7rlmjdVSX/AWOaORR1uNOQ==", + "version": "7.15.6", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.15.6.tgz", + "integrity": "sha512-BPU+7QhqNjmWyDO0/vitH/CuhpV8ZmK1wpKva8nuyNF5MJfuRNWMc+hc14+u9xT93kvykMdncrJT19h74uB1Ig==", "dev": true, "dependencies": { "@babel/helper-validator-identifier": "^7.14.9", @@ -794,12 +795,12 @@ } }, "node_modules/@jest/core/node_modules/strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "dependencies": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" @@ -1225,9 +1226,9 @@ } }, "node_modules/@snyk/dep-graph": { - "version": "1.28.1", - "resolved": "https://registry.npmjs.org/@snyk/dep-graph/-/dep-graph-1.28.1.tgz", - "integrity": "sha512-ti5fPYivhBGCJ7rZGznMX2UJE1M5lR811WvVyBWTRJwLYVFYkhxRXKfgZUXEB0tq8vpo3V7tm3syrBd5TLPIMA==", + "version": "1.29.0", + "resolved": "https://registry.npmjs.org/@snyk/dep-graph/-/dep-graph-1.29.0.tgz", + "integrity": "sha512-pk3QSRyCFVaZ9qTdPuQCmDsLL9w5X+28KiwabYlTndSixg0Sj4fGygxziGj7xf/y/15WvwWwL4knnw96Zccr9w==", "dependencies": { "event-loop-spinner": "^2.1.0", "lodash.clone": "^4.5.0", @@ -1254,9 +1255,9 @@ } }, "node_modules/@types/babel__core": { - "version": "7.1.15", - "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.1.15.tgz", - "integrity": "sha512-bxlMKPDbY8x5h6HBwVzEOk2C8fb6SLfYQ5Jw3uBYuYF1lfWk/kbLd81la82vrIkBb0l+JdmrZaDikPrNxpS/Ew==", + "version": "7.1.16", + "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.1.16.tgz", + "integrity": "sha512-EAEHtisTMM+KaKwfWdC3oyllIqswlznXCIVCt7/oRNrh+DhgT4UEBNC/jlADNjvw7UnfbcdkGQcPVZ1xYiLcrQ==", "dev": true, "dependencies": { "@babel/parser": "^7.1.0", @@ -1364,9 +1365,9 @@ "dev": true }, "node_modules/@types/lodash": { - "version": "4.14.172", - "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.172.tgz", - "integrity": "sha512-/BHF5HAx3em7/KkzVKm3LrsD6HZAXuXO1AJZQ3cRRBZj4oHZDviWPYu0aEplAqDFNHZPW6d3G7KN+ONcCCC7pw==" + "version": "4.14.175", + "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.175.tgz", + "integrity": "sha512-XmdEOrKQ8a1Y/yxQFOMbC47G/V2VDO1GvMRnl4O75M4GW/abC5tnfzadQYkqEveqRM1dEJGFFegfPNA2vvx2iw==" }, "node_modules/@types/ms": { "version": "0.7.31", @@ -1374,9 +1375,9 @@ "integrity": "sha512-iiUgKzV9AuaEkZqkOLDIvlQiL6ltuZd9tGcW3gwpnX8JbuiuhFlEGmmFXEXkN50Cvq7Os88IY2v0dkDqXYWVgA==" }, "node_modules/@types/node": { - "version": "12.20.20", - "resolved": "https://registry.npmjs.org/@types/node/-/node-12.20.20.tgz", - "integrity": "sha512-kqmxiJg4AT7rsSPIhO6eoBIx9mNwwpeH42yjtgQh6X2ANSpLpvToMXv+LMFdfxpwG1FZXZ41OGZMiUAtbBLEvg==", + "version": "12.20.28", + "resolved": "https://registry.npmjs.org/@types/node/-/node-12.20.28.tgz", + "integrity": "sha512-cBw8gzxUPYX+/5lugXIPksioBSbE42k0fZ39p+4yRzfYjN6++eq9kAPdlY9qm+MXyfbk9EmvCYAYRn380sF46w==", "dev": true }, "node_modules/@types/normalize-package-data": { @@ -1445,6 +1446,21 @@ } } }, + "node_modules/@typescript-eslint/eslint-plugin/node_modules/tsutils": { + "version": "3.21.0", + "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz", + "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==", + "dev": true, + "dependencies": { + "tslib": "^1.8.1" + }, + "engines": { + "node": ">= 6" + }, + "peerDependencies": { + "typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta" + } + }, "node_modules/@typescript-eslint/experimental-utils": { "version": "2.34.0", "resolved": "https://registry.npmjs.org/@typescript-eslint/experimental-utils/-/experimental-utils-2.34.0.tgz", @@ -1521,6 +1537,21 @@ } } }, + "node_modules/@typescript-eslint/typescript-estree/node_modules/tsutils": { + "version": "3.21.0", + "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz", + "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==", + "dev": true, + "dependencies": { + "tslib": "^1.8.1" + }, + "engines": { + "node": ">= 6" + }, + "peerDependencies": { + "typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta" + } + }, "node_modules/abab": { "version": "2.0.5", "resolved": "https://registry.npmjs.org/abab/-/abab-2.0.5.tgz", @@ -1621,9 +1652,9 @@ } }, "node_modules/ansi-regex": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz", - "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg==", + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "engines": { "node": ">=8" } @@ -1793,11 +1824,11 @@ "dev": true }, "node_modules/axios": { - "version": "0.21.1", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz", - "integrity": "sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==", + "version": "0.21.4", + "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.4.tgz", + "integrity": "sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==", "dependencies": { - "follow-redirects": "^1.10.0" + "follow-redirects": "^1.14.0" } }, "node_modules/babel-jest": { @@ -2046,16 +2077,16 @@ "dev": true }, "node_modules/browserslist": { - "version": "4.16.8", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.16.8.tgz", - "integrity": "sha512-sc2m9ohR/49sWEbPj14ZSSZqp+kbi16aLao42Hmn3Z8FpjuMaq2xCA2l4zl9ITfyzvnvyE0hcg62YkIGKxgaNQ==", + "version": "4.17.3", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.17.3.tgz", + "integrity": "sha512-59IqHJV5VGdcJZ+GZ2hU5n4Kv3YiASzW6Xk5g9tf5a/MAzGeFwgGWU39fVzNIOVcgB3+Gp+kiQu0HEfTVU/3VQ==", "dev": true, "dependencies": { - "caniuse-lite": "^1.0.30001251", - "colorette": "^1.3.0", - "electron-to-chromium": "^1.3.811", + "caniuse-lite": "^1.0.30001264", + "electron-to-chromium": "^1.3.857", "escalade": "^3.1.1", - "node-releases": "^1.1.75" + "node-releases": "^1.1.77", + "picocolors": "^0.2.1" }, "bin": { "browserslist": "cli.js" @@ -2133,9 +2164,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001251", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001251.tgz", - "integrity": "sha512-HOe1r+9VkU4TFmnU70z+r7OLmtR+/chB1rdcJUeQlAinjEeb0cKL20tlAtOagNZhbrtLnCvV19B4FmF1rgzl6A==", + "version": "1.0.30001265", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001265.tgz", + "integrity": "sha512-YzBnspggWV5hep1m9Z6sZVLOt7vrju8xWooFAgN6BA5qvy98qPAPb7vNUzypFaoh2pb3vlfzbDO8tB57UPGbtw==", "dev": true, "funding": { "type": "opencollective", @@ -2317,12 +2348,12 @@ } }, "node_modules/cliui/node_modules/strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "dependencies": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" @@ -2380,12 +2411,6 @@ "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=", "dev": true }, - "node_modules/colorette": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/colorette/-/colorette-1.3.0.tgz", - "integrity": "sha512-ecORCqbSFP7Wm8Y6lyqMJjexBQqXSF7SSeaTyGGphogUjBlFP9m9o08wy86HL2uB7fMTxtOUzLMk7ogKcxMg1w==", - "dev": true - }, "node_modules/combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", @@ -2548,9 +2573,9 @@ } }, "node_modules/deep-is": { - "version": "0.1.3", - "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.3.tgz", - "integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=", + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz", + "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==", "dev": true }, "node_modules/deepmerge": { @@ -2660,9 +2685,9 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.3.816", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.3.816.tgz", - "integrity": "sha512-/AvJPIJldO0NkwkfpUD7u1e4YEGRFBQpFuvl9oGCcVgWOObsZB1loxVGeVUJB9kmvfsBUUChPYdgRzx6+AKNyg==", + "version": "1.3.861", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.3.861.tgz", + "integrity": "sha512-GZyflmpMnZRdZ1e2yAyvuFwz1MPSVQelwHX4TJZyXypB8NcxdPvPNwy5lOTxnlkrK13EiQzyTPugRSnj6cBgKg==", "dev": true }, "node_modules/emoji-regex": { @@ -3454,9 +3479,9 @@ "dev": true }, "node_modules/follow-redirects": { - "version": "1.14.2", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.2.tgz", - "integrity": "sha512-yLR6WaE2lbF0x4K2qE2p9PEXKLDjUjnR/xmjS3wHAYxtlsI9MLLBJUZirAHKzUZDGLxje7w/cXR49WOUo4rbsA==", + "version": "1.14.4", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz", + "integrity": "sha512-zwGkiSXC1MUJG/qmeIFH2HBJx9u0V46QGUe3YR1fXG8bXQxq7fLj0RjLZQ5nubr9qNJUZrH+xUcwXEoXNpfS+g==", "funding": [ { "type": "individual", @@ -3623,9 +3648,9 @@ } }, "node_modules/glob": { - "version": "7.1.7", - "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.7.tgz", - "integrity": "sha512-OvD9ENzPLbegENnYP5UUfJIirTg4+XwMWGaQfQTY0JenxNvvIKP3U3/tAQSPIu/lHxXYSZmpXlUHeqAIdKzBLQ==", + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.0.tgz", + "integrity": "sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q==", "dev": true, "dependencies": { "fs.realpath": "^1.0.0", @@ -3871,9 +3896,9 @@ } }, "node_modules/import-local": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/import-local/-/import-local-3.0.2.tgz", - "integrity": "sha512-vjL3+w0oulAVZ0hBHnxa/Nm5TAurf9YLQJDhqRZyqb+VKGOB6LU8t9H1Nr5CIo16vh9XfJTOoHwU0B71S557gA==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/import-local/-/import-local-3.0.3.tgz", + "integrity": "sha512-bE9iaUY3CXH8Cwfan/abDKAxe1KGT9kyGsBPqf6DMK/z0a2OzAsrukeYNgIH6cH5Xr452jb1TUL8rSfCLjZ9uA==", "dev": true, "dependencies": { "pkg-dir": "^4.2.0", @@ -3998,12 +4023,12 @@ } }, "node_modules/inquirer/node_modules/strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "dependencies": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" @@ -4075,9 +4100,9 @@ } }, "node_modules/is-core-module": { - "version": "2.6.0", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.6.0.tgz", - "integrity": "sha512-wShG8vs60jKfPWpF2KZRaAtvt3a20OAn7+IJ6hLPECpSABLcKtFKTTI4ZtH5QcBruBHlq+WsdHWyz0BCZW7svQ==", + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.7.0.tgz", + "integrity": "sha512-ByY+tjCciCr+9nLryBYcSD50EOGWt95c7tIsKTG1J2ixKKXPvF7Ej3AVd+UfDydAJom3biBGDBALaO79ktwgEQ==", "dev": true, "dependencies": { "has": "^1.0.3" @@ -4167,9 +4192,9 @@ } }, "node_modules/is-glob": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.1.tgz", - "integrity": "sha512-5G0tKtBTFImOqDnLB2hG6Bp2qcKEFduo4tZu9MT/H6NQv/ghhy30o55ufafxJ/LdH79LLs2Kfrn85TLKyA7BUg==", + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", + "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", "dev": true, "dependencies": { "is-extglob": "^2.1.1" @@ -4386,9 +4411,9 @@ } }, "node_modules/istanbul-reports": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-3.0.2.tgz", - "integrity": "sha512-9tZvz7AiR3PEDNGiV9vIouQ/EAcqMXFmkcA1CDFTwOB98OZVDL0PH9glHotf5Ugp6GCOTypfzGWI/OqjWNCRUw==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-3.0.3.tgz", + "integrity": "sha512-0i77ZFLsb9U3DHi22WzmIngVzfoyxxbQcZRqlF3KoKmCJGq9nhFHoGi8FqBztN2rE8w6hURnZghetn0xpkVb6A==", "dev": true, "dependencies": { "html-escaper": "^2.0.0", @@ -6368,21 +6393,21 @@ } }, "node_modules/mime-db": { - "version": "1.49.0", - "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.49.0.tgz", - "integrity": "sha512-CIc8j9URtOVApSFCQIF+VBkX1RwXp/oMMOrqdyXSBXq5RWNEsRfyj1kiRnQgmNXmHxPoFIxOroKA3zcU9P+nAA==", + "version": "1.50.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.50.0.tgz", + "integrity": "sha512-9tMZCDlYHqeERXEHO9f/hKfNXhre5dK2eE/krIvUjZbS2KPcqGDfNShIWS1uW9XOTKQKqK6qbeOci18rbfW77A==", "dev": true, "engines": { "node": ">= 0.6" } }, "node_modules/mime-types": { - "version": "2.1.32", - "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.32.tgz", - "integrity": "sha512-hJGaVS4G4c9TSMYh2n6SQAGrC4RnfU+daP8G7cSCmaqNjiOoUY0VHCMS42pxnQmVF1GWwFhbHWn3RIxCqTmZ9A==", + "version": "2.1.33", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.33.tgz", + "integrity": "sha512-plLElXp7pRDd0bNZHw+nMd52vRYjLwQjygaNg7ddJ2uJtTlmnTCjWuPKxVu6//AdaRuME84SvLW91sIkBqGT0g==", "dev": true, "dependencies": { - "mime-db": "1.49.0" + "mime-db": "1.50.0" }, "engines": { "node": ">= 0.6" @@ -6591,9 +6616,9 @@ "dev": true }, "node_modules/nock": { - "version": "13.1.2", - "resolved": "https://registry.npmjs.org/nock/-/nock-13.1.2.tgz", - "integrity": "sha512-BDjokoeGZnBghmvwCcDJ1yM5TDRMRAJfGi1xIzX5rKTlifbyx1oRpAVl3aNhEA3kGbUSEPD7gBLmwVdnQibrIA==", + "version": "13.1.3", + "resolved": "https://registry.npmjs.org/nock/-/nock-13.1.3.tgz", + "integrity": "sha512-YKj0rKQWMGiiIO+Y65Ut8OEgYM3PplLU2+GAhnPmqZdBd6z5IskgdBqWmjzA6lH3RF0S2a3wiAlrMOF5Iv2Jeg==", "dev": true, "dependencies": { "debug": "^4.1.0", @@ -6651,9 +6676,9 @@ } }, "node_modules/node-releases": { - "version": "1.1.75", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-1.1.75.tgz", - "integrity": "sha512-Qe5OUajvqrqDSy6wrWFmMwfJ0jVgwiw4T3KqmbTcZ62qW0gQkheXYhcFM1+lOVcGUoRxcEcfyvFMAnDgaF1VWw==", + "version": "1.1.77", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-1.1.77.tgz", + "integrity": "sha512-rB1DUFUNAN4Gn9keO2K1efO35IDK7yKHCdCaIMvFO7yUYmmZYeDjnGKle26G4rwj+LKRQpjyUUvMkPglwGCYNQ==", "dev": true }, "node_modules/normalize-package-data": { @@ -7058,6 +7083,12 @@ "integrity": "sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=", "dev": true }, + "node_modules/picocolors": { + "version": "0.2.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-0.2.1.tgz", + "integrity": "sha512-cMlDqaLEqfSaW8Z7N5Jw+lyIW869EzT73/F5lhtY9cLGoVxSXznfgfXMO0Z5K0o0Q2TkTXq+0KFsdnSe3jDViA==", + "dev": true + }, "node_modules/picomatch": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.0.tgz", @@ -7948,9 +7979,9 @@ "optional": true }, "node_modules/signal-exit": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.3.tgz", - "integrity": "sha512-VUJ49FC8U1OxwZLxIbTTrDvLnf/6TDgxZcK8wxR8zs13xpx7xbG60ndBlhNrFi2EMuFRoeDoJO7wthSLq42EjA==" + "version": "3.0.5", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.5.tgz", + "integrity": "sha512-KWcOiKeQj6ZyXx7zq4YxSMgHRlod4czeBQZrPb8OKcohcqAXShm7E20kEMle9WBt26hFcAf0qLOcp5zmY7kOqQ==" }, "node_modules/sisteransi": { "version": "1.0.5", @@ -8188,9 +8219,9 @@ } }, "node_modules/snyk": { - "version": "1.687.0", - "resolved": "https://registry.npmjs.org/snyk/-/snyk-1.687.0.tgz", - "integrity": "sha512-eFiCgTGAkAeeUtcSxD3+fBYjhF7JvYZ4KmbbXPO6UnWUfThm082kf2Aw9eS5RlD1hXO8P41d8DeCYzJgEoid9w==", + "version": "1.733.0", + "resolved": "https://registry.npmjs.org/snyk/-/snyk-1.733.0.tgz", + "integrity": "sha512-Mi/wk9tw8ma4P2+2QwgzGDHcIG0Tfj0Wn7cliuUqd7CM8bg+Oryq3g4NcNK6mJZz0VaISF8MCIcIzbqV8v0JYg==", "bin": { "snyk": "bin/snyk" }, @@ -8199,9 +8230,9 @@ } }, "node_modules/snyk-api-ts-client": { - "version": "1.7.2", - "resolved": "https://registry.npmjs.org/snyk-api-ts-client/-/snyk-api-ts-client-1.7.2.tgz", - "integrity": "sha512-7IWrF1500lQuf4M1SeC4eLuVkZBtB7hTi2XfadYIp09P2AqEGajlxLLGZjmz5RHdLB4fH6zVWOefeApvW9A3ew==", + "version": "1.8.0", + "resolved": "https://registry.npmjs.org/snyk-api-ts-client/-/snyk-api-ts-client-1.8.0.tgz", + "integrity": "sha512-BiZpl8A7q34BHmizUIr4R2a+Y9Iq8i4pxNkfgSJm93YD926KRA0Xb2uRGhmJ+Pw8duYX/EZvOwlw2q6qJb+cGA==", "dependencies": { "@snyk/configstore": "^3.2.0-rc1", "@snyk/dep-graph": "^1.23.0", @@ -8224,9 +8255,9 @@ } }, "node_modules/snyk-api-ts-client/node_modules/@types/node": { - "version": "14.17.11", - "resolved": "https://registry.npmjs.org/@types/node/-/node-14.17.11.tgz", - "integrity": "sha512-n2OQ+0Bz6WEsUjrvcHD1xZ8K+Kgo4cn9/w94s1bJS690QMUWfJPW/m7CCb7gPkA1fcYwL2UpjXP/rq/Eo41m6w==" + "version": "14.17.21", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.17.21.tgz", + "integrity": "sha512-zv8ukKci1mrILYiQOwGSV4FpkZhyxQtuFWGya2GujWg+zVAeRQ4qbaMmWp9vb9889CFA8JECH7lkwCL6Ygg8kA==" }, "node_modules/snyk-api-ts-client/node_modules/async": { "version": "3.2.1", @@ -8255,9 +8286,9 @@ } }, "node_modules/snyk-delta": { - "version": "1.4.10", - "resolved": "https://registry.npmjs.org/snyk-delta/-/snyk-delta-1.4.10.tgz", - "integrity": "sha512-hNefsgbAGcIAFI/8g5kxykCypMSmtQzuxwgcapWjAGsiSXIYMo/WBSm250PBTwivlHpIwem/JeI4rqL1cBCDrw==", + "version": "1.5.4", + "resolved": "https://registry.npmjs.org/snyk-delta/-/snyk-delta-1.5.4.tgz", + "integrity": "sha512-BxlTjuRUDsPFbressaDhRxttPqSMsowHsOYUnn15etA4KxY6KTheg1kW57ndcgHXkm6vhfrA+SQe46eCqyELhQ==", "dependencies": { "@snyk/configstore": "^3.2.0-rc1", "@snyk/dep-graph": "^1.18.1", @@ -8268,8 +8299,8 @@ "debug": "^4.1.1", "is-uuid": "^1.0.2", "lodash": "^4.17.15", - "snyk": "^1.316.1", - "snyk-api-ts-client": "^1.6.0", + "snyk": "^1.667.0", + "snyk-api-ts-client": "^1.8.0", "source-map-support": "^0.5.16", "terminal-link": "^2.1.1", "tslib": "^1.10.0", @@ -8346,11 +8377,11 @@ } }, "node_modules/snyk-delta/node_modules/strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dependencies": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" @@ -8417,18 +8448,18 @@ } }, "node_modules/snyk-request-manager": { - "version": "1.4.1", - "resolved": "https://registry.npmjs.org/snyk-request-manager/-/snyk-request-manager-1.4.1.tgz", - "integrity": "sha512-WCnu3SUD2U8kUZ1R/amKm58LWE2at+jsoiwOLJgCQSVPvrVkioqtArEhe+tQf1MVq6fcwOZ/WgYcDQ4MbAWWJw==", + "version": "1.4.2", + "resolved": "https://registry.npmjs.org/snyk-request-manager/-/snyk-request-manager-1.4.2.tgz", + "integrity": "sha512-vCVQ4tkbuAQu5a0H1ArfkvOF6cQwwEOYvMJzErsu9rpj+TnRXtp2+rGq2hOwm61MBHA5LSVAdlJPok13xh+/1A==", "dependencies": { "@snyk/configstore": "^3.2.0-rc1", + "@types/debug": "^4.1.7", "@types/uuid": "^7.0.3", "axios": "^0.21.1", "chalk": "^4.0.0", "debug": "^4.1.1", "leaky-bucket-queue": "0.0.2", "lodash": "4.17.21", - "snyk": "^1.323.2", "snyk-config": "^4.0.0", "source-map-support": "^0.5.16", "tslib": "^1.10.0", @@ -8548,9 +8579,9 @@ } }, "node_modules/source-map-support": { - "version": "0.5.19", - "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", - "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "version": "0.5.20", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.20.tgz", + "integrity": "sha512-n1lZZ8Ve4ksRqizaBQgxXDgKwttHDhyfQjA6YZZn8+AroHbsIz+JjwxQDxbp+7y5OYCI8t1Yk7etjD9CRd2hIw==", "dependencies": { "buffer-from": "^1.0.0", "source-map": "^0.6.0" @@ -8807,24 +8838,24 @@ } }, "node_modules/string-width": { - "version": "4.2.2", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.2.tgz", - "integrity": "sha512-XBJbT3N4JhVumXE0eoLU9DCjcaF92KLNqTmFCnG1pf8duUxFGwtP6AD6nkjw9a3IdiRtL3E2w3JDiE/xi3vOeA==", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", - "strip-ansi": "^6.0.0" + "strip-ansi": "^6.0.1" }, "engines": { "node": ">=8" } }, "node_modules/string-width/node_modules/strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dependencies": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" @@ -9043,9 +9074,9 @@ } }, "node_modules/tmpl": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz", - "integrity": "sha1-I2QN17QtAEM5ERQIIOXPRA5SHdE=", + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/tmpl/-/tmpl-1.0.5.tgz", + "integrity": "sha512-3f0uOEAQwIqGuWW2MVzYg8fV/QNnc/IpuJNG837rLuczAaLVHslWHZQj4IGiEl5Hs3kkbhwL9Ab7Hrsmuj+Smw==", "dev": true }, "node_modules/to-fast-properties": { @@ -9258,12 +9289,12 @@ } }, "node_modules/tsc-watch/node_modules/strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "dependencies": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" @@ -9289,21 +9320,6 @@ "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz", "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==" }, - "node_modules/tsutils": { - "version": "3.21.0", - "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz", - "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==", - "dev": true, - "dependencies": { - "tslib": "^1.8.1" - }, - "engines": { - "node": ">= 6" - }, - "peerDependencies": { - "typescript": ">=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta" - } - }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", @@ -9699,12 +9715,12 @@ "dev": true }, "node_modules/wrap-ansi/node_modules/strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "dependencies": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" @@ -9739,9 +9755,9 @@ } }, "node_modules/ws": { - "version": "7.5.3", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.3.tgz", - "integrity": "sha512-kQ/dHIzuLrS6Je9+uv81ueZomEwH0qVYstcAQ4/Z93K8zeko9gtAbttJWzoC5ukqXY1PpoouV3+VSOqEAFt5wg==", + "version": "7.5.5", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.5.tgz", + "integrity": "sha512-BAkMFcAzl8as1G/hArkxOxq3G7pjUqQ3gzYbLL0/5zNkph70e+lCoxBGnm6AW1+/aiNeV4fnKqZ8m4GZewmH2w==", "dev": true, "engines": { "node": ">=8.3.0" @@ -9837,9 +9853,9 @@ }, "dependencies": { "@babel/code-frame": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.14.5.tgz", - "integrity": "sha512-9pzDqyc6OLDaqe+zbACgFkb6fKMNG6CObKpnYXChRsvYGyEdc7CA2BaqeOM+vOtCS5ndmJicPJhKAwYRI6UfFw==", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.15.8.tgz", + "integrity": "sha512-2IAnmn8zbvC/jKYhq5Ki9I+DwjlrtMPUCH/CpHvqI4dNnlwHwsxoIhlc8WcYY5LSYknXQtAlFYuHfqAFCvQ4Wg==", "dev": true, "requires": { "@babel/highlight": "^7.14.5" @@ -9852,20 +9868,20 @@ "dev": true }, "@babel/core": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.15.0.tgz", - "integrity": "sha512-tXtmTminrze5HEUPn/a0JtOzzfp0nk+UEXQ/tqIJo3WDGypl/2OFQEMll/zSFU8f/lfmfLXvTaORHF3cfXIQMw==", - "dev": true, - "requires": { - "@babel/code-frame": "^7.14.5", - "@babel/generator": "^7.15.0", - "@babel/helper-compilation-targets": "^7.15.0", - "@babel/helper-module-transforms": "^7.15.0", - "@babel/helpers": "^7.14.8", - "@babel/parser": "^7.15.0", - "@babel/template": "^7.14.5", - "@babel/traverse": "^7.15.0", - "@babel/types": "^7.15.0", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.15.8.tgz", + "integrity": "sha512-3UG9dsxvYBMYwRv+gS41WKHno4K60/9GPy1CJaH6xy3Elq8CTtvtjT5R5jmNhXfCYLX2mTw+7/aq5ak/gOE0og==", + "dev": true, + "requires": { + "@babel/code-frame": "^7.15.8", + "@babel/generator": "^7.15.8", + "@babel/helper-compilation-targets": "^7.15.4", + "@babel/helper-module-transforms": "^7.15.8", + "@babel/helpers": "^7.15.4", + "@babel/parser": "^7.15.8", + "@babel/template": "^7.15.4", + "@babel/traverse": "^7.15.4", + "@babel/types": "^7.15.6", "convert-source-map": "^1.7.0", "debug": "^4.1.0", "gensync": "^1.0.0-beta.2", @@ -9889,12 +9905,12 @@ } }, "@babel/generator": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.15.0.tgz", - "integrity": "sha512-eKl4XdMrbpYvuB505KTta4AV9g+wWzmVBW69tX0H2NwKVKd2YJbKgyK6M8j/rgLbmHOYJn6rUklV677nOyJrEQ==", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.15.8.tgz", + "integrity": "sha512-ECmAKstXbp1cvpTTZciZCgfOt6iN64lR0d+euv3UZisU5awfRawOvg07Utn/qBGuH4bRIEZKrA/4LzZyXhZr8g==", "dev": true, "requires": { - "@babel/types": "^7.15.0", + "@babel/types": "^7.15.6", "jsesc": "^2.5.1", "source-map": "^0.5.0" }, @@ -9908,9 +9924,9 @@ } }, "@babel/helper-compilation-targets": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.15.0.tgz", - "integrity": "sha512-h+/9t0ncd4jfZ8wsdAsoIxSa61qhBYlycXiHWqJaQBCXAhDCMbPRSMTGnZIkkmt1u4ag+UQmuqcILwqKzZ4N2A==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.15.4.tgz", + "integrity": "sha512-rMWPCirulnPSe4d+gwdWXLfAXTTBj8M3guAf5xFQJ0nvFY7tfNAFnWdqaHegHlgDZOCT4qvhF3BYlSJag8yhqQ==", "dev": true, "requires": { "@babel/compat-data": "^7.15.0", @@ -9928,75 +9944,75 @@ } }, "@babel/helper-function-name": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.14.5.tgz", - "integrity": "sha512-Gjna0AsXWfFvrAuX+VKcN/aNNWonizBj39yGwUzVDVTlMYJMK2Wp6xdpy72mfArFq5uK+NOuexfzZlzI1z9+AQ==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.15.4.tgz", + "integrity": "sha512-Z91cOMM4DseLIGOnog+Z8OI6YseR9bua+HpvLAQ2XayUGU+neTtX+97caALaLdyu53I/fjhbeCnWnRH1O3jFOw==", "dev": true, "requires": { - "@babel/helper-get-function-arity": "^7.14.5", - "@babel/template": "^7.14.5", - "@babel/types": "^7.14.5" + "@babel/helper-get-function-arity": "^7.15.4", + "@babel/template": "^7.15.4", + "@babel/types": "^7.15.4" } }, "@babel/helper-get-function-arity": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.14.5.tgz", - "integrity": "sha512-I1Db4Shst5lewOM4V+ZKJzQ0JGGaZ6VY1jYvMghRjqs6DWgxLCIyFt30GlnKkfUeFLpJt2vzbMVEXVSXlIFYUg==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.15.4.tgz", + "integrity": "sha512-1/AlxSF92CmGZzHnC515hm4SirTxtpDnLEJ0UyEMgTMZN+6bxXKg04dKhiRx5Enel+SUA1G1t5Ed/yQia0efrA==", "dev": true, "requires": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" } }, "@babel/helper-hoist-variables": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.14.5.tgz", - "integrity": "sha512-R1PXiz31Uc0Vxy4OEOm07x0oSjKAdPPCh3tPivn/Eo8cvz6gveAeuyUUPB21Hoiif0uoPQSSdhIPS3352nvdyQ==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.15.4.tgz", + "integrity": "sha512-VTy085egb3jUGVK9ycIxQiPbquesq0HUQ+tPO0uv5mPEBZipk+5FkRKiWq5apuyTE9FUrjENB0rCf8y+n+UuhA==", "dev": true, "requires": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" } }, "@babel/helper-member-expression-to-functions": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.15.0.tgz", - "integrity": "sha512-Jq8H8U2kYiafuj2xMTPQwkTBnEEdGKpT35lJEQsRRjnG0LW3neucsaMWLgKcwu3OHKNeYugfw+Z20BXBSEs2Lg==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.15.4.tgz", + "integrity": "sha512-cokOMkxC/BTyNP1AlY25HuBWM32iCEsLPI4BHDpJCHHm1FU2E7dKWWIXJgQgSFiu4lp8q3bL1BIKwqkSUviqtA==", "dev": true, "requires": { - "@babel/types": "^7.15.0" + "@babel/types": "^7.15.4" } }, "@babel/helper-module-imports": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.14.5.tgz", - "integrity": "sha512-SwrNHu5QWS84XlHwGYPDtCxcA0hrSlL2yhWYLgeOc0w7ccOl2qv4s/nARI0aYZW+bSwAL5CukeXA47B/1NKcnQ==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.15.4.tgz", + "integrity": "sha512-jeAHZbzUwdW/xHgHQ3QmWR4Jg6j15q4w/gCfwZvtqOxoo5DKtLHk8Bsf4c5RZRC7NmLEs+ohkdq8jFefuvIxAA==", "dev": true, "requires": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" } }, "@babel/helper-module-transforms": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.15.0.tgz", - "integrity": "sha512-RkGiW5Rer7fpXv9m1B3iHIFDZdItnO2/BLfWVW/9q7+KqQSDY5kUfQEbzdXM1MVhJGcugKV7kRrNVzNxmk7NBg==", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.15.8.tgz", + "integrity": "sha512-DfAfA6PfpG8t4S6npwzLvTUpp0sS7JrcuaMiy1Y5645laRJIp/LiLGIBbQKaXSInK8tiGNI7FL7L8UvB8gdUZg==", "dev": true, "requires": { - "@babel/helper-module-imports": "^7.14.5", - "@babel/helper-replace-supers": "^7.15.0", - "@babel/helper-simple-access": "^7.14.8", - "@babel/helper-split-export-declaration": "^7.14.5", - "@babel/helper-validator-identifier": "^7.14.9", - "@babel/template": "^7.14.5", - "@babel/traverse": "^7.15.0", - "@babel/types": "^7.15.0" + "@babel/helper-module-imports": "^7.15.4", + "@babel/helper-replace-supers": "^7.15.4", + "@babel/helper-simple-access": "^7.15.4", + "@babel/helper-split-export-declaration": "^7.15.4", + "@babel/helper-validator-identifier": "^7.15.7", + "@babel/template": "^7.15.4", + "@babel/traverse": "^7.15.4", + "@babel/types": "^7.15.6" } }, "@babel/helper-optimise-call-expression": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.14.5.tgz", - "integrity": "sha512-IqiLIrODUOdnPU9/F8ib1Fx2ohlgDhxnIDU7OEVi+kAbEZcyiF7BLU8W6PfvPi9LzztjS7kcbzbmL7oG8kD6VA==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.15.4.tgz", + "integrity": "sha512-E/z9rfbAOt1vDW1DR7k4SzhzotVV5+qMciWV6LaG1g4jeFrkDlJedjtV4h0i4Q/ITnUu+Pk08M7fczsB9GXBDw==", "dev": true, "requires": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" } }, "@babel/helper-plugin-utils": { @@ -10006,39 +10022,39 @@ "dev": true }, "@babel/helper-replace-supers": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.15.0.tgz", - "integrity": "sha512-6O+eWrhx+HEra/uJnifCwhwMd6Bp5+ZfZeJwbqUTuqkhIT6YcRhiZCOOFChRypOIe0cV46kFrRBlm+t5vHCEaA==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.15.4.tgz", + "integrity": "sha512-/ztT6khaXF37MS47fufrKvIsiQkx1LBRvSJNzRqmbyeZnTwU9qBxXYLaaT/6KaxfKhjs2Wy8kG8ZdsFUuWBjzw==", "dev": true, "requires": { - "@babel/helper-member-expression-to-functions": "^7.15.0", - "@babel/helper-optimise-call-expression": "^7.14.5", - "@babel/traverse": "^7.15.0", - "@babel/types": "^7.15.0" + "@babel/helper-member-expression-to-functions": "^7.15.4", + "@babel/helper-optimise-call-expression": "^7.15.4", + "@babel/traverse": "^7.15.4", + "@babel/types": "^7.15.4" } }, "@babel/helper-simple-access": { - "version": "7.14.8", - "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.14.8.tgz", - "integrity": "sha512-TrFN4RHh9gnWEU+s7JloIho2T76GPwRHhdzOWLqTrMnlas8T9O7ec+oEDNsRXndOmru9ymH9DFrEOxpzPoSbdg==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.15.4.tgz", + "integrity": "sha512-UzazrDoIVOZZcTeHHEPYrr1MvTR/K+wgLg6MY6e1CJyaRhbibftF6fR2KU2sFRtI/nERUZR9fBd6aKgBlIBaPg==", "dev": true, "requires": { - "@babel/types": "^7.14.8" + "@babel/types": "^7.15.4" } }, "@babel/helper-split-export-declaration": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.14.5.tgz", - "integrity": "sha512-hprxVPu6e5Kdp2puZUmvOGjaLv9TCe58E/Fl6hRq4YiVQxIcNvuq6uTM2r1mT/oPskuS9CgR+I94sqAYv0NGKA==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.15.4.tgz", + "integrity": "sha512-HsFqhLDZ08DxCpBdEVtKmywj6PQbwnF6HHybur0MAnkAKnlS6uHkwnmRIkElB2Owpfb4xL4NwDmDLFubueDXsw==", "dev": true, "requires": { - "@babel/types": "^7.14.5" + "@babel/types": "^7.15.4" } }, "@babel/helper-validator-identifier": { - "version": "7.14.9", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.14.9.tgz", - "integrity": "sha512-pQYxPY0UP6IHISRitNe8bsijHex4TWZXi2HwKVsjPiltzlhse2znVcm9Ace510VT1kxIHjGJCZZQBX2gJDbo0g==", + "version": "7.15.7", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.15.7.tgz", + "integrity": "sha512-K4JvCtQqad9OY2+yTU8w+E82ywk/fe+ELNlt1G8z3bVGlZfn/hOcQQsUhGhW/N+tb3fxK800wLtKOE/aM0m72w==", "dev": true }, "@babel/helper-validator-option": { @@ -10048,14 +10064,14 @@ "dev": true }, "@babel/helpers": { - "version": "7.15.3", - "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.15.3.tgz", - "integrity": "sha512-HwJiz52XaS96lX+28Tnbu31VeFSQJGOeKHJeaEPQlTl7PnlhFElWPj8tUXtqFIzeN86XxXoBr+WFAyK2PPVz6g==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.15.4.tgz", + "integrity": "sha512-V45u6dqEJ3w2rlryYYXf6i9rQ5YMNu4FLS6ngs8ikblhu2VdR1AqAd6aJjBzmf2Qzh6KOLqKHxEN9+TFbAkAVQ==", "dev": true, "requires": { - "@babel/template": "^7.14.5", - "@babel/traverse": "^7.15.0", - "@babel/types": "^7.15.0" + "@babel/template": "^7.15.4", + "@babel/traverse": "^7.15.4", + "@babel/types": "^7.15.4" } }, "@babel/highlight": { @@ -10070,9 +10086,9 @@ } }, "@babel/parser": { - "version": "7.15.3", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.15.3.tgz", - "integrity": "sha512-O0L6v/HvqbdJawj0iBEfVQMc3/6WP+AeOsovsIgBFyJaG+W2w7eqvZB7puddATmWuARlm1SX7DwxJ/JJUnDpEA==", + "version": "7.15.8", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.15.8.tgz", + "integrity": "sha512-BRYa3wcQnjS/nqI8Ac94pYYpJfojHVvVXJ97+IDCImX4Jc8W8Xv1+47enbruk+q1etOpsQNwnfFcNGw+gtPGxA==", "dev": true }, "@babel/plugin-syntax-async-generators": { @@ -10175,29 +10191,29 @@ } }, "@babel/template": { - "version": "7.14.5", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.14.5.tgz", - "integrity": "sha512-6Z3Po85sfxRGachLULUhOmvAaOo7xCvqGQtxINai2mEGPFm6pQ4z5QInFnUrRpfoSV60BnjyF5F3c+15fxFV1g==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.15.4.tgz", + "integrity": "sha512-UgBAfEa1oGuYgDIPM2G+aHa4Nlo9Lh6mGD2bDBGMTbYnc38vulXPuC1MGjYILIEmlwl6Rd+BPR9ee3gm20CBtg==", "dev": true, "requires": { "@babel/code-frame": "^7.14.5", - "@babel/parser": "^7.14.5", - "@babel/types": "^7.14.5" + "@babel/parser": "^7.15.4", + "@babel/types": "^7.15.4" } }, "@babel/traverse": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.15.0.tgz", - "integrity": "sha512-392d8BN0C9eVxVWd8H6x9WfipgVH5IaIoLp23334Sc1vbKKWINnvwRpb4us0xtPaCumlwbTtIYNA0Dv/32sVFw==", + "version": "7.15.4", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.15.4.tgz", + "integrity": "sha512-W6lQD8l4rUbQR/vYgSuCAE75ADyyQvOpFVsvPPdkhf6lATXAsQIG9YdtOcu8BB1dZ0LKu+Zo3c1wEcbKeuhdlA==", "dev": true, "requires": { "@babel/code-frame": "^7.14.5", - "@babel/generator": "^7.15.0", - "@babel/helper-function-name": "^7.14.5", - "@babel/helper-hoist-variables": "^7.14.5", - "@babel/helper-split-export-declaration": "^7.14.5", - "@babel/parser": "^7.15.0", - "@babel/types": "^7.15.0", + "@babel/generator": "^7.15.4", + "@babel/helper-function-name": "^7.15.4", + "@babel/helper-hoist-variables": "^7.15.4", + "@babel/helper-split-export-declaration": "^7.15.4", + "@babel/parser": "^7.15.4", + "@babel/types": "^7.15.4", "debug": "^4.1.0", "globals": "^11.1.0" }, @@ -10211,9 +10227,9 @@ } }, "@babel/types": { - "version": "7.15.0", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.15.0.tgz", - "integrity": "sha512-OBvfqnllOIdX4ojTHpwZbpvz4j3EWyjkZEdmjH0/cgsd6QOdSgU8rLSk6ard/pcW7rlmjdVSX/AWOaORR1uNOQ==", + "version": "7.15.6", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.15.6.tgz", + "integrity": "sha512-BPU+7QhqNjmWyDO0/vitH/CuhpV8ZmK1wpKva8nuyNF5MJfuRNWMc+hc14+u9xT93kvykMdncrJT19h74uB1Ig==", "dev": true, "requires": { "@babel/helper-validator-identifier": "^7.14.9", @@ -10413,12 +10429,12 @@ } }, "strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" } }, "supports-color": { @@ -10760,9 +10776,9 @@ } }, "@snyk/dep-graph": { - "version": "1.28.1", - "resolved": "https://registry.npmjs.org/@snyk/dep-graph/-/dep-graph-1.28.1.tgz", - "integrity": "sha512-ti5fPYivhBGCJ7rZGznMX2UJE1M5lR811WvVyBWTRJwLYVFYkhxRXKfgZUXEB0tq8vpo3V7tm3syrBd5TLPIMA==", + "version": "1.29.0", + "resolved": "https://registry.npmjs.org/@snyk/dep-graph/-/dep-graph-1.29.0.tgz", + "integrity": "sha512-pk3QSRyCFVaZ9qTdPuQCmDsLL9w5X+28KiwabYlTndSixg0Sj4fGygxziGj7xf/y/15WvwWwL4knnw96Zccr9w==", "requires": { "event-loop-spinner": "^2.1.0", "lodash.clone": "^4.5.0", @@ -10786,9 +10802,9 @@ } }, "@types/babel__core": { - "version": "7.1.15", - "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.1.15.tgz", - "integrity": "sha512-bxlMKPDbY8x5h6HBwVzEOk2C8fb6SLfYQ5Jw3uBYuYF1lfWk/kbLd81la82vrIkBb0l+JdmrZaDikPrNxpS/Ew==", + "version": "7.1.16", + "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.1.16.tgz", + "integrity": "sha512-EAEHtisTMM+KaKwfWdC3oyllIqswlznXCIVCt7/oRNrh+DhgT4UEBNC/jlADNjvw7UnfbcdkGQcPVZ1xYiLcrQ==", "dev": true, "requires": { "@babel/parser": "^7.1.0", @@ -10896,9 +10912,9 @@ "dev": true }, "@types/lodash": { - "version": "4.14.172", - "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.172.tgz", - "integrity": "sha512-/BHF5HAx3em7/KkzVKm3LrsD6HZAXuXO1AJZQ3cRRBZj4oHZDviWPYu0aEplAqDFNHZPW6d3G7KN+ONcCCC7pw==" + "version": "4.14.175", + "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.175.tgz", + "integrity": "sha512-XmdEOrKQ8a1Y/yxQFOMbC47G/V2VDO1GvMRnl4O75M4GW/abC5tnfzadQYkqEveqRM1dEJGFFegfPNA2vvx2iw==" }, "@types/ms": { "version": "0.7.31", @@ -10906,9 +10922,9 @@ "integrity": "sha512-iiUgKzV9AuaEkZqkOLDIvlQiL6ltuZd9tGcW3gwpnX8JbuiuhFlEGmmFXEXkN50Cvq7Os88IY2v0dkDqXYWVgA==" }, "@types/node": { - "version": "12.20.20", - "resolved": "https://registry.npmjs.org/@types/node/-/node-12.20.20.tgz", - "integrity": "sha512-kqmxiJg4AT7rsSPIhO6eoBIx9mNwwpeH42yjtgQh6X2ANSpLpvToMXv+LMFdfxpwG1FZXZ41OGZMiUAtbBLEvg==", + "version": "12.20.28", + "resolved": "https://registry.npmjs.org/@types/node/-/node-12.20.28.tgz", + "integrity": "sha512-cBw8gzxUPYX+/5lugXIPksioBSbE42k0fZ39p+4yRzfYjN6++eq9kAPdlY9qm+MXyfbk9EmvCYAYRn380sF46w==", "dev": true }, "@types/normalize-package-data": { @@ -10959,6 +10975,17 @@ "functional-red-black-tree": "^1.0.1", "regexpp": "^3.0.0", "tsutils": "^3.17.1" + }, + "dependencies": { + "tsutils": { + "version": "3.21.0", + "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz", + "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==", + "dev": true, + "requires": { + "tslib": "^1.8.1" + } + } } }, "@typescript-eslint/experimental-utils": { @@ -10998,6 +11025,17 @@ "lodash": "^4.17.15", "semver": "^7.3.2", "tsutils": "^3.17.1" + }, + "dependencies": { + "tsutils": { + "version": "3.21.0", + "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz", + "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==", + "dev": true, + "requires": { + "tslib": "^1.8.1" + } + } } }, "abab": { @@ -11071,9 +11109,9 @@ } }, "ansi-regex": { - "version": "5.0.0", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz", - "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg==" + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==" }, "ansi-styles": { "version": "3.2.1", @@ -11201,11 +11239,11 @@ "dev": true }, "axios": { - "version": "0.21.1", - "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz", - "integrity": "sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==", + "version": "0.21.4", + "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.4.tgz", + "integrity": "sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==", "requires": { - "follow-redirects": "^1.10.0" + "follow-redirects": "^1.14.0" } }, "babel-jest": { @@ -11412,16 +11450,16 @@ } }, "browserslist": { - "version": "4.16.8", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.16.8.tgz", - "integrity": "sha512-sc2m9ohR/49sWEbPj14ZSSZqp+kbi16aLao42Hmn3Z8FpjuMaq2xCA2l4zl9ITfyzvnvyE0hcg62YkIGKxgaNQ==", + "version": "4.17.3", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.17.3.tgz", + "integrity": "sha512-59IqHJV5VGdcJZ+GZ2hU5n4Kv3YiASzW6Xk5g9tf5a/MAzGeFwgGWU39fVzNIOVcgB3+Gp+kiQu0HEfTVU/3VQ==", "dev": true, "requires": { - "caniuse-lite": "^1.0.30001251", - "colorette": "^1.3.0", - "electron-to-chromium": "^1.3.811", + "caniuse-lite": "^1.0.30001264", + "electron-to-chromium": "^1.3.857", "escalade": "^3.1.1", - "node-releases": "^1.1.75" + "node-releases": "^1.1.77", + "picocolors": "^0.2.1" } }, "bs-logger": { @@ -11477,9 +11515,9 @@ "dev": true }, "caniuse-lite": { - "version": "1.0.30001251", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001251.tgz", - "integrity": "sha512-HOe1r+9VkU4TFmnU70z+r7OLmtR+/chB1rdcJUeQlAinjEeb0cKL20tlAtOagNZhbrtLnCvV19B4FmF1rgzl6A==", + "version": "1.0.30001265", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001265.tgz", + "integrity": "sha512-YzBnspggWV5hep1m9Z6sZVLOt7vrju8xWooFAgN6BA5qvy98qPAPb7vNUzypFaoh2pb3vlfzbDO8tB57UPGbtw==", "dev": true }, "capture-exit": { @@ -11627,12 +11665,12 @@ }, "dependencies": { "strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" } } } @@ -11679,12 +11717,6 @@ "integrity": "sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=", "dev": true }, - "colorette": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/colorette/-/colorette-1.3.0.tgz", - "integrity": "sha512-ecORCqbSFP7Wm8Y6lyqMJjexBQqXSF7SSeaTyGGphogUjBlFP9m9o08wy86HL2uB7fMTxtOUzLMk7ogKcxMg1w==", - "dev": true - }, "combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", @@ -11816,9 +11848,9 @@ "dev": true }, "deep-is": { - "version": "0.1.3", - "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.3.tgz", - "integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=", + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz", + "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==", "dev": true }, "deepmerge": { @@ -11904,9 +11936,9 @@ } }, "electron-to-chromium": { - "version": "1.3.816", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.3.816.tgz", - "integrity": "sha512-/AvJPIJldO0NkwkfpUD7u1e4YEGRFBQpFuvl9oGCcVgWOObsZB1loxVGeVUJB9kmvfsBUUChPYdgRzx6+AKNyg==", + "version": "1.3.861", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.3.861.tgz", + "integrity": "sha512-GZyflmpMnZRdZ1e2yAyvuFwz1MPSVQelwHX4TJZyXypB8NcxdPvPNwy5lOTxnlkrK13EiQzyTPugRSnj6cBgKg==", "dev": true }, "emoji-regex": { @@ -12534,9 +12566,9 @@ "dev": true }, "follow-redirects": { - "version": "1.14.2", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.2.tgz", - "integrity": "sha512-yLR6WaE2lbF0x4K2qE2p9PEXKLDjUjnR/xmjS3wHAYxtlsI9MLLBJUZirAHKzUZDGLxje7w/cXR49WOUo4rbsA==" + "version": "1.14.4", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.4.tgz", + "integrity": "sha512-zwGkiSXC1MUJG/qmeIFH2HBJx9u0V46QGUe3YR1fXG8bXQxq7fLj0RjLZQ5nubr9qNJUZrH+xUcwXEoXNpfS+g==" }, "for-in": { "version": "1.0.2", @@ -12649,9 +12681,9 @@ } }, "glob": { - "version": "7.1.7", - "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.7.tgz", - "integrity": "sha512-OvD9ENzPLbegENnYP5UUfJIirTg4+XwMWGaQfQTY0JenxNvvIKP3U3/tAQSPIu/lHxXYSZmpXlUHeqAIdKzBLQ==", + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.0.tgz", + "integrity": "sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q==", "dev": true, "requires": { "fs.realpath": "^1.0.0", @@ -12839,9 +12871,9 @@ } }, "import-local": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/import-local/-/import-local-3.0.2.tgz", - "integrity": "sha512-vjL3+w0oulAVZ0hBHnxa/Nm5TAurf9YLQJDhqRZyqb+VKGOB6LU8t9H1Nr5CIo16vh9XfJTOoHwU0B71S557gA==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/import-local/-/import-local-3.0.3.tgz", + "integrity": "sha512-bE9iaUY3CXH8Cwfan/abDKAxe1KGT9kyGsBPqf6DMK/z0a2OzAsrukeYNgIH6cH5Xr452jb1TUL8rSfCLjZ9uA==", "dev": true, "requires": { "pkg-dir": "^4.2.0", @@ -12936,12 +12968,12 @@ "dev": true }, "strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" } }, "supports-color": { @@ -12997,9 +13029,9 @@ } }, "is-core-module": { - "version": "2.6.0", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.6.0.tgz", - "integrity": "sha512-wShG8vs60jKfPWpF2KZRaAtvt3a20OAn7+IJ6hLPECpSABLcKtFKTTI4ZtH5QcBruBHlq+WsdHWyz0BCZW7svQ==", + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.7.0.tgz", + "integrity": "sha512-ByY+tjCciCr+9nLryBYcSD50EOGWt95c7tIsKTG1J2ixKKXPvF7Ej3AVd+UfDydAJom3biBGDBALaO79ktwgEQ==", "dev": true, "requires": { "has": "^1.0.3" @@ -13059,9 +13091,9 @@ "dev": true }, "is-glob": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.1.tgz", - "integrity": "sha512-5G0tKtBTFImOqDnLB2hG6Bp2qcKEFduo4tZu9MT/H6NQv/ghhy30o55ufafxJ/LdH79LLs2Kfrn85TLKyA7BUg==", + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", + "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", "dev": true, "requires": { "is-extglob": "^2.1.1" @@ -13225,9 +13257,9 @@ } }, "istanbul-reports": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-3.0.2.tgz", - "integrity": "sha512-9tZvz7AiR3PEDNGiV9vIouQ/EAcqMXFmkcA1CDFTwOB98OZVDL0PH9glHotf5Ugp6GCOTypfzGWI/OqjWNCRUw==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-3.0.3.tgz", + "integrity": "sha512-0i77ZFLsb9U3DHi22WzmIngVzfoyxxbQcZRqlF3KoKmCJGq9nhFHoGi8FqBztN2rE8w6hURnZghetn0xpkVb6A==", "dev": true, "requires": { "html-escaper": "^2.0.0", @@ -14789,18 +14821,18 @@ } }, "mime-db": { - "version": "1.49.0", - "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.49.0.tgz", - "integrity": "sha512-CIc8j9URtOVApSFCQIF+VBkX1RwXp/oMMOrqdyXSBXq5RWNEsRfyj1kiRnQgmNXmHxPoFIxOroKA3zcU9P+nAA==", + "version": "1.50.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.50.0.tgz", + "integrity": "sha512-9tMZCDlYHqeERXEHO9f/hKfNXhre5dK2eE/krIvUjZbS2KPcqGDfNShIWS1uW9XOTKQKqK6qbeOci18rbfW77A==", "dev": true }, "mime-types": { - "version": "2.1.32", - "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.32.tgz", - "integrity": "sha512-hJGaVS4G4c9TSMYh2n6SQAGrC4RnfU+daP8G7cSCmaqNjiOoUY0VHCMS42pxnQmVF1GWwFhbHWn3RIxCqTmZ9A==", + "version": "2.1.33", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.33.tgz", + "integrity": "sha512-plLElXp7pRDd0bNZHw+nMd52vRYjLwQjygaNg7ddJ2uJtTlmnTCjWuPKxVu6//AdaRuME84SvLW91sIkBqGT0g==", "dev": true, "requires": { - "mime-db": "1.49.0" + "mime-db": "1.50.0" } }, "mimic-fn": { @@ -14972,9 +15004,9 @@ "dev": true }, "nock": { - "version": "13.1.2", - "resolved": "https://registry.npmjs.org/nock/-/nock-13.1.2.tgz", - "integrity": "sha512-BDjokoeGZnBghmvwCcDJ1yM5TDRMRAJfGi1xIzX5rKTlifbyx1oRpAVl3aNhEA3kGbUSEPD7gBLmwVdnQibrIA==", + "version": "13.1.3", + "resolved": "https://registry.npmjs.org/nock/-/nock-13.1.3.tgz", + "integrity": "sha512-YKj0rKQWMGiiIO+Y65Ut8OEgYM3PplLU2+GAhnPmqZdBd6z5IskgdBqWmjzA6lH3RF0S2a3wiAlrMOF5Iv2Jeg==", "dev": true, "requires": { "debug": "^4.1.0", @@ -15025,9 +15057,9 @@ } }, "node-releases": { - "version": "1.1.75", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-1.1.75.tgz", - "integrity": "sha512-Qe5OUajvqrqDSy6wrWFmMwfJ0jVgwiw4T3KqmbTcZ62qW0gQkheXYhcFM1+lOVcGUoRxcEcfyvFMAnDgaF1VWw==", + "version": "1.1.77", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-1.1.77.tgz", + "integrity": "sha512-rB1DUFUNAN4Gn9keO2K1efO35IDK7yKHCdCaIMvFO7yUYmmZYeDjnGKle26G4rwj+LKRQpjyUUvMkPglwGCYNQ==", "dev": true }, "normalize-package-data": { @@ -15335,6 +15367,12 @@ "integrity": "sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=", "dev": true }, + "picocolors": { + "version": "0.2.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-0.2.1.tgz", + "integrity": "sha512-cMlDqaLEqfSaW8Z7N5Jw+lyIW869EzT73/F5lhtY9cLGoVxSXznfgfXMO0Z5K0o0Q2TkTXq+0KFsdnSe3jDViA==", + "dev": true + }, "picomatch": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.0.tgz", @@ -16022,9 +16060,9 @@ "optional": true }, "signal-exit": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.3.tgz", - "integrity": "sha512-VUJ49FC8U1OxwZLxIbTTrDvLnf/6TDgxZcK8wxR8zs13xpx7xbG60ndBlhNrFi2EMuFRoeDoJO7wthSLq42EjA==" + "version": "3.0.5", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.5.tgz", + "integrity": "sha512-KWcOiKeQj6ZyXx7zq4YxSMgHRlod4czeBQZrPb8OKcohcqAXShm7E20kEMle9WBt26hFcAf0qLOcp5zmY7kOqQ==" }, "sisteransi": { "version": "1.0.5", @@ -16220,14 +16258,14 @@ } }, "snyk": { - "version": "1.687.0", - "resolved": "https://registry.npmjs.org/snyk/-/snyk-1.687.0.tgz", - "integrity": "sha512-eFiCgTGAkAeeUtcSxD3+fBYjhF7JvYZ4KmbbXPO6UnWUfThm082kf2Aw9eS5RlD1hXO8P41d8DeCYzJgEoid9w==" + "version": "1.733.0", + "resolved": "https://registry.npmjs.org/snyk/-/snyk-1.733.0.tgz", + "integrity": "sha512-Mi/wk9tw8ma4P2+2QwgzGDHcIG0Tfj0Wn7cliuUqd7CM8bg+Oryq3g4NcNK6mJZz0VaISF8MCIcIzbqV8v0JYg==" }, "snyk-api-ts-client": { - "version": "1.7.2", - "resolved": "https://registry.npmjs.org/snyk-api-ts-client/-/snyk-api-ts-client-1.7.2.tgz", - "integrity": "sha512-7IWrF1500lQuf4M1SeC4eLuVkZBtB7hTi2XfadYIp09P2AqEGajlxLLGZjmz5RHdLB4fH6zVWOefeApvW9A3ew==", + "version": "1.8.0", + "resolved": "https://registry.npmjs.org/snyk-api-ts-client/-/snyk-api-ts-client-1.8.0.tgz", + "integrity": "sha512-BiZpl8A7q34BHmizUIr4R2a+Y9Iq8i4pxNkfgSJm93YD926KRA0Xb2uRGhmJ+Pw8duYX/EZvOwlw2q6qJb+cGA==", "requires": { "@snyk/configstore": "^3.2.0-rc1", "@snyk/dep-graph": "^1.23.0", @@ -16247,9 +16285,9 @@ }, "dependencies": { "@types/node": { - "version": "14.17.11", - "resolved": "https://registry.npmjs.org/@types/node/-/node-14.17.11.tgz", - "integrity": "sha512-n2OQ+0Bz6WEsUjrvcHD1xZ8K+Kgo4cn9/w94s1bJS690QMUWfJPW/m7CCb7gPkA1fcYwL2UpjXP/rq/Eo41m6w==" + "version": "14.17.21", + "resolved": "https://registry.npmjs.org/@types/node/-/node-14.17.21.tgz", + "integrity": "sha512-zv8ukKci1mrILYiQOwGSV4FpkZhyxQtuFWGya2GujWg+zVAeRQ4qbaMmWp9vb9889CFA8JECH7lkwCL6Ygg8kA==" }, "async": { "version": "3.2.1", @@ -16280,9 +16318,9 @@ } }, "snyk-delta": { - "version": "1.4.10", - "resolved": "https://registry.npmjs.org/snyk-delta/-/snyk-delta-1.4.10.tgz", - "integrity": "sha512-hNefsgbAGcIAFI/8g5kxykCypMSmtQzuxwgcapWjAGsiSXIYMo/WBSm250PBTwivlHpIwem/JeI4rqL1cBCDrw==", + "version": "1.5.4", + "resolved": "https://registry.npmjs.org/snyk-delta/-/snyk-delta-1.5.4.tgz", + "integrity": "sha512-BxlTjuRUDsPFbressaDhRxttPqSMsowHsOYUnn15etA4KxY6KTheg1kW57ndcgHXkm6vhfrA+SQe46eCqyELhQ==", "requires": { "@snyk/configstore": "^3.2.0-rc1", "@snyk/dep-graph": "^1.18.1", @@ -16293,8 +16331,8 @@ "debug": "^4.1.1", "is-uuid": "^1.0.2", "lodash": "^4.17.15", - "snyk": "^1.316.1", - "snyk-api-ts-client": "^1.6.0", + "snyk": "^1.667.0", + "snyk-api-ts-client": "^1.8.0", "source-map-support": "^0.5.16", "terminal-link": "^2.1.1", "tslib": "^1.10.0", @@ -16347,11 +16385,11 @@ "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==" }, "strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "requires": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" } }, "supports-color": { @@ -16399,18 +16437,18 @@ } }, "snyk-request-manager": { - "version": "1.4.1", - "resolved": "https://registry.npmjs.org/snyk-request-manager/-/snyk-request-manager-1.4.1.tgz", - "integrity": "sha512-WCnu3SUD2U8kUZ1R/amKm58LWE2at+jsoiwOLJgCQSVPvrVkioqtArEhe+tQf1MVq6fcwOZ/WgYcDQ4MbAWWJw==", + "version": "1.4.2", + "resolved": "https://registry.npmjs.org/snyk-request-manager/-/snyk-request-manager-1.4.2.tgz", + "integrity": "sha512-vCVQ4tkbuAQu5a0H1ArfkvOF6cQwwEOYvMJzErsu9rpj+TnRXtp2+rGq2hOwm61MBHA5LSVAdlJPok13xh+/1A==", "requires": { "@snyk/configstore": "^3.2.0-rc1", + "@types/debug": "^4.1.7", "@types/uuid": "^7.0.3", "axios": "^0.21.1", "chalk": "^4.0.0", "debug": "^4.1.1", "leaky-bucket-queue": "0.0.2", "lodash": "4.17.21", - "snyk": "^1.323.2", "snyk-config": "^4.0.0", "source-map-support": "^0.5.16", "tslib": "^1.10.0", @@ -16502,9 +16540,9 @@ } }, "source-map-support": { - "version": "0.5.19", - "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.19.tgz", - "integrity": "sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==", + "version": "0.5.20", + "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.20.tgz", + "integrity": "sha512-n1lZZ8Ve4ksRqizaBQgxXDgKwttHDhyfQjA6YZZn8+AroHbsIz+JjwxQDxbp+7y5OYCI8t1Yk7etjD9CRd2hIw==", "requires": { "buffer-from": "^1.0.0", "source-map": "^0.6.0" @@ -16716,21 +16754,21 @@ } }, "string-width": { - "version": "4.2.2", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.2.tgz", - "integrity": "sha512-XBJbT3N4JhVumXE0eoLU9DCjcaF92KLNqTmFCnG1pf8duUxFGwtP6AD6nkjw9a3IdiRtL3E2w3JDiE/xi3vOeA==", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", - "strip-ansi": "^6.0.0" + "strip-ansi": "^6.0.1" }, "dependencies": { "strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "requires": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" } } } @@ -16900,9 +16938,9 @@ } }, "tmpl": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz", - "integrity": "sha1-I2QN17QtAEM5ERQIIOXPRA5SHdE=", + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/tmpl/-/tmpl-1.0.5.tgz", + "integrity": "sha512-3f0uOEAQwIqGuWW2MVzYg8fV/QNnc/IpuJNG837rLuczAaLVHslWHZQj4IGiEl5Hs3kkbhwL9Ab7Hrsmuj+Smw==", "dev": true }, "to-fast-properties": { @@ -17057,12 +17095,12 @@ "dev": true }, "strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" } }, "which": { @@ -17081,15 +17119,6 @@ "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz", "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==" }, - "tsutils": { - "version": "3.21.0", - "resolved": "https://registry.npmjs.org/tsutils/-/tsutils-3.21.0.tgz", - "integrity": "sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==", - "dev": true, - "requires": { - "tslib": "^1.8.1" - } - }, "tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", @@ -17409,12 +17438,12 @@ "dev": true }, "strip-ansi": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz", - "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==", + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": { - "ansi-regex": "^5.0.0" + "ansi-regex": "^5.0.1" } } } @@ -17445,9 +17474,9 @@ } }, "ws": { - "version": "7.5.3", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.3.tgz", - "integrity": "sha512-kQ/dHIzuLrS6Je9+uv81ueZomEwH0qVYstcAQ4/Z93K8zeko9gtAbttJWzoC5ukqXY1PpoouV3+VSOqEAFt5wg==", + "version": "7.5.5", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.5.tgz", + "integrity": "sha512-BAkMFcAzl8as1G/hArkxOxq3G7pjUqQ3gzYbLL0/5zNkph70e+lCoxBGnm6AW1+/aiNeV4fnKqZ8m4GZewmH2w==", "dev": true, "requires": {} }, diff --git a/package.json b/package.json index 1db4ce6..f7028f4 100644 --- a/package.json +++ b/package.json @@ -36,11 +36,11 @@ "homepage": "https://github.com/snyk-tech-services/snyk-prevent-gh-commit-status#readme", "dependencies": { "@snyk/configstore": "^3.2.0-rc1", - "axios": "^0.21.1", + "axios": "^0.21.3", "debug": "^4.1.1", "lodash": "^4.17.21", "snyk-config": "^3.0.0", - "snyk-delta": "^1.4.9", + "snyk-delta": "^1.5.4", "source-map-support": "^0.5.16", "tslib": "^1.10.0" }, diff --git a/test/fixtures/SNYK-JS-ACORN-559469-issue-paths.json b/test/fixtures/SNYK-JS-ACORN-559469-issue-paths.json new file mode 100644 index 0000000..27d480d --- /dev/null +++ b/test/fixtures/SNYK-JS-ACORN-559469-issue-paths.json @@ -0,0 +1,17 @@ +{ + "snapshotId": "5f37beeb-031a-45ec-8319-f32cd0cb3854", + "paths": [ + [ + { + "name": "@snyk/nodejs-runtime-agent", + "version": "1.14.0", + "fixVersion": "1.14.0" + }, + { "name": "acorn", "version": "5.7.3" } + ] + ], + "total": 1, + "links": { + "last": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/issue/SNYK-JS-ACORN-559469/paths?page=1&snapshotId=5f37beeb-031a-45ec-8319-f32cd0cb3854" + } +} diff --git a/test/fixtures/SNYK-JS-DOTPROP-543489-issue-paths-page1.json b/test/fixtures/SNYK-JS-DOTPROP-543489-issue-paths-page1.json new file mode 100644 index 0000000..065af5a --- /dev/null +++ b/test/fixtures/SNYK-JS-DOTPROP-543489-issue-paths-page1.json @@ -0,0 +1,20 @@ +{ + "snapshotId": "5f37beeb-031a-45ec-8319-f32cd0cb3854", + "paths": [ + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ] + ], + "total": 2, + "links": { + "last": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/issue/SNYK-JS-DOTPROP-543489/paths?page=2&perPage=1&snapshotId=5f37beeb-031a-45ec-8319-f32cd0cb3854" + } +} diff --git a/test/fixtures/SNYK-JS-DOTPROP-543489-issue-paths-page2.json b/test/fixtures/SNYK-JS-DOTPROP-543489-issue-paths-page2.json new file mode 100644 index 0000000..00760dc --- /dev/null +++ b/test/fixtures/SNYK-JS-DOTPROP-543489-issue-paths-page2.json @@ -0,0 +1,610 @@ +{ + "snapshotId": "5f37beeb-031a-45ec-8319-f32cd0cb3854", + "paths": [ + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ], + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.228.3" }, + { "name": "update-notifier", "version": "2.5.0" }, + { "name": "configstore", "version": "3.1.2" }, + { "name": "dot-prop", "version": "4.2.0" } + ] + ], + "total": 102, + "links": { + "next": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/issue/SNYK-JS-DOTPROP-543489/paths?page=1&perPage=1&snapshotId=5f37beeb-031a-45ec-8319-f32cd0cb3854", + "last": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/issue/SNYK-JS-DOTPROP-543489/paths?page=2&perPage=1&snapshotId=5f37beeb-031a-45ec-8319-f32cd0cb3854" + } +} diff --git a/test/fixtures/SNYK-JS-PACRESOLVER-1564857-issue-paths.json b/test/fixtures/SNYK-JS-PACRESOLVER-1564857-issue-paths.json new file mode 100644 index 0000000..9a28e6d --- /dev/null +++ b/test/fixtures/SNYK-JS-PACRESOLVER-1564857-issue-paths.json @@ -0,0 +1,15 @@ +{ + "snapshotId": "5f37beeb-031a-45ec-8319-f32cd0cb3854", + "paths": [ + [ + { "name": "snyk", "version": "1.228.3", "fixVersion": "1.230.7" }, + { "name": "proxy-agent", "version": "3.1.0" }, + { "name": "pac-proxy-agent", "version": "3.0.0" }, + { "name": "pac-resolver", "version": "3.0.0" } + ] + ], + "total": 1, + "links": { + "last": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/issue/SNYK-JS-PACRESOLVER-1564857/paths?page=1&snapshotId=5f37beeb-031a-45ec-8319-f32cd0cb3854" + } +} diff --git a/test/fixtures/api-response/test-goof-aggregated-one-license.json b/test/fixtures/api-response/test-goof-aggregated-one-license.json new file mode 100644 index 0000000..43bab88 --- /dev/null +++ b/test/fixtures/api-response/test-goof-aggregated-one-license.json @@ -0,0 +1,38 @@ +{ + "issues": [ + { + "id": "snyk:lic:npm:goof:GPL-2.0", + "issueType": "license", + "pkgName": "goof", + "pkgVersions": ["0.0.3"], + "priorityScore": 500, + "priority": { + "score": 500, + "factors": [{ "name": "severity", "description": "High severity" }] + }, + "issueData": { + "id": "snyk:lic:npm:goof:GPL-2.0", + "title": "GPL-2.0 license", + "severity": "high", + "url": "https://snyk.io/vuln/snyk:lic:npm:goof:GPL-2.0", + "exploitMaturity": "no-data", + "semver": { "vulnerable": [">=0"] }, + "publicationTime": "2021-07-02T00:14:22.812Z", + "language": "js", + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": false, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "" + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/snyk:lic:npm:goof:GPL-2.0/paths" + } + } + ] +} diff --git a/test/fixtures/api-response/test-goof-aggregated-one-vuln-one-license.json b/test/fixtures/api-response/test-goof-aggregated-one-vuln-one-license.json new file mode 100644 index 0000000..da9e4cd --- /dev/null +++ b/test/fixtures/api-response/test-goof-aggregated-one-vuln-one-license.json @@ -0,0 +1,86 @@ +{ + "issues": [ + { + "id": "SNYK-JS-ACORN-559469", + "issueType": "vuln", + "pkgName": "acorn", + "pkgVersions": ["5.7.3"], + "priorityScore": 375, + "priority": { + "score": 375, + "factors": [{ "name": "cvssScore", "description": "CVSS 7.5" }] + }, + "issueData": { + "id": "SNYK-JS-ACORN-559469", + "title": "Regular Expression Denial of Service (ReDoS)", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": ["CWE-400"], + "NSP": ["1488"], + "GHSA": ["GHSA-6chw-6frg-f759"] + }, + "credit": ["Peter van der Zee"], + "exploitMaturity": "no-known-exploit", + "semver": { + "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] + }, + "publicationTime": "2020-03-07T00:19:23Z", + "disclosureTime": "2020-03-02T19:21:25Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssScore": 7.5, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["5.7.4", "6.4.1", "7.1.1"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-ACORN-559469/paths" + } + }, + { + "id": "snyk:lic:npm:goof:GPL-2.0", + "issueType": "license", + "pkgName": "goof", + "pkgVersions": ["0.0.3"], + "priorityScore": 500, + "priority": { + "score": 500, + "factors": [{ "name": "severity", "description": "High severity" }] + }, + "issueData": { + "id": "snyk:lic:npm:goof:GPL-2.0", + "title": "GPL-2.0 license", + "severity": "high", + "url": "https://snyk.io/vuln/snyk:lic:npm:goof:GPL-2.0", + "exploitMaturity": "no-data", + "semver": { "vulnerable": [">=0"] }, + "publicationTime": "2021-07-02T00:14:22.812Z", + "language": "js", + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": false, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "" + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/snyk:lic:npm:goof:GPL-2.0/paths" + } + } + ] +} diff --git a/test/fixtures/api-response/test-goof-aggregated-one-vuln.json b/test/fixtures/api-response/test-goof-aggregated-one-vuln.json new file mode 100644 index 0000000..ab2d585 --- /dev/null +++ b/test/fixtures/api-response/test-goof-aggregated-one-vuln.json @@ -0,0 +1,52 @@ +{ + "issues": [ + { + "id": "SNYK-JS-ACORN-559469", + "issueType": "vuln", + "pkgName": "acorn", + "pkgVersions": ["5.7.3"], + "priorityScore": 375, + "priority": { + "score": 375, + "factors": [{ "name": "cvssScore", "description": "CVSS 7.5" }] + }, + "issueData": { + "id": "SNYK-JS-ACORN-559469", + "title": "Regular Expression Denial of Service (ReDoS)", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": ["CWE-400"], + "NSP": ["1488"], + "GHSA": ["GHSA-6chw-6frg-f759"] + }, + "credit": ["Peter van der Zee"], + "exploitMaturity": "no-known-exploit", + "semver": { + "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] + }, + "publicationTime": "2020-03-07T00:19:23Z", + "disclosureTime": "2020-03-02T19:21:25Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssScore": 7.5, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["5.7.4", "6.4.1", "7.1.1"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-ACORN-559469/paths" + } + } + ] +} diff --git a/test/fixtures/api-test-goof-aggregated.json b/test/fixtures/api-test-goof-aggregated.json new file mode 100644 index 0000000..7ed130d --- /dev/null +++ b/test/fixtures/api-test-goof-aggregated.json @@ -0,0 +1,1278 @@ +{ + "issues": [ + { + "id": "SNYK-JS-PACRESOLVER-1564857", + "issueType": "vuln", + "pkgName": "pac-resolver", + "pkgVersions": ["3.0.0"], + "priorityScore": 798, + "priority": { + "score": 798, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "isFresh", "description": "Recently disclosed" }, + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 8.1" } + ] + }, + "issueData": { + "id": "SNYK-JS-PACRESOLVER-1564857", + "title": "Remote Code Execution (RCE)", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857", + "identifiers": { "CVE": ["CVE-2021-23406"], "CWE": ["CWE-94"] }, + "credit": ["Tim Perry"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<5.0.0"] }, + "publicationTime": "2021-08-22T13:26:31.060241Z", + "disclosureTime": "2021-05-30T13:37:37Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "cvssScore": 8.1, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["5.0.0"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-PACRESOLVER-1564857/paths" + } + }, + { + "id": "SNYK-JS-NETMASK-1089716", + "issueType": "vuln", + "pkgName": "netmask", + "pkgVersions": ["1.0.6"], + "priorityScore": 706, + "priority": { + "score": 706, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 7.7" } + ] + }, + "issueData": { + "id": "SNYK-JS-NETMASK-1089716", + "title": "Server-side Request Forgery (SSRF)", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-NETMASK-1089716", + "identifiers": { + "CVE": ["CVE-2021-28918", "CVE-2021-29418"], + "CWE": ["CWE-20", "CWE-918"], + "GHSA": ["GHSA-pch5-whg9-qr2r"] + }, + "credit": ["Unknown"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<2.0.1"] }, + "publicationTime": "2021-03-30T14:57:04Z", + "disclosureTime": "2021-03-29T21:32:05Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L/E:P", + "cvssScore": 7.7, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["2.0.1"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-NETMASK-1089716/paths" + } + }, + { + "id": "SNYK-JS-EXPRESSFILEUPLOAD-595969", + "issueType": "vuln", + "pkgName": "express-fileupload", + "pkgVersions": ["0.0.5"], + "priorityScore": 696, + "priority": { + "score": 696, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 7.5" } + ] + }, + "issueData": { + "id": "SNYK-JS-EXPRESSFILEUPLOAD-595969", + "title": "Prototype Pollution", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSFILEUPLOAD-595969", + "identifiers": { + "CVE": ["CVE-2020-7699"], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-9wcg-jrwf-8gg7"] + }, + "credit": ["po6ix"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<1.1.10"] }, + "publicationTime": "2020-07-30T15:28:18Z", + "disclosureTime": "2020-07-29T15:08:59Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", + "cvssScore": 7.5, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["1.1.10"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-EXPRESSFILEUPLOAD-595969/paths" + } + }, + { + "id": "SNYK-JS-TREEKILL-536781", + "issueType": "vuln", + "pkgName": "tree-kill", + "pkgVersions": ["1.2.1"], + "priorityScore": 671, + "priority": { + "score": 671, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 7" } + ] + }, + "issueData": { + "id": "SNYK-JS-TREEKILL-536781", + "title": "Command Injection", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-TREEKILL-536781", + "identifiers": { + "CVE": ["CVE-2019-15598", "CVE-2019-15599"], + "CWE": ["CWE-78"], + "NSP": ["1432", "1433"] + }, + "credit": ["mik317"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<1.2.2"] }, + "publicationTime": "2019-12-05T10:51:40Z", + "disclosureTime": "2019-12-04T19:54:11Z", + "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "cvssScore": 7, + "language": "js", + "patches": [ + { + "id": "patch:SNYK-JS-TREEKILL-536781:0", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/tree-kill/20191210/tree-kill_0_0_20191210_e5d66d1fbd4b392294512d4644ac22bdc888573c.patch" + ], + "version": ">=1.0.0", + "comments": [], + "modificationTime": "2019-12-11T11:57:51.268946Z" + } + ], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": true, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["1.2.2"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-TREEKILL-536781/paths" + } + }, + { + "id": "SNYK-JS-LODASH-567746", + "issueType": "vuln", + "pkgName": "lodash", + "pkgVersions": ["4.17.15"], + "priorityScore": 636, + "priority": { + "score": 636, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 6.3" } + ] + }, + "issueData": { + "id": "SNYK-JS-LODASH-567746", + "title": "Prototype Pollution", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-LODASH-567746", + "identifiers": { + "CVE": ["CVE-2020-8203"], + "CWE": ["CWE-400"], + "NSP": ["1523"], + "GHSA": ["GHSA-p6mc-m468-83gw"] + }, + "credit": ["posix"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<4.17.16"] }, + "publicationTime": "2020-04-28T14:59:14Z", + "disclosureTime": "2020-04-27T22:14:18Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C", + "cvssScore": 6.3, + "language": "js", + "patches": [ + { + "id": "patch:SNYK-JS-LODASH-567746:0", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/lodash/20200430/lodash_0_0_20200430_6baae67d501e4c45021280876d42efe351e77551.patch" + ], + "version": ">=4.14.2", + "comments": [], + "modificationTime": "2020-04-30T14:28:46.729327Z" + } + ], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": true, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["4.17.16"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-LODASH-567746/paths" + } + }, + { + "id": "SNYK-JS-HTTPSPROXYAGENT-469131", + "issueType": "vuln", + "pkgName": "https-proxy-agent", + "pkgVersions": ["2.2.2"], + "priorityScore": 626, + "priority": { + "score": 626, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 6.1" } + ] + }, + "issueData": { + "id": "SNYK-JS-HTTPSPROXYAGENT-469131", + "title": "Man-in-the-Middle (MitM)", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131", + "identifiers": { "CVE": [], "CWE": ["CWE-300"], "NSP": ["1184"] }, + "credit": ["Kris Adler"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<2.2.3"] }, + "publicationTime": "2019-10-02T08:08:11Z", + "disclosureTime": "2019-09-25T08:21:57Z", + "CVSSv3": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", + "cvssScore": 6.1, + "language": "js", + "patches": [ + { + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" + ], + "version": "=2.2.1", + "comments": [], + "modificationTime": "2019-12-03T11:40:45.721480Z" + }, + { + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" + ], + "version": "=2.2.2", + "comments": [], + "modificationTime": "2019-12-03T11:40:45.723464Z" + } + ], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": true, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["2.2.3"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-HTTPSPROXYAGENT-469131/paths" + } + }, + { + "id": "SNYK-JS-UNDERSCORE-1080984", + "issueType": "vuln", + "pkgName": "underscore", + "pkgVersions": ["1.9.1"], + "priorityScore": 596, + "priority": { + "score": 596, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 5.5" } + ] + }, + "issueData": { + "id": "SNYK-JS-UNDERSCORE-1080984", + "title": "Arbitrary Code Injection", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", + "identifiers": { + "CVE": ["CVE-2021-23358"], + "CWE": ["CWE-94"], + "GHSA": ["GHSA-cf4h-3jhx-xvhq"] + }, + "credit": ["Alessio Della Libera (@d3lla)"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": [">=1.13.0-0 <1.13.0-2", ">=1.3.2 <1.12.1"] }, + "publicationTime": "2021-03-29T14:54:59Z", + "disclosureTime": "2021-03-02T19:51:03Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L/E:P/RL:O/RC:C", + "cvssScore": 5.5, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["1.13.0-2", "1.12.1"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-UNDERSCORE-1080984/paths" + } + }, + { + "id": "SNYK-JS-EXPRESSFILEUPLOAD-473997", + "issueType": "vuln", + "pkgName": "express-fileupload", + "pkgVersions": ["0.0.5"], + "priorityScore": 589, + "priority": { + "score": 589, + "factors": [ + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 7.5" } + ] + }, + "issueData": { + "id": "SNYK-JS-EXPRESSFILEUPLOAD-473997", + "title": "Denial of Service (DoS)", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSFILEUPLOAD-473997", + "identifiers": { + "CVE": [], + "CWE": ["CWE-400"], + "NSP": ["1216"], + "GHSA": ["GHSA-q3w9-g74q-vp5f"] + }, + "credit": ["Roman Burunkov"], + "exploitMaturity": "no-known-exploit", + "semver": { "vulnerable": ["<1.1.6-alpha.6"] }, + "publicationTime": "2019-10-22T15:08:40Z", + "disclosureTime": "2019-10-18T11:17:09Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssScore": 7.5, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["1.1.6-alpha.6"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-EXPRESSFILEUPLOAD-473997/paths" + } + }, + { + "id": "SNYK-JS-EJS-1049328", + "issueType": "vuln", + "pkgName": "ejs", + "pkgVersions": ["2.5.5", "0.8.8"], + "priorityScore": 526, + "priority": { + "score": 526, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "isFixable", "description": "Has a fix available" }, + { "name": "cvssScore", "description": "CVSS 4.1" } + ] + }, + "issueData": { + "id": "SNYK-JS-EJS-1049328", + "title": "Arbitrary Code Injection", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-EJS-1049328", + "identifiers": { "CVE": [], "CWE": ["CWE-94"] }, + "credit": ["fangzequn"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<3.1.6"] }, + "publicationTime": "2021-01-20T16:41:56Z", + "disclosureTime": "2020-12-09T11:56:29Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C", + "cvssScore": 4.1, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": true, + "nearestFixedInVersion": "", + "fixedIn": ["3.1.6"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-EJS-1049328/paths" + } + }, + { + "id": "snyk:lic:npm:goof:GPL-2.0", + "issueType": "license", + "pkgName": "goof", + "pkgVersions": ["0.0.3"], + "priorityScore": 500, + "priority": { + "score": 500, + "factors": [{ "name": "severity", "description": "High severity" }] + }, + "issueData": { + "id": "snyk:lic:npm:goof:GPL-2.0", + "title": "GPL-2.0 license", + "severity": "high", + "url": "https://snyk.io/vuln/snyk:lic:npm:goof:GPL-2.0", + "exploitMaturity": "no-data", + "semver": { "vulnerable": [">=0"] }, + "publicationTime": "2021-07-02T00:14:22.812Z", + "language": "js", + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": false, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "" + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/snyk:lic:npm:goof:GPL-2.0/paths" + } + }, + { + "id": "SNYK-JS-BL-608877", + "issueType": "vuln", + "pkgName": "bl", + "pkgVersions": ["1.2.2"], + "priorityScore": 492, + "priority": { + "score": 492, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 7.7" } + ] + }, + "issueData": { + "id": "SNYK-JS-BL-608877", + "title": "Remote Memory Exposure", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-BL-608877", + "identifiers": { + "CVE": ["CVE-2020-8244"], + "CWE": ["CWE-9"], + "NSP": ["1555"], + "GHSA": ["GHSA-pp7h-53gx-mx7r"] + }, + "credit": ["chalker"], + "exploitMaturity": "proof-of-concept", + "semver": { + "vulnerable": [ + ">=2.2.0 <2.2.1", + ">=3.0.0 <3.0.1", + ">=4.0.0 <4.0.3", + "<1.2.3" + ] + }, + "publicationTime": "2020-08-28T12:18:48Z", + "disclosureTime": "2020-08-27T15:16:42Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/E:P", + "cvssScore": 7.7, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["2.2.1", "3.0.1", "4.0.3", "1.2.3"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-BL-608877/paths" + } + }, + { + "id": "SNYK-JS-LODASH-590103", + "issueType": "vuln", + "pkgName": "lodash", + "pkgVersions": ["4.17.15"], + "priorityScore": 490, + "priority": { + "score": 490, + "factors": [{ "name": "cvssScore", "description": "CVSS 9.8" }] + }, + "issueData": { + "id": "SNYK-JS-LODASH-590103", + "title": "Prototype Pollution", + "severity": "critical", + "url": "https://snyk.io/vuln/SNYK-JS-LODASH-590103", + "identifiers": { "CVE": [], "CWE": ["CWE-400"] }, + "credit": ["reeser"], + "exploitMaturity": "no-known-exploit", + "semver": { "vulnerable": ["<4.17.20"] }, + "publicationTime": "2020-08-16T13:09:06Z", + "disclosureTime": "2020-07-24T12:00:52Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssScore": 9.8, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["4.17.20"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-LODASH-590103/paths" + } + }, + { + "id": "SNYK-JS-Y18N-1021887", + "issueType": "vuln", + "pkgName": "y18n", + "pkgVersions": ["3.2.1"], + "priorityScore": 472, + "priority": { + "score": 472, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 7.3" } + ] + }, + "issueData": { + "id": "SNYK-JS-Y18N-1021887", + "title": "Prototype Pollution", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "identifiers": { + "CVE": ["CVE-2020-7774"], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-c4w7-xm78-47vh"] + }, + "credit": ["po6ix"], + "exploitMaturity": "proof-of-concept", + "semver": { + "vulnerable": ["<3.2.2", ">=4.0.0 <4.0.1", ">=5.0.0 <5.0.5"] + }, + "publicationTime": "2020-11-10T15:27:28Z", + "disclosureTime": "2020-10-25T14:24:22Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", + "cvssScore": 7.3, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["3.2.2", "4.0.1", "5.0.5"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-Y18N-1021887/paths" + } + }, + { + "id": "SNYK-JS-LODASH-608086", + "issueType": "vuln", + "pkgName": "lodash", + "pkgVersions": ["4.17.15"], + "priorityScore": 472, + "priority": { + "score": 472, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 7.3" } + ] + }, + "issueData": { + "id": "SNYK-JS-LODASH-608086", + "title": "Prototype Pollution", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-LODASH-608086", + "identifiers": { "CVE": [], "CWE": ["CWE-400"] }, + "credit": ["awarau"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<4.17.17"] }, + "publicationTime": "2020-08-21T12:53:03Z", + "disclosureTime": "2020-08-21T10:34:29Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "cvssScore": 7.3, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["4.17.17"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-LODASH-608086/paths" + } + }, + { + "id": "SNYK-JS-INI-1048974", + "issueType": "vuln", + "pkgName": "ini", + "pkgVersions": ["1.3.5"], + "priorityScore": 472, + "priority": { + "score": 472, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 7.3" } + ] + }, + "issueData": { + "id": "SNYK-JS-INI-1048974", + "title": "Prototype Pollution", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974", + "identifiers": { + "CVE": ["CVE-2020-7788"], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-qqgx-2p2h-9c37"] + }, + "credit": [ + "Eugene Lim", + "Government Technology Agency Cyber Security Group" + ], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<1.3.6"] }, + "publicationTime": "2020-12-10T18:08:38Z", + "disclosureTime": "2020-12-08T13:02:04Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", + "cvssScore": 7.3, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["1.3.6"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-INI-1048974/paths" + } + }, + { + "id": "SNYK-JS-LODASH-1040724", + "issueType": "vuln", + "pkgName": "lodash", + "pkgVersions": ["4.17.15"], + "priorityScore": 467, + "priority": { + "score": 467, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 7.2" } + ] + }, + "issueData": { + "id": "SNYK-JS-LODASH-1040724", + "title": "Command Injection", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "identifiers": { + "CVE": ["CVE-2021-23337"], + "CWE": ["CWE-78"], + "GHSA": ["GHSA-35jh-r3h4-6jhm"] + }, + "credit": ["Marc Hassan"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<4.17.21"] }, + "publicationTime": "2021-02-15T11:50:50Z", + "disclosureTime": "2020-11-17T13:02:10Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "cvssScore": 7.2, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["4.17.21"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-LODASH-1040724/paths" + } + }, + { + "id": "SNYK-JS-DOTPROP-543489", + "issueType": "vuln", + "pkgName": "dot-prop", + "pkgVersions": ["4.2.0"], + "priorityScore": 422, + "priority": { + "score": 422, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 6.3" } + ] + }, + "issueData": { + "id": "SNYK-JS-DOTPROP-543489", + "title": "Prototype Pollution", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-DOTPROP-543489", + "identifiers": { + "CVE": ["CVE-2020-8116"], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-ff7x-qrg7-qggm"] + }, + "credit": ["aaron_costello"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": [">1.0.1 <4.2.1", ">=5.0.0 <5.1.1"] }, + "publicationTime": "2020-01-28T16:23:39Z", + "disclosureTime": "2020-01-28T10:17:51Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "cvssScore": 6.3, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["4.2.1", "5.1.1"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-DOTPROP-543489/paths" + } + }, + { + "id": "npm:ejs:20161128", + "issueType": "vuln", + "pkgName": "ejs", + "pkgVersions": ["0.8.8"], + "priorityScore": 405, + "priority": { + "score": 405, + "factors": [{ "name": "cvssScore", "description": "CVSS 8.1" }] + }, + "issueData": { + "id": "npm:ejs:20161128", + "title": "Arbitrary Code Execution", + "severity": "high", + "url": "https://snyk.io/vuln/npm:ejs:20161128", + "identifiers": { + "CVE": ["CVE-2017-1000228"], + "CWE": ["CWE-94"], + "ALTERNATIVE": ["SNYK-JS-EJS-10218"] + }, + "credit": ["Snyk Security Research Team"], + "exploitMaturity": "no-known-exploit", + "semver": { "vulnerable": ["<2.5.3"] }, + "publicationTime": "2016-11-28T18:44:12Z", + "disclosureTime": "2016-11-27T22:00:00Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssScore": 8.1, + "language": "js", + "patches": [ + { + "id": "patch:npm:ejs:20161128:0", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4", + "comments": [], + "modificationTime": "2019-12-03T11:40:45.851976Z" + } + ], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": false, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["2.5.3"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/npm:ejs:20161128/paths" + } + }, + { + "id": "SNYK-JS-MINIMIST-559764", + "issueType": "vuln", + "pkgName": "minimist", + "pkgVersions": ["0.0.8", "1.2.0"], + "priorityScore": 387, + "priority": { + "score": 387, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 5.6" } + ] + }, + "issueData": { + "id": "SNYK-JS-MINIMIST-559764", + "title": "Prototype Pollution", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": ["CVE-2020-7598"], + "CWE": ["CWE-400"], + "NSP": ["1179"], + "GHSA": ["GHSA-vh95-rmgr-6w4m"] + }, + "credit": ["Snyk Security Team"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] }, + "publicationTime": "2020-03-11T08:22:19Z", + "disclosureTime": "2020-03-10T08:22:24Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "cvssScore": 5.6, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["0.2.1", "1.2.3"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-MINIMIST-559764/paths" + } + }, + { + "id": "SNYK-JS-ACORN-559469", + "issueType": "vuln", + "pkgName": "acorn", + "pkgVersions": ["5.7.3"], + "priorityScore": 375, + "priority": { + "score": 375, + "factors": [{ "name": "cvssScore", "description": "CVSS 7.5" }] + }, + "issueData": { + "id": "SNYK-JS-ACORN-559469", + "title": "Regular Expression Denial of Service (ReDoS)", + "severity": "high", + "url": "https://snyk.io/vuln/SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": ["CWE-400"], + "NSP": ["1488"], + "GHSA": ["GHSA-6chw-6frg-f759"] + }, + "credit": ["Peter van der Zee"], + "exploitMaturity": "no-known-exploit", + "semver": { + "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] + }, + "publicationTime": "2020-03-07T00:19:23Z", + "disclosureTime": "2020-03-02T19:21:25Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssScore": 7.5, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["5.7.4", "6.4.1", "7.1.1"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-ACORN-559469/paths" + } + }, + { + "id": "SNYK-JS-LODASH-1018905", + "issueType": "vuln", + "pkgName": "lodash", + "pkgVersions": ["4.17.15"], + "priorityScore": 372, + "priority": { + "score": 372, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 5.3" } + ] + }, + "issueData": { + "id": "SNYK-JS-LODASH-1018905", + "title": "Regular Expression Denial of Service (ReDoS)", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "identifiers": { "CVE": ["CVE-2020-28500"], "CWE": ["CWE-400"] }, + "credit": ["Liyuan Chen"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<4.17.21"] }, + "publicationTime": "2021-02-15T11:50:49Z", + "disclosureTime": "2020-10-16T16:47:34Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P", + "cvssScore": 5.3, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["4.17.21"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-LODASH-1018905/paths" + } + }, + { + "id": "SNYK-JS-JSZIP-1251497", + "issueType": "vuln", + "pkgName": "jszip", + "pkgVersions": ["3.2.2"], + "priorityScore": 372, + "priority": { + "score": 372, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 5.3" } + ] + }, + "issueData": { + "id": "SNYK-JS-JSZIP-1251497", + "title": "Denial of Service (DoS)", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-JSZIP-1251497", + "identifiers": { "CVE": ["CVE-2021-23413"], "CWE": ["CWE-400"] }, + "credit": ["Dave Holoway"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": ["<3.7.0"] }, + "publicationTime": "2021-07-25T14:10:32Z", + "disclosureTime": "2021-04-18T13:04:52Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P", + "cvssScore": 5.3, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["3.7.0"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-JSZIP-1251497/paths" + } + }, + { + "id": "SNYK-JS-HOSTEDGITINFO-1088355", + "issueType": "vuln", + "pkgName": "hosted-git-info", + "pkgVersions": ["2.8.4"], + "priorityScore": 372, + "priority": { + "score": 372, + "factors": [ + { + "name": "exploitMaturity", + "description": "Proof of Concept exploit" + }, + { "name": "cvssScore", "description": "CVSS 5.3" } + ] + }, + "issueData": { + "id": "SNYK-JS-HOSTEDGITINFO-1088355", + "title": "Regular Expression Denial of Service (ReDoS)", + "severity": "medium", + "url": "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355", + "identifiers": { + "CVE": ["CVE-2021-23362"], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-43f8-2h32-f4cj"] + }, + "credit": ["Yeting Li"], + "exploitMaturity": "proof-of-concept", + "semver": { "vulnerable": [">=3.0.0 <3.0.8", "<2.8.9"] }, + "publicationTime": "2021-03-23T17:13:24Z", + "disclosureTime": "2020-11-28T00:00:00Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", + "cvssScore": 5.3, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": true, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["3.0.8", "2.8.9"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/SNYK-JS-HOSTEDGITINFO-1088355/paths" + } + }, + { + "id": "npm:ejs:20161130-1", + "issueType": "vuln", + "pkgName": "ejs", + "pkgVersions": ["0.8.8"], + "priorityScore": 295, + "priority": { + "score": 295, + "factors": [{ "name": "cvssScore", "description": "CVSS 5.9" }] + }, + "issueData": { + "id": "npm:ejs:20161130-1", + "title": "Denial of Service (DoS)", + "severity": "medium", + "url": "https://snyk.io/vuln/npm:ejs:20161130-1", + "identifiers": { + "CVE": ["CVE-2017-1000189"], + "CWE": ["CWE-400"], + "ALTERNATIVE": ["SNYK-JS-EJS-10226"] + }, + "credit": ["Snyk Security Research Team"], + "exploitMaturity": "no-known-exploit", + "semver": { "vulnerable": ["<2.5.5"] }, + "publicationTime": "2016-12-06T15:00:00Z", + "disclosureTime": "2016-11-27T22:00:00Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssScore": 5.9, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": false, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["2.5.5"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/npm:ejs:20161130-1/paths" + } + }, + { + "id": "npm:ejs:20161130", + "issueType": "vuln", + "pkgName": "ejs", + "pkgVersions": ["0.8.8"], + "priorityScore": 295, + "priority": { + "score": 295, + "factors": [{ "name": "cvssScore", "description": "CVSS 5.9" }] + }, + "issueData": { + "id": "npm:ejs:20161130", + "title": "Cross-site Scripting (XSS)", + "severity": "medium", + "url": "https://snyk.io/vuln/npm:ejs:20161130", + "identifiers": { + "CVE": ["CVE-2017-1000188"], + "CWE": ["CWE-79"], + "ALTERNATIVE": ["SNYK-JS-EJS-10225"] + }, + "credit": ["Snyk Security Research Team"], + "exploitMaturity": "no-known-exploit", + "semver": { "vulnerable": ["<2.5.5"] }, + "publicationTime": "2016-12-06T15:00:00Z", + "disclosureTime": "2016-11-27T22:00:00Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "cvssScore": 5.9, + "language": "js", + "patches": [], + "nearestFixedInVersion": "" + }, + "isPatched": false, + "isIgnored": false, + "fixInfo": { + "isUpgradable": false, + "isPinnable": false, + "isPatchable": false, + "isPartiallyFixable": false, + "nearestFixedInVersion": "", + "fixedIn": ["2.5.5"] + }, + "links": { + "paths": "https://app.snyk.io/api/v1/org/f6999a85-c519-4ee7-ae55-3269b9bfa4b6/project/9d64b8a9-883e-42f9-abd3-66b274b66a4c/history/1c2130c4-82a5-4130-9632-fcbf204a8267/issue/npm:ejs:20161130/paths" + } + } + ] +} diff --git a/test/fixtures/apitest-gomod-aggregated.json b/test/fixtures/apitest-gomod-aggregated.json new file mode 100644 index 0000000..b6793db --- /dev/null +++ b/test/fixtures/apitest-gomod-aggregated.json @@ -0,0 +1,4 @@ +{ + "issues": [ + ] + } \ No newline at end of file diff --git a/test/fixtures/goof-depgraph-from-api.json b/test/fixtures/goof-depgraph-from-api.json new file mode 100644 index 0000000..b51ec46 --- /dev/null +++ b/test/fixtures/goof-depgraph-from-api.json @@ -0,0 +1,9268 @@ +{ + "depGraph": { + "schemaVersion": "1.2.0", + "pkgManager": { + "name": "npm" + }, + "pkgs": [ + { + "id": "goof@0.0.3", + "info": { + "name": "goof", + "version": "0.0.3" + } + }, + { + "id": "acorn@5.7.3", + "info": { + "name": "acorn", + "version": "5.7.3" + } + }, + { + "id": "ms@2.1.1", + "info": { + "name": "ms", + "version": "2.1.1" + } + }, + { + "id": "debug@4.1.0", + "info": { + "name": "debug", + "version": "4.1.0" + } + }, + { + "id": "ms@2.0.0", + "info": { + "name": "ms", + "version": "2.0.0" + } + }, + { + "id": "debug@2.6.9", + "info": { + "name": "debug", + "version": "2.6.9" + } + }, + { + "id": "safer-buffer@2.1.2", + "info": { + "name": "safer-buffer", + "version": "2.1.2" + } + }, + { + "id": "iconv-lite@0.4.24", + "info": { + "name": "iconv-lite", + "version": "0.4.24" + } + }, + { + "id": "sax@1.2.4", + "info": { + "name": "sax", + "version": "1.2.4" + } + }, + { + "id": "needle@2.2.4", + "info": { + "name": "needle", + "version": "2.2.4" + } + }, + { + "id": "semver@5.6.0", + "info": { + "name": "semver", + "version": "5.6.0" + } + }, + { + "id": "@snyk/nodejs-runtime-agent@1.14.0", + "info": { + "name": "@snyk/nodejs-runtime-agent", + "version": "1.14.0" + } + }, + { + "id": "sprintf-js@1.0.3", + "info": { + "name": "sprintf-js", + "version": "1.0.3" + } + }, + { + "id": "argparse@1.0.10", + "info": { + "name": "argparse", + "version": "1.0.10" + } + }, + { + "id": "esprima@4.0.1", + "info": { + "name": "esprima", + "version": "4.0.1" + } + }, + { + "id": "js-yaml@3.13.1", + "info": { + "name": "js-yaml", + "version": "3.13.1" + } + }, + { + "id": "ports@1.1.0", + "info": { + "name": "ports", + "version": "1.1.0" + } + }, + { + "id": "underscore@1.9.1", + "info": { + "name": "underscore", + "version": "1.9.1" + } + }, + { + "id": "cfenv@1.2.1", + "info": { + "name": "cfenv", + "version": "1.2.1" + } + }, + { + "id": "bluebird@3.5.3", + "info": { + "name": "bluebird", + "version": "3.5.3" + } + }, + { + "id": "consolidate@0.14.5", + "info": { + "name": "consolidate", + "version": "0.14.5" + } + }, + { + "id": "cookie@0.1.2", + "info": { + "name": "cookie", + "version": "0.1.2" + } + }, + { + "id": "cookie-signature@1.0.5", + "info": { + "name": "cookie-signature", + "version": "1.0.5" + } + }, + { + "id": "cookie-parser@1.3.3", + "info": { + "name": "cookie-parser", + "version": "1.3.3" + } + }, + { + "id": "dustjs-helpers@1.5.0", + "info": { + "name": "dustjs-helpers", + "version": "1.5.0" + } + }, + { + "id": "ejs@2.5.5", + "info": { + "name": "ejs", + "version": "2.5.5" + } + }, + { + "id": "ejs@0.8.8", + "info": { + "name": "ejs", + "version": "0.8.8" + } + }, + { + "id": "ejs-locals@1.0.2", + "info": { + "name": "ejs-locals", + "version": "1.0.2" + } + }, + { + "id": "mime-db@1.40.0", + "info": { + "name": "mime-db", + "version": "1.40.0" + } + }, + { + "id": "mime-types@2.1.24", + "info": { + "name": "mime-types", + "version": "2.1.24" + } + }, + { + "id": "negotiator@0.6.2", + "info": { + "name": "negotiator", + "version": "0.6.2" + } + }, + { + "id": "accepts@1.3.7", + "info": { + "name": "accepts", + "version": "1.3.7" + } + }, + { + "id": "array-flatten@1.1.1", + "info": { + "name": "array-flatten", + "version": "1.1.1" + } + }, + { + "id": "bytes@3.0.0", + "info": { + "name": "bytes", + "version": "3.0.0" + } + }, + { + "id": "content-type@1.0.4", + "info": { + "name": "content-type", + "version": "1.0.4" + } + }, + { + "id": "depd@1.1.2", + "info": { + "name": "depd", + "version": "1.1.2" + } + }, + { + "id": "inherits@2.0.3", + "info": { + "name": "inherits", + "version": "2.0.3" + } + }, + { + "id": "setprototypeof@1.1.0", + "info": { + "name": "setprototypeof", + "version": "1.1.0" + } + }, + { + "id": "statuses@1.5.0", + "info": { + "name": "statuses", + "version": "1.5.0" + } + }, + { + "id": "http-errors@1.6.3", + "info": { + "name": "http-errors", + "version": "1.6.3" + } + }, + { + "id": "iconv-lite@0.4.19", + "info": { + "name": "iconv-lite", + "version": "0.4.19" + } + }, + { + "id": "ee-first@1.1.1", + "info": { + "name": "ee-first", + "version": "1.1.1" + } + }, + { + "id": "on-finished@2.3.0", + "info": { + "name": "on-finished", + "version": "2.3.0" + } + }, + { + "id": "qs@6.5.1", + "info": { + "name": "qs", + "version": "6.5.1" + } + }, + { + "id": "depd@1.1.1", + "info": { + "name": "depd", + "version": "1.1.1" + } + }, + { + "id": "setprototypeof@1.0.3", + "info": { + "name": "setprototypeof", + "version": "1.0.3" + } + }, + { + "id": "statuses@1.3.1", + "info": { + "name": "statuses", + "version": "1.3.1" + } + }, + { + "id": "http-errors@1.6.2", + "info": { + "name": "http-errors", + "version": "1.6.2" + } + }, + { + "id": "unpipe@1.0.0", + "info": { + "name": "unpipe", + "version": "1.0.0" + } + }, + { + "id": "raw-body@2.3.2", + "info": { + "name": "raw-body", + "version": "2.3.2" + } + }, + { + "id": "media-typer@0.3.0", + "info": { + "name": "media-typer", + "version": "0.3.0" + } + }, + { + "id": "type-is@1.6.18", + "info": { + "name": "type-is", + "version": "1.6.18" + } + }, + { + "id": "body-parser@1.18.2", + "info": { + "name": "body-parser", + "version": "1.18.2" + } + }, + { + "id": "content-disposition@0.5.2", + "info": { + "name": "content-disposition", + "version": "0.5.2" + } + }, + { + "id": "cookie@0.3.1", + "info": { + "name": "cookie", + "version": "0.3.1" + } + }, + { + "id": "cookie-signature@1.0.6", + "info": { + "name": "cookie-signature", + "version": "1.0.6" + } + }, + { + "id": "encodeurl@1.0.2", + "info": { + "name": "encodeurl", + "version": "1.0.2" + } + }, + { + "id": "escape-html@1.0.3", + "info": { + "name": "escape-html", + "version": "1.0.3" + } + }, + { + "id": "etag@1.8.1", + "info": { + "name": "etag", + "version": "1.8.1" + } + }, + { + "id": "parseurl@1.3.2", + "info": { + "name": "parseurl", + "version": "1.3.2" + } + }, + { + "id": "finalhandler@1.1.0", + "info": { + "name": "finalhandler", + "version": "1.1.0" + } + }, + { + "id": "fresh@0.5.2", + "info": { + "name": "fresh", + "version": "0.5.2" + } + }, + { + "id": "merge-descriptors@1.0.1", + "info": { + "name": "merge-descriptors", + "version": "1.0.1" + } + }, + { + "id": "methods@1.1.2", + "info": { + "name": "methods", + "version": "1.1.2" + } + }, + { + "id": "path-to-regexp@0.1.7", + "info": { + "name": "path-to-regexp", + "version": "0.1.7" + } + }, + { + "id": "forwarded@0.1.2", + "info": { + "name": "forwarded", + "version": "0.1.2" + } + }, + { + "id": "ipaddr.js@1.9.0", + "info": { + "name": "ipaddr.js", + "version": "1.9.0" + } + }, + { + "id": "proxy-addr@2.0.5", + "info": { + "name": "proxy-addr", + "version": "2.0.5" + } + }, + { + "id": "range-parser@1.2.1", + "info": { + "name": "range-parser", + "version": "1.2.1" + } + }, + { + "id": "safe-buffer@5.1.1", + "info": { + "name": "safe-buffer", + "version": "5.1.1" + } + }, + { + "id": "destroy@1.0.4", + "info": { + "name": "destroy", + "version": "1.0.4" + } + }, + { + "id": "mime@1.4.1", + "info": { + "name": "mime", + "version": "1.4.1" + } + }, + { + "id": "send@0.16.0", + "info": { + "name": "send", + "version": "0.16.0" + } + }, + { + "id": "serve-static@1.13.0", + "info": { + "name": "serve-static", + "version": "1.13.0" + } + }, + { + "id": "utils-merge@1.0.1", + "info": { + "name": "utils-merge", + "version": "1.0.1" + } + }, + { + "id": "vary@1.1.2", + "info": { + "name": "vary", + "version": "1.1.2" + } + }, + { + "id": "express@4.16.0", + "info": { + "name": "express", + "version": "4.16.0" + } + }, + { + "id": "core-util-is@1.0.2", + "info": { + "name": "core-util-is", + "version": "1.0.2" + } + }, + { + "id": "isarray@0.0.1", + "info": { + "name": "isarray", + "version": "0.0.1" + } + }, + { + "id": "string_decoder@0.10.31", + "info": { + "name": "string_decoder", + "version": "0.10.31" + } + }, + { + "id": "readable-stream@1.1.14", + "info": { + "name": "readable-stream", + "version": "1.1.14" + } + }, + { + "id": "streamsearch@0.1.2", + "info": { + "name": "streamsearch", + "version": "0.1.2" + } + }, + { + "id": "dicer@0.2.5", + "info": { + "name": "dicer", + "version": "0.2.5" + } + }, + { + "id": "busboy@0.2.14", + "info": { + "name": "busboy", + "version": "0.2.14" + } + }, + { + "id": "connect-busboy@0.0.2", + "info": { + "name": "connect-busboy", + "version": "0.0.2" + } + }, + { + "id": "graceful-fs@4.1.15", + "info": { + "name": "graceful-fs", + "version": "4.1.15" + } + }, + { + "id": "jsonfile@2.4.0", + "info": { + "name": "jsonfile", + "version": "2.4.0" + } + }, + { + "id": "fs.realpath@1.0.0", + "info": { + "name": "fs.realpath", + "version": "1.0.0" + } + }, + { + "id": "wrappy@1.0.2", + "info": { + "name": "wrappy", + "version": "1.0.2" + } + }, + { + "id": "once@1.4.0", + "info": { + "name": "once", + "version": "1.4.0" + } + }, + { + "id": "inflight@1.0.6", + "info": { + "name": "inflight", + "version": "1.0.6" + } + }, + { + "id": "balanced-match@1.0.0", + "info": { + "name": "balanced-match", + "version": "1.0.0" + } + }, + { + "id": "concat-map@0.0.1", + "info": { + "name": "concat-map", + "version": "0.0.1" + } + }, + { + "id": "brace-expansion@1.1.11", + "info": { + "name": "brace-expansion", + "version": "1.1.11" + } + }, + { + "id": "minimatch@3.0.4", + "info": { + "name": "minimatch", + "version": "3.0.4" + } + }, + { + "id": "path-is-absolute@1.0.1", + "info": { + "name": "path-is-absolute", + "version": "1.0.1" + } + }, + { + "id": "glob@7.1.3", + "info": { + "name": "glob", + "version": "7.1.3" + } + }, + { + "id": "rimraf@2.6.2", + "info": { + "name": "rimraf", + "version": "2.6.2" + } + }, + { + "id": "fs-extra@0.22.1", + "info": { + "name": "fs-extra", + "version": "0.22.1" + } + }, + { + "id": "streamifier@0.1.1", + "info": { + "name": "streamifier", + "version": "0.1.1" + } + }, + { + "id": "express-fileupload@0.0.5", + "info": { + "name": "express-fileupload", + "version": "0.0.5" + } + }, + { + "id": "ms@0.6.2", + "info": { + "name": "ms", + "version": "0.6.2" + } + }, + { + "id": "humanize-ms@1.0.1", + "info": { + "name": "humanize-ms", + "version": "1.0.1" + } + }, + { + "id": "debug@3.1.0", + "info": { + "name": "debug", + "version": "3.1.0" + } + }, + { + "id": "method-override@3.0.0", + "info": { + "name": "method-override", + "version": "3.0.0" + } + }, + { + "id": "moment@2.19.3", + "info": { + "name": "moment", + "version": "2.19.3" + } + }, + { + "id": "safe-buffer@5.1.2", + "info": { + "name": "safe-buffer", + "version": "5.1.2" + } + }, + { + "id": "basic-auth@2.0.1", + "info": { + "name": "basic-auth", + "version": "2.0.1" + } + }, + { + "id": "on-headers@1.0.1", + "info": { + "name": "on-headers", + "version": "1.0.1" + } + }, + { + "id": "morgan@1.9.1", + "info": { + "name": "morgan", + "version": "1.9.1" + } + }, + { + "id": "ini@1.3.5", + "info": { + "name": "ini", + "version": "1.3.5" + } + }, + { + "id": "proto-list@1.2.4", + "info": { + "name": "proto-list", + "version": "1.2.4" + } + }, + { + "id": "config-chain@1.1.12", + "info": { + "name": "config-chain", + "version": "1.1.12" + } + }, + { + "id": "minimist@0.0.8", + "info": { + "name": "minimist", + "version": "0.0.8" + } + }, + { + "id": "mkdirp@0.5.1", + "info": { + "name": "mkdirp", + "version": "0.5.1" + } + }, + { + "id": "abbrev@1.1.1", + "info": { + "name": "abbrev", + "version": "1.1.1" + } + }, + { + "id": "nopt@3.0.6", + "info": { + "name": "nopt", + "version": "3.0.6" + } + }, + { + "id": "once@1.3.3", + "info": { + "name": "once", + "version": "1.3.3" + } + }, + { + "id": "os-homedir@1.0.2", + "info": { + "name": "os-homedir", + "version": "1.0.2" + } + }, + { + "id": "os-tmpdir@1.0.2", + "info": { + "name": "os-tmpdir", + "version": "1.0.2" + } + }, + { + "id": "osenv@0.1.5", + "info": { + "name": "osenv", + "version": "0.1.5" + } + }, + { + "id": "semver@4.3.6", + "info": { + "name": "semver", + "version": "4.3.6" + } + }, + { + "id": "uid-number@0.0.5", + "info": { + "name": "uid-number", + "version": "0.0.5" + } + }, + { + "id": "npmconf@2.1.3", + "info": { + "name": "npmconf", + "version": "2.1.3" + } + }, + { + "id": "optional@0.1.4", + "info": { + "name": "optional", + "version": "0.1.4" + } + }, + { + "id": "lodash@4.17.15", + "info": { + "name": "lodash", + "version": "4.17.15" + } + }, + { + "id": "graphlib@2.1.7", + "info": { + "name": "graphlib", + "version": "2.1.7" + } + }, + { + "id": "object-hash@1.3.1", + "info": { + "name": "object-hash", + "version": "1.3.1" + } + }, + { + "id": "semver@6.3.0", + "info": { + "name": "semver", + "version": "6.3.0" + } + }, + { + "id": "buffer-from@1.1.1", + "info": { + "name": "buffer-from", + "version": "1.1.1" + } + }, + { + "id": "source-map@0.6.1", + "info": { + "name": "source-map", + "version": "0.6.1" + } + }, + { + "id": "source-map-support@0.5.13", + "info": { + "name": "source-map-support", + "version": "0.5.13" + } + }, + { + "id": "tslib@1.10.0", + "info": { + "name": "tslib", + "version": "1.10.0" + } + }, + { + "id": "@snyk/dep-graph@1.12.0", + "info": { + "name": "@snyk/dep-graph", + "version": "1.12.0" + } + }, + { + "id": "@snyk/gemfile@1.2.0", + "info": { + "name": "@snyk/gemfile", + "version": "1.2.0" + } + }, + { + "id": "@types/events@3.0.0", + "info": { + "name": "@types/events", + "version": "3.0.0" + } + }, + { + "id": "@types/node@12.7.5", + "info": { + "name": "@types/node", + "version": "12.7.5" + } + }, + { + "id": "@types/agent-base@4.2.0", + "info": { + "name": "@types/agent-base", + "version": "4.2.0" + } + }, + { + "id": "@types/bunyan@1.8.6", + "info": { + "name": "@types/bunyan", + "version": "1.8.6" + } + }, + { + "id": "@types/restify@4.3.6", + "info": { + "name": "@types/restify", + "version": "4.3.6" + } + }, + { + "id": "ansi-escapes@3.2.0", + "info": { + "name": "ansi-escapes", + "version": "3.2.0" + } + }, + { + "id": "color-name@1.1.3", + "info": { + "name": "color-name", + "version": "1.1.3" + } + }, + { + "id": "color-convert@1.9.3", + "info": { + "name": "color-convert", + "version": "1.9.3" + } + }, + { + "id": "ansi-styles@3.2.1", + "info": { + "name": "ansi-styles", + "version": "3.2.1" + } + }, + { + "id": "escape-string-regexp@1.0.5", + "info": { + "name": "escape-string-regexp", + "version": "1.0.5" + } + }, + { + "id": "has-flag@3.0.0", + "info": { + "name": "has-flag", + "version": "3.0.0" + } + }, + { + "id": "supports-color@5.5.0", + "info": { + "name": "supports-color", + "version": "5.5.0" + } + }, + { + "id": "chalk@2.4.2", + "info": { + "name": "chalk", + "version": "2.4.2" + } + }, + { + "id": "is-obj@1.0.1", + "info": { + "name": "is-obj", + "version": "1.0.1" + } + }, + { + "id": "dot-prop@4.2.0", + "info": { + "name": "dot-prop", + "version": "4.2.0" + } + }, + { + "id": "pify@3.0.0", + "info": { + "name": "pify", + "version": "3.0.0" + } + }, + { + "id": "make-dir@1.3.0", + "info": { + "name": "make-dir", + "version": "1.3.0" + } + }, + { + "id": "crypto-random-string@1.0.0", + "info": { + "name": "crypto-random-string", + "version": "1.0.0" + } + }, + { + "id": "unique-string@1.0.0", + "info": { + "name": "unique-string", + "version": "1.0.0" + } + }, + { + "id": "imurmurhash@0.1.4", + "info": { + "name": "imurmurhash", + "version": "0.1.4" + } + }, + { + "id": "signal-exit@3.0.2", + "info": { + "name": "signal-exit", + "version": "3.0.2" + } + }, + { + "id": "write-file-atomic@2.4.3", + "info": { + "name": "write-file-atomic", + "version": "2.4.3" + } + }, + { + "id": "xdg-basedir@3.0.0", + "info": { + "name": "xdg-basedir", + "version": "3.0.0" + } + }, + { + "id": "configstore@3.1.2", + "info": { + "name": "configstore", + "version": "3.1.2" + } + }, + { + "id": "ms@2.1.2", + "info": { + "name": "ms", + "version": "2.1.2" + } + }, + { + "id": "debug@3.2.6", + "info": { + "name": "debug", + "version": "3.2.6" + } + }, + { + "id": "diff@4.0.1", + "info": { + "name": "diff", + "version": "4.0.1" + } + }, + { + "id": "protocols@1.4.7", + "info": { + "name": "protocols", + "version": "1.4.7" + } + }, + { + "id": "is-ssh@1.3.1", + "info": { + "name": "is-ssh", + "version": "1.3.1" + } + }, + { + "id": "normalize-url@3.3.0", + "info": { + "name": "normalize-url", + "version": "3.3.0" + } + }, + { + "id": "parse-path@4.0.1", + "info": { + "name": "parse-path", + "version": "4.0.1" + } + }, + { + "id": "parse-url@5.0.1", + "info": { + "name": "parse-url", + "version": "5.0.1" + } + }, + { + "id": "git-up@4.0.1", + "info": { + "name": "git-up", + "version": "4.0.1" + } + }, + { + "id": "git-url-parse@11.1.2", + "info": { + "name": "git-url-parse", + "version": "11.1.2" + } + }, + { + "id": "mimic-fn@1.2.0", + "info": { + "name": "mimic-fn", + "version": "1.2.0" + } + }, + { + "id": "onetime@2.0.1", + "info": { + "name": "onetime", + "version": "2.0.1" + } + }, + { + "id": "restore-cursor@2.0.0", + "info": { + "name": "restore-cursor", + "version": "2.0.0" + } + }, + { + "id": "cli-cursor@2.1.0", + "info": { + "name": "cli-cursor", + "version": "2.1.0" + } + }, + { + "id": "cli-width@2.2.0", + "info": { + "name": "cli-width", + "version": "2.2.0" + } + }, + { + "id": "chardet@0.7.0", + "info": { + "name": "chardet", + "version": "0.7.0" + } + }, + { + "id": "tmp@0.0.33", + "info": { + "name": "tmp", + "version": "0.0.33" + } + }, + { + "id": "external-editor@3.1.0", + "info": { + "name": "external-editor", + "version": "3.1.0" + } + }, + { + "id": "figures@2.0.0", + "info": { + "name": "figures", + "version": "2.0.0" + } + }, + { + "id": "mute-stream@0.0.7", + "info": { + "name": "mute-stream", + "version": "0.0.7" + } + }, + { + "id": "is-promise@2.1.0", + "info": { + "name": "is-promise", + "version": "2.1.0" + } + }, + { + "id": "run-async@2.3.0", + "info": { + "name": "run-async", + "version": "2.3.0" + } + }, + { + "id": "rxjs@6.5.3", + "info": { + "name": "rxjs", + "version": "6.5.3" + } + }, + { + "id": "is-fullwidth-code-point@2.0.0", + "info": { + "name": "is-fullwidth-code-point", + "version": "2.0.0" + } + }, + { + "id": "ansi-regex@3.0.0", + "info": { + "name": "ansi-regex", + "version": "3.0.0" + } + }, + { + "id": "strip-ansi@4.0.0", + "info": { + "name": "strip-ansi", + "version": "4.0.0" + } + }, + { + "id": "string-width@2.1.1", + "info": { + "name": "string-width", + "version": "2.1.1" + } + }, + { + "id": "ansi-regex@4.1.0", + "info": { + "name": "ansi-regex", + "version": "4.1.0" + } + }, + { + "id": "strip-ansi@5.2.0", + "info": { + "name": "strip-ansi", + "version": "5.2.0" + } + }, + { + "id": "through@2.3.8", + "info": { + "name": "through", + "version": "2.3.8" + } + }, + { + "id": "inquirer@6.5.2", + "info": { + "name": "inquirer", + "version": "6.5.2" + } + }, + { + "id": "is-wsl@1.1.0", + "info": { + "name": "is-wsl", + "version": "1.1.0" + } + }, + { + "id": "opn@5.5.0", + "info": { + "name": "opn", + "version": "5.5.0" + } + }, + { + "id": "macos-release@2.3.0", + "info": { + "name": "macos-release", + "version": "2.3.0" + } + }, + { + "id": "nice-try@1.0.5", + "info": { + "name": "nice-try", + "version": "1.0.5" + } + }, + { + "id": "path-key@2.0.1", + "info": { + "name": "path-key", + "version": "2.0.1" + } + }, + { + "id": "shebang-regex@1.0.0", + "info": { + "name": "shebang-regex", + "version": "1.0.0" + } + }, + { + "id": "shebang-command@1.2.0", + "info": { + "name": "shebang-command", + "version": "1.2.0" + } + }, + { + "id": "isexe@2.0.0", + "info": { + "name": "isexe", + "version": "2.0.0" + } + }, + { + "id": "which@1.3.1", + "info": { + "name": "which", + "version": "1.3.1" + } + }, + { + "id": "cross-spawn@6.0.5", + "info": { + "name": "cross-spawn", + "version": "6.0.5" + } + }, + { + "id": "end-of-stream@1.4.2", + "info": { + "name": "end-of-stream", + "version": "1.4.2" + } + }, + { + "id": "pump@3.0.0", + "info": { + "name": "pump", + "version": "3.0.0" + } + }, + { + "id": "get-stream@4.1.0", + "info": { + "name": "get-stream", + "version": "4.1.0" + } + }, + { + "id": "is-stream@1.1.0", + "info": { + "name": "is-stream", + "version": "1.1.0" + } + }, + { + "id": "npm-run-path@2.0.2", + "info": { + "name": "npm-run-path", + "version": "2.0.2" + } + }, + { + "id": "p-finally@1.0.0", + "info": { + "name": "p-finally", + "version": "1.0.0" + } + }, + { + "id": "strip-eof@1.0.0", + "info": { + "name": "strip-eof", + "version": "1.0.0" + } + }, + { + "id": "execa@1.0.0", + "info": { + "name": "execa", + "version": "1.0.0" + } + }, + { + "id": "windows-release@3.2.0", + "info": { + "name": "windows-release", + "version": "3.2.0" + } + }, + { + "id": "os-name@3.1.0", + "info": { + "name": "os-name", + "version": "3.1.0" + } + }, + { + "id": "es6-promise@4.2.8", + "info": { + "name": "es6-promise", + "version": "4.2.8" + } + }, + { + "id": "es6-promisify@5.0.0", + "info": { + "name": "es6-promisify", + "version": "5.0.0" + } + }, + { + "id": "agent-base@4.3.0", + "info": { + "name": "agent-base", + "version": "4.3.0" + } + }, + { + "id": "http-proxy-agent@2.1.0", + "info": { + "name": "http-proxy-agent", + "version": "2.1.0" + } + }, + { + "id": "https-proxy-agent@2.2.2", + "info": { + "name": "https-proxy-agent", + "version": "2.2.2" + } + }, + { + "id": "pseudomap@1.0.2", + "info": { + "name": "pseudomap", + "version": "1.0.2" + } + }, + { + "id": "yallist@2.1.2", + "info": { + "name": "yallist", + "version": "2.1.2" + } + }, + { + "id": "lru-cache@4.1.5", + "info": { + "name": "lru-cache", + "version": "4.1.5" + } + }, + { + "id": "@types/node@8.10.54", + "info": { + "name": "@types/node", + "version": "8.10.54" + } + }, + { + "id": "data-uri-to-buffer@2.0.1", + "info": { + "name": "data-uri-to-buffer", + "version": "2.0.1" + } + }, + { + "id": "extend@3.0.2", + "info": { + "name": "extend", + "version": "3.0.2" + } + }, + { + "id": "file-uri-to-path@1.0.0", + "info": { + "name": "file-uri-to-path", + "version": "1.0.0" + } + }, + { + "id": "xregexp@2.0.0", + "info": { + "name": "xregexp", + "version": "2.0.0" + } + }, + { + "id": "ftp@0.3.10", + "info": { + "name": "ftp", + "version": "0.3.10" + } + }, + { + "id": "safe-buffer@5.2.0", + "info": { + "name": "safe-buffer", + "version": "5.2.0" + } + }, + { + "id": "string_decoder@1.3.0", + "info": { + "name": "string_decoder", + "version": "1.3.0" + } + }, + { + "id": "util-deprecate@1.0.2", + "info": { + "name": "util-deprecate", + "version": "1.0.2" + } + }, + { + "id": "readable-stream@3.4.0", + "info": { + "name": "readable-stream", + "version": "3.4.0" + } + }, + { + "id": "get-uri@2.0.3", + "info": { + "name": "get-uri", + "version": "2.0.3" + } + }, + { + "id": "co@4.6.0", + "info": { + "name": "co", + "version": "4.6.0" + } + }, + { + "id": "ast-types@0.13.2", + "info": { + "name": "ast-types", + "version": "0.13.2" + } + }, + { + "id": "esprima@3.1.3", + "info": { + "name": "esprima", + "version": "3.1.3" + } + }, + { + "id": "estraverse@4.3.0", + "info": { + "name": "estraverse", + "version": "4.3.0" + } + }, + { + "id": "esutils@2.0.3", + "info": { + "name": "esutils", + "version": "2.0.3" + } + }, + { + "id": "deep-is@0.1.3", + "info": { + "name": "deep-is", + "version": "0.1.3" + } + }, + { + "id": "fast-levenshtein@2.0.6", + "info": { + "name": "fast-levenshtein", + "version": "2.0.6" + } + }, + { + "id": "prelude-ls@1.1.2", + "info": { + "name": "prelude-ls", + "version": "1.1.2" + } + }, + { + "id": "type-check@0.3.2", + "info": { + "name": "type-check", + "version": "0.3.2" + } + }, + { + "id": "levn@0.3.0", + "info": { + "name": "levn", + "version": "0.3.0" + } + }, + { + "id": "wordwrap@1.0.0", + "info": { + "name": "wordwrap", + "version": "1.0.0" + } + }, + { + "id": "optionator@0.8.2", + "info": { + "name": "optionator", + "version": "0.8.2" + } + }, + { + "id": "escodegen@1.12.0", + "info": { + "name": "escodegen", + "version": "1.12.0" + } + }, + { + "id": "degenerator@1.0.4", + "info": { + "name": "degenerator", + "version": "1.0.4" + } + }, + { + "id": "ip@1.1.5", + "info": { + "name": "ip", + "version": "1.1.5" + } + }, + { + "id": "netmask@1.0.6", + "info": { + "name": "netmask", + "version": "1.0.6" + } + }, + { + "id": "thunkify@2.1.2", + "info": { + "name": "thunkify", + "version": "2.1.2" + } + }, + { + "id": "pac-resolver@3.0.0", + "info": { + "name": "pac-resolver", + "version": "3.0.0" + } + }, + { + "id": "bytes@3.1.0", + "info": { + "name": "bytes", + "version": "3.1.0" + } + }, + { + "id": "inherits@2.0.4", + "info": { + "name": "inherits", + "version": "2.0.4" + } + }, + { + "id": "setprototypeof@1.1.1", + "info": { + "name": "setprototypeof", + "version": "1.1.1" + } + }, + { + "id": "toidentifier@1.0.0", + "info": { + "name": "toidentifier", + "version": "1.0.0" + } + }, + { + "id": "http-errors@1.7.3", + "info": { + "name": "http-errors", + "version": "1.7.3" + } + }, + { + "id": "raw-body@2.4.1", + "info": { + "name": "raw-body", + "version": "2.4.1" + } + }, + { + "id": "agent-base@4.2.1", + "info": { + "name": "agent-base", + "version": "4.2.1" + } + }, + { + "id": "smart-buffer@4.0.2", + "info": { + "name": "smart-buffer", + "version": "4.0.2" + } + }, + { + "id": "socks@2.3.2", + "info": { + "name": "socks", + "version": "2.3.2" + } + }, + { + "id": "socks-proxy-agent@4.0.2", + "info": { + "name": "socks-proxy-agent", + "version": "4.0.2" + } + }, + { + "id": "pac-proxy-agent@3.0.0", + "info": { + "name": "pac-proxy-agent", + "version": "3.0.0" + } + }, + { + "id": "proxy-from-env@1.0.0", + "info": { + "name": "proxy-from-env", + "version": "1.0.0" + } + }, + { + "id": "proxy-agent@3.1.0", + "info": { + "name": "proxy-agent", + "version": "3.1.0" + } + }, + { + "id": "async@1.5.2", + "info": { + "name": "async", + "version": "1.5.2" + } + }, + { + "id": "secure-keys@1.0.0", + "info": { + "name": "secure-keys", + "version": "1.0.0" + } + }, + { + "id": "camelcase@2.1.1", + "info": { + "name": "camelcase", + "version": "2.1.1" + } + }, + { + "id": "code-point-at@1.1.0", + "info": { + "name": "code-point-at", + "version": "1.1.0" + } + }, + { + "id": "number-is-nan@1.0.1", + "info": { + "name": "number-is-nan", + "version": "1.0.1" + } + }, + { + "id": "is-fullwidth-code-point@1.0.0", + "info": { + "name": "is-fullwidth-code-point", + "version": "1.0.0" + } + }, + { + "id": "ansi-regex@2.1.1", + "info": { + "name": "ansi-regex", + "version": "2.1.1" + } + }, + { + "id": "strip-ansi@3.0.1", + "info": { + "name": "strip-ansi", + "version": "3.0.1" + } + }, + { + "id": "string-width@1.0.2", + "info": { + "name": "string-width", + "version": "1.0.2" + } + }, + { + "id": "wrap-ansi@2.1.0", + "info": { + "name": "wrap-ansi", + "version": "2.1.0" + } + }, + { + "id": "cliui@3.2.0", + "info": { + "name": "cliui", + "version": "3.2.0" + } + }, + { + "id": "decamelize@1.2.0", + "info": { + "name": "decamelize", + "version": "1.2.0" + } + }, + { + "id": "invert-kv@1.0.0", + "info": { + "name": "invert-kv", + "version": "1.0.0" + } + }, + { + "id": "lcid@1.0.0", + "info": { + "name": "lcid", + "version": "1.0.0" + } + }, + { + "id": "os-locale@1.4.0", + "info": { + "name": "os-locale", + "version": "1.4.0" + } + }, + { + "id": "window-size@0.1.4", + "info": { + "name": "window-size", + "version": "0.1.4" + } + }, + { + "id": "y18n@3.2.1", + "info": { + "name": "y18n", + "version": "3.2.1" + } + }, + { + "id": "yargs@3.32.0", + "info": { + "name": "yargs", + "version": "3.32.0" + } + }, + { + "id": "nconf@0.10.0", + "info": { + "name": "nconf", + "version": "0.10.0" + } + }, + { + "id": "snyk-config@2.2.3", + "info": { + "name": "snyk-config", + "version": "2.2.3" + } + }, + { + "id": "debug@4.1.1", + "info": { + "name": "debug", + "version": "4.1.1" + } + }, + { + "id": "vscode-languageserver-types@3.14.0", + "info": { + "name": "vscode-languageserver-types", + "version": "3.14.0" + } + }, + { + "id": "dockerfile-ast@0.0.16", + "info": { + "name": "dockerfile-ast", + "version": "0.0.16" + } + }, + { + "id": "snyk-docker-plugin@1.29.1", + "info": { + "name": "snyk-docker-plugin", + "version": "1.29.1" + } + }, + { + "id": "toml@3.0.0", + "info": { + "name": "toml", + "version": "3.0.0" + } + }, + { + "id": "snyk-go-parser@1.3.1", + "info": { + "name": "snyk-go-parser", + "version": "1.3.1" + } + }, + { + "id": "snyk-go-plugin@1.11.0", + "info": { + "name": "snyk-go-plugin", + "version": "1.11.0" + } + }, + { + "id": "@snyk/cli-interface@2.1.0", + "info": { + "name": "@snyk/cli-interface", + "version": "2.1.0" + } + }, + { + "id": "@types/debug@4.1.5", + "info": { + "name": "@types/debug", + "version": "4.1.5" + } + }, + { + "id": "for-in@1.0.2", + "info": { + "name": "for-in", + "version": "1.0.2" + } + }, + { + "id": "for-own@1.0.0", + "info": { + "name": "for-own", + "version": "1.0.0" + } + }, + { + "id": "isobject@3.0.1", + "info": { + "name": "isobject", + "version": "3.0.1" + } + }, + { + "id": "is-plain-object@2.0.4", + "info": { + "name": "is-plain-object", + "version": "2.0.4" + } + }, + { + "id": "is-buffer@1.1.6", + "info": { + "name": "is-buffer", + "version": "1.1.6" + } + }, + { + "id": "kind-of@3.2.2", + "info": { + "name": "kind-of", + "version": "3.2.2" + } + }, + { + "id": "is-extendable@0.1.1", + "info": { + "name": "is-extendable", + "version": "0.1.1" + } + }, + { + "id": "kind-of@2.0.1", + "info": { + "name": "kind-of", + "version": "2.0.1" + } + }, + { + "id": "lazy-cache@0.2.7", + "info": { + "name": "lazy-cache", + "version": "0.2.7" + } + }, + { + "id": "for-in@0.1.8", + "info": { + "name": "for-in", + "version": "0.1.8" + } + }, + { + "id": "mixin-object@2.0.1", + "info": { + "name": "mixin-object", + "version": "2.0.1" + } + }, + { + "id": "shallow-clone@0.1.2", + "info": { + "name": "shallow-clone", + "version": "0.1.2" + } + }, + { + "id": "clone-deep@0.3.0", + "info": { + "name": "clone-deep", + "version": "0.3.0" + } + }, + { + "id": "snyk-gradle-plugin@3.1.0", + "info": { + "name": "snyk-gradle-plugin", + "version": "3.1.0" + } + }, + { + "id": "hosted-git-info@2.8.4", + "info": { + "name": "hosted-git-info", + "version": "2.8.4" + } + }, + { + "id": "snyk-module@1.9.1", + "info": { + "name": "snyk-module", + "version": "1.9.1" + } + }, + { + "id": "tslib@1.9.3", + "info": { + "name": "tslib", + "version": "1.9.3" + } + }, + { + "id": "snyk-mvn-plugin@2.4.0", + "info": { + "name": "snyk-mvn-plugin", + "version": "2.4.0" + } + }, + { + "id": "@yarnpkg/lockfile@1.1.0", + "info": { + "name": "@yarnpkg/lockfile", + "version": "1.1.0" + } + }, + { + "id": "uuid@3.3.3", + "info": { + "name": "uuid", + "version": "3.3.3" + } + }, + { + "id": "snyk-nodejs-lockfile-parser@1.16.0", + "info": { + "name": "snyk-nodejs-lockfile-parser", + "version": "1.16.0" + } + }, + { + "id": "@types/xml2js@0.4.3", + "info": { + "name": "@types/xml2js", + "version": "0.4.3" + } + }, + { + "id": "xmlbuilder@9.0.7", + "info": { + "name": "xmlbuilder", + "version": "9.0.7" + } + }, + { + "id": "xml2js@0.4.19", + "info": { + "name": "xml2js", + "version": "0.4.19" + } + }, + { + "id": "dotnet-deps-parser@4.5.0", + "info": { + "name": "dotnet-deps-parser", + "version": "4.5.0" + } + }, + { + "id": "immediate@3.0.6", + "info": { + "name": "immediate", + "version": "3.0.6" + } + }, + { + "id": "lie@3.3.0", + "info": { + "name": "lie", + "version": "3.3.0" + } + }, + { + "id": "pako@1.0.10", + "info": { + "name": "pako", + "version": "1.0.10" + } + }, + { + "id": "isarray@1.0.0", + "info": { + "name": "isarray", + "version": "1.0.0" + } + }, + { + "id": "process-nextick-args@2.0.0", + "info": { + "name": "process-nextick-args", + "version": "2.0.0" + } + }, + { + "id": "string_decoder@1.1.1", + "info": { + "name": "string_decoder", + "version": "1.1.1" + } + }, + { + "id": "readable-stream@2.3.6", + "info": { + "name": "readable-stream", + "version": "2.3.6" + } + }, + { + "id": "set-immediate-shim@1.0.1", + "info": { + "name": "set-immediate-shim", + "version": "1.0.1" + } + }, + { + "id": "jszip@3.2.2", + "info": { + "name": "jszip", + "version": "3.2.2" + } + }, + { + "id": "snyk-paket-parser@1.5.0", + "info": { + "name": "snyk-paket-parser", + "version": "1.5.0" + } + }, + { + "id": "object-keys@1.1.1", + "info": { + "name": "object-keys", + "version": "1.1.1" + } + }, + { + "id": "define-properties@1.1.3", + "info": { + "name": "define-properties", + "version": "1.1.3" + } + }, + { + "id": "is-callable@1.1.4", + "info": { + "name": "is-callable", + "version": "1.1.4" + } + }, + { + "id": "is-date-object@1.0.1", + "info": { + "name": "is-date-object", + "version": "1.0.1" + } + }, + { + "id": "has-symbols@1.0.0", + "info": { + "name": "has-symbols", + "version": "1.0.0" + } + }, + { + "id": "is-symbol@1.0.2", + "info": { + "name": "is-symbol", + "version": "1.0.2" + } + }, + { + "id": "es-to-primitive@1.2.0", + "info": { + "name": "es-to-primitive", + "version": "1.2.0" + } + }, + { + "id": "function-bind@1.1.1", + "info": { + "name": "function-bind", + "version": "1.1.1" + } + }, + { + "id": "has@1.0.3", + "info": { + "name": "has", + "version": "1.0.3" + } + }, + { + "id": "is-regex@1.0.4", + "info": { + "name": "is-regex", + "version": "1.0.4" + } + }, + { + "id": "object-inspect@1.6.0", + "info": { + "name": "object-inspect", + "version": "1.6.0" + } + }, + { + "id": "string.prototype.trimleft@2.1.0", + "info": { + "name": "string.prototype.trimleft", + "version": "2.1.0" + } + }, + { + "id": "string.prototype.trimright@2.1.0", + "info": { + "name": "string.prototype.trimright", + "version": "2.1.0" + } + }, + { + "id": "es-abstract@1.14.2", + "info": { + "name": "es-abstract", + "version": "1.14.2" + } + }, + { + "id": "object.getownpropertydescriptors@2.0.3", + "info": { + "name": "object.getownpropertydescriptors", + "version": "2.0.3" + } + }, + { + "id": "util.promisify@1.0.0", + "info": { + "name": "util.promisify", + "version": "1.0.0" + } + }, + { + "id": "xmlbuilder@11.0.1", + "info": { + "name": "xmlbuilder", + "version": "11.0.1" + } + }, + { + "id": "xml2js@0.4.22", + "info": { + "name": "xml2js", + "version": "0.4.22" + } + }, + { + "id": "snyk-nuget-plugin@1.12.1", + "info": { + "name": "snyk-nuget-plugin", + "version": "1.12.1" + } + }, + { + "id": "@snyk/composer-lockfile-parser@1.0.3", + "info": { + "name": "@snyk/composer-lockfile-parser", + "version": "1.0.3" + } + }, + { + "id": "snyk-php-plugin@1.6.4", + "info": { + "name": "snyk-php-plugin", + "version": "1.6.4" + } + }, + { + "id": "email-validator@2.0.4", + "info": { + "name": "email-validator", + "version": "2.0.4" + } + }, + { + "id": "lodash.clonedeep@4.5.0", + "info": { + "name": "lodash.clonedeep", + "version": "4.5.0" + } + }, + { + "id": "asap@2.0.6", + "info": { + "name": "asap", + "version": "2.0.6" + } + }, + { + "id": "promise@7.3.1", + "info": { + "name": "promise", + "version": "7.3.1" + } + }, + { + "id": "then-fs@2.0.0", + "info": { + "name": "then-fs", + "version": "2.0.0" + } + }, + { + "id": "snyk-resolve@1.0.1", + "info": { + "name": "snyk-resolve", + "version": "1.0.1" + } + }, + { + "id": "snyk-try-require@1.3.1", + "info": { + "name": "snyk-try-require", + "version": "1.3.1" + } + }, + { + "id": "snyk-policy@1.13.5", + "info": { + "name": "snyk-policy", + "version": "1.13.5" + } + }, + { + "id": "snyk-python-plugin@1.13.2", + "info": { + "name": "snyk-python-plugin", + "version": "1.13.2" + } + }, + { + "id": "@types/node@6.14.7", + "info": { + "name": "@types/node", + "version": "6.14.7" + } + }, + { + "id": "@types/semver@5.5.0", + "info": { + "name": "@types/semver", + "version": "5.5.0" + } + }, + { + "id": "ansicolors@0.3.2", + "info": { + "name": "ansicolors", + "version": "0.3.2" + } + }, + { + "id": "lodash.assign@4.2.0", + "info": { + "name": "lodash.assign", + "version": "4.2.0" + } + }, + { + "id": "lodash.assignin@4.2.0", + "info": { + "name": "lodash.assignin", + "version": "4.2.0" + } + }, + { + "id": "lodash.clone@4.5.0", + "info": { + "name": "lodash.clone", + "version": "4.5.0" + } + }, + { + "id": "lodash.flatten@4.4.0", + "info": { + "name": "lodash.flatten", + "version": "4.4.0" + } + }, + { + "id": "lodash.get@4.4.2", + "info": { + "name": "lodash.get", + "version": "4.4.2" + } + }, + { + "id": "lodash.set@4.3.2", + "info": { + "name": "lodash.set", + "version": "4.3.2" + } + }, + { + "id": "archy@1.0.0", + "info": { + "name": "archy", + "version": "1.0.0" + } + }, + { + "id": "snyk-tree@1.0.0", + "info": { + "name": "snyk-tree", + "version": "1.0.0" + } + }, + { + "id": "snyk-resolve-deps@4.4.0", + "info": { + "name": "snyk-resolve-deps", + "version": "4.4.0" + } + }, + { + "id": "rimraf@2.7.1", + "info": { + "name": "rimraf", + "version": "2.7.1" + } + }, + { + "id": "tmp@0.1.0", + "info": { + "name": "tmp", + "version": "0.1.0" + } + }, + { + "id": "tree-kill@1.2.1", + "info": { + "name": "tree-kill", + "version": "1.2.1" + } + }, + { + "id": "snyk-sbt-plugin@2.8.0", + "info": { + "name": "snyk-sbt-plugin", + "version": "2.8.0" + } + }, + { + "id": "temp-dir@1.0.0", + "info": { + "name": "temp-dir", + "version": "1.0.0" + } + }, + { + "id": "tempfile@2.0.0", + "info": { + "name": "tempfile", + "version": "2.0.0" + } + }, + { + "id": "ansi-align@2.0.0", + "info": { + "name": "ansi-align", + "version": "2.0.0" + } + }, + { + "id": "camelcase@4.1.0", + "info": { + "name": "camelcase", + "version": "4.1.0" + } + }, + { + "id": "cli-boxes@1.0.0", + "info": { + "name": "cli-boxes", + "version": "1.0.0" + } + }, + { + "id": "cross-spawn@5.1.0", + "info": { + "name": "cross-spawn", + "version": "5.1.0" + } + }, + { + "id": "get-stream@3.0.0", + "info": { + "name": "get-stream", + "version": "3.0.0" + } + }, + { + "id": "execa@0.7.0", + "info": { + "name": "execa", + "version": "0.7.0" + } + }, + { + "id": "term-size@1.2.0", + "info": { + "name": "term-size", + "version": "1.2.0" + } + }, + { + "id": "widest-line@2.0.1", + "info": { + "name": "widest-line", + "version": "2.0.1" + } + }, + { + "id": "boxen@1.3.0", + "info": { + "name": "boxen", + "version": "1.3.0" + } + }, + { + "id": "import-lazy@2.1.0", + "info": { + "name": "import-lazy", + "version": "2.1.0" + } + }, + { + "id": "ci-info@1.6.0", + "info": { + "name": "ci-info", + "version": "1.6.0" + } + }, + { + "id": "is-ci@1.2.1", + "info": { + "name": "is-ci", + "version": "1.2.1" + } + }, + { + "id": "global-dirs@0.1.1", + "info": { + "name": "global-dirs", + "version": "0.1.1" + } + }, + { + "id": "path-is-inside@1.0.2", + "info": { + "name": "path-is-inside", + "version": "1.0.2" + } + }, + { + "id": "is-path-inside@1.0.1", + "info": { + "name": "is-path-inside", + "version": "1.0.1" + } + }, + { + "id": "is-installed-globally@0.1.0", + "info": { + "name": "is-installed-globally", + "version": "0.1.0" + } + }, + { + "id": "is-npm@1.0.0", + "info": { + "name": "is-npm", + "version": "1.0.0" + } + }, + { + "id": "capture-stack-trace@1.0.1", + "info": { + "name": "capture-stack-trace", + "version": "1.0.1" + } + }, + { + "id": "create-error-class@3.0.2", + "info": { + "name": "create-error-class", + "version": "3.0.2" + } + }, + { + "id": "duplexer3@0.1.4", + "info": { + "name": "duplexer3", + "version": "0.1.4" + } + }, + { + "id": "is-redirect@1.0.0", + "info": { + "name": "is-redirect", + "version": "1.0.0" + } + }, + { + "id": "is-retry-allowed@1.2.0", + "info": { + "name": "is-retry-allowed", + "version": "1.2.0" + } + }, + { + "id": "lowercase-keys@1.0.1", + "info": { + "name": "lowercase-keys", + "version": "1.0.1" + } + }, + { + "id": "timed-out@4.0.1", + "info": { + "name": "timed-out", + "version": "4.0.1" + } + }, + { + "id": "unzip-response@2.0.1", + "info": { + "name": "unzip-response", + "version": "2.0.1" + } + }, + { + "id": "prepend-http@1.0.4", + "info": { + "name": "prepend-http", + "version": "1.0.4" + } + }, + { + "id": "url-parse-lax@1.0.0", + "info": { + "name": "url-parse-lax", + "version": "1.0.0" + } + }, + { + "id": "got@6.7.1", + "info": { + "name": "got", + "version": "6.7.1" + } + }, + { + "id": "deep-extend@0.6.0", + "info": { + "name": "deep-extend", + "version": "0.6.0" + } + }, + { + "id": "minimist@1.2.0", + "info": { + "name": "minimist", + "version": "1.2.0" + } + }, + { + "id": "strip-json-comments@2.0.1", + "info": { + "name": "strip-json-comments", + "version": "2.0.1" + } + }, + { + "id": "rc@1.2.8", + "info": { + "name": "rc", + "version": "1.2.8" + } + }, + { + "id": "registry-auth-token@3.4.0", + "info": { + "name": "registry-auth-token", + "version": "3.4.0" + } + }, + { + "id": "registry-url@3.1.0", + "info": { + "name": "registry-url", + "version": "3.1.0" + } + }, + { + "id": "package-json@4.0.1", + "info": { + "name": "package-json", + "version": "4.0.1" + } + }, + { + "id": "latest-version@3.1.0", + "info": { + "name": "latest-version", + "version": "3.1.0" + } + }, + { + "id": "semver-diff@2.1.0", + "info": { + "name": "semver-diff", + "version": "2.1.0" + } + }, + { + "id": "update-notifier@2.5.0", + "info": { + "name": "update-notifier", + "version": "2.5.0" + } + }, + { + "id": "emoji-regex@7.0.3", + "info": { + "name": "emoji-regex", + "version": "7.0.3" + } + }, + { + "id": "string-width@3.1.0", + "info": { + "name": "string-width", + "version": "3.1.0" + } + }, + { + "id": "wrap-ansi@5.1.0", + "info": { + "name": "wrap-ansi", + "version": "5.1.0" + } + }, + { + "id": "snyk@1.228.3", + "info": { + "name": "snyk", + "version": "1.228.3" + } + }, + { + "id": "async-cache@1.1.0", + "info": { + "name": "async-cache", + "version": "1.1.0" + } + }, + { + "id": "bl@1.2.2", + "info": { + "name": "bl", + "version": "1.2.2" + } + }, + { + "id": "fd@0.0.3", + "info": { + "name": "fd", + "version": "0.0.3" + } + }, + { + "id": "st@1.2.2", + "info": { + "name": "st", + "version": "1.2.2" + } + }, + { + "id": "stream-buffers@3.0.2", + "info": { + "name": "stream-buffers", + "version": "3.0.2" + } + } + ], + "graph": { + "rootNodeId": "root-node", + "nodes": [ + { + "nodeId": "root-node", + "pkgId": "goof@0.0.3", + "deps": [ + { + "nodeId": "@snyk/nodejs-runtime-agent@1.14.0" + }, + { + "nodeId": "cfenv@1.2.1" + }, + { + "nodeId": "consolidate@0.14.5" + }, + { + "nodeId": "cookie-parser@1.3.3" + }, + { + "nodeId": "dustjs-helpers@1.5.0" + }, + { + "nodeId": "ejs@2.5.5" + }, + { + "nodeId": "ejs-locals@1.0.2" + }, + { + "nodeId": "express@4.16.0" + }, + { + "nodeId": "express-fileupload@0.0.5" + }, + { + "nodeId": "humanize-ms@1.0.1" + }, + { + "nodeId": "method-override@3.0.0" + }, + { + "nodeId": "moment@2.19.3" + }, + { + "nodeId": "morgan@1.9.1" + }, + { + "nodeId": "ms@2.0.0" + }, + { + "nodeId": "npmconf@2.1.3" + }, + { + "nodeId": "optional@0.1.4" + }, + { + "nodeId": "snyk@1.228.3" + }, + { + "nodeId": "st@1.2.2" + }, + { + "nodeId": "stream-buffers@3.0.2" + } + ] + }, + { + "nodeId": "acorn@5.7.3", + "pkgId": "acorn@5.7.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ms@2.1.1", + "pkgId": "ms@2.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "debug@4.1.0", + "pkgId": "debug@4.1.0", + "deps": [ + { + "nodeId": "ms@2.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ms@2.0.0", + "pkgId": "ms@2.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "debug@2.6.9", + "pkgId": "debug@2.6.9", + "deps": [ + { + "nodeId": "ms@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "safer-buffer@2.1.2", + "pkgId": "safer-buffer@2.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "iconv-lite@0.4.24", + "pkgId": "iconv-lite@0.4.24", + "deps": [ + { + "nodeId": "safer-buffer@2.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "sax@1.2.4", + "pkgId": "sax@1.2.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "needle@2.2.4", + "pkgId": "needle@2.2.4", + "deps": [ + { + "nodeId": "debug@2.6.9" + }, + { + "nodeId": "iconv-lite@0.4.24" + }, + { + "nodeId": "sax@1.2.4" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "semver@5.6.0", + "pkgId": "semver@5.6.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@snyk/nodejs-runtime-agent@1.14.0", + "pkgId": "@snyk/nodejs-runtime-agent@1.14.0", + "deps": [ + { + "nodeId": "acorn@5.7.3" + }, + { + "nodeId": "debug@4.1.0" + }, + { + "nodeId": "needle@2.2.4" + }, + { + "nodeId": "semver@5.6.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "sprintf-js@1.0.3", + "pkgId": "sprintf-js@1.0.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "argparse@1.0.10", + "pkgId": "argparse@1.0.10", + "deps": [ + { + "nodeId": "sprintf-js@1.0.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "esprima@4.0.1", + "pkgId": "esprima@4.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "js-yaml@3.13.1", + "pkgId": "js-yaml@3.13.1", + "deps": [ + { + "nodeId": "argparse@1.0.10" + }, + { + "nodeId": "esprima@4.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ports@1.1.0", + "pkgId": "ports@1.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "underscore@1.9.1", + "pkgId": "underscore@1.9.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cfenv@1.2.1", + "pkgId": "cfenv@1.2.1", + "deps": [ + { + "nodeId": "js-yaml@3.13.1" + }, + { + "nodeId": "ports@1.1.0" + }, + { + "nodeId": "underscore@1.9.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "bluebird@3.5.3", + "pkgId": "bluebird@3.5.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "consolidate@0.14.5", + "pkgId": "consolidate@0.14.5", + "deps": [ + { + "nodeId": "bluebird@3.5.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cookie@0.1.2", + "pkgId": "cookie@0.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cookie-signature@1.0.5", + "pkgId": "cookie-signature@1.0.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cookie-parser@1.3.3", + "pkgId": "cookie-parser@1.3.3", + "deps": [ + { + "nodeId": "cookie@0.1.2" + }, + { + "nodeId": "cookie-signature@1.0.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "dustjs-helpers@1.5.0", + "pkgId": "dustjs-helpers@1.5.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ejs@2.5.5", + "pkgId": "ejs@2.5.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ejs@0.8.8", + "pkgId": "ejs@0.8.8", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ejs-locals@1.0.2", + "pkgId": "ejs-locals@1.0.2", + "deps": [ + { + "nodeId": "ejs@0.8.8" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "mime-db@1.40.0", + "pkgId": "mime-db@1.40.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "mime-types@2.1.24", + "pkgId": "mime-types@2.1.24", + "deps": [ + { + "nodeId": "mime-db@1.40.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "negotiator@0.6.2", + "pkgId": "negotiator@0.6.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "accepts@1.3.7", + "pkgId": "accepts@1.3.7", + "deps": [ + { + "nodeId": "mime-types@2.1.24" + }, + { + "nodeId": "negotiator@0.6.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "array-flatten@1.1.1", + "pkgId": "array-flatten@1.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "bytes@3.0.0", + "pkgId": "bytes@3.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "content-type@1.0.4", + "pkgId": "content-type@1.0.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "depd@1.1.2", + "pkgId": "depd@1.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "inherits@2.0.3", + "pkgId": "inherits@2.0.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "setprototypeof@1.1.0", + "pkgId": "setprototypeof@1.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "statuses@1.5.0", + "pkgId": "statuses@1.5.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "http-errors@1.6.3", + "pkgId": "http-errors@1.6.3", + "deps": [ + { + "nodeId": "depd@1.1.2" + }, + { + "nodeId": "inherits@2.0.3" + }, + { + "nodeId": "setprototypeof@1.1.0" + }, + { + "nodeId": "statuses@1.5.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "iconv-lite@0.4.19", + "pkgId": "iconv-lite@0.4.19", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ee-first@1.1.1", + "pkgId": "ee-first@1.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "on-finished@2.3.0", + "pkgId": "on-finished@2.3.0", + "deps": [ + { + "nodeId": "ee-first@1.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "qs@6.5.1", + "pkgId": "qs@6.5.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "depd@1.1.1", + "pkgId": "depd@1.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "setprototypeof@1.0.3", + "pkgId": "setprototypeof@1.0.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "statuses@1.3.1", + "pkgId": "statuses@1.3.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "http-errors@1.6.2", + "pkgId": "http-errors@1.6.2", + "deps": [ + { + "nodeId": "depd@1.1.1" + }, + { + "nodeId": "inherits@2.0.3" + }, + { + "nodeId": "setprototypeof@1.0.3" + }, + { + "nodeId": "statuses@1.3.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "unpipe@1.0.0", + "pkgId": "unpipe@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "raw-body@2.3.2", + "pkgId": "raw-body@2.3.2", + "deps": [ + { + "nodeId": "bytes@3.0.0" + }, + { + "nodeId": "http-errors@1.6.2" + }, + { + "nodeId": "iconv-lite@0.4.19" + }, + { + "nodeId": "unpipe@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "media-typer@0.3.0", + "pkgId": "media-typer@0.3.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "type-is@1.6.18", + "pkgId": "type-is@1.6.18", + "deps": [ + { + "nodeId": "media-typer@0.3.0" + }, + { + "nodeId": "mime-types@2.1.24" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "body-parser@1.18.2", + "pkgId": "body-parser@1.18.2", + "deps": [ + { + "nodeId": "bytes@3.0.0" + }, + { + "nodeId": "content-type@1.0.4" + }, + { + "nodeId": "debug@2.6.9" + }, + { + "nodeId": "depd@1.1.2" + }, + { + "nodeId": "http-errors@1.6.3" + }, + { + "nodeId": "iconv-lite@0.4.19" + }, + { + "nodeId": "on-finished@2.3.0" + }, + { + "nodeId": "qs@6.5.1" + }, + { + "nodeId": "raw-body@2.3.2" + }, + { + "nodeId": "type-is@1.6.18" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "content-disposition@0.5.2", + "pkgId": "content-disposition@0.5.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cookie@0.3.1", + "pkgId": "cookie@0.3.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cookie-signature@1.0.6", + "pkgId": "cookie-signature@1.0.6", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "encodeurl@1.0.2", + "pkgId": "encodeurl@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "escape-html@1.0.3", + "pkgId": "escape-html@1.0.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "etag@1.8.1", + "pkgId": "etag@1.8.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "parseurl@1.3.2", + "pkgId": "parseurl@1.3.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "finalhandler@1.1.0", + "pkgId": "finalhandler@1.1.0", + "deps": [ + { + "nodeId": "debug@2.6.9" + }, + { + "nodeId": "encodeurl@1.0.2" + }, + { + "nodeId": "escape-html@1.0.3" + }, + { + "nodeId": "on-finished@2.3.0" + }, + { + "nodeId": "parseurl@1.3.2" + }, + { + "nodeId": "statuses@1.3.1" + }, + { + "nodeId": "unpipe@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "fresh@0.5.2", + "pkgId": "fresh@0.5.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "merge-descriptors@1.0.1", + "pkgId": "merge-descriptors@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "methods@1.1.2", + "pkgId": "methods@1.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "path-to-regexp@0.1.7", + "pkgId": "path-to-regexp@0.1.7", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "forwarded@0.1.2", + "pkgId": "forwarded@0.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ipaddr.js@1.9.0", + "pkgId": "ipaddr.js@1.9.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "proxy-addr@2.0.5", + "pkgId": "proxy-addr@2.0.5", + "deps": [ + { + "nodeId": "forwarded@0.1.2" + }, + { + "nodeId": "ipaddr.js@1.9.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "range-parser@1.2.1", + "pkgId": "range-parser@1.2.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "safe-buffer@5.1.1", + "pkgId": "safe-buffer@5.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "destroy@1.0.4", + "pkgId": "destroy@1.0.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "mime@1.4.1", + "pkgId": "mime@1.4.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "send@0.16.0", + "pkgId": "send@0.16.0", + "deps": [ + { + "nodeId": "debug@2.6.9" + }, + { + "nodeId": "depd@1.1.2" + }, + { + "nodeId": "destroy@1.0.4" + }, + { + "nodeId": "encodeurl@1.0.2" + }, + { + "nodeId": "escape-html@1.0.3" + }, + { + "nodeId": "etag@1.8.1" + }, + { + "nodeId": "fresh@0.5.2" + }, + { + "nodeId": "http-errors@1.6.3" + }, + { + "nodeId": "mime@1.4.1" + }, + { + "nodeId": "ms@2.0.0" + }, + { + "nodeId": "on-finished@2.3.0" + }, + { + "nodeId": "range-parser@1.2.1" + }, + { + "nodeId": "statuses@1.3.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "serve-static@1.13.0", + "pkgId": "serve-static@1.13.0", + "deps": [ + { + "nodeId": "encodeurl@1.0.2" + }, + { + "nodeId": "escape-html@1.0.3" + }, + { + "nodeId": "parseurl@1.3.2" + }, + { + "nodeId": "send@0.16.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "utils-merge@1.0.1", + "pkgId": "utils-merge@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "vary@1.1.2", + "pkgId": "vary@1.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "express@4.16.0", + "pkgId": "express@4.16.0", + "deps": [ + { + "nodeId": "accepts@1.3.7" + }, + { + "nodeId": "array-flatten@1.1.1" + }, + { + "nodeId": "body-parser@1.18.2" + }, + { + "nodeId": "content-disposition@0.5.2" + }, + { + "nodeId": "content-type@1.0.4" + }, + { + "nodeId": "cookie@0.3.1" + }, + { + "nodeId": "cookie-signature@1.0.6" + }, + { + "nodeId": "debug@2.6.9" + }, + { + "nodeId": "depd@1.1.2" + }, + { + "nodeId": "encodeurl@1.0.2" + }, + { + "nodeId": "escape-html@1.0.3" + }, + { + "nodeId": "etag@1.8.1" + }, + { + "nodeId": "finalhandler@1.1.0" + }, + { + "nodeId": "fresh@0.5.2" + }, + { + "nodeId": "merge-descriptors@1.0.1" + }, + { + "nodeId": "methods@1.1.2" + }, + { + "nodeId": "on-finished@2.3.0" + }, + { + "nodeId": "parseurl@1.3.2" + }, + { + "nodeId": "path-to-regexp@0.1.7" + }, + { + "nodeId": "proxy-addr@2.0.5" + }, + { + "nodeId": "qs@6.5.1" + }, + { + "nodeId": "range-parser@1.2.1" + }, + { + "nodeId": "safe-buffer@5.1.1" + }, + { + "nodeId": "send@0.16.0" + }, + { + "nodeId": "serve-static@1.13.0" + }, + { + "nodeId": "setprototypeof@1.1.0" + }, + { + "nodeId": "statuses@1.3.1" + }, + { + "nodeId": "type-is@1.6.18" + }, + { + "nodeId": "utils-merge@1.0.1" + }, + { + "nodeId": "vary@1.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "core-util-is@1.0.2", + "pkgId": "core-util-is@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "isarray@0.0.1", + "pkgId": "isarray@0.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "string_decoder@0.10.31", + "pkgId": "string_decoder@0.10.31", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "readable-stream@1.1.14", + "pkgId": "readable-stream@1.1.14", + "deps": [ + { + "nodeId": "core-util-is@1.0.2" + }, + { + "nodeId": "inherits@2.0.3" + }, + { + "nodeId": "isarray@0.0.1" + }, + { + "nodeId": "string_decoder@0.10.31" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "streamsearch@0.1.2", + "pkgId": "streamsearch@0.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "dicer@0.2.5", + "pkgId": "dicer@0.2.5", + "deps": [ + { + "nodeId": "readable-stream@1.1.14" + }, + { + "nodeId": "streamsearch@0.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "busboy@0.2.14", + "pkgId": "busboy@0.2.14", + "deps": [ + { + "nodeId": "dicer@0.2.5" + }, + { + "nodeId": "readable-stream@1.1.14" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "connect-busboy@0.0.2", + "pkgId": "connect-busboy@0.0.2", + "deps": [ + { + "nodeId": "busboy@0.2.14" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "graceful-fs@4.1.15", + "pkgId": "graceful-fs@4.1.15", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "jsonfile@2.4.0", + "pkgId": "jsonfile@2.4.0", + "deps": [ + { + "nodeId": "graceful-fs@4.1.15" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "fs.realpath@1.0.0", + "pkgId": "fs.realpath@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "wrappy@1.0.2", + "pkgId": "wrappy@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "once@1.4.0", + "pkgId": "once@1.4.0", + "deps": [ + { + "nodeId": "wrappy@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "inflight@1.0.6", + "pkgId": "inflight@1.0.6", + "deps": [ + { + "nodeId": "once@1.4.0" + }, + { + "nodeId": "wrappy@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "balanced-match@1.0.0", + "pkgId": "balanced-match@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "concat-map@0.0.1", + "pkgId": "concat-map@0.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "brace-expansion@1.1.11", + "pkgId": "brace-expansion@1.1.11", + "deps": [ + { + "nodeId": "balanced-match@1.0.0" + }, + { + "nodeId": "concat-map@0.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "minimatch@3.0.4", + "pkgId": "minimatch@3.0.4", + "deps": [ + { + "nodeId": "brace-expansion@1.1.11" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "path-is-absolute@1.0.1", + "pkgId": "path-is-absolute@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "glob@7.1.3", + "pkgId": "glob@7.1.3", + "deps": [ + { + "nodeId": "fs.realpath@1.0.0" + }, + { + "nodeId": "inflight@1.0.6" + }, + { + "nodeId": "inherits@2.0.3" + }, + { + "nodeId": "minimatch@3.0.4" + }, + { + "nodeId": "once@1.4.0" + }, + { + "nodeId": "path-is-absolute@1.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "rimraf@2.6.2", + "pkgId": "rimraf@2.6.2", + "deps": [ + { + "nodeId": "glob@7.1.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "fs-extra@0.22.1", + "pkgId": "fs-extra@0.22.1", + "deps": [ + { + "nodeId": "graceful-fs@4.1.15" + }, + { + "nodeId": "jsonfile@2.4.0" + }, + { + "nodeId": "rimraf@2.6.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "streamifier@0.1.1", + "pkgId": "streamifier@0.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "express-fileupload@0.0.5", + "pkgId": "express-fileupload@0.0.5", + "deps": [ + { + "nodeId": "connect-busboy@0.0.2" + }, + { + "nodeId": "fs-extra@0.22.1" + }, + { + "nodeId": "streamifier@0.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ms@0.6.2", + "pkgId": "ms@0.6.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "humanize-ms@1.0.1", + "pkgId": "humanize-ms@1.0.1", + "deps": [ + { + "nodeId": "ms@0.6.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "debug@3.1.0", + "pkgId": "debug@3.1.0", + "deps": [ + { + "nodeId": "ms@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "method-override@3.0.0", + "pkgId": "method-override@3.0.0", + "deps": [ + { + "nodeId": "debug@3.1.0" + }, + { + "nodeId": "methods@1.1.2" + }, + { + "nodeId": "parseurl@1.3.2" + }, + { + "nodeId": "vary@1.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "moment@2.19.3", + "pkgId": "moment@2.19.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "safe-buffer@5.1.2", + "pkgId": "safe-buffer@5.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "basic-auth@2.0.1", + "pkgId": "basic-auth@2.0.1", + "deps": [ + { + "nodeId": "safe-buffer@5.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "on-headers@1.0.1", + "pkgId": "on-headers@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "morgan@1.9.1", + "pkgId": "morgan@1.9.1", + "deps": [ + { + "nodeId": "basic-auth@2.0.1" + }, + { + "nodeId": "debug@2.6.9" + }, + { + "nodeId": "depd@1.1.2" + }, + { + "nodeId": "on-finished@2.3.0" + }, + { + "nodeId": "on-headers@1.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ini@1.3.5", + "pkgId": "ini@1.3.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "proto-list@1.2.4", + "pkgId": "proto-list@1.2.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "config-chain@1.1.12", + "pkgId": "config-chain@1.1.12", + "deps": [ + { + "nodeId": "ini@1.3.5" + }, + { + "nodeId": "proto-list@1.2.4" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "minimist@0.0.8", + "pkgId": "minimist@0.0.8", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "mkdirp@0.5.1", + "pkgId": "mkdirp@0.5.1", + "deps": [ + { + "nodeId": "minimist@0.0.8" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "abbrev@1.1.1", + "pkgId": "abbrev@1.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "nopt@3.0.6", + "pkgId": "nopt@3.0.6", + "deps": [ + { + "nodeId": "abbrev@1.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "once@1.3.3", + "pkgId": "once@1.3.3", + "deps": [ + { + "nodeId": "wrappy@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "os-homedir@1.0.2", + "pkgId": "os-homedir@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "os-tmpdir@1.0.2", + "pkgId": "os-tmpdir@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "osenv@0.1.5", + "pkgId": "osenv@0.1.5", + "deps": [ + { + "nodeId": "os-homedir@1.0.2" + }, + { + "nodeId": "os-tmpdir@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "semver@4.3.6", + "pkgId": "semver@4.3.6", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "uid-number@0.0.5", + "pkgId": "uid-number@0.0.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "npmconf@2.1.3", + "pkgId": "npmconf@2.1.3", + "deps": [ + { + "nodeId": "config-chain@1.1.12" + }, + { + "nodeId": "inherits@2.0.3" + }, + { + "nodeId": "ini@1.3.5" + }, + { + "nodeId": "mkdirp@0.5.1" + }, + { + "nodeId": "nopt@3.0.6" + }, + { + "nodeId": "once@1.3.3" + }, + { + "nodeId": "osenv@0.1.5" + }, + { + "nodeId": "safe-buffer@5.1.2" + }, + { + "nodeId": "semver@4.3.6" + }, + { + "nodeId": "uid-number@0.0.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "optional@0.1.4", + "pkgId": "optional@0.1.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lodash@4.17.15", + "pkgId": "lodash@4.17.15", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "graphlib@2.1.7", + "pkgId": "graphlib@2.1.7", + "deps": [ + { + "nodeId": "lodash@4.17.15" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "object-hash@1.3.1", + "pkgId": "object-hash@1.3.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "semver@6.3.0", + "pkgId": "semver@6.3.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "buffer-from@1.1.1", + "pkgId": "buffer-from@1.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "source-map@0.6.1", + "pkgId": "source-map@0.6.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "source-map-support@0.5.13", + "pkgId": "source-map-support@0.5.13", + "deps": [ + { + "nodeId": "buffer-from@1.1.1" + }, + { + "nodeId": "source-map@0.6.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "tslib@1.10.0", + "pkgId": "tslib@1.10.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@snyk/dep-graph@1.12.0", + "pkgId": "@snyk/dep-graph@1.12.0", + "deps": [ + { + "nodeId": "graphlib@2.1.7" + }, + { + "nodeId": "lodash@4.17.15" + }, + { + "nodeId": "object-hash@1.3.1" + }, + { + "nodeId": "semver@6.3.0" + }, + { + "nodeId": "source-map-support@0.5.13" + }, + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@snyk/gemfile@1.2.0", + "pkgId": "@snyk/gemfile@1.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/events@3.0.0", + "pkgId": "@types/events@3.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/node@12.7.5", + "pkgId": "@types/node@12.7.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/agent-base@4.2.0", + "pkgId": "@types/agent-base@4.2.0", + "deps": [ + { + "nodeId": "@types/events@3.0.0" + }, + { + "nodeId": "@types/node@12.7.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/bunyan@1.8.6", + "pkgId": "@types/bunyan@1.8.6", + "deps": [ + { + "nodeId": "@types/node@12.7.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/restify@4.3.6", + "pkgId": "@types/restify@4.3.6", + "deps": [ + { + "nodeId": "@types/bunyan@1.8.6" + }, + { + "nodeId": "@types/node@12.7.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ansi-escapes@3.2.0", + "pkgId": "ansi-escapes@3.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "color-name@1.1.3", + "pkgId": "color-name@1.1.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "color-convert@1.9.3", + "pkgId": "color-convert@1.9.3", + "deps": [ + { + "nodeId": "color-name@1.1.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ansi-styles@3.2.1", + "pkgId": "ansi-styles@3.2.1", + "deps": [ + { + "nodeId": "color-convert@1.9.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "escape-string-regexp@1.0.5", + "pkgId": "escape-string-regexp@1.0.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "has-flag@3.0.0", + "pkgId": "has-flag@3.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "supports-color@5.5.0", + "pkgId": "supports-color@5.5.0", + "deps": [ + { + "nodeId": "has-flag@3.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "chalk@2.4.2", + "pkgId": "chalk@2.4.2", + "deps": [ + { + "nodeId": "ansi-styles@3.2.1" + }, + { + "nodeId": "escape-string-regexp@1.0.5" + }, + { + "nodeId": "supports-color@5.5.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-obj@1.0.1", + "pkgId": "is-obj@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "dot-prop@4.2.0", + "pkgId": "dot-prop@4.2.0", + "deps": [ + { + "nodeId": "is-obj@1.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "pify@3.0.0", + "pkgId": "pify@3.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "make-dir@1.3.0", + "pkgId": "make-dir@1.3.0", + "deps": [ + { + "nodeId": "pify@3.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "crypto-random-string@1.0.0", + "pkgId": "crypto-random-string@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "unique-string@1.0.0", + "pkgId": "unique-string@1.0.0", + "deps": [ + { + "nodeId": "crypto-random-string@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "imurmurhash@0.1.4", + "pkgId": "imurmurhash@0.1.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "signal-exit@3.0.2", + "pkgId": "signal-exit@3.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "write-file-atomic@2.4.3", + "pkgId": "write-file-atomic@2.4.3", + "deps": [ + { + "nodeId": "graceful-fs@4.1.15" + }, + { + "nodeId": "imurmurhash@0.1.4" + }, + { + "nodeId": "signal-exit@3.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "xdg-basedir@3.0.0", + "pkgId": "xdg-basedir@3.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "configstore@3.1.2", + "pkgId": "configstore@3.1.2", + "deps": [ + { + "nodeId": "dot-prop@4.2.0" + }, + { + "nodeId": "graceful-fs@4.1.15" + }, + { + "nodeId": "make-dir@1.3.0" + }, + { + "nodeId": "unique-string@1.0.0" + }, + { + "nodeId": "write-file-atomic@2.4.3" + }, + { + "nodeId": "xdg-basedir@3.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ms@2.1.2", + "pkgId": "ms@2.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "debug@3.2.6", + "pkgId": "debug@3.2.6", + "deps": [ + { + "nodeId": "ms@2.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "diff@4.0.1", + "pkgId": "diff@4.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "protocols@1.4.7", + "pkgId": "protocols@1.4.7", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-ssh@1.3.1", + "pkgId": "is-ssh@1.3.1", + "deps": [ + { + "nodeId": "protocols@1.4.7" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "normalize-url@3.3.0", + "pkgId": "normalize-url@3.3.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "parse-path@4.0.1", + "pkgId": "parse-path@4.0.1", + "deps": [ + { + "nodeId": "is-ssh@1.3.1" + }, + { + "nodeId": "protocols@1.4.7" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "parse-url@5.0.1", + "pkgId": "parse-url@5.0.1", + "deps": [ + { + "nodeId": "is-ssh@1.3.1" + }, + { + "nodeId": "normalize-url@3.3.0" + }, + { + "nodeId": "parse-path@4.0.1" + }, + { + "nodeId": "protocols@1.4.7" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "git-up@4.0.1", + "pkgId": "git-up@4.0.1", + "deps": [ + { + "nodeId": "is-ssh@1.3.1" + }, + { + "nodeId": "parse-url@5.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "git-url-parse@11.1.2", + "pkgId": "git-url-parse@11.1.2", + "deps": [ + { + "nodeId": "git-up@4.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "mimic-fn@1.2.0", + "pkgId": "mimic-fn@1.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "onetime@2.0.1", + "pkgId": "onetime@2.0.1", + "deps": [ + { + "nodeId": "mimic-fn@1.2.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "restore-cursor@2.0.0", + "pkgId": "restore-cursor@2.0.0", + "deps": [ + { + "nodeId": "onetime@2.0.1" + }, + { + "nodeId": "signal-exit@3.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cli-cursor@2.1.0", + "pkgId": "cli-cursor@2.1.0", + "deps": [ + { + "nodeId": "restore-cursor@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cli-width@2.2.0", + "pkgId": "cli-width@2.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "chardet@0.7.0", + "pkgId": "chardet@0.7.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "tmp@0.0.33", + "pkgId": "tmp@0.0.33", + "deps": [ + { + "nodeId": "os-tmpdir@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "external-editor@3.1.0", + "pkgId": "external-editor@3.1.0", + "deps": [ + { + "nodeId": "chardet@0.7.0" + }, + { + "nodeId": "iconv-lite@0.4.24" + }, + { + "nodeId": "tmp@0.0.33" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "figures@2.0.0", + "pkgId": "figures@2.0.0", + "deps": [ + { + "nodeId": "escape-string-regexp@1.0.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "mute-stream@0.0.7", + "pkgId": "mute-stream@0.0.7", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-promise@2.1.0", + "pkgId": "is-promise@2.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "run-async@2.3.0", + "pkgId": "run-async@2.3.0", + "deps": [ + { + "nodeId": "is-promise@2.1.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "rxjs@6.5.3", + "pkgId": "rxjs@6.5.3", + "deps": [ + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-fullwidth-code-point@2.0.0", + "pkgId": "is-fullwidth-code-point@2.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ansi-regex@3.0.0", + "pkgId": "ansi-regex@3.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "strip-ansi@4.0.0", + "pkgId": "strip-ansi@4.0.0", + "deps": [ + { + "nodeId": "ansi-regex@3.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "string-width@2.1.1", + "pkgId": "string-width@2.1.1", + "deps": [ + { + "nodeId": "is-fullwidth-code-point@2.0.0" + }, + { + "nodeId": "strip-ansi@4.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ansi-regex@4.1.0", + "pkgId": "ansi-regex@4.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "strip-ansi@5.2.0", + "pkgId": "strip-ansi@5.2.0", + "deps": [ + { + "nodeId": "ansi-regex@4.1.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "through@2.3.8", + "pkgId": "through@2.3.8", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "inquirer@6.5.2", + "pkgId": "inquirer@6.5.2", + "deps": [ + { + "nodeId": "ansi-escapes@3.2.0" + }, + { + "nodeId": "chalk@2.4.2" + }, + { + "nodeId": "cli-cursor@2.1.0" + }, + { + "nodeId": "cli-width@2.2.0" + }, + { + "nodeId": "external-editor@3.1.0" + }, + { + "nodeId": "figures@2.0.0" + }, + { + "nodeId": "lodash@4.17.15" + }, + { + "nodeId": "mute-stream@0.0.7" + }, + { + "nodeId": "run-async@2.3.0" + }, + { + "nodeId": "rxjs@6.5.3" + }, + { + "nodeId": "string-width@2.1.1" + }, + { + "nodeId": "strip-ansi@5.2.0" + }, + { + "nodeId": "through@2.3.8" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-wsl@1.1.0", + "pkgId": "is-wsl@1.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "opn@5.5.0", + "pkgId": "opn@5.5.0", + "deps": [ + { + "nodeId": "is-wsl@1.1.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "macos-release@2.3.0", + "pkgId": "macos-release@2.3.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "nice-try@1.0.5", + "pkgId": "nice-try@1.0.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "path-key@2.0.1", + "pkgId": "path-key@2.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "shebang-regex@1.0.0", + "pkgId": "shebang-regex@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "shebang-command@1.2.0", + "pkgId": "shebang-command@1.2.0", + "deps": [ + { + "nodeId": "shebang-regex@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "isexe@2.0.0", + "pkgId": "isexe@2.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "which@1.3.1", + "pkgId": "which@1.3.1", + "deps": [ + { + "nodeId": "isexe@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cross-spawn@6.0.5", + "pkgId": "cross-spawn@6.0.5", + "deps": [ + { + "nodeId": "nice-try@1.0.5" + }, + { + "nodeId": "path-key@2.0.1" + }, + { + "nodeId": "semver@5.6.0" + }, + { + "nodeId": "shebang-command@1.2.0" + }, + { + "nodeId": "which@1.3.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "end-of-stream@1.4.2", + "pkgId": "end-of-stream@1.4.2", + "deps": [ + { + "nodeId": "once@1.4.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "pump@3.0.0", + "pkgId": "pump@3.0.0", + "deps": [ + { + "nodeId": "end-of-stream@1.4.2" + }, + { + "nodeId": "once@1.4.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "get-stream@4.1.0", + "pkgId": "get-stream@4.1.0", + "deps": [ + { + "nodeId": "pump@3.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-stream@1.1.0", + "pkgId": "is-stream@1.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "npm-run-path@2.0.2", + "pkgId": "npm-run-path@2.0.2", + "deps": [ + { + "nodeId": "path-key@2.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "p-finally@1.0.0", + "pkgId": "p-finally@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "strip-eof@1.0.0", + "pkgId": "strip-eof@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "execa@1.0.0", + "pkgId": "execa@1.0.0", + "deps": [ + { + "nodeId": "cross-spawn@6.0.5" + }, + { + "nodeId": "get-stream@4.1.0" + }, + { + "nodeId": "is-stream@1.1.0" + }, + { + "nodeId": "npm-run-path@2.0.2" + }, + { + "nodeId": "p-finally@1.0.0" + }, + { + "nodeId": "signal-exit@3.0.2" + }, + { + "nodeId": "strip-eof@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "windows-release@3.2.0", + "pkgId": "windows-release@3.2.0", + "deps": [ + { + "nodeId": "execa@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "os-name@3.1.0", + "pkgId": "os-name@3.1.0", + "deps": [ + { + "nodeId": "macos-release@2.3.0" + }, + { + "nodeId": "windows-release@3.2.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "es6-promise@4.2.8", + "pkgId": "es6-promise@4.2.8", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "es6-promisify@5.0.0", + "pkgId": "es6-promisify@5.0.0", + "deps": [ + { + "nodeId": "es6-promise@4.2.8" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "agent-base@4.3.0", + "pkgId": "agent-base@4.3.0", + "deps": [ + { + "nodeId": "es6-promisify@5.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "http-proxy-agent@2.1.0", + "pkgId": "http-proxy-agent@2.1.0", + "deps": [ + { + "nodeId": "agent-base@4.3.0" + }, + { + "nodeId": "debug@3.1.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "https-proxy-agent@2.2.2", + "pkgId": "https-proxy-agent@2.2.2", + "deps": [ + { + "nodeId": "agent-base@4.3.0" + }, + { + "nodeId": "debug@3.2.6" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "pseudomap@1.0.2", + "pkgId": "pseudomap@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "yallist@2.1.2", + "pkgId": "yallist@2.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lru-cache@4.1.5", + "pkgId": "lru-cache@4.1.5", + "deps": [ + { + "nodeId": "pseudomap@1.0.2" + }, + { + "nodeId": "yallist@2.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/node@8.10.54", + "pkgId": "@types/node@8.10.54", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "data-uri-to-buffer@2.0.1", + "pkgId": "data-uri-to-buffer@2.0.1", + "deps": [ + { + "nodeId": "@types/node@8.10.54" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "extend@3.0.2", + "pkgId": "extend@3.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "file-uri-to-path@1.0.0", + "pkgId": "file-uri-to-path@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "xregexp@2.0.0", + "pkgId": "xregexp@2.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ftp@0.3.10", + "pkgId": "ftp@0.3.10", + "deps": [ + { + "nodeId": "readable-stream@1.1.14" + }, + { + "nodeId": "xregexp@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "safe-buffer@5.2.0", + "pkgId": "safe-buffer@5.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "string_decoder@1.3.0", + "pkgId": "string_decoder@1.3.0", + "deps": [ + { + "nodeId": "safe-buffer@5.2.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "util-deprecate@1.0.2", + "pkgId": "util-deprecate@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "readable-stream@3.4.0", + "pkgId": "readable-stream@3.4.0", + "deps": [ + { + "nodeId": "inherits@2.0.3" + }, + { + "nodeId": "string_decoder@1.3.0" + }, + { + "nodeId": "util-deprecate@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "get-uri@2.0.3", + "pkgId": "get-uri@2.0.3", + "deps": [ + { + "nodeId": "data-uri-to-buffer@2.0.1" + }, + { + "nodeId": "debug@4.1.0" + }, + { + "nodeId": "extend@3.0.2" + }, + { + "nodeId": "file-uri-to-path@1.0.0" + }, + { + "nodeId": "ftp@0.3.10" + }, + { + "nodeId": "readable-stream@3.4.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "co@4.6.0", + "pkgId": "co@4.6.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ast-types@0.13.2", + "pkgId": "ast-types@0.13.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "esprima@3.1.3", + "pkgId": "esprima@3.1.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "estraverse@4.3.0", + "pkgId": "estraverse@4.3.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "esutils@2.0.3", + "pkgId": "esutils@2.0.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "deep-is@0.1.3", + "pkgId": "deep-is@0.1.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "fast-levenshtein@2.0.6", + "pkgId": "fast-levenshtein@2.0.6", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "prelude-ls@1.1.2", + "pkgId": "prelude-ls@1.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "type-check@0.3.2", + "pkgId": "type-check@0.3.2", + "deps": [ + { + "nodeId": "prelude-ls@1.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "levn@0.3.0", + "pkgId": "levn@0.3.0", + "deps": [ + { + "nodeId": "prelude-ls@1.1.2" + }, + { + "nodeId": "type-check@0.3.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "wordwrap@1.0.0", + "pkgId": "wordwrap@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "optionator@0.8.2", + "pkgId": "optionator@0.8.2", + "deps": [ + { + "nodeId": "deep-is@0.1.3" + }, + { + "nodeId": "fast-levenshtein@2.0.6" + }, + { + "nodeId": "levn@0.3.0" + }, + { + "nodeId": "prelude-ls@1.1.2" + }, + { + "nodeId": "type-check@0.3.2" + }, + { + "nodeId": "wordwrap@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "escodegen@1.12.0", + "pkgId": "escodegen@1.12.0", + "deps": [ + { + "nodeId": "esprima@3.1.3" + }, + { + "nodeId": "estraverse@4.3.0" + }, + { + "nodeId": "esutils@2.0.3" + }, + { + "nodeId": "optionator@0.8.2" + }, + { + "nodeId": "source-map@0.6.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "degenerator@1.0.4", + "pkgId": "degenerator@1.0.4", + "deps": [ + { + "nodeId": "ast-types@0.13.2" + }, + { + "nodeId": "escodegen@1.12.0" + }, + { + "nodeId": "esprima@3.1.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ip@1.1.5", + "pkgId": "ip@1.1.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "netmask@1.0.6", + "pkgId": "netmask@1.0.6", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "thunkify@2.1.2", + "pkgId": "thunkify@2.1.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "pac-resolver@3.0.0", + "pkgId": "pac-resolver@3.0.0", + "deps": [ + { + "nodeId": "co@4.6.0" + }, + { + "nodeId": "degenerator@1.0.4" + }, + { + "nodeId": "ip@1.1.5" + }, + { + "nodeId": "netmask@1.0.6" + }, + { + "nodeId": "thunkify@2.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "bytes@3.1.0", + "pkgId": "bytes@3.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "inherits@2.0.4", + "pkgId": "inherits@2.0.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "setprototypeof@1.1.1", + "pkgId": "setprototypeof@1.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "toidentifier@1.0.0", + "pkgId": "toidentifier@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "http-errors@1.7.3", + "pkgId": "http-errors@1.7.3", + "deps": [ + { + "nodeId": "depd@1.1.2" + }, + { + "nodeId": "inherits@2.0.4" + }, + { + "nodeId": "setprototypeof@1.1.1" + }, + { + "nodeId": "statuses@1.5.0" + }, + { + "nodeId": "toidentifier@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "raw-body@2.4.1", + "pkgId": "raw-body@2.4.1", + "deps": [ + { + "nodeId": "bytes@3.1.0" + }, + { + "nodeId": "http-errors@1.7.3" + }, + { + "nodeId": "iconv-lite@0.4.24" + }, + { + "nodeId": "unpipe@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "agent-base@4.2.1", + "pkgId": "agent-base@4.2.1", + "deps": [ + { + "nodeId": "es6-promisify@5.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "smart-buffer@4.0.2", + "pkgId": "smart-buffer@4.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "socks@2.3.2", + "pkgId": "socks@2.3.2", + "deps": [ + { + "nodeId": "ip@1.1.5" + }, + { + "nodeId": "smart-buffer@4.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "socks-proxy-agent@4.0.2", + "pkgId": "socks-proxy-agent@4.0.2", + "deps": [ + { + "nodeId": "agent-base@4.2.1" + }, + { + "nodeId": "socks@2.3.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "pac-proxy-agent@3.0.0", + "pkgId": "pac-proxy-agent@3.0.0", + "deps": [ + { + "nodeId": "agent-base@4.3.0" + }, + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "get-uri@2.0.3" + }, + { + "nodeId": "http-proxy-agent@2.1.0" + }, + { + "nodeId": "https-proxy-agent@2.2.2" + }, + { + "nodeId": "pac-resolver@3.0.0" + }, + { + "nodeId": "raw-body@2.4.1" + }, + { + "nodeId": "socks-proxy-agent@4.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "proxy-from-env@1.0.0", + "pkgId": "proxy-from-env@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "proxy-agent@3.1.0", + "pkgId": "proxy-agent@3.1.0", + "deps": [ + { + "nodeId": "agent-base@4.3.0" + }, + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "http-proxy-agent@2.1.0" + }, + { + "nodeId": "https-proxy-agent@2.2.2" + }, + { + "nodeId": "lru-cache@4.1.5" + }, + { + "nodeId": "pac-proxy-agent@3.0.0" + }, + { + "nodeId": "proxy-from-env@1.0.0" + }, + { + "nodeId": "socks-proxy-agent@4.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "async@1.5.2", + "pkgId": "async@1.5.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "secure-keys@1.0.0", + "pkgId": "secure-keys@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "camelcase@2.1.1", + "pkgId": "camelcase@2.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "code-point-at@1.1.0", + "pkgId": "code-point-at@1.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "number-is-nan@1.0.1", + "pkgId": "number-is-nan@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-fullwidth-code-point@1.0.0", + "pkgId": "is-fullwidth-code-point@1.0.0", + "deps": [ + { + "nodeId": "number-is-nan@1.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ansi-regex@2.1.1", + "pkgId": "ansi-regex@2.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "strip-ansi@3.0.1", + "pkgId": "strip-ansi@3.0.1", + "deps": [ + { + "nodeId": "ansi-regex@2.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "string-width@1.0.2", + "pkgId": "string-width@1.0.2", + "deps": [ + { + "nodeId": "code-point-at@1.1.0" + }, + { + "nodeId": "is-fullwidth-code-point@1.0.0" + }, + { + "nodeId": "strip-ansi@3.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "wrap-ansi@2.1.0", + "pkgId": "wrap-ansi@2.1.0", + "deps": [ + { + "nodeId": "string-width@1.0.2" + }, + { + "nodeId": "strip-ansi@3.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cliui@3.2.0", + "pkgId": "cliui@3.2.0", + "deps": [ + { + "nodeId": "string-width@1.0.2" + }, + { + "nodeId": "strip-ansi@3.0.1" + }, + { + "nodeId": "wrap-ansi@2.1.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "decamelize@1.2.0", + "pkgId": "decamelize@1.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "invert-kv@1.0.0", + "pkgId": "invert-kv@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lcid@1.0.0", + "pkgId": "lcid@1.0.0", + "deps": [ + { + "nodeId": "invert-kv@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "os-locale@1.4.0", + "pkgId": "os-locale@1.4.0", + "deps": [ + { + "nodeId": "lcid@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "window-size@0.1.4", + "pkgId": "window-size@0.1.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "y18n@3.2.1", + "pkgId": "y18n@3.2.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "yargs@3.32.0", + "pkgId": "yargs@3.32.0", + "deps": [ + { + "nodeId": "camelcase@2.1.1" + }, + { + "nodeId": "cliui@3.2.0" + }, + { + "nodeId": "decamelize@1.2.0" + }, + { + "nodeId": "os-locale@1.4.0" + }, + { + "nodeId": "string-width@1.0.2" + }, + { + "nodeId": "window-size@0.1.4" + }, + { + "nodeId": "y18n@3.2.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "nconf@0.10.0", + "pkgId": "nconf@0.10.0", + "deps": [ + { + "nodeId": "async@1.5.2" + }, + { + "nodeId": "ini@1.3.5" + }, + { + "nodeId": "secure-keys@1.0.0" + }, + { + "nodeId": "yargs@3.32.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-config@2.2.3", + "pkgId": "snyk-config@2.2.3", + "deps": [ + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "lodash@4.17.15" + }, + { + "nodeId": "nconf@0.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "debug@4.1.1", + "pkgId": "debug@4.1.1", + "deps": [ + { + "nodeId": "ms@2.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "vscode-languageserver-types@3.14.0", + "pkgId": "vscode-languageserver-types@3.14.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "dockerfile-ast@0.0.16", + "pkgId": "dockerfile-ast@0.0.16", + "deps": [ + { + "nodeId": "vscode-languageserver-types@3.14.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-docker-plugin@1.29.1", + "pkgId": "snyk-docker-plugin@1.29.1", + "deps": [ + { + "nodeId": "debug@4.1.1" + }, + { + "nodeId": "dockerfile-ast@0.0.16" + }, + { + "nodeId": "semver@6.3.0" + }, + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "toml@3.0.0", + "pkgId": "toml@3.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-go-parser@1.3.1", + "pkgId": "snyk-go-parser@1.3.1", + "deps": [ + { + "nodeId": "toml@3.0.0" + }, + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-go-plugin@1.11.0", + "pkgId": "snyk-go-plugin@1.11.0", + "deps": [ + { + "nodeId": "debug@4.1.1" + }, + { + "nodeId": "graphlib@2.1.7" + }, + { + "nodeId": "snyk-go-parser@1.3.1" + }, + { + "nodeId": "tmp@0.0.33" + }, + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@snyk/cli-interface@2.1.0", + "pkgId": "@snyk/cli-interface@2.1.0", + "deps": [ + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/debug@4.1.5", + "pkgId": "@types/debug@4.1.5", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "for-in@1.0.2", + "pkgId": "for-in@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "for-own@1.0.0", + "pkgId": "for-own@1.0.0", + "deps": [ + { + "nodeId": "for-in@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "isobject@3.0.1", + "pkgId": "isobject@3.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-plain-object@2.0.4", + "pkgId": "is-plain-object@2.0.4", + "deps": [ + { + "nodeId": "isobject@3.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-buffer@1.1.6", + "pkgId": "is-buffer@1.1.6", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "kind-of@3.2.2", + "pkgId": "kind-of@3.2.2", + "deps": [ + { + "nodeId": "is-buffer@1.1.6" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-extendable@0.1.1", + "pkgId": "is-extendable@0.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "kind-of@2.0.1", + "pkgId": "kind-of@2.0.1", + "deps": [ + { + "nodeId": "is-buffer@1.1.6" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lazy-cache@0.2.7", + "pkgId": "lazy-cache@0.2.7", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "for-in@0.1.8", + "pkgId": "for-in@0.1.8", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "mixin-object@2.0.1", + "pkgId": "mixin-object@2.0.1", + "deps": [ + { + "nodeId": "for-in@0.1.8" + }, + { + "nodeId": "is-extendable@0.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "shallow-clone@0.1.2", + "pkgId": "shallow-clone@0.1.2", + "deps": [ + { + "nodeId": "is-extendable@0.1.1" + }, + { + "nodeId": "kind-of@2.0.1" + }, + { + "nodeId": "lazy-cache@0.2.7" + }, + { + "nodeId": "mixin-object@2.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "clone-deep@0.3.0", + "pkgId": "clone-deep@0.3.0", + "deps": [ + { + "nodeId": "for-own@1.0.0" + }, + { + "nodeId": "is-plain-object@2.0.4" + }, + { + "nodeId": "kind-of@3.2.2" + }, + { + "nodeId": "shallow-clone@0.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-gradle-plugin@3.1.0", + "pkgId": "snyk-gradle-plugin@3.1.0", + "deps": [ + { + "nodeId": "@snyk/cli-interface@2.1.0" + }, + { + "nodeId": "@types/debug@4.1.5" + }, + { + "nodeId": "chalk@2.4.2" + }, + { + "nodeId": "clone-deep@0.3.0" + }, + { + "nodeId": "debug@4.1.1" + }, + { + "nodeId": "tmp@0.0.33" + }, + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "hosted-git-info@2.8.4", + "pkgId": "hosted-git-info@2.8.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-module@1.9.1", + "pkgId": "snyk-module@1.9.1", + "deps": [ + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "hosted-git-info@2.8.4" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "tslib@1.9.3", + "pkgId": "tslib@1.9.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-mvn-plugin@2.4.0", + "pkgId": "snyk-mvn-plugin@2.4.0", + "deps": [ + { + "nodeId": "lodash@4.17.15" + }, + { + "nodeId": "tslib@1.9.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@yarnpkg/lockfile@1.1.0", + "pkgId": "@yarnpkg/lockfile@1.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "uuid@3.3.3", + "pkgId": "uuid@3.3.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-nodejs-lockfile-parser@1.16.0", + "pkgId": "snyk-nodejs-lockfile-parser@1.16.0", + "deps": [ + { + "nodeId": "@yarnpkg/lockfile@1.1.0" + }, + { + "nodeId": "graphlib@2.1.7" + }, + { + "nodeId": "lodash@4.17.15" + }, + { + "nodeId": "source-map-support@0.5.13" + }, + { + "nodeId": "tslib@1.10.0" + }, + { + "nodeId": "uuid@3.3.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/xml2js@0.4.3", + "pkgId": "@types/xml2js@0.4.3", + "deps": [ + { + "nodeId": "@types/events@3.0.0" + }, + { + "nodeId": "@types/node@12.7.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "xmlbuilder@9.0.7", + "pkgId": "xmlbuilder@9.0.7", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "xml2js@0.4.19", + "pkgId": "xml2js@0.4.19", + "deps": [ + { + "nodeId": "sax@1.2.4" + }, + { + "nodeId": "xmlbuilder@9.0.7" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "dotnet-deps-parser@4.5.0", + "pkgId": "dotnet-deps-parser@4.5.0", + "deps": [ + { + "nodeId": "@types/xml2js@0.4.3" + }, + { + "nodeId": "lodash@4.17.15" + }, + { + "nodeId": "source-map-support@0.5.13" + }, + { + "nodeId": "tslib@1.10.0" + }, + { + "nodeId": "xml2js@0.4.19" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "immediate@3.0.6", + "pkgId": "immediate@3.0.6", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lie@3.3.0", + "pkgId": "lie@3.3.0", + "deps": [ + { + "nodeId": "immediate@3.0.6" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "pako@1.0.10", + "pkgId": "pako@1.0.10", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "isarray@1.0.0", + "pkgId": "isarray@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "process-nextick-args@2.0.0", + "pkgId": "process-nextick-args@2.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "string_decoder@1.1.1", + "pkgId": "string_decoder@1.1.1", + "deps": [ + { + "nodeId": "safe-buffer@5.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "readable-stream@2.3.6", + "pkgId": "readable-stream@2.3.6", + "deps": [ + { + "nodeId": "core-util-is@1.0.2" + }, + { + "nodeId": "inherits@2.0.3" + }, + { + "nodeId": "isarray@1.0.0" + }, + { + "nodeId": "process-nextick-args@2.0.0" + }, + { + "nodeId": "safe-buffer@5.1.2" + }, + { + "nodeId": "string_decoder@1.1.1" + }, + { + "nodeId": "util-deprecate@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "set-immediate-shim@1.0.1", + "pkgId": "set-immediate-shim@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "jszip@3.2.2", + "pkgId": "jszip@3.2.2", + "deps": [ + { + "nodeId": "lie@3.3.0" + }, + { + "nodeId": "pako@1.0.10" + }, + { + "nodeId": "readable-stream@2.3.6" + }, + { + "nodeId": "set-immediate-shim@1.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-paket-parser@1.5.0", + "pkgId": "snyk-paket-parser@1.5.0", + "deps": [ + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "object-keys@1.1.1", + "pkgId": "object-keys@1.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "define-properties@1.1.3", + "pkgId": "define-properties@1.1.3", + "deps": [ + { + "nodeId": "object-keys@1.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-callable@1.1.4", + "pkgId": "is-callable@1.1.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-date-object@1.0.1", + "pkgId": "is-date-object@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "has-symbols@1.0.0", + "pkgId": "has-symbols@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-symbol@1.0.2", + "pkgId": "is-symbol@1.0.2", + "deps": [ + { + "nodeId": "has-symbols@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "es-to-primitive@1.2.0", + "pkgId": "es-to-primitive@1.2.0", + "deps": [ + { + "nodeId": "is-callable@1.1.4" + }, + { + "nodeId": "is-date-object@1.0.1" + }, + { + "nodeId": "is-symbol@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "function-bind@1.1.1", + "pkgId": "function-bind@1.1.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "has@1.0.3", + "pkgId": "has@1.0.3", + "deps": [ + { + "nodeId": "function-bind@1.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-regex@1.0.4", + "pkgId": "is-regex@1.0.4", + "deps": [ + { + "nodeId": "has@1.0.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "object-inspect@1.6.0", + "pkgId": "object-inspect@1.6.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "string.prototype.trimleft@2.1.0", + "pkgId": "string.prototype.trimleft@2.1.0", + "deps": [ + { + "nodeId": "define-properties@1.1.3" + }, + { + "nodeId": "function-bind@1.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "string.prototype.trimright@2.1.0", + "pkgId": "string.prototype.trimright@2.1.0", + "deps": [ + { + "nodeId": "define-properties@1.1.3" + }, + { + "nodeId": "function-bind@1.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "es-abstract@1.14.2", + "pkgId": "es-abstract@1.14.2", + "deps": [ + { + "nodeId": "es-to-primitive@1.2.0" + }, + { + "nodeId": "function-bind@1.1.1" + }, + { + "nodeId": "has@1.0.3" + }, + { + "nodeId": "has-symbols@1.0.0" + }, + { + "nodeId": "is-callable@1.1.4" + }, + { + "nodeId": "is-regex@1.0.4" + }, + { + "nodeId": "object-inspect@1.6.0" + }, + { + "nodeId": "object-keys@1.1.1" + }, + { + "nodeId": "string.prototype.trimleft@2.1.0" + }, + { + "nodeId": "string.prototype.trimright@2.1.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "object.getownpropertydescriptors@2.0.3", + "pkgId": "object.getownpropertydescriptors@2.0.3", + "deps": [ + { + "nodeId": "define-properties@1.1.3" + }, + { + "nodeId": "es-abstract@1.14.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "util.promisify@1.0.0", + "pkgId": "util.promisify@1.0.0", + "deps": [ + { + "nodeId": "define-properties@1.1.3" + }, + { + "nodeId": "object.getownpropertydescriptors@2.0.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "xmlbuilder@11.0.1", + "pkgId": "xmlbuilder@11.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "xml2js@0.4.22", + "pkgId": "xml2js@0.4.22", + "deps": [ + { + "nodeId": "sax@1.2.4" + }, + { + "nodeId": "util.promisify@1.0.0" + }, + { + "nodeId": "xmlbuilder@11.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-nuget-plugin@1.12.1", + "pkgId": "snyk-nuget-plugin@1.12.1", + "deps": [ + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "dotnet-deps-parser@4.5.0" + }, + { + "nodeId": "jszip@3.2.2" + }, + { + "nodeId": "lodash@4.17.15" + }, + { + "nodeId": "snyk-paket-parser@1.5.0" + }, + { + "nodeId": "tslib@1.10.0" + }, + { + "nodeId": "xml2js@0.4.22" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@snyk/composer-lockfile-parser@1.0.3", + "pkgId": "@snyk/composer-lockfile-parser@1.0.3", + "deps": [ + { + "nodeId": "lodash@4.17.15" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-php-plugin@1.6.4", + "pkgId": "snyk-php-plugin@1.6.4", + "deps": [ + { + "nodeId": "@snyk/composer-lockfile-parser@1.0.3" + }, + { + "nodeId": "tslib@1.9.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "email-validator@2.0.4", + "pkgId": "email-validator@2.0.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lodash.clonedeep@4.5.0", + "pkgId": "lodash.clonedeep@4.5.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "asap@2.0.6", + "pkgId": "asap@2.0.6", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "promise@7.3.1", + "pkgId": "promise@7.3.1", + "deps": [ + { + "nodeId": "asap@2.0.6" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "then-fs@2.0.0", + "pkgId": "then-fs@2.0.0", + "deps": [ + { + "nodeId": "promise@7.3.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-resolve@1.0.1", + "pkgId": "snyk-resolve@1.0.1", + "deps": [ + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "then-fs@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-try-require@1.3.1", + "pkgId": "snyk-try-require@1.3.1", + "deps": [ + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "lodash.clonedeep@4.5.0" + }, + { + "nodeId": "lru-cache@4.1.5" + }, + { + "nodeId": "then-fs@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-policy@1.13.5", + "pkgId": "snyk-policy@1.13.5", + "deps": [ + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "email-validator@2.0.4" + }, + { + "nodeId": "js-yaml@3.13.1" + }, + { + "nodeId": "lodash.clonedeep@4.5.0" + }, + { + "nodeId": "semver@6.3.0" + }, + { + "nodeId": "snyk-module@1.9.1" + }, + { + "nodeId": "snyk-resolve@1.0.1" + }, + { + "nodeId": "snyk-try-require@1.3.1" + }, + { + "nodeId": "then-fs@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-python-plugin@1.13.2", + "pkgId": "snyk-python-plugin@1.13.2", + "deps": [ + { + "nodeId": "@snyk/cli-interface@2.1.0" + }, + { + "nodeId": "tmp@0.0.33" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/node@6.14.7", + "pkgId": "@types/node@6.14.7", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "@types/semver@5.5.0", + "pkgId": "@types/semver@5.5.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ansicolors@0.3.2", + "pkgId": "ansicolors@0.3.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lodash.assign@4.2.0", + "pkgId": "lodash.assign@4.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lodash.assignin@4.2.0", + "pkgId": "lodash.assignin@4.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lodash.clone@4.5.0", + "pkgId": "lodash.clone@4.5.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lodash.flatten@4.4.0", + "pkgId": "lodash.flatten@4.4.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lodash.get@4.4.2", + "pkgId": "lodash.get@4.4.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lodash.set@4.3.2", + "pkgId": "lodash.set@4.3.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "archy@1.0.0", + "pkgId": "archy@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-tree@1.0.0", + "pkgId": "snyk-tree@1.0.0", + "deps": [ + { + "nodeId": "archy@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-resolve-deps@4.4.0", + "pkgId": "snyk-resolve-deps@4.4.0", + "deps": [ + { + "nodeId": "@types/node@6.14.7" + }, + { + "nodeId": "@types/semver@5.5.0" + }, + { + "nodeId": "ansicolors@0.3.2" + }, + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "lodash.assign@4.2.0" + }, + { + "nodeId": "lodash.assignin@4.2.0" + }, + { + "nodeId": "lodash.clone@4.5.0" + }, + { + "nodeId": "lodash.flatten@4.4.0" + }, + { + "nodeId": "lodash.get@4.4.2" + }, + { + "nodeId": "lodash.set@4.3.2" + }, + { + "nodeId": "lru-cache@4.1.5" + }, + { + "nodeId": "semver@5.6.0" + }, + { + "nodeId": "snyk-module@1.9.1" + }, + { + "nodeId": "snyk-resolve@1.0.1" + }, + { + "nodeId": "snyk-tree@1.0.0" + }, + { + "nodeId": "snyk-try-require@1.3.1" + }, + { + "nodeId": "then-fs@2.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "rimraf@2.7.1", + "pkgId": "rimraf@2.7.1", + "deps": [ + { + "nodeId": "glob@7.1.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "tmp@0.1.0", + "pkgId": "tmp@0.1.0", + "deps": [ + { + "nodeId": "rimraf@2.7.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "tree-kill@1.2.1", + "pkgId": "tree-kill@1.2.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk-sbt-plugin@2.8.0", + "pkgId": "snyk-sbt-plugin@2.8.0", + "deps": [ + { + "nodeId": "semver@6.3.0" + }, + { + "nodeId": "tmp@0.1.0" + }, + { + "nodeId": "tree-kill@1.2.1" + }, + { + "nodeId": "tslib@1.10.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "temp-dir@1.0.0", + "pkgId": "temp-dir@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "tempfile@2.0.0", + "pkgId": "tempfile@2.0.0", + "deps": [ + { + "nodeId": "temp-dir@1.0.0" + }, + { + "nodeId": "uuid@3.3.3" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ansi-align@2.0.0", + "pkgId": "ansi-align@2.0.0", + "deps": [ + { + "nodeId": "string-width@2.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "camelcase@4.1.0", + "pkgId": "camelcase@4.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cli-boxes@1.0.0", + "pkgId": "cli-boxes@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "cross-spawn@5.1.0", + "pkgId": "cross-spawn@5.1.0", + "deps": [ + { + "nodeId": "lru-cache@4.1.5" + }, + { + "nodeId": "shebang-command@1.2.0" + }, + { + "nodeId": "which@1.3.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "get-stream@3.0.0", + "pkgId": "get-stream@3.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "execa@0.7.0", + "pkgId": "execa@0.7.0", + "deps": [ + { + "nodeId": "cross-spawn@5.1.0" + }, + { + "nodeId": "get-stream@3.0.0" + }, + { + "nodeId": "is-stream@1.1.0" + }, + { + "nodeId": "npm-run-path@2.0.2" + }, + { + "nodeId": "p-finally@1.0.0" + }, + { + "nodeId": "signal-exit@3.0.2" + }, + { + "nodeId": "strip-eof@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "term-size@1.2.0", + "pkgId": "term-size@1.2.0", + "deps": [ + { + "nodeId": "execa@0.7.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "widest-line@2.0.1", + "pkgId": "widest-line@2.0.1", + "deps": [ + { + "nodeId": "string-width@2.1.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "boxen@1.3.0", + "pkgId": "boxen@1.3.0", + "deps": [ + { + "nodeId": "ansi-align@2.0.0" + }, + { + "nodeId": "camelcase@4.1.0" + }, + { + "nodeId": "chalk@2.4.2" + }, + { + "nodeId": "cli-boxes@1.0.0" + }, + { + "nodeId": "string-width@2.1.1" + }, + { + "nodeId": "term-size@1.2.0" + }, + { + "nodeId": "widest-line@2.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "import-lazy@2.1.0", + "pkgId": "import-lazy@2.1.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "ci-info@1.6.0", + "pkgId": "ci-info@1.6.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-ci@1.2.1", + "pkgId": "is-ci@1.2.1", + "deps": [ + { + "nodeId": "ci-info@1.6.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "global-dirs@0.1.1", + "pkgId": "global-dirs@0.1.1", + "deps": [ + { + "nodeId": "ini@1.3.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "path-is-inside@1.0.2", + "pkgId": "path-is-inside@1.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-path-inside@1.0.1", + "pkgId": "is-path-inside@1.0.1", + "deps": [ + { + "nodeId": "path-is-inside@1.0.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-installed-globally@0.1.0", + "pkgId": "is-installed-globally@0.1.0", + "deps": [ + { + "nodeId": "global-dirs@0.1.1" + }, + { + "nodeId": "is-path-inside@1.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-npm@1.0.0", + "pkgId": "is-npm@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "capture-stack-trace@1.0.1", + "pkgId": "capture-stack-trace@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "create-error-class@3.0.2", + "pkgId": "create-error-class@3.0.2", + "deps": [ + { + "nodeId": "capture-stack-trace@1.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "duplexer3@0.1.4", + "pkgId": "duplexer3@0.1.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-redirect@1.0.0", + "pkgId": "is-redirect@1.0.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "is-retry-allowed@1.2.0", + "pkgId": "is-retry-allowed@1.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "lowercase-keys@1.0.1", + "pkgId": "lowercase-keys@1.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "timed-out@4.0.1", + "pkgId": "timed-out@4.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "unzip-response@2.0.1", + "pkgId": "unzip-response@2.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "prepend-http@1.0.4", + "pkgId": "prepend-http@1.0.4", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "url-parse-lax@1.0.0", + "pkgId": "url-parse-lax@1.0.0", + "deps": [ + { + "nodeId": "prepend-http@1.0.4" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "got@6.7.1", + "pkgId": "got@6.7.1", + "deps": [ + { + "nodeId": "create-error-class@3.0.2" + }, + { + "nodeId": "duplexer3@0.1.4" + }, + { + "nodeId": "get-stream@3.0.0" + }, + { + "nodeId": "is-redirect@1.0.0" + }, + { + "nodeId": "is-retry-allowed@1.2.0" + }, + { + "nodeId": "is-stream@1.1.0" + }, + { + "nodeId": "lowercase-keys@1.0.1" + }, + { + "nodeId": "safe-buffer@5.1.2" + }, + { + "nodeId": "timed-out@4.0.1" + }, + { + "nodeId": "unzip-response@2.0.1" + }, + { + "nodeId": "url-parse-lax@1.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "deep-extend@0.6.0", + "pkgId": "deep-extend@0.6.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "minimist@1.2.0", + "pkgId": "minimist@1.2.0", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "strip-json-comments@2.0.1", + "pkgId": "strip-json-comments@2.0.1", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "rc@1.2.8", + "pkgId": "rc@1.2.8", + "deps": [ + { + "nodeId": "deep-extend@0.6.0" + }, + { + "nodeId": "ini@1.3.5" + }, + { + "nodeId": "minimist@1.2.0" + }, + { + "nodeId": "strip-json-comments@2.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "registry-auth-token@3.4.0", + "pkgId": "registry-auth-token@3.4.0", + "deps": [ + { + "nodeId": "rc@1.2.8" + }, + { + "nodeId": "safe-buffer@5.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "registry-url@3.1.0", + "pkgId": "registry-url@3.1.0", + "deps": [ + { + "nodeId": "rc@1.2.8" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "package-json@4.0.1", + "pkgId": "package-json@4.0.1", + "deps": [ + { + "nodeId": "got@6.7.1" + }, + { + "nodeId": "registry-auth-token@3.4.0" + }, + { + "nodeId": "registry-url@3.1.0" + }, + { + "nodeId": "semver@5.6.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "latest-version@3.1.0", + "pkgId": "latest-version@3.1.0", + "deps": [ + { + "nodeId": "package-json@4.0.1" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "semver-diff@2.1.0", + "pkgId": "semver-diff@2.1.0", + "deps": [ + { + "nodeId": "semver@5.6.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "update-notifier@2.5.0", + "pkgId": "update-notifier@2.5.0", + "deps": [ + { + "nodeId": "boxen@1.3.0" + }, + { + "nodeId": "chalk@2.4.2" + }, + { + "nodeId": "configstore@3.1.2" + }, + { + "nodeId": "import-lazy@2.1.0" + }, + { + "nodeId": "is-ci@1.2.1" + }, + { + "nodeId": "is-installed-globally@0.1.0" + }, + { + "nodeId": "is-npm@1.0.0" + }, + { + "nodeId": "latest-version@3.1.0" + }, + { + "nodeId": "semver-diff@2.1.0" + }, + { + "nodeId": "xdg-basedir@3.0.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "emoji-regex@7.0.3", + "pkgId": "emoji-regex@7.0.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "string-width@3.1.0", + "pkgId": "string-width@3.1.0", + "deps": [ + { + "nodeId": "emoji-regex@7.0.3" + }, + { + "nodeId": "is-fullwidth-code-point@2.0.0" + }, + { + "nodeId": "strip-ansi@5.2.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "wrap-ansi@5.1.0", + "pkgId": "wrap-ansi@5.1.0", + "deps": [ + { + "nodeId": "ansi-styles@3.2.1" + }, + { + "nodeId": "string-width@3.1.0" + }, + { + "nodeId": "strip-ansi@5.2.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "snyk@1.228.3", + "pkgId": "snyk@1.228.3", + "deps": [ + { + "nodeId": "@snyk/dep-graph@1.12.0" + }, + { + "nodeId": "@snyk/gemfile@1.2.0" + }, + { + "nodeId": "@types/agent-base@4.2.0" + }, + { + "nodeId": "@types/restify@4.3.6" + }, + { + "nodeId": "abbrev@1.1.1" + }, + { + "nodeId": "ansi-escapes@3.2.0" + }, + { + "nodeId": "chalk@2.4.2" + }, + { + "nodeId": "configstore@3.1.2" + }, + { + "nodeId": "debug@3.2.6" + }, + { + "nodeId": "diff@4.0.1" + }, + { + "nodeId": "git-url-parse@11.1.2" + }, + { + "nodeId": "glob@7.1.3" + }, + { + "nodeId": "inquirer@6.5.2" + }, + { + "nodeId": "lodash@4.17.15" + }, + { + "nodeId": "needle@2.2.4" + }, + { + "nodeId": "opn@5.5.0" + }, + { + "nodeId": "os-name@3.1.0" + }, + { + "nodeId": "proxy-agent@3.1.0" + }, + { + "nodeId": "proxy-from-env@1.0.0" + }, + { + "nodeId": "semver@6.3.0" + }, + { + "nodeId": "snyk-config@2.2.3" + }, + { + "nodeId": "snyk-docker-plugin@1.29.1" + }, + { + "nodeId": "snyk-go-plugin@1.11.0" + }, + { + "nodeId": "snyk-gradle-plugin@3.1.0" + }, + { + "nodeId": "snyk-module@1.9.1" + }, + { + "nodeId": "snyk-mvn-plugin@2.4.0" + }, + { + "nodeId": "snyk-nodejs-lockfile-parser@1.16.0" + }, + { + "nodeId": "snyk-nuget-plugin@1.12.1" + }, + { + "nodeId": "snyk-php-plugin@1.6.4" + }, + { + "nodeId": "snyk-policy@1.13.5" + }, + { + "nodeId": "snyk-python-plugin@1.13.2" + }, + { + "nodeId": "snyk-resolve@1.0.1" + }, + { + "nodeId": "snyk-resolve-deps@4.4.0" + }, + { + "nodeId": "snyk-sbt-plugin@2.8.0" + }, + { + "nodeId": "snyk-tree@1.0.0" + }, + { + "nodeId": "snyk-try-require@1.3.1" + }, + { + "nodeId": "source-map-support@0.5.13" + }, + { + "nodeId": "strip-ansi@5.2.0" + }, + { + "nodeId": "tempfile@2.0.0" + }, + { + "nodeId": "then-fs@2.0.0" + }, + { + "nodeId": "update-notifier@2.5.0" + }, + { + "nodeId": "uuid@3.3.3" + }, + { + "nodeId": "wrap-ansi@5.1.0" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "async-cache@1.1.0", + "pkgId": "async-cache@1.1.0", + "deps": [ + { + "nodeId": "lru-cache@4.1.5" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "bl@1.2.2", + "pkgId": "bl@1.2.2", + "deps": [ + { + "nodeId": "readable-stream@2.3.6" + }, + { + "nodeId": "safe-buffer@5.1.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "fd@0.0.3", + "pkgId": "fd@0.0.3", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "st@1.2.2", + "pkgId": "st@1.2.2", + "deps": [ + { + "nodeId": "async-cache@1.1.0" + }, + { + "nodeId": "bl@1.2.2" + }, + { + "nodeId": "fd@0.0.3" + }, + { + "nodeId": "graceful-fs@4.1.15" + }, + { + "nodeId": "mime@1.4.1" + }, + { + "nodeId": "negotiator@0.6.2" + } + ], + "info": { + "labels": { + "scope": "prod" + } + } + }, + { + "nodeId": "stream-buffers@3.0.2", + "pkgId": "stream-buffers@3.0.2", + "deps": [], + "info": { + "labels": { + "scope": "prod" + } + } + } + ] + } + } +} \ No newline at end of file diff --git a/test/fixtures/projectDepGraph.json b/test/fixtures/projectDepGraph.json new file mode 100644 index 0000000..d58ef51 --- /dev/null +++ b/test/fixtures/projectDepGraph.json @@ -0,0 +1,58 @@ +{ + "depGraph": { + "schemaVersion": "1.1.0", + "pkgManager": { + "name": "npm" + }, + "pkgs": [ + { + "id": "demo-app-for-test@1.1.1", + "info": { + "name": "demo-app-for-test", + "version": "1.1.1" + } + }, + { + "id": "express@4.4.0", + "info": { + "name": "express", + "version": "4.4.0" + } + }, + { + "id": "ws@1.0.0", + "info": { + "name": "ws", + "version": "1.0.0" + } + } + ], + "graph": { + "rootNodeId": "root-node", + "nodes": [ + { + "nodeId": "root-node", + "pkgId": "demo-app-for-test@1.1.1", + "deps": [ + { + "nodeId": "express@4.4.0" + }, + { + "nodeId": "ws@1.0.0" + } + ] + }, + { + "nodeId": "express@4.4.0", + "pkgId": "express@4.4.0", + "deps": [] + }, + { + "nodeId": "ws@1.0.0", + "pkgId": "ws@1.0.0", + "deps": [] + } + ] + } + } + } \ No newline at end of file diff --git a/test/fixtures/snyk-lic-npm-goof-GPL-2-0-issue-paths.json b/test/fixtures/snyk-lic-npm-goof-GPL-2-0-issue-paths.json new file mode 100644 index 0000000..33387d8 --- /dev/null +++ b/test/fixtures/snyk-lic-npm-goof-GPL-2-0-issue-paths.json @@ -0,0 +1,8 @@ +{ + "snapshotId": "9139c6c6-66a2-4e2c-a6ff-2f697d1d0e9a", + "paths": [[{ "name": "goof", "version": "0.0.3" }]], + "total": 1, + "links": { + "last": "https://app.snyk.io/api/v1/org/f20676f4-3066-40aa-bdf6-ac28ba609ab6/project/a0e4716d-0f0d-495b-a77b-bd9ba5692e31/issue/snyk:lic:npm:goof:GPL-2.0/paths?page=1&snapshotId=9139c6c6-66a2-4e2c-a6ff-2f697d1d0e9a" + } +} diff --git a/test/fixtures/snykTest-test-goof-with-one-more-license-issue.json b/test/fixtures/snykTest-test-goof-with-one-more-license-issue.json new file mode 100644 index 0000000..f806bf0 --- /dev/null +++ b/test/fixtures/snykTest-test-goof-with-one-more-license-issue.json @@ -0,0 +1,1973 @@ +{ + "vulnerabilities": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-01-28T15:18:37.743372Z", + "credit": [ + "aaron_costello" + ], + "cvssScore": 6.3, + "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", + "disclosureTime": "2020-01-28T10:17:51Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "5.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-DOTPROP-543489", + "identifiers": { + "CVE": [ + "CVE-2020-8116" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2020-01-31T17:21:49.331710Z", + "moduleName": "dot-prop", + "packageManager": "npm", + "packageName": "dot-prop", + "patches": [], + "publicationTime": "2020-01-28T16:23:39Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/719856" + } + ], + "semver": { + "vulnerable": [ + "<5.1.1" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "configstore@3.1.2", + "dot-prop@4.2.0" + ], + "upgradePath": [ + false, + "snyk@1.290.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "dot-prop", + "version": "4.2.0" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-01-28T15:18:37.743372Z", + "credit": [ + "aaron_costello" + ], + "cvssScore": 6.3, + "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", + "disclosureTime": "2020-01-28T10:17:51Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "5.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-DOTPROP-543489", + "identifiers": { + "CVE": [ + "CVE-2020-8116" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2020-01-31T17:21:49.331710Z", + "moduleName": "dot-prop", + "packageManager": "npm", + "packageName": "dot-prop", + "patches": [], + "publicationTime": "2020-01-28T16:23:39Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/719856" + } + ], + "semver": { + "vulnerable": [ + "<5.1.1" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "configstore@3.1.2", + "dot-prop@4.2.0" + ], + "upgradePath": [ + false, + "snyk@1.290.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "dot-prop", + "version": "4.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [], + "creationTime": "2019-10-22T12:22:54.665794Z", + "credit": [ + "Roman Burunkov" + ], + "cvssScore": 9.8, + "description": "## Overview\n\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\n\nAffected versions of this package are vulnerable to Denial of Service (DoS).\nThe package does not limit file name length.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\n\nUpgrade `express-fileupload` to version 1.1.6-alpha.6 or higher.\n\n\n## References\n\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/pull/171)\n", + "disclosureTime": "2019-10-18T11:17:09Z", + "exploit": "Not Defined", + "fixedIn": [ + "1.1.6-alpha.6" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-EXPRESSFILEUPLOAD-473997", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-79" + ], + "NSP": [ + 1216 + ] + }, + "language": "js", + "modificationTime": "2019-11-20T09:48:38.528931Z", + "moduleName": "express-fileupload", + "packageManager": "npm", + "packageName": "express-fileupload", + "patches": [], + "publicationTime": "2019-10-22T15:08:40Z", + "references": [ + { + "title": "GitHub PR", + "url": "https://github.com/richardgirges/express-fileupload/pull/171" + } + ], + "semver": { + "vulnerable": [ + "<1.1.6-alpha.6" + ] + }, + "severity": "high", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "express-fileupload@0.0.5" + ], + "upgradePath": [ + false, + "express-fileupload@1.1.6" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "express-fileupload", + "version": "0.0.5" + }, + { + "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", + "alternativeIds": [], + "creationTime": "2019-09-26T10:01:07.677036Z", + "credit": [ + "Kris Adler" + ], + "cvssScore": 6.1, + "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", + "disclosureTime": "2019-09-25T08:21:57Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "2.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-HTTPSPROXYAGENT-469131", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-300" + ], + "NSP": [ + 1184 + ] + }, + "language": "js", + "modificationTime": "2019-10-23T09:58:05.142531Z", + "moduleName": "https-proxy-agent", + "packageManager": "npm", + "packageName": "https-proxy-agent", + "patches": [ + { + "comments": [], + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", + "modificationTime": "2019-12-03T11:40:45.721480Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" + ], + "version": "=2.2.1" + }, + { + "comments": [], + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", + "modificationTime": "2019-12-03T11:40:45.723464Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" + ], + "version": "=2.2.2" + } + ], + "publicationTime": "2019-10-02T08:08:11Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" + }, + { + "title": "GitHub PR", + "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/541502" + } + ], + "semver": { + "vulnerable": [ + "<2.2.3" + ] + }, + "severity": "medium", + "title": "Man-in-the-Middle (MitM)", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "proxy-agent@3.1.0", + "https-proxy-agent@2.2.2" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "proxy-agent@3.1.0", + "https-proxy-agent@2.2.3" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "https-proxy-agent", + "version": "2.2.2" + }, + { + "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", + "alternativeIds": [], + "creationTime": "2019-09-26T10:01:07.677036Z", + "credit": [ + "Kris Adler" + ], + "cvssScore": 6.1, + "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", + "disclosureTime": "2019-09-25T08:21:57Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "2.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-HTTPSPROXYAGENT-469131", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-300" + ], + "NSP": [ + 1184 + ] + }, + "language": "js", + "modificationTime": "2019-10-23T09:58:05.142531Z", + "moduleName": "https-proxy-agent", + "packageManager": "npm", + "packageName": "https-proxy-agent", + "patches": [ + { + "comments": [], + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", + "modificationTime": "2019-12-03T11:40:45.721480Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" + ], + "version": "=2.2.1" + }, + { + "comments": [], + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", + "modificationTime": "2019-12-03T11:40:45.723464Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" + ], + "version": "=2.2.2" + } + ], + "publicationTime": "2019-10-02T08:08:11Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" + }, + { + "title": "GitHub PR", + "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/541502" + } + ], + "semver": { + "vulnerable": [ + "<2.2.3" + ] + }, + "severity": "medium", + "title": "Man-in-the-Middle (MitM)", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "proxy-agent@3.1.0", + "pac-proxy-agent@3.0.0", + "https-proxy-agent@2.2.2" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "proxy-agent@3.1.0", + "pac-proxy-agent@3.0.0", + "https-proxy-agent@2.2.3" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "https-proxy-agent", + "version": "2.2.2" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "npmconf@2.1.3", + "mkdirp@0.5.1", + "minimist@0.0.8" + ], + "upgradePath": [ + false, + "npmconf@2.1.3", + "mkdirp@0.5.2", + "minimist@1.2.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "minimist", + "version": "0.0.8" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-auth-token@3.4.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-auth-token@3.4.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "alternativeIds": [], + "creationTime": "2019-12-05T10:31:49.505060Z", + "credit": [ + "mik317" + ], + "cvssScore": 7, + "description": "## Overview\n\n[tree-kill](https://www.npmjs.com/package/tree-kill) is a package to kill all processes in the process tree, including the root process.\n\n\nAffected versions of this package are vulnerable to Command Injection.\nUser input is concatenated with a `command` within `tree-kill` and `treekill` that will be executed without any check. \r\n\r\nNote: This vulnerability is only applicable if the package is used on a Windows operating system.\r\n\r\n### PoC by mik317 \r\n1) Create this POC file\r\n```\r\n//poc.js\r\nvar kill = require('tree-kill');\r\nkill('3333332 & echo \"HACKED\" > HACKED.txt & ');\r\n```\r\n\r\n2) Execute the following commands in another terminal:\r\n```\r\nnpm i tree-kill # Install affected module\r\ndir # Check *HACKED.txt* doesn't exist\r\nnode poc.js # Run the PoC\r\ndir # Now *HACKED.txt* exists :)\r\n```\r\n3) A new file called `HACKED.txt` will be created, containing the `HACKED` string\n\n## Remediation\n\nUpgrade `tree-kill` to version 1.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c)\n\n- [tree-kill HackerOne Report](https://hackerone.com/reports/701183)\n\n- [treekill HackerOne Report](https://hackerone.com/reports/703415)\n\n- [Vulnerable Code treekill](https://github.com/node-modules/treekill/blob/master/index.js#L32)\n\n- [Vulnerable Code tree-kill](https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20)\n", + "disclosureTime": "2019-12-04T19:54:11Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "1.2.2" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-TREEKILL-536781", + "identifiers": { + "CVE": [ + "CVE-2019-15598", + "CVE-2019-15599" + ], + "CWE": [ + "CWE-78" + ], + "NSP": [ + 1432, + 1433 + ] + }, + "language": "js", + "modificationTime": "2019-12-12T13:54:40.599000Z", + "moduleName": "tree-kill", + "packageManager": "npm", + "packageName": "tree-kill", + "patches": [ + { + "comments": [], + "id": "patch:SNYK-JS-TREEKILL-536781:0", + "modificationTime": "2019-12-11T11:57:51.268946Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/tree-kill/20191210/tree-kill_0_0_20191210_e5d66d1fbd4b392294512d4644ac22bdc888573c.patch" + ], + "version": ">=1.0.0" + } + ], + "publicationTime": "2019-12-05T10:51:40Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c" + }, + { + "title": "tree-kill HackerOne Report", + "url": "https://hackerone.com/reports/701183" + }, + { + "title": "treekill HackerOne Report", + "url": "https://hackerone.com/reports/703415" + }, + { + "title": "Vulnerable Code treekill", + "url": "https://github.com/node-modules/treekill/blob/master/index.js%23L32" + }, + { + "title": "Vulnerable Code tree-kill", + "url": "https://github.com/pkrumins/node-tree-kill/blob/master/index.js%23L20" + } + ], + "semver": { + "vulnerable": [ + "<1.2.2" + ] + }, + "severity": "high", + "title": "Command Injection", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "snyk-sbt-plugin@2.8.0", + "tree-kill@1.2.1" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "snyk-sbt-plugin@2.8.0", + "tree-kill@1.2.2" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "tree-kill", + "version": "1.2.1" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10218" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.3" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "id": "npm:ejs:20161128", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10218" + ], + "CVE": [ + "CVE-2017-1000228" + ], + "CWE": [ + "CWE-94" + ] + }, + "language": "js", + "modificationTime": "2019-03-05T14:14:20.921506Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [ + { + "comments": [], + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4" + } + ], + "publicationTime": "2016-11-28T18:44:12Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.3" + ] + }, + "severity": "high", + "title": "Arbitrary Code Execution", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": [ + "SNYK-JS-EJS-10225" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10225" + ], + "CVE": [ + "CVE-2017-1000188" + ], + "CWE": [ + "CWE-79" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10226" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10226" + ], + "CVE": [ + "CVE-2017-1000189" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "goof", + "version": "0.0.3" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3", + "whatever@1.0.0" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "ok": false, + "dependencyCount": 418, + "org": "playground", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 'npm:ejs:20161128':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130-1':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:hoek:20180212':\n - tap > codecov.io > request > hawk > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > sntp > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > cryptiles > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:qs:20170213':\n - tap > codecov.io > request > qs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:goof:GPL-2.0':\n - '':\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:symbol:MPL-2.0':\n - tap > nyc > yargs > pkg-conf > symbol:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n# patches apply the minimum changes required to fix a vulnerability\npatch:\n 'npm:negotiator:20160616':\n - errorhandler > accepts > negotiator:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:ms:20151024':\n - humanize-ms > ms:\n patched: '2019-09-23T21:21:17.183Z'\n 'npm:hawk:20160119':\n - tap > codecov.io > request > hawk:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:http-signature:20150122':\n - tap > codecov.io > request > http-signature:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:mime:20170907':\n - tap > codecov.io > request > form-data > mime:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:request:20160119':\n - tap > codecov.io > request:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:tunnel-agent:20170305':\n - tap > codecov.io > request > tunnel-agent:\n patched: '2019-09-23T11:31:09.532Z'\n", + "isPrivate": true, + "licensesPolicy": { + "severities": { + "AGPL-1.0": "high", + "AGPL-3.0": "high", + "CDDL-1.0": "medium", + "CPOL-1.02": "high", + "GPL-2.0": "medium", + "LGPL-2.0": "low", + "LGPL-2.1": "low", + "LGPL-2.1+": "medium", + "LGPL-3.0": "low", + "LGPL-3.0+": "medium", + "MPL-1.1": "medium", + "MPL-2.0": "medium", + "MS-RL": "medium", + "SimPL-2.0": "high" + }, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "jbvhgvg Test" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1+": { + "licenseType": "LGPL-2.1+", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "low", + "instructions": "" + }, + "LGPL-3.0+": { + "licenseType": "LGPL-3.0+", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "npm", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "15 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10218" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.3" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "id": "npm:ejs:20161128", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10218" + ], + "CVE": [ + "CVE-2017-1000228" + ], + "CWE": [ + "CWE-94" + ] + }, + "language": "js", + "modificationTime": "2019-03-05T14:14:20.921506Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [ + { + "comments": [], + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4" + } + ], + "publicationTime": "2016-11-28T18:44:12Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.3" + ] + }, + "severity": "high", + "title": "Arbitrary Code Execution", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": [ + "SNYK-JS-EJS-10225" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10225" + ], + "CVE": [ + "CVE-2017-1000188" + ], + "CWE": [ + "CWE-79" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10226" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10226" + ], + "CVE": [ + "CVE-2017-1000189" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "upgrade": { + "express-fileupload@0.0.5": { + "upgradeTo": "express-fileupload@1.1.6", + "upgrades": [ + "express-fileupload@0.0.5" + ], + "vulns": [ + "SNYK-JS-EXPRESSFILEUPLOAD-473997" + ] + }, + "snyk@1.228.3": { + "upgradeTo": "snyk@1.290.1", + "upgrades": [ + "dot-prop@4.2.0" + ], + "vulns": [ + "SNYK-JS-DOTPROP-543489" + ] + } + }, + "patch": { + "SNYK-JS-HTTPSPROXYAGENT-469131": { + "paths": [ + { + "snyk > proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + }, + { + "snyk > proxy-agent > pac-proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + }, + "SNYK-JS-TREEKILL-536781": { + "paths": [ + { + "snyk > snyk-sbt-plugin > tree-kill": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + } + }, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": true, + "filtered": { + "ignore": [], + "patch": [ + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "alternativeIds": [ + "SNYK-JS-MS-10064" + ], + "creationTime": "2015-11-06T02:09:36.187000Z", + "credit": [ + "Adam Baldwin" + ], + "cvssScore": 5.3, + "description": "## Overview\n\n[ms](https://www.npmjs.com/package/ms) is a tiny milisecond conversion utility.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nattack when converting a time period string (i.e. `\"2 days\"`, `\"1h\"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `ms` to version 0.7.1 or higher.\n\n\n## References\n\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11)\n\n- [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n\n- [Security Focus](https://www.securityfocus.com/bid/96389)\n", + "disclosureTime": "2015-10-24T20:39:59Z", + "exploit": "Not Defined", + "fixedIn": [ + "0.7.1" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "className": null, + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "id": "npm:ms:20151024", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-MS-10064" + ], + "CVE": [ + "CVE-2015-8315" + ], + "CWE": [ + "CWE-400" + ], + "NSP": [ + 46 + ] + }, + "language": "js", + "modificationTime": "2019-05-23T07:46:17.408630Z", + "moduleName": "ms", + "packageManager": "npm", + "packageName": "ms", + "patches": [ + { + "comments": [], + "id": "patch:npm:ms:20151024:0", + "modificationTime": "2019-12-03T11:40:45.772009Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch" + ], + "version": "=0.7.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:1", + "modificationTime": "2019-12-03T11:40:45.773094Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch" + ], + "version": "<0.7.0 >=0.6.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:2", + "modificationTime": "2019-12-03T11:40:45.774221Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch" + ], + "version": "<0.6.0 >0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:3", + "modificationTime": "2019-12-03T11:40:45.775292Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch" + ], + "version": "=0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:4", + "modificationTime": "2019-12-03T11:40:45.776329Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch" + ], + "version": "=0.2.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:5", + "modificationTime": "2019-12-03T11:40:45.777474Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch" + ], + "version": "=0.1.0" + } + ], + "publicationTime": "2015-11-06T02:09:36Z", + "references": [ + { + "title": "OSS security Advisory", + "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11" + }, + { + "title": "OWASP - ReDoS", + "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "title": "Security Focus", + "url": "https://www.securityfocus.com/bid/96389" + } + ], + "semver": { + "vulnerable": [ + "<0.7.1" + ] + }, + "severity": "medium", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "humanize-ms@1.0.1", + "ms@0.6.2" + ], + "upgradePath": [ + false, + "humanize-ms@1.0.2", + "ms@0.7.1" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "ms", + "version": "0.6.2", + "filtered": { + "patches": [ + { + "patched": "2019-09-23T21:21:17.183Z", + "path": [ + "humanize-ms", + "ms" + ] + } + ] + } + } + ] + }, + "uniqueCount": 10, + "projectName": "goof", + "displayTargetFile": "package-lock.json", + "path": "/home/antoine/Documents/SnykSB/goof" +} diff --git a/test/fixtures/snykTest-test-goof-with-one-more-vuln.json b/test/fixtures/snykTest-test-goof-with-one-more-vuln.json new file mode 100644 index 0000000..57eadf5 --- /dev/null +++ b/test/fixtures/snykTest-test-goof-with-one-more-vuln.json @@ -0,0 +1,2021 @@ +{ + "vulnerabilities": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "express-fileupload@0.0.5", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-01-28T15:18:37.743372Z", + "credit": [ + "aaron_costello" + ], + "cvssScore": 6.3, + "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", + "disclosureTime": "2020-01-28T10:17:51Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "5.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-DOTPROP-543489", + "identifiers": { + "CVE": [ + "CVE-2020-8116" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2020-01-31T17:21:49.331710Z", + "moduleName": "dot-prop", + "packageManager": "npm", + "packageName": "dot-prop", + "patches": [], + "publicationTime": "2020-01-28T16:23:39Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/719856" + } + ], + "semver": { + "vulnerable": [ + "<5.1.1" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "configstore@3.1.2", + "dot-prop@4.2.0" + ], + "upgradePath": [ + false, + "snyk@1.290.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "dot-prop", + "version": "4.2.0" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-01-28T15:18:37.743372Z", + "credit": [ + "aaron_costello" + ], + "cvssScore": 6.3, + "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", + "disclosureTime": "2020-01-28T10:17:51Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "5.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-DOTPROP-543489", + "identifiers": { + "CVE": [ + "CVE-2020-8116" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2020-01-31T17:21:49.331710Z", + "moduleName": "dot-prop", + "packageManager": "npm", + "packageName": "dot-prop", + "patches": [], + "publicationTime": "2020-01-28T16:23:39Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/719856" + } + ], + "semver": { + "vulnerable": [ + "<5.1.1" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "configstore@3.1.2", + "dot-prop@4.2.0" + ], + "upgradePath": [ + false, + "snyk@1.290.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "dot-prop", + "version": "4.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [], + "creationTime": "2019-10-22T12:22:54.665794Z", + "credit": [ + "Roman Burunkov" + ], + "cvssScore": 9.8, + "description": "## Overview\n\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\n\nAffected versions of this package are vulnerable to Denial of Service (DoS).\nThe package does not limit file name length.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\n\nUpgrade `express-fileupload` to version 1.1.6-alpha.6 or higher.\n\n\n## References\n\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/pull/171)\n", + "disclosureTime": "2019-10-18T11:17:09Z", + "exploit": "Not Defined", + "fixedIn": [ + "1.1.6-alpha.6" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-EXPRESSFILEUPLOAD-473997", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-79" + ], + "NSP": [ + 1216 + ] + }, + "language": "js", + "modificationTime": "2019-11-20T09:48:38.528931Z", + "moduleName": "express-fileupload", + "packageManager": "npm", + "packageName": "express-fileupload", + "patches": [], + "publicationTime": "2019-10-22T15:08:40Z", + "references": [ + { + "title": "GitHub PR", + "url": "https://github.com/richardgirges/express-fileupload/pull/171" + } + ], + "semver": { + "vulnerable": [ + "<1.1.6-alpha.6" + ] + }, + "severity": "high", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "express-fileupload@0.0.5" + ], + "upgradePath": [ + false, + "express-fileupload@1.1.6" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "express-fileupload", + "version": "0.0.5" + }, + { + "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", + "alternativeIds": [], + "creationTime": "2019-09-26T10:01:07.677036Z", + "credit": [ + "Kris Adler" + ], + "cvssScore": 6.1, + "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", + "disclosureTime": "2019-09-25T08:21:57Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "2.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-HTTPSPROXYAGENT-469131", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-300" + ], + "NSP": [ + 1184 + ] + }, + "language": "js", + "modificationTime": "2019-10-23T09:58:05.142531Z", + "moduleName": "https-proxy-agent", + "packageManager": "npm", + "packageName": "https-proxy-agent", + "patches": [ + { + "comments": [], + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", + "modificationTime": "2019-12-03T11:40:45.721480Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" + ], + "version": "=2.2.1" + }, + { + "comments": [], + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", + "modificationTime": "2019-12-03T11:40:45.723464Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" + ], + "version": "=2.2.2" + } + ], + "publicationTime": "2019-10-02T08:08:11Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" + }, + { + "title": "GitHub PR", + "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/541502" + } + ], + "semver": { + "vulnerable": [ + "<2.2.3" + ] + }, + "severity": "medium", + "title": "Man-in-the-Middle (MitM)", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "proxy-agent@3.1.0", + "https-proxy-agent@2.2.2" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "proxy-agent@3.1.0", + "https-proxy-agent@2.2.3" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "https-proxy-agent", + "version": "2.2.2" + }, + { + "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", + "alternativeIds": [], + "creationTime": "2019-09-26T10:01:07.677036Z", + "credit": [ + "Kris Adler" + ], + "cvssScore": 6.1, + "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", + "disclosureTime": "2019-09-25T08:21:57Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "2.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-HTTPSPROXYAGENT-469131", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-300" + ], + "NSP": [ + 1184 + ] + }, + "language": "js", + "modificationTime": "2019-10-23T09:58:05.142531Z", + "moduleName": "https-proxy-agent", + "packageManager": "npm", + "packageName": "https-proxy-agent", + "patches": [ + { + "comments": [], + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", + "modificationTime": "2019-12-03T11:40:45.721480Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" + ], + "version": "=2.2.1" + }, + { + "comments": [], + "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", + "modificationTime": "2019-12-03T11:40:45.723464Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" + ], + "version": "=2.2.2" + } + ], + "publicationTime": "2019-10-02T08:08:11Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" + }, + { + "title": "GitHub PR", + "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/541502" + } + ], + "semver": { + "vulnerable": [ + "<2.2.3" + ] + }, + "severity": "medium", + "title": "Man-in-the-Middle (MitM)", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "proxy-agent@3.1.0", + "pac-proxy-agent@3.0.0", + "https-proxy-agent@2.2.2" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "proxy-agent@3.1.0", + "pac-proxy-agent@3.0.0", + "https-proxy-agent@2.2.3" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "https-proxy-agent", + "version": "2.2.2" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "npmconf@2.1.3", + "mkdirp@0.5.1", + "minimist@0.0.8" + ], + "upgradePath": [ + false, + "npmconf@2.1.3", + "mkdirp@0.5.2", + "minimist@1.2.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "minimist", + "version": "0.0.8" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-auth-token@3.4.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-auth-token@3.4.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", + "alternativeIds": [], + "creationTime": "2019-12-05T10:31:49.505060Z", + "credit": [ + "mik317" + ], + "cvssScore": 7, + "description": "## Overview\n\n[tree-kill](https://www.npmjs.com/package/tree-kill) is a package to kill all processes in the process tree, including the root process.\n\n\nAffected versions of this package are vulnerable to Command Injection.\nUser input is concatenated with a `command` within `tree-kill` and `treekill` that will be executed without any check. \r\n\r\nNote: This vulnerability is only applicable if the package is used on a Windows operating system.\r\n\r\n### PoC by mik317 \r\n1) Create this POC file\r\n```\r\n//poc.js\r\nvar kill = require('tree-kill');\r\nkill('3333332 & echo \"HACKED\" > HACKED.txt & ');\r\n```\r\n\r\n2) Execute the following commands in another terminal:\r\n```\r\nnpm i tree-kill # Install affected module\r\ndir # Check *HACKED.txt* doesn't exist\r\nnode poc.js # Run the PoC\r\ndir # Now *HACKED.txt* exists :)\r\n```\r\n3) A new file called `HACKED.txt` will be created, containing the `HACKED` string\n\n## Remediation\n\nUpgrade `tree-kill` to version 1.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c)\n\n- [tree-kill HackerOne Report](https://hackerone.com/reports/701183)\n\n- [treekill HackerOne Report](https://hackerone.com/reports/703415)\n\n- [Vulnerable Code treekill](https://github.com/node-modules/treekill/blob/master/index.js#L32)\n\n- [Vulnerable Code tree-kill](https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20)\n", + "disclosureTime": "2019-12-04T19:54:11Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "1.2.2" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-TREEKILL-536781", + "identifiers": { + "CVE": [ + "CVE-2019-15598", + "CVE-2019-15599" + ], + "CWE": [ + "CWE-78" + ], + "NSP": [ + 1432, + 1433 + ] + }, + "language": "js", + "modificationTime": "2019-12-12T13:54:40.599000Z", + "moduleName": "tree-kill", + "packageManager": "npm", + "packageName": "tree-kill", + "patches": [ + { + "comments": [], + "id": "patch:SNYK-JS-TREEKILL-536781:0", + "modificationTime": "2019-12-11T11:57:51.268946Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/tree-kill/20191210/tree-kill_0_0_20191210_e5d66d1fbd4b392294512d4644ac22bdc888573c.patch" + ], + "version": ">=1.0.0" + } + ], + "publicationTime": "2019-12-05T10:51:40Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c" + }, + { + "title": "tree-kill HackerOne Report", + "url": "https://hackerone.com/reports/701183" + }, + { + "title": "treekill HackerOne Report", + "url": "https://hackerone.com/reports/703415" + }, + { + "title": "Vulnerable Code treekill", + "url": "https://github.com/node-modules/treekill/blob/master/index.js%23L32" + }, + { + "title": "Vulnerable Code tree-kill", + "url": "https://github.com/pkrumins/node-tree-kill/blob/master/index.js%23L20" + } + ], + "semver": { + "vulnerable": [ + "<1.2.2" + ] + }, + "severity": "high", + "title": "Command Injection", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "snyk-sbt-plugin@2.8.0", + "tree-kill@1.2.1" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "snyk-sbt-plugin@2.8.0", + "tree-kill@1.2.2" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "tree-kill", + "version": "1.2.1" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10218" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.3" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "id": "npm:ejs:20161128", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10218" + ], + "CVE": [ + "CVE-2017-1000228" + ], + "CWE": [ + "CWE-94" + ] + }, + "language": "js", + "modificationTime": "2019-03-05T14:14:20.921506Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [ + { + "comments": [], + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4" + } + ], + "publicationTime": "2016-11-28T18:44:12Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.3" + ] + }, + "severity": "high", + "title": "Arbitrary Code Execution", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": [ + "SNYK-JS-EJS-10225" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10225" + ], + "CVE": [ + "CVE-2017-1000188" + ], + "CWE": [ + "CWE-79" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10226" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10226" + ], + "CVE": [ + "CVE-2017-1000189" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "ok": false, + "dependencyCount": 418, + "org": "playground", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 'npm:ejs:20161128':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130-1':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:hoek:20180212':\n - tap > codecov.io > request > hawk > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > sntp > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > cryptiles > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:qs:20170213':\n - tap > codecov.io > request > qs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:goof:GPL-2.0':\n - '':\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:symbol:MPL-2.0':\n - tap > nyc > yargs > pkg-conf > symbol:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n# patches apply the minimum changes required to fix a vulnerability\npatch:\n 'npm:negotiator:20160616':\n - errorhandler > accepts > negotiator:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:ms:20151024':\n - humanize-ms > ms:\n patched: '2019-09-23T21:21:17.183Z'\n 'npm:hawk:20160119':\n - tap > codecov.io > request > hawk:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:http-signature:20150122':\n - tap > codecov.io > request > http-signature:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:mime:20170907':\n - tap > codecov.io > request > form-data > mime:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:request:20160119':\n - tap > codecov.io > request:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:tunnel-agent:20170305':\n - tap > codecov.io > request > tunnel-agent:\n patched: '2019-09-23T11:31:09.532Z'\n", + "isPrivate": true, + "licensesPolicy": { + "severities": { + "AGPL-1.0": "high", + "AGPL-3.0": "high", + "CDDL-1.0": "medium", + "CPOL-1.02": "high", + "GPL-2.0": "medium", + "LGPL-2.0": "low", + "LGPL-2.1": "low", + "LGPL-2.1+": "medium", + "LGPL-3.0": "low", + "LGPL-3.0+": "medium", + "MPL-1.1": "medium", + "MPL-2.0": "medium", + "MS-RL": "medium", + "SimPL-2.0": "high" + }, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "jbvhgvg Test" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1+": { + "licenseType": "LGPL-2.1+", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "low", + "instructions": "" + }, + "LGPL-3.0+": { + "licenseType": "LGPL-3.0+", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "npm", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "15 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10218" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.3" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "id": "npm:ejs:20161128", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10218" + ], + "CVE": [ + "CVE-2017-1000228" + ], + "CWE": [ + "CWE-94" + ] + }, + "language": "js", + "modificationTime": "2019-03-05T14:14:20.921506Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [ + { + "comments": [], + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4" + } + ], + "publicationTime": "2016-11-28T18:44:12Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.3" + ] + }, + "severity": "high", + "title": "Arbitrary Code Execution", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": [ + "SNYK-JS-EJS-10225" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10225" + ], + "CVE": [ + "CVE-2017-1000188" + ], + "CWE": [ + "CWE-79" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10226" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10226" + ], + "CVE": [ + "CVE-2017-1000189" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "upgrade": { + "express-fileupload@0.0.5": { + "upgradeTo": "express-fileupload@1.1.6", + "upgrades": [ + "express-fileupload@0.0.5" + ], + "vulns": [ + "SNYK-JS-EXPRESSFILEUPLOAD-473997" + ] + }, + "snyk@1.228.3": { + "upgradeTo": "snyk@1.290.1", + "upgrades": [ + "dot-prop@4.2.0" + ], + "vulns": [ + "SNYK-JS-DOTPROP-543489" + ] + } + }, + "patch": { + "SNYK-JS-HTTPSPROXYAGENT-469131": { + "paths": [ + { + "snyk > proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + }, + { + "snyk > proxy-agent > pac-proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + }, + "SNYK-JS-TREEKILL-536781": { + "paths": [ + { + "snyk > snyk-sbt-plugin > tree-kill": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + } + }, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": true, + "filtered": { + "ignore": [], + "patch": [ + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "alternativeIds": [ + "SNYK-JS-MS-10064" + ], + "creationTime": "2015-11-06T02:09:36.187000Z", + "credit": [ + "Adam Baldwin" + ], + "cvssScore": 5.3, + "description": "## Overview\n\n[ms](https://www.npmjs.com/package/ms) is a tiny milisecond conversion utility.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nattack when converting a time period string (i.e. `\"2 days\"`, `\"1h\"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `ms` to version 0.7.1 or higher.\n\n\n## References\n\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11)\n\n- [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n\n- [Security Focus](https://www.securityfocus.com/bid/96389)\n", + "disclosureTime": "2015-10-24T20:39:59Z", + "exploit": "Not Defined", + "fixedIn": [ + "0.7.1" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "className": null, + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "id": "npm:ms:20151024", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-MS-10064" + ], + "CVE": [ + "CVE-2015-8315" + ], + "CWE": [ + "CWE-400" + ], + "NSP": [ + 46 + ] + }, + "language": "js", + "modificationTime": "2019-05-23T07:46:17.408630Z", + "moduleName": "ms", + "packageManager": "npm", + "packageName": "ms", + "patches": [ + { + "comments": [], + "id": "patch:npm:ms:20151024:0", + "modificationTime": "2019-12-03T11:40:45.772009Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch" + ], + "version": "=0.7.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:1", + "modificationTime": "2019-12-03T11:40:45.773094Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch" + ], + "version": "<0.7.0 >=0.6.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:2", + "modificationTime": "2019-12-03T11:40:45.774221Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch" + ], + "version": "<0.6.0 >0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:3", + "modificationTime": "2019-12-03T11:40:45.775292Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch" + ], + "version": "=0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:4", + "modificationTime": "2019-12-03T11:40:45.776329Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch" + ], + "version": "=0.2.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:5", + "modificationTime": "2019-12-03T11:40:45.777474Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch" + ], + "version": "=0.1.0" + } + ], + "publicationTime": "2015-11-06T02:09:36Z", + "references": [ + { + "title": "OSS security Advisory", + "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11" + }, + { + "title": "OWASP - ReDoS", + "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "title": "Security Focus", + "url": "https://www.securityfocus.com/bid/96389" + } + ], + "semver": { + "vulnerable": [ + "<0.7.1" + ] + }, + "severity": "medium", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "humanize-ms@1.0.1", + "ms@0.6.2" + ], + "upgradePath": [ + false, + "humanize-ms@1.0.2", + "ms@0.7.1" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "ms", + "version": "0.6.2", + "filtered": { + "patches": [ + { + "patched": "2019-09-23T21:21:17.183Z", + "path": [ + "humanize-ms", + "ms" + ] + } + ] + } + } + ] + }, + "uniqueCount": 10, + "projectName": "goof", + "displayTargetFile": "package-lock.json", + "path": "/home/antoine/Documents/SnykSB/goof" +} diff --git a/test/fixtures/snykTestOutput/test-goof-one-vuln.json b/test/fixtures/snykTestOutput/test-goof-one-vuln.json new file mode 100644 index 0000000..8c0562b --- /dev/null +++ b/test/fixtures/snykTestOutput/test-goof-one-vuln.json @@ -0,0 +1,908 @@ +{ + "vulnerabilities": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "acorn", + "version": "5.7.3" + } + ], + "ok": false, + "dependencyCount": 1, + "org": "playground", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 'npm:ejs:20161128':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130-1':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:hoek:20180212':\n - tap > codecov.io > request > hawk > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > sntp > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > cryptiles > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:qs:20170213':\n - tap > codecov.io > request > qs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:goof:GPL-2.0':\n - '':\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:symbol:MPL-2.0':\n - tap > nyc > yargs > pkg-conf > symbol:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n# patches apply the minimum changes required to fix a vulnerability\npatch:\n 'npm:negotiator:20160616':\n - errorhandler > accepts > negotiator:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:ms:20151024':\n - humanize-ms > ms:\n patched: '2019-09-23T21:21:17.183Z'\n 'npm:hawk:20160119':\n - tap > codecov.io > request > hawk:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:http-signature:20150122':\n - tap > codecov.io > request > http-signature:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:mime:20170907':\n - tap > codecov.io > request > form-data > mime:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:request:20160119':\n - tap > codecov.io > request:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:tunnel-agent:20170305':\n - tap > codecov.io > request > tunnel-agent:\n patched: '2019-09-23T11:31:09.532Z'\n", + "isPrivate": true, + "licensesPolicy": { + "severities": { + "AGPL-1.0": "high", + "AGPL-3.0": "high", + "CDDL-1.0": "medium", + "CPOL-1.02": "high", + "GPL-2.0": "medium", + "LGPL-2.0": "low", + "LGPL-2.1": "low", + "LGPL-2.1+": "medium", + "LGPL-3.0": "low", + "LGPL-3.0+": "medium", + "MPL-1.1": "medium", + "MPL-2.0": "medium", + "MS-RL": "medium", + "SimPL-2.0": "high" + }, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "jbvhgvg Test" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1+": { + "licenseType": "LGPL-2.1+", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "low", + "instructions": "" + }, + "LGPL-3.0+": { + "licenseType": "LGPL-3.0+", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "npm", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "15 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10218" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.3" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "id": "npm:ejs:20161128", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10218" + ], + "CVE": [ + "CVE-2017-1000228" + ], + "CWE": [ + "CWE-94" + ] + }, + "language": "js", + "modificationTime": "2019-03-05T14:14:20.921506Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [ + { + "comments": [], + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4" + } + ], + "publicationTime": "2016-11-28T18:44:12Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.3" + ] + }, + "severity": "high", + "title": "Arbitrary Code Execution", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": [ + "SNYK-JS-EJS-10225" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10225" + ], + "CVE": [ + "CVE-2017-1000188" + ], + "CWE": [ + "CWE-79" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10226" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10226" + ], + "CVE": [ + "CVE-2017-1000189" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "upgrade": { + "express-fileupload@0.0.5": { + "upgradeTo": "express-fileupload@1.1.6", + "upgrades": [ + "express-fileupload@0.0.5" + ], + "vulns": [ + "SNYK-JS-EXPRESSFILEUPLOAD-473997" + ] + }, + "snyk@1.228.3": { + "upgradeTo": "snyk@1.290.1", + "upgrades": [ + "dot-prop@4.2.0" + ], + "vulns": [ + "SNYK-JS-DOTPROP-543489" + ] + } + }, + "patch": { + "SNYK-JS-HTTPSPROXYAGENT-469131": { + "paths": [ + { + "snyk > proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + }, + { + "snyk > proxy-agent > pac-proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + }, + "SNYK-JS-TREEKILL-536781": { + "paths": [ + { + "snyk > snyk-sbt-plugin > tree-kill": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + } + }, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": true, + "filtered": { + "ignore": [], + "patch": [ + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "alternativeIds": [ + "SNYK-JS-MS-10064" + ], + "creationTime": "2015-11-06T02:09:36.187000Z", + "credit": [ + "Adam Baldwin" + ], + "cvssScore": 5.3, + "description": "## Overview\n\n[ms](https://www.npmjs.com/package/ms) is a tiny milisecond conversion utility.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nattack when converting a time period string (i.e. `\"2 days\"`, `\"1h\"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `ms` to version 0.7.1 or higher.\n\n\n## References\n\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11)\n\n- [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n\n- [Security Focus](https://www.securityfocus.com/bid/96389)\n", + "disclosureTime": "2015-10-24T20:39:59Z", + "exploit": "Not Defined", + "fixedIn": [ + "0.7.1" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "className": null, + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "id": "npm:ms:20151024", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-MS-10064" + ], + "CVE": [ + "CVE-2015-8315" + ], + "CWE": [ + "CWE-400" + ], + "NSP": [ + 46 + ] + }, + "language": "js", + "modificationTime": "2019-05-23T07:46:17.408630Z", + "moduleName": "ms", + "packageManager": "npm", + "packageName": "ms", + "patches": [ + { + "comments": [], + "id": "patch:npm:ms:20151024:0", + "modificationTime": "2019-12-03T11:40:45.772009Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch" + ], + "version": "=0.7.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:1", + "modificationTime": "2019-12-03T11:40:45.773094Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch" + ], + "version": "<0.7.0 >=0.6.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:2", + "modificationTime": "2019-12-03T11:40:45.774221Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch" + ], + "version": "<0.6.0 >0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:3", + "modificationTime": "2019-12-03T11:40:45.775292Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch" + ], + "version": "=0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:4", + "modificationTime": "2019-12-03T11:40:45.776329Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch" + ], + "version": "=0.2.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:5", + "modificationTime": "2019-12-03T11:40:45.777474Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch" + ], + "version": "=0.1.0" + } + ], + "publicationTime": "2015-11-06T02:09:36Z", + "references": [ + { + "title": "OSS security Advisory", + "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11" + }, + { + "title": "OWASP - ReDoS", + "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "title": "Security Focus", + "url": "https://www.securityfocus.com/bid/96389" + } + ], + "semver": { + "vulnerable": [ + "<0.7.1" + ] + }, + "severity": "medium", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "humanize-ms@1.0.1", + "ms@0.6.2" + ], + "upgradePath": [ + false, + "humanize-ms@1.0.2", + "ms@0.7.1" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "ms", + "version": "0.6.2", + "filtered": { + "patches": [ + { + "patched": "2019-09-23T21:21:17.183Z", + "path": [ + "humanize-ms", + "ms" + ] + } + ] + } + } + ] + }, + "uniqueCount": 10, + "projectName": "goof", + "displayTargetFile": "package-lock.json", + "path": "/home/antoine/Documents/SnykSB/goof" +} diff --git a/test/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json b/test/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json new file mode 100644 index 0000000..3b3df77 --- /dev/null +++ b/test/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json @@ -0,0 +1,1024 @@ +{ + "vulnerabilities": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-01-28T15:18:37.743372Z", + "credit": [ + "aaron_costello" + ], + "cvssScore": 6.3, + "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", + "disclosureTime": "2020-01-28T10:17:51Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "5.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-DOTPROP-543489", + "identifiers": { + "CVE": [ + "CVE-2020-8116" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2020-01-31T17:21:49.331710Z", + "moduleName": "dot-prop", + "packageManager": "npm", + "packageName": "dot-prop", + "patches": [], + "publicationTime": "2020-01-28T16:23:39Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/719856" + } + ], + "semver": { + "vulnerable": [ + "<5.1.1" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "configstore@3.1.2", + "dot-prop@4.2.0" + ], + "upgradePath": [ + false, + "snyk@1.290.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "dot-prop", + "version": "4.2.0" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "goof", + "version": "0.0.3" + }, + { + "license": "Artistic-2.0", + "semver": { + "vulnerable": [">=1.3.6"] + }, + "id": "snyk:lic:npm:npm:Artistic-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "npm", + "title": "Artistic-2.0 license", + "description": "Artistic-2.0 license", + "publicationTime": "2021-04-04T06:00:13.541Z", + "creationTime": "2021-04-04T06:00:13.541Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Artistic-2.0.txt", + "severity": "medium", + "from": ["goof@1.0.1", "npm@7.12.0"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "npm", + "version": "7.12.0" + } + ], + "ok": false, + "dependencyCount": 1, + "org": "playground", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 'npm:ejs:20161128':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130-1':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:hoek:20180212':\n - tap > codecov.io > request > hawk > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > sntp > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > cryptiles > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:qs:20170213':\n - tap > codecov.io > request > qs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:goof:GPL-2.0':\n - '':\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:symbol:MPL-2.0':\n - tap > nyc > yargs > pkg-conf > symbol:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n# patches apply the minimum changes required to fix a vulnerability\npatch:\n 'npm:negotiator:20160616':\n - errorhandler > accepts > negotiator:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:ms:20151024':\n - humanize-ms > ms:\n patched: '2019-09-23T21:21:17.183Z'\n 'npm:hawk:20160119':\n - tap > codecov.io > request > hawk:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:http-signature:20150122':\n - tap > codecov.io > request > http-signature:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:mime:20170907':\n - tap > codecov.io > request > form-data > mime:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:request:20160119':\n - tap > codecov.io > request:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:tunnel-agent:20170305':\n - tap > codecov.io > request > tunnel-agent:\n patched: '2019-09-23T11:31:09.532Z'\n", + "isPrivate": true, + "licensesPolicy": { + "severities": { + "AGPL-1.0": "high", + "AGPL-3.0": "high", + "CDDL-1.0": "medium", + "CPOL-1.02": "high", + "GPL-2.0": "medium", + "LGPL-2.0": "low", + "LGPL-2.1": "low", + "LGPL-2.1+": "medium", + "LGPL-3.0": "low", + "LGPL-3.0+": "medium", + "MPL-1.1": "medium", + "MPL-2.0": "medium", + "MS-RL": "medium", + "SimPL-2.0": "high" + }, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "jbvhgvg Test" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1+": { + "licenseType": "LGPL-2.1+", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "low", + "instructions": "" + }, + "LGPL-3.0+": { + "licenseType": "LGPL-3.0+", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "npm", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "15 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10218" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.3" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "id": "npm:ejs:20161128", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10218" + ], + "CVE": [ + "CVE-2017-1000228" + ], + "CWE": [ + "CWE-94" + ] + }, + "language": "js", + "modificationTime": "2019-03-05T14:14:20.921506Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [ + { + "comments": [], + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4" + } + ], + "publicationTime": "2016-11-28T18:44:12Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.3" + ] + }, + "severity": "high", + "title": "Arbitrary Code Execution", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": [ + "SNYK-JS-EJS-10225" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10225" + ], + "CVE": [ + "CVE-2017-1000188" + ], + "CWE": [ + "CWE-79" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10226" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10226" + ], + "CVE": [ + "CVE-2017-1000189" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "upgrade": { + "express-fileupload@0.0.5": { + "upgradeTo": "express-fileupload@1.1.6", + "upgrades": [ + "express-fileupload@0.0.5" + ], + "vulns": [ + "SNYK-JS-EXPRESSFILEUPLOAD-473997" + ] + }, + "snyk@1.228.3": { + "upgradeTo": "snyk@1.290.1", + "upgrades": [ + "dot-prop@4.2.0" + ], + "vulns": [ + "SNYK-JS-DOTPROP-543489" + ] + } + }, + "patch": { + "SNYK-JS-HTTPSPROXYAGENT-469131": { + "paths": [ + { + "snyk > proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + }, + { + "snyk > proxy-agent > pac-proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + }, + "SNYK-JS-TREEKILL-536781": { + "paths": [ + { + "snyk > snyk-sbt-plugin > tree-kill": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + } + }, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": true, + "filtered": { + "ignore": [], + "patch": [ + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "alternativeIds": [ + "SNYK-JS-MS-10064" + ], + "creationTime": "2015-11-06T02:09:36.187000Z", + "credit": [ + "Adam Baldwin" + ], + "cvssScore": 5.3, + "description": "## Overview\n\n[ms](https://www.npmjs.com/package/ms) is a tiny milisecond conversion utility.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nattack when converting a time period string (i.e. `\"2 days\"`, `\"1h\"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `ms` to version 0.7.1 or higher.\n\n\n## References\n\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11)\n\n- [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n\n- [Security Focus](https://www.securityfocus.com/bid/96389)\n", + "disclosureTime": "2015-10-24T20:39:59Z", + "exploit": "Not Defined", + "fixedIn": [ + "0.7.1" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "className": null, + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "id": "npm:ms:20151024", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-MS-10064" + ], + "CVE": [ + "CVE-2015-8315" + ], + "CWE": [ + "CWE-400" + ], + "NSP": [ + 46 + ] + }, + "language": "js", + "modificationTime": "2019-05-23T07:46:17.408630Z", + "moduleName": "ms", + "packageManager": "npm", + "packageName": "ms", + "patches": [ + { + "comments": [], + "id": "patch:npm:ms:20151024:0", + "modificationTime": "2019-12-03T11:40:45.772009Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch" + ], + "version": "=0.7.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:1", + "modificationTime": "2019-12-03T11:40:45.773094Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch" + ], + "version": "<0.7.0 >=0.6.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:2", + "modificationTime": "2019-12-03T11:40:45.774221Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch" + ], + "version": "<0.6.0 >0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:3", + "modificationTime": "2019-12-03T11:40:45.775292Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch" + ], + "version": "=0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:4", + "modificationTime": "2019-12-03T11:40:45.776329Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch" + ], + "version": "=0.2.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:5", + "modificationTime": "2019-12-03T11:40:45.777474Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch" + ], + "version": "=0.1.0" + } + ], + "publicationTime": "2015-11-06T02:09:36Z", + "references": [ + { + "title": "OSS security Advisory", + "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11" + }, + { + "title": "OWASP - ReDoS", + "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "title": "Security Focus", + "url": "https://www.securityfocus.com/bid/96389" + } + ], + "semver": { + "vulnerable": [ + "<0.7.1" + ] + }, + "severity": "medium", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "humanize-ms@1.0.1", + "ms@0.6.2" + ], + "upgradePath": [ + false, + "humanize-ms@1.0.2", + "ms@0.7.1" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "ms", + "version": "0.6.2", + "filtered": { + "patches": [ + { + "patched": "2019-09-23T21:21:17.183Z", + "path": [ + "humanize-ms", + "ms" + ] + } + ] + } + } + ] + }, + "uniqueCount": 10, + "projectName": "goof", + "displayTargetFile": "package-lock.json", + "path": "/home/antoine/Documents/SnykSB/goof" +} diff --git a/test/fixtures/snykTestOutput/test-goof-two-vuln.json b/test/fixtures/snykTestOutput/test-goof-two-vuln.json new file mode 100644 index 0000000..52ba0e1 --- /dev/null +++ b/test/fixtures/snykTestOutput/test-goof-two-vuln.json @@ -0,0 +1,972 @@ +{ + "vulnerabilities": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-01-28T15:18:37.743372Z", + "credit": [ + "aaron_costello" + ], + "cvssScore": 6.3, + "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", + "disclosureTime": "2020-01-28T10:17:51Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "5.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-DOTPROP-543489", + "identifiers": { + "CVE": [ + "CVE-2020-8116" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2020-01-31T17:21:49.331710Z", + "moduleName": "dot-prop", + "packageManager": "npm", + "packageName": "dot-prop", + "patches": [], + "publicationTime": "2020-01-28T16:23:39Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" + }, + { + "title": "HackerOne Report", + "url": "https://hackerone.com/reports/719856" + } + ], + "semver": { + "vulnerable": [ + "<5.1.1" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "configstore@3.1.2", + "dot-prop@4.2.0" + ], + "upgradePath": [ + false, + "snyk@1.290.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "dot-prop", + "version": "4.2.0" + } + ], + "ok": false, + "dependencyCount": 1, + "org": "playground", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 'npm:ejs:20161128':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130-1':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:hoek:20180212':\n - tap > codecov.io > request > hawk > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > sntp > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > cryptiles > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:qs:20170213':\n - tap > codecov.io > request > qs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:goof:GPL-2.0':\n - '':\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:symbol:MPL-2.0':\n - tap > nyc > yargs > pkg-conf > symbol:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n# patches apply the minimum changes required to fix a vulnerability\npatch:\n 'npm:negotiator:20160616':\n - errorhandler > accepts > negotiator:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:ms:20151024':\n - humanize-ms > ms:\n patched: '2019-09-23T21:21:17.183Z'\n 'npm:hawk:20160119':\n - tap > codecov.io > request > hawk:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:http-signature:20150122':\n - tap > codecov.io > request > http-signature:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:mime:20170907':\n - tap > codecov.io > request > form-data > mime:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:request:20160119':\n - tap > codecov.io > request:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:tunnel-agent:20170305':\n - tap > codecov.io > request > tunnel-agent:\n patched: '2019-09-23T11:31:09.532Z'\n", + "isPrivate": true, + "licensesPolicy": { + "severities": { + "AGPL-1.0": "high", + "AGPL-3.0": "high", + "CDDL-1.0": "medium", + "CPOL-1.02": "high", + "GPL-2.0": "medium", + "LGPL-2.0": "low", + "LGPL-2.1": "low", + "LGPL-2.1+": "medium", + "LGPL-3.0": "low", + "LGPL-3.0+": "medium", + "MPL-1.1": "medium", + "MPL-2.0": "medium", + "MS-RL": "medium", + "SimPL-2.0": "high" + }, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "jbvhgvg Test" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1+": { + "licenseType": "LGPL-2.1+", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "low", + "instructions": "" + }, + "LGPL-3.0+": { + "licenseType": "LGPL-3.0+", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "npm", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "15 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": [ + "Peter van der Zee" + ], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": [ + "5.7.4", + "6.4.1", + "7.1.1" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-6chw-6frg-f759" + ], + "NSP": [ + 1488 + ] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [ + ">=5.5.0 <5.7.4", + ">=6.0.0 <6.4.1", + ">=7.0.0 <7.1.1" + ] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": [ + "Snyk Security Team" + ], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": [ + "0.2.1", + "1.2.3" + ], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": [ + "CVE-2020-7598" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vh95-rmgr-6w4m" + ], + "NSP": [ + 1179 + ] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": [ + "<0.2.1", + ">=1.0.0 <1.2.3" + ] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10218" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.3" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": [ + "<2.2.1" + ] + }, + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [ + ">=2.2.1 <2.5.3" + ] + } + ], + "id": "npm:ejs:20161128", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10218" + ], + "CVE": [ + "CVE-2017-1000228" + ], + "CWE": [ + "CWE-94" + ] + }, + "language": "js", + "modificationTime": "2019-03-05T14:14:20.921506Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [ + { + "comments": [], + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4" + } + ], + "publicationTime": "2016-11-28T18:44:12Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.3" + ] + }, + "severity": "high", + "title": "Arbitrary Code Execution", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": [ + "SNYK-JS-EJS-10225" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10225" + ], + "CVE": [ + "CVE-2017-1000188" + ], + "CWE": [ + "CWE-79" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [ + "SNYK-JS-EJS-10226" + ], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": [ + "Snyk Security Research Team" + ], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": [ + "2.5.5" + ], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-EJS-10226" + ], + "CVE": [ + "CVE-2017-1000189" + ], + "CWE": [ + "CWE-400" + ] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": [ + "<2.5.5" + ] + }, + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": [ + "goof@0.0.3", + "ejs-locals@1.0.2", + "ejs@0.8.8" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [ + ">=0" + ] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": [ + "goof@0.0.3" + ], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "upgrade": { + "express-fileupload@0.0.5": { + "upgradeTo": "express-fileupload@1.1.6", + "upgrades": [ + "express-fileupload@0.0.5" + ], + "vulns": [ + "SNYK-JS-EXPRESSFILEUPLOAD-473997" + ] + }, + "snyk@1.228.3": { + "upgradeTo": "snyk@1.290.1", + "upgrades": [ + "dot-prop@4.2.0" + ], + "vulns": [ + "SNYK-JS-DOTPROP-543489" + ] + } + }, + "patch": { + "SNYK-JS-HTTPSPROXYAGENT-469131": { + "paths": [ + { + "snyk > proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + }, + { + "snyk > proxy-agent > pac-proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + }, + "SNYK-JS-TREEKILL-536781": { + "paths": [ + { + "snyk > snyk-sbt-plugin > tree-kill": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + } + }, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": true, + "filtered": { + "ignore": [], + "patch": [ + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "alternativeIds": [ + "SNYK-JS-MS-10064" + ], + "creationTime": "2015-11-06T02:09:36.187000Z", + "credit": [ + "Adam Baldwin" + ], + "cvssScore": 5.3, + "description": "## Overview\n\n[ms](https://www.npmjs.com/package/ms) is a tiny milisecond conversion utility.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nattack when converting a time period string (i.e. `\"2 days\"`, `\"1h\"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `ms` to version 0.7.1 or higher.\n\n\n## References\n\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11)\n\n- [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n\n- [Security Focus](https://www.securityfocus.com/bid/96389)\n", + "disclosureTime": "2015-10-24T20:39:59Z", + "exploit": "Not Defined", + "fixedIn": [ + "0.7.1" + ], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "className": null, + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [ + ">0.1.0 <=0.3.0" + ] + }, + { + "functionId": { + "filePath": "index.js", + "functionName": "parse" + }, + "version": [ + ">0.3.0 <0.7.1" + ] + } + ], + "id": "npm:ms:20151024", + "identifiers": { + "ALTERNATIVE": [ + "SNYK-JS-MS-10064" + ], + "CVE": [ + "CVE-2015-8315" + ], + "CWE": [ + "CWE-400" + ], + "NSP": [ + 46 + ] + }, + "language": "js", + "modificationTime": "2019-05-23T07:46:17.408630Z", + "moduleName": "ms", + "packageManager": "npm", + "packageName": "ms", + "patches": [ + { + "comments": [], + "id": "patch:npm:ms:20151024:0", + "modificationTime": "2019-12-03T11:40:45.772009Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch" + ], + "version": "=0.7.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:1", + "modificationTime": "2019-12-03T11:40:45.773094Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch" + ], + "version": "<0.7.0 >=0.6.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:2", + "modificationTime": "2019-12-03T11:40:45.774221Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch" + ], + "version": "<0.6.0 >0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:3", + "modificationTime": "2019-12-03T11:40:45.775292Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch" + ], + "version": "=0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:4", + "modificationTime": "2019-12-03T11:40:45.776329Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch" + ], + "version": "=0.2.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:5", + "modificationTime": "2019-12-03T11:40:45.777474Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch" + ], + "version": "=0.1.0" + } + ], + "publicationTime": "2015-11-06T02:09:36Z", + "references": [ + { + "title": "OSS security Advisory", + "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11" + }, + { + "title": "OWASP - ReDoS", + "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "title": "Security Focus", + "url": "https://www.securityfocus.com/bid/96389" + } + ], + "semver": { + "vulnerable": [ + "<0.7.1" + ] + }, + "severity": "medium", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "humanize-ms@1.0.1", + "ms@0.6.2" + ], + "upgradePath": [ + false, + "humanize-ms@1.0.2", + "ms@0.7.1" + ], + "isUpgradable": true, + "isPatchable": true, + "name": "ms", + "version": "0.6.2", + "filtered": { + "patches": [ + { + "patched": "2019-09-23T21:21:17.183Z", + "path": [ + "humanize-ms", + "ms" + ] + } + ] + } + } + ] + }, + "uniqueCount": 10, + "projectName": "goof", + "displayTargetFile": "package-lock.json", + "path": "/home/antoine/Documents/SnykSB/goof" +} diff --git a/test/fixtures/snyktest-all-projects-with-one-more-vuln-for-one-project-and-unmonitored.json b/test/fixtures/snyktest-all-projects-with-one-more-vuln-for-one-project-and-unmonitored.json index 7470d94..05334fa 100644 --- a/test/fixtures/snyktest-all-projects-with-one-more-vuln-for-one-project-and-unmonitored.json +++ b/test/fixtures/snyktest-all-projects-with-one-more-vuln-for-one-project-and-unmonitored.json @@ -122,810 +122,6 @@ "name": "acorn", "version": "5.7.3" }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-01-28T15:18:37.743372Z", - "credit": ["aaron_costello"], - "cvssScore": 6.3, - "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", - "disclosureTime": "2020-01-28T10:17:51Z", - "exploit": "Proof of Concept", - "fixedIn": ["5.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-DOTPROP-543489", - "identifiers": { - "CVE": ["CVE-2020-8116"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2020-01-31T17:21:49.331710Z", - "moduleName": "dot-prop", - "packageManager": "npm", - "packageName": "dot-prop", - "patches": [], - "publicationTime": "2020-01-28T16:23:39Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/719856" - } - ], - "semver": { - "vulnerable": ["<5.1.1"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "configstore@3.1.2", - "dot-prop@4.2.0" - ], - "upgradePath": [false, "snyk@1.290.1"], - "isUpgradable": true, - "isPatchable": false, - "name": "dot-prop", - "version": "4.2.0" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-01-28T15:18:37.743372Z", - "credit": ["aaron_costello"], - "cvssScore": 6.3, - "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", - "disclosureTime": "2020-01-28T10:17:51Z", - "exploit": "Proof of Concept", - "fixedIn": ["5.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-DOTPROP-543489", - "identifiers": { - "CVE": ["CVE-2020-8116"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2020-01-31T17:21:49.331710Z", - "moduleName": "dot-prop", - "packageManager": "npm", - "packageName": "dot-prop", - "patches": [], - "publicationTime": "2020-01-28T16:23:39Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/719856" - } - ], - "semver": { - "vulnerable": ["<5.1.1"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "configstore@3.1.2", - "dot-prop@4.2.0" - ], - "upgradePath": [false, "snyk@1.290.1"], - "isUpgradable": true, - "isPatchable": false, - "name": "dot-prop", - "version": "4.2.0" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "alternativeIds": [], - "creationTime": "2019-10-22T12:22:54.665794Z", - "credit": ["Roman Burunkov"], - "cvssScore": 9.8, - "description": "## Overview\n\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\n\nAffected versions of this package are vulnerable to Denial of Service (DoS).\nThe package does not limit file name length.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\n\nUpgrade `express-fileupload` to version 1.1.6-alpha.6 or higher.\n\n\n## References\n\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/pull/171)\n", - "disclosureTime": "2019-10-18T11:17:09Z", - "exploit": "Not Defined", - "fixedIn": ["1.1.6-alpha.6"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-EXPRESSFILEUPLOAD-473997", - "identifiers": { - "CVE": [], - "CWE": ["CWE-79"], - "NSP": [1216] - }, - "language": "js", - "modificationTime": "2019-11-20T09:48:38.528931Z", - "moduleName": "express-fileupload", - "packageManager": "npm", - "packageName": "express-fileupload", - "patches": [], - "publicationTime": "2019-10-22T15:08:40Z", - "references": [ - { - "title": "GitHub PR", - "url": "https://github.com/richardgirges/express-fileupload/pull/171" - } - ], - "semver": { - "vulnerable": ["<1.1.6-alpha.6"] - }, - "severity": "high", - "title": "Denial of Service (DoS)", - "from": ["goof@0.0.3", "express-fileupload@0.0.5"], - "upgradePath": [false, "express-fileupload@1.1.6"], - "isUpgradable": true, - "isPatchable": false, - "name": "express-fileupload", - "version": "0.0.5" - }, - { - "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-09-26T10:01:07.677036Z", - "credit": ["Kris Adler"], - "cvssScore": 6.1, - "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", - "disclosureTime": "2019-09-25T08:21:57Z", - "exploit": "Proof of Concept", - "fixedIn": ["2.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-HTTPSPROXYAGENT-469131", - "identifiers": { - "CVE": [], - "CWE": ["CWE-300"], - "NSP": [1184] - }, - "language": "js", - "modificationTime": "2019-10-23T09:58:05.142531Z", - "moduleName": "https-proxy-agent", - "packageManager": "npm", - "packageName": "https-proxy-agent", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", - "modificationTime": "2019-12-03T11:40:45.721480Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" - ], - "version": "=2.2.1" - }, - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", - "modificationTime": "2019-12-03T11:40:45.723464Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" - ], - "version": "=2.2.2" - } - ], - "publicationTime": "2019-10-02T08:08:11Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" - }, - { - "title": "GitHub PR", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/541502" - } - ], - "semver": { - "vulnerable": ["<2.2.3"] - }, - "severity": "medium", - "title": "Man-in-the-Middle (MitM)", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "proxy-agent@3.1.0", - "https-proxy-agent@2.2.2" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "proxy-agent@3.1.0", - "https-proxy-agent@2.2.3" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "https-proxy-agent", - "version": "2.2.2" - }, - { - "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-09-26T10:01:07.677036Z", - "credit": ["Kris Adler"], - "cvssScore": 6.1, - "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", - "disclosureTime": "2019-09-25T08:21:57Z", - "exploit": "Proof of Concept", - "fixedIn": ["2.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-HTTPSPROXYAGENT-469131", - "identifiers": { - "CVE": [], - "CWE": ["CWE-300"], - "NSP": [1184] - }, - "language": "js", - "modificationTime": "2019-10-23T09:58:05.142531Z", - "moduleName": "https-proxy-agent", - "packageManager": "npm", - "packageName": "https-proxy-agent", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", - "modificationTime": "2019-12-03T11:40:45.721480Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" - ], - "version": "=2.2.1" - }, - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", - "modificationTime": "2019-12-03T11:40:45.723464Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" - ], - "version": "=2.2.2" - } - ], - "publicationTime": "2019-10-02T08:08:11Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" - }, - { - "title": "GitHub PR", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/541502" - } - ], - "semver": { - "vulnerable": ["<2.2.3"] - }, - "severity": "medium", - "title": "Man-in-the-Middle (MitM)", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "proxy-agent@3.1.0", - "pac-proxy-agent@3.0.0", - "https-proxy-agent@2.2.2" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "proxy-agent@3.1.0", - "pac-proxy-agent@3.0.0", - "https-proxy-agent@2.2.3" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "https-proxy-agent", - "version": "2.2.2" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] - }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": ["goof@0.0.3", "npmconf@2.1.3", "mkdirp@0.5.1", "minimist@0.0.8"], - "upgradePath": [false, "npmconf@2.1.3", "mkdirp@0.5.2", "minimist@1.2.5"], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "0.0.8" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] - }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-auth-token@3.4.0", - "rc@1.2.8", - "minimist@1.2.0" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-auth-token@3.4.0", - "rc@1.2.8", - "minimist@1.2.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "1.2.0" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] - }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-url@3.1.0", - "rc@1.2.8", - "minimist@1.2.0" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-url@3.1.0", - "rc@1.2.8", - "minimist@1.2.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "1.2.0" - }, - { - "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-12-05T10:31:49.505060Z", - "credit": ["mik317"], - "cvssScore": 7, - "description": "## Overview\n\n[tree-kill](https://www.npmjs.com/package/tree-kill) is a package to kill all processes in the process tree, including the root process.\n\n\nAffected versions of this package are vulnerable to Command Injection.\nUser input is concatenated with a `command` within `tree-kill` and `treekill` that will be executed without any check. \r\n\r\nNote: This vulnerability is only applicable if the package is used on a Windows operating system.\r\n\r\n### PoC by mik317 \r\n1) Create this POC file\r\n```\r\n//poc.js\r\nvar kill = require('tree-kill');\r\nkill('3333332 & echo \"HACKED\" > HACKED.txt & ');\r\n```\r\n\r\n2) Execute the following commands in another terminal:\r\n```\r\nnpm i tree-kill # Install affected module\r\ndir # Check *HACKED.txt* doesn't exist\r\nnode poc.js # Run the PoC\r\ndir # Now *HACKED.txt* exists :)\r\n```\r\n3) A new file called `HACKED.txt` will be created, containing the `HACKED` string\n\n## Remediation\n\nUpgrade `tree-kill` to version 1.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c)\n\n- [tree-kill HackerOne Report](https://hackerone.com/reports/701183)\n\n- [treekill HackerOne Report](https://hackerone.com/reports/703415)\n\n- [Vulnerable Code treekill](https://github.com/node-modules/treekill/blob/master/index.js#L32)\n\n- [Vulnerable Code tree-kill](https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20)\n", - "disclosureTime": "2019-12-04T19:54:11Z", - "exploit": "Proof of Concept", - "fixedIn": ["1.2.2"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-TREEKILL-536781", - "identifiers": { - "CVE": ["CVE-2019-15598", "CVE-2019-15599"], - "CWE": ["CWE-78"], - "NSP": [1432, 1433] - }, - "language": "js", - "modificationTime": "2019-12-12T13:54:40.599000Z", - "moduleName": "tree-kill", - "packageManager": "npm", - "packageName": "tree-kill", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-TREEKILL-536781:0", - "modificationTime": "2019-12-11T11:57:51.268946Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/tree-kill/20191210/tree-kill_0_0_20191210_e5d66d1fbd4b392294512d4644ac22bdc888573c.patch" - ], - "version": ">=1.0.0" - } - ], - "publicationTime": "2019-12-05T10:51:40Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c" - }, - { - "title": "tree-kill HackerOne Report", - "url": "https://hackerone.com/reports/701183" - }, - { - "title": "treekill HackerOne Report", - "url": "https://hackerone.com/reports/703415" - }, - { - "title": "Vulnerable Code treekill", - "url": "https://github.com/node-modules/treekill/blob/master/index.js%23L32" - }, - { - "title": "Vulnerable Code tree-kill", - "url": "https://github.com/pkrumins/node-tree-kill/blob/master/index.js%23L20" - } - ], - "semver": { - "vulnerable": ["<1.2.2"] - }, - "severity": "high", - "title": "Command Injection", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "snyk-sbt-plugin@2.8.0", - "tree-kill@1.2.1" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "snyk-sbt-plugin@2.8.0", - "tree-kill@1.2.2" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "tree-kill", - "version": "1.2.1" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "alternativeIds": ["SNYK-JS-EJS-10218"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 8.1, - "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.3"], - "functions": [ - { - "functionId": { - "className": null, - "filePath": "ejs.js", - "functionName": "1.exports.render" - }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "className": null, - "filePath": "lib/ejs.js", - "functionName": "exports.render" - }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "className": null, - "filePath": "ejs.js", - "functionName": "1.cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] - }, - { - "functionId": { - "className": null, - "filePath": "lib/ejs.js", - "functionName": "cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] - } - ], - "functions_new": [ - { - "functionId": { - "filePath": "ejs.js", - "functionName": "1.exports.render" - }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "filePath": "lib/ejs.js", - "functionName": "exports.render" - }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "filePath": "ejs.js", - "functionName": "1.cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] - }, - { - "functionId": { - "filePath": "lib/ejs.js", - "functionName": "cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] - } - ], - "id": "npm:ejs:20161128", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10218"], - "CVE": ["CVE-2017-1000228"], - "CWE": ["CWE-94"] - }, - "language": "js", - "modificationTime": "2019-03-05T14:14:20.921506Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [ - { - "comments": [], - "id": "patch:npm:ejs:20161128:0", - "modificationTime": "2019-12-03T11:40:45.851976Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" - ], - "version": "<2.5.3 >=2.2.4" - } - ], - "publicationTime": "2016-11-28T18:44:12Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" - }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.3"] - }, - "severity": "high", - "title": "Arbitrary Code Execution", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "alternativeIds": ["SNYK-JS-EJS-10225"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 5.9, - "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.5"], - "functions": [], - "functions_new": [], - "id": "npm:ejs:20161130", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10225"], - "CVE": ["CVE-2017-1000188"], - "CWE": ["CWE-79"] - }, - "language": "js", - "modificationTime": "2019-02-18T08:31:22.194966Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [], - "publicationTime": "2016-12-06T15:00:00Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.5"] - }, - "severity": "medium", - "title": "Cross-site Scripting (XSS)", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "alternativeIds": ["SNYK-JS-EJS-10226"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 5.9, - "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.5"], - "functions": [], - "functions_new": [], - "id": "npm:ejs:20161130-1", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10226"], - "CVE": ["CVE-2017-1000189"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2019-02-18T08:31:22.206452Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [], - "publicationTime": "2016-12-06T15:00:00Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.5"] - }, - "severity": "medium", - "title": "Denial of Service (DoS)", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, { "license": "GPL-2.0", "semver": { diff --git a/test/fixtures/snyktest-all-projects-with-one-more-vuln-for-one-project-only.json b/test/fixtures/snyktest-all-projects-with-one-more-vuln-for-one-project-only.json index f4ae0db..f4302c5 100644 --- a/test/fixtures/snyktest-all-projects-with-one-more-vuln-for-one-project-only.json +++ b/test/fixtures/snyktest-all-projects-with-one-more-vuln-for-one-project-only.json @@ -62,1126 +62,312 @@ "version": "5.7.3" }, { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-01-28T15:18:37.743372Z", - "credit": ["aaron_costello"], - "cvssScore": 6.3, - "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", - "disclosureTime": "2020-01-28T10:17:51Z", - "exploit": "Proof of Concept", - "fixedIn": ["5.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-DOTPROP-543489", - "identifiers": { - "CVE": ["CVE-2020-8116"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2020-01-31T17:21:49.331710Z", - "moduleName": "dot-prop", - "packageManager": "npm", - "packageName": "dot-prop", - "patches": [], - "publicationTime": "2020-01-28T16:23:39Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/719856" - } - ], + "license": "GPL-2.0", "semver": { - "vulnerable": ["<5.1.1"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "configstore@3.1.2", - "dot-prop@4.2.0" - ], - "upgradePath": [false, "snyk@1.290.1"], - "isUpgradable": true, - "isPatchable": false, - "name": "dot-prop", - "version": "4.2.0" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-01-28T15:18:37.743372Z", - "credit": ["aaron_costello"], - "cvssScore": 6.3, - "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", - "disclosureTime": "2020-01-28T10:17:51Z", - "exploit": "Proof of Concept", - "fixedIn": ["5.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-DOTPROP-543489", - "identifiers": { - "CVE": ["CVE-2020-8116"], - "CWE": ["CWE-400"] + "vulnerable": [">=0"] }, - "language": "js", - "modificationTime": "2020-01-31T17:21:49.331710Z", - "moduleName": "dot-prop", + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", "packageManager": "npm", - "packageName": "dot-prop", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", "patches": [], - "publicationTime": "2020-01-28T16:23:39Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/719856" - } - ], - "semver": { - "vulnerable": ["<5.1.1"] - }, + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "configstore@3.1.2", - "dot-prop@4.2.0" - ], - "upgradePath": [false, "snyk@1.290.1"], - "isUpgradable": true, + "from": ["goof@0.0.3"], + "upgradePath": [], + "isUpgradable": false, "isPatchable": false, - "name": "dot-prop", - "version": "4.2.0" + "name": "goof", + "version": "0.0.3" + } + ], + "ok": false, + "dependencyCount": 418, + "org": "playground", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 'npm:ejs:20161128':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130-1':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:hoek:20180212':\n - tap > codecov.io > request > hawk > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > sntp > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > cryptiles > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:qs:20170213':\n - tap > codecov.io > request > qs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:goof:GPL-2.0':\n - '':\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:symbol:MPL-2.0':\n - tap > nyc > yargs > pkg-conf > symbol:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n# patches apply the minimum changes required to fix a vulnerability\npatch:\n 'npm:negotiator:20160616':\n - errorhandler > accepts > negotiator:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:ms:20151024':\n - humanize-ms > ms:\n patched: '2019-09-23T21:21:17.183Z'\n 'npm:hawk:20160119':\n - tap > codecov.io > request > hawk:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:http-signature:20150122':\n - tap > codecov.io > request > http-signature:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:mime:20170907':\n - tap > codecov.io > request > form-data > mime:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:request:20160119':\n - tap > codecov.io > request:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:tunnel-agent:20170305':\n - tap > codecov.io > request > tunnel-agent:\n patched: '2019-09-23T11:31:09.532Z'\n", + "isPrivate": true, + "licensesPolicy": { + "severities": { + "AGPL-1.0": "high", + "AGPL-3.0": "high", + "CDDL-1.0": "medium", + "CPOL-1.02": "high", + "GPL-2.0": "medium", + "LGPL-2.0": "low", + "LGPL-2.1": "low", + "LGPL-2.1+": "medium", + "LGPL-3.0": "low", + "LGPL-3.0+": "medium", + "MPL-1.1": "medium", + "MPL-2.0": "medium", + "MS-RL": "medium", + "SimPL-2.0": "high" }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "alternativeIds": [], - "creationTime": "2019-10-22T12:22:54.665794Z", - "credit": ["Roman Burunkov"], - "cvssScore": 9.8, - "description": "## Overview\n\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\n\nAffected versions of this package are vulnerable to Denial of Service (DoS).\nThe package does not limit file name length.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\n\nUpgrade `express-fileupload` to version 1.1.6-alpha.6 or higher.\n\n\n## References\n\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/pull/171)\n", - "disclosureTime": "2019-10-18T11:17:09Z", - "exploit": "Not Defined", - "fixedIn": ["1.1.6-alpha.6"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-EXPRESSFILEUPLOAD-473997", - "identifiers": { - "CVE": [], - "CWE": ["CWE-79"], - "NSP": [1216] + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "jbvhgvg Test" }, - "language": "js", - "modificationTime": "2019-11-20T09:48:38.528931Z", - "moduleName": "express-fileupload", - "packageManager": "npm", - "packageName": "express-fileupload", - "patches": [], - "publicationTime": "2019-10-22T15:08:40Z", - "references": [ - { - "title": "GitHub PR", - "url": "https://github.com/richardgirges/express-fileupload/pull/171" - } - ], - "semver": { - "vulnerable": ["<1.1.6-alpha.6"] + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" }, - "severity": "high", - "title": "Denial of Service (DoS)", - "from": ["goof@0.0.3", "express-fileupload@0.0.5"], - "upgradePath": [false, "express-fileupload@1.1.6"], - "isUpgradable": true, - "isPatchable": false, - "name": "express-fileupload", - "version": "0.0.5" - }, - { - "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-09-26T10:01:07.677036Z", - "credit": ["Kris Adler"], - "cvssScore": 6.1, - "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", - "disclosureTime": "2019-09-25T08:21:57Z", - "exploit": "Proof of Concept", - "fixedIn": ["2.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-HTTPSPROXYAGENT-469131", - "identifiers": { - "CVE": [], - "CWE": ["CWE-300"], - "NSP": [1184] + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" }, - "language": "js", - "modificationTime": "2019-10-23T09:58:05.142531Z", - "moduleName": "https-proxy-agent", - "packageManager": "npm", - "packageName": "https-proxy-agent", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", - "modificationTime": "2019-12-03T11:40:45.721480Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" - ], - "version": "=2.2.1" - }, - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", - "modificationTime": "2019-12-03T11:40:45.723464Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" - ], - "version": "=2.2.2" - } - ], - "publicationTime": "2019-10-02T08:08:11Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" - }, - { - "title": "GitHub PR", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/541502" - } - ], - "semver": { - "vulnerable": ["<2.2.3"] + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" }, - "severity": "medium", - "title": "Man-in-the-Middle (MitM)", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "proxy-agent@3.1.0", - "https-proxy-agent@2.2.2" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "proxy-agent@3.1.0", - "https-proxy-agent@2.2.3" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "https-proxy-agent", - "version": "2.2.2" - }, - { - "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-09-26T10:01:07.677036Z", - "credit": ["Kris Adler"], - "cvssScore": 6.1, - "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", - "disclosureTime": "2019-09-25T08:21:57Z", - "exploit": "Proof of Concept", - "fixedIn": ["2.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-HTTPSPROXYAGENT-469131", - "identifiers": { - "CVE": [], - "CWE": ["CWE-300"], - "NSP": [1184] + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "medium", + "instructions": "" }, - "language": "js", - "modificationTime": "2019-10-23T09:58:05.142531Z", - "moduleName": "https-proxy-agent", - "packageManager": "npm", - "packageName": "https-proxy-agent", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", - "modificationTime": "2019-12-03T11:40:45.721480Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" - ], - "version": "=2.2.1" - }, - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", - "modificationTime": "2019-12-03T11:40:45.723464Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" - ], - "version": "=2.2.2" - } - ], - "publicationTime": "2019-10-02T08:08:11Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" - }, - { - "title": "GitHub PR", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/541502" - } - ], - "semver": { - "vulnerable": ["<2.2.3"] + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "low", + "instructions": "" }, - "severity": "medium", - "title": "Man-in-the-Middle (MitM)", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "proxy-agent@3.1.0", - "pac-proxy-agent@3.0.0", - "https-proxy-agent@2.2.2" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "proxy-agent@3.1.0", - "pac-proxy-agent@3.0.0", - "https-proxy-agent@2.2.3" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "https-proxy-agent", - "version": "2.2.2" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "low", + "instructions": "" }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] + "LGPL-2.1+": { + "licenseType": "LGPL-2.1+", + "severity": "medium", + "instructions": "" }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "npmconf@2.1.3", - "mkdirp@0.5.1", - "minimist@0.0.8" - ], - "upgradePath": [ - false, - "npmconf@2.1.3", - "mkdirp@0.5.2", - "minimist@1.2.5" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "0.0.8" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "low", + "instructions": "" }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] + "LGPL-3.0+": { + "licenseType": "LGPL-3.0+", + "severity": "medium", + "instructions": "" }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-auth-token@3.4.0", - "rc@1.2.8", - "minimist@1.2.0" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-auth-token@3.4.0", - "rc@1.2.8", - "minimist@1.2.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "1.2.0" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-url@3.1.0", - "rc@1.2.8", - "minimist@1.2.0" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-url@3.1.0", - "rc@1.2.8", - "minimist@1.2.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "1.2.0" - }, - { - "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-12-05T10:31:49.505060Z", - "credit": ["mik317"], - "cvssScore": 7, - "description": "## Overview\n\n[tree-kill](https://www.npmjs.com/package/tree-kill) is a package to kill all processes in the process tree, including the root process.\n\n\nAffected versions of this package are vulnerable to Command Injection.\nUser input is concatenated with a `command` within `tree-kill` and `treekill` that will be executed without any check. \r\n\r\nNote: This vulnerability is only applicable if the package is used on a Windows operating system.\r\n\r\n### PoC by mik317 \r\n1) Create this POC file\r\n```\r\n//poc.js\r\nvar kill = require('tree-kill');\r\nkill('3333332 & echo \"HACKED\" > HACKED.txt & ');\r\n```\r\n\r\n2) Execute the following commands in another terminal:\r\n```\r\nnpm i tree-kill # Install affected module\r\ndir # Check *HACKED.txt* doesn't exist\r\nnode poc.js # Run the PoC\r\ndir # Now *HACKED.txt* exists :)\r\n```\r\n3) A new file called `HACKED.txt` will be created, containing the `HACKED` string\n\n## Remediation\n\nUpgrade `tree-kill` to version 1.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c)\n\n- [tree-kill HackerOne Report](https://hackerone.com/reports/701183)\n\n- [treekill HackerOne Report](https://hackerone.com/reports/703415)\n\n- [Vulnerable Code treekill](https://github.com/node-modules/treekill/blob/master/index.js#L32)\n\n- [Vulnerable Code tree-kill](https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20)\n", - "disclosureTime": "2019-12-04T19:54:11Z", - "exploit": "Proof of Concept", - "fixedIn": ["1.2.2"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-TREEKILL-536781", - "identifiers": { - "CVE": ["CVE-2019-15598", "CVE-2019-15599"], - "CWE": ["CWE-78"], - "NSP": [1432, 1433] + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" }, - "language": "js", - "modificationTime": "2019-12-12T13:54:40.599000Z", - "moduleName": "tree-kill", - "packageManager": "npm", - "packageName": "tree-kill", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-TREEKILL-536781:0", - "modificationTime": "2019-12-11T11:57:51.268946Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/tree-kill/20191210/tree-kill_0_0_20191210_e5d66d1fbd4b392294512d4644ac22bdc888573c.patch" - ], - "version": ">=1.0.0" - } - ], - "publicationTime": "2019-12-05T10:51:40Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c" - }, - { - "title": "tree-kill HackerOne Report", - "url": "https://hackerone.com/reports/701183" - }, - { - "title": "treekill HackerOne Report", - "url": "https://hackerone.com/reports/703415" - }, - { - "title": "Vulnerable Code treekill", - "url": "https://github.com/node-modules/treekill/blob/master/index.js%23L32" + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "npm", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "15 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": ["Peter van der Zee"], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": ["5.7.4", "6.4.1", "7.1.1"], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-6chw-6frg-f759"], + "NSP": [1488] }, - { - "title": "Vulnerable Code tree-kill", - "url": "https://github.com/pkrumins/node-tree-kill/blob/master/index.js%23L20" - } - ], - "semver": { - "vulnerable": ["<1.2.2"] - }, - "severity": "high", - "title": "Command Injection", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "snyk-sbt-plugin@2.8.0", - "tree-kill@1.2.1" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "snyk-sbt-plugin@2.8.0", - "tree-kill@1.2.2" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "tree-kill", - "version": "1.2.1" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "alternativeIds": ["SNYK-JS-EJS-10218"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 8.1, - "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.3"], - "functions": [ - { - "functionId": { - "className": null, - "filePath": "ejs.js", - "functionName": "1.exports.render" + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "className": null, - "filePath": "lib/ejs.js", - "functionName": "exports.render" + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" }, - "version": ["<2.2.1"] + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] }, - { - "functionId": { - "className": null, - "filePath": "ejs.js", - "functionName": "1.cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": ["Snyk Security Team"], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": ["0.2.1", "1.2.3"], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": ["CVE-2020-7598"], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-vh95-rmgr-6w4m"], + "NSP": [1179] }, - { - "functionId": { - "className": null, - "filePath": "lib/ejs.js", - "functionName": "cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] - } - ], - "functions_new": [ - { - "functionId": { - "filePath": "ejs.js", - "functionName": "1.exports.render" + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "filePath": "lib/ejs.js", - "functionName": "exports.render" + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "filePath": "ejs.js", - "functionName": "1.cpOptsInData" + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" }, - "version": [">=2.2.1 <2.5.3"] + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] }, - { - "functionId": { - "filePath": "lib/ejs.js", - "functionName": "cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] - } - ], - "id": "npm:ejs:20161128", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10218"], - "CVE": ["CVE-2017-1000228"], - "CWE": ["CWE-94"] + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "minimist", + "version": "1.2.0" }, - "language": "js", - "modificationTime": "2019-03-05T14:14:20.921506Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [ - { - "comments": [], - "id": "patch:npm:ejs:20161128:0", - "modificationTime": "2019-12-03T11:40:45.851976Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" - ], - "version": "<2.5.3 >=2.2.4" - } - ], - "publicationTime": "2016-11-28T18:44:12Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" - }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.3"] - }, - "severity": "high", - "title": "Arbitrary Code Execution", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "alternativeIds": ["SNYK-JS-EJS-10225"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 5.9, - "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.5"], - "functions": [], - "functions_new": [], - "id": "npm:ejs:20161130", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10225"], - "CVE": ["CVE-2017-1000188"], - "CWE": ["CWE-79"] - }, - "language": "js", - "modificationTime": "2019-02-18T08:31:22.194966Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [], - "publicationTime": "2016-12-06T15:00:00Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.5"] - }, - "severity": "medium", - "title": "Cross-site Scripting (XSS)", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "alternativeIds": ["SNYK-JS-EJS-10226"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 5.9, - "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.5"], - "functions": [], - "functions_new": [], - "id": "npm:ejs:20161130-1", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10226"], - "CVE": ["CVE-2017-1000189"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2019-02-18T08:31:22.206452Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [], - "publicationTime": "2016-12-06T15:00:00Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.5"] - }, - "severity": "medium", - "title": "Denial of Service (DoS)", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "license": "GPL-2.0", - "semver": { - "vulnerable": [">=0"] - }, - "id": "snyk:lic:npm:goof:GPL-2.0", - "type": "license", - "packageManager": "npm", - "language": "js", - "packageName": "goof", - "title": "GPL-2.0 license", - "description": "GPL-2.0 license", - "publicationTime": "2020-04-09T19:48:50.751Z", - "creationTime": "2020-04-09T19:48:50.751Z", - "patches": [], - "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", - "severity": "medium", - "from": ["goof@0.0.3"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "goof", - "version": "0.0.3" - } - ], - "ok": false, - "dependencyCount": 418, - "org": "playground", - "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 'npm:ejs:20161128':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130-1':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:hoek:20180212':\n - tap > codecov.io > request > hawk > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > sntp > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > cryptiles > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:qs:20170213':\n - tap > codecov.io > request > qs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:goof:GPL-2.0':\n - '':\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:symbol:MPL-2.0':\n - tap > nyc > yargs > pkg-conf > symbol:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n# patches apply the minimum changes required to fix a vulnerability\npatch:\n 'npm:negotiator:20160616':\n - errorhandler > accepts > negotiator:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:ms:20151024':\n - humanize-ms > ms:\n patched: '2019-09-23T21:21:17.183Z'\n 'npm:hawk:20160119':\n - tap > codecov.io > request > hawk:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:http-signature:20150122':\n - tap > codecov.io > request > http-signature:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:mime:20170907':\n - tap > codecov.io > request > form-data > mime:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:request:20160119':\n - tap > codecov.io > request:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:tunnel-agent:20170305':\n - tap > codecov.io > request > tunnel-agent:\n patched: '2019-09-23T11:31:09.532Z'\n", - "isPrivate": true, - "licensesPolicy": { - "severities": { - "AGPL-1.0": "high", - "AGPL-3.0": "high", - "CDDL-1.0": "medium", - "CPOL-1.02": "high", - "GPL-2.0": "medium", - "LGPL-2.0": "low", - "LGPL-2.1": "low", - "LGPL-2.1+": "medium", - "LGPL-3.0": "low", - "LGPL-3.0+": "medium", - "MPL-1.1": "medium", - "MPL-2.0": "medium", - "MS-RL": "medium", - "SimPL-2.0": "high" - }, - "orgLicenseRules": { - "AGPL-1.0": { - "licenseType": "AGPL-1.0", - "severity": "high", - "instructions": "jbvhgvg Test" - }, - "AGPL-3.0": { - "licenseType": "AGPL-3.0", - "severity": "high", - "instructions": "" - }, - "CDDL-1.0": { - "licenseType": "CDDL-1.0", - "severity": "medium", - "instructions": "" - }, - "CPOL-1.02": { - "licenseType": "CPOL-1.02", - "severity": "high", - "instructions": "" - }, - "GPL-2.0": { - "licenseType": "GPL-2.0", - "severity": "medium", - "instructions": "" - }, - "LGPL-2.0": { - "licenseType": "LGPL-2.0", - "severity": "low", - "instructions": "" - }, - "LGPL-2.1": { - "licenseType": "LGPL-2.1", - "severity": "low", - "instructions": "" - }, - "LGPL-2.1+": { - "licenseType": "LGPL-2.1+", - "severity": "medium", - "instructions": "" - }, - "LGPL-3.0": { - "licenseType": "LGPL-3.0", - "severity": "low", - "instructions": "" - }, - "LGPL-3.0+": { - "licenseType": "LGPL-3.0+", - "severity": "medium", - "instructions": "" - }, - "MPL-1.1": { - "licenseType": "MPL-1.1", - "severity": "medium", - "instructions": "" - }, - "MPL-2.0": { - "licenseType": "MPL-2.0", - "severity": "medium", - "instructions": "" - }, - "MS-RL": { - "licenseType": "MS-RL", - "severity": "medium", - "instructions": "" - }, - "SimPL-2.0": { - "licenseType": "SimPL-2.0", - "severity": "high", - "instructions": "" - } - } - }, - "packageManager": "npm", - "ignoreSettings": { - "adminOnly": false, - "reasonRequired": false, - "disregardFilesystemIgnores": false - }, - "summary": "15 vulnerable dependency paths", - "remediation": { - "unresolved": [ { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "alternativeIds": [], - "creationTime": "2020-03-07T00:18:41.509507Z", - "credit": ["Peter van der Zee"], - "cvssScore": 7.5, - "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", - "disclosureTime": "2020-03-02T19:21:25Z", + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": ["SNYK-JS-EJS-10218"], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": ["Snyk Security Research Team"], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", "exploit": "Not Defined", - "fixedIn": ["5.7.4", "6.4.1", "7.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-ACORN-559469", - "identifiers": { - "CVE": [], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-6chw-6frg-f759"], - "NSP": [1488] - }, - "language": "js", - "modificationTime": "2020-03-10T10:19:13.616093Z", - "moduleName": "acorn", - "packageManager": "npm", - "packageName": "acorn", - "patches": [], - "publicationTime": "2020-03-07T00:19:23Z", - "references": [ + "fixedIn": ["2.5.3"], + "functions": [ { - "title": "GitHub Commit", - "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": ["<2.2.1"] }, { - "title": "GitHub Issue 6.x Branch", - "url": "https://github.com/acornjs/acorn/issues/929" + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": ["<2.2.1"] }, { - "title": "NPM Security Advisory", - "url": "https://www.npmjs.com/advisories/1488" - } - ], - "semver": { - "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] - }, - "severity": "high", - "title": "Regular Expression Denial of Service (ReDoS)", - "from": [ - "goof@0.0.3", - "@snyk/nodejs-runtime-agent@1.14.0", - "acorn@5.7.3" - ], - "upgradePath": [ - false, - "@snyk/nodejs-runtime-agent@1.14.0", - "acorn@5.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "isPinnable": false, - "name": "acorn", - "version": "5.7.3" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] - }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-url@3.1.0", - "rc@1.2.8", - "minimist@1.2.0" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-url@3.1.0", - "rc@1.2.8", - "minimist@1.2.3" - ], - "isUpgradable": true, - "isPatchable": false, - "isPinnable": false, - "name": "minimist", - "version": "1.2.0" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "alternativeIds": ["SNYK-JS-EJS-10218"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 8.1, - "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.3"], - "functions": [ - { - "functionId": { - "className": null, - "filePath": "ejs.js", - "functionName": "1.exports.render" - }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "className": null, - "filePath": "lib/ejs.js", - "functionName": "exports.render" - }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "className": null, - "filePath": "ejs.js", - "functionName": "1.cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] - }, - { - "functionId": { - "className": null, - "filePath": "lib/ejs.js", - "functionName": "cpOptsInData" - }, - "version": [">=2.2.1 <2.5.3"] + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [">=2.2.1 <2.5.3"] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [">=2.2.1 <2.5.3"] } ], "functions_new": [ @@ -1256,1291 +442,393 @@ "upgradePath": [], "isUpgradable": false, "isPatchable": false, - "isPinnable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "alternativeIds": ["SNYK-JS-EJS-10225"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 5.9, - "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.5"], - "functions": [], - "functions_new": [], - "id": "npm:ejs:20161130", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10225"], - "CVE": ["CVE-2017-1000188"], - "CWE": ["CWE-79"] - }, - "language": "js", - "modificationTime": "2019-02-18T08:31:22.194966Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [], - "publicationTime": "2016-12-06T15:00:00Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.5"] - }, - "severity": "medium", - "title": "Cross-site Scripting (XSS)", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "alternativeIds": ["SNYK-JS-EJS-10226"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 5.9, - "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.5"], - "functions": [], - "functions_new": [], - "id": "npm:ejs:20161130-1", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10226"], - "CVE": ["CVE-2017-1000189"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2019-02-18T08:31:22.206452Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [], - "publicationTime": "2016-12-06T15:00:00Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.5"] - }, - "severity": "medium", - "title": "Denial of Service (DoS)", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "license": "GPL-2.0", - "semver": { - "vulnerable": [">=0"] - }, - "id": "snyk:lic:npm:goof:GPL-2.0", - "type": "license", - "packageManager": "npm", - "language": "js", - "packageName": "goof", - "title": "GPL-2.0 license", - "description": "GPL-2.0 license", - "publicationTime": "2020-04-09T19:48:50.751Z", - "creationTime": "2020-04-09T19:48:50.751Z", - "patches": [], - "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", - "severity": "medium", - "from": ["goof@0.0.3"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "isPinnable": false, - "name": "goof", - "version": "0.0.3" - } - ], - "upgrade": { - "express-fileupload@0.0.5": { - "upgradeTo": "express-fileupload@1.1.6", - "upgrades": ["express-fileupload@0.0.5"], - "vulns": ["SNYK-JS-EXPRESSFILEUPLOAD-473997"] - }, - "snyk@1.228.3": { - "upgradeTo": "snyk@1.290.1", - "upgrades": ["dot-prop@4.2.0"], - "vulns": ["SNYK-JS-DOTPROP-543489"] - } - }, - "patch": { - "SNYK-JS-HTTPSPROXYAGENT-469131": { - "paths": [ - { - "snyk > proxy-agent > https-proxy-agent": { - "patched": "2020-04-09T21:29:35.234Z" - } - }, - { - "snyk > proxy-agent > pac-proxy-agent > https-proxy-agent": { - "patched": "2020-04-09T21:29:35.234Z" - } - } - ] - }, - "SNYK-JS-TREEKILL-536781": { - "paths": [ - { - "snyk > snyk-sbt-plugin > tree-kill": { - "patched": "2020-04-09T21:29:35.234Z" - } - } - ] - } - }, - "ignore": {}, - "pin": {} - }, - "filesystemPolicy": true, - "filtered": { - "ignore": [], - "patch": [ - { - "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "alternativeIds": ["SNYK-JS-MS-10064"], - "creationTime": "2015-11-06T02:09:36.187000Z", - "credit": ["Adam Baldwin"], - "cvssScore": 5.3, - "description": "## Overview\n\n[ms](https://www.npmjs.com/package/ms) is a tiny milisecond conversion utility.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nattack when converting a time period string (i.e. `\"2 days\"`, `\"1h\"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `ms` to version 0.7.1 or higher.\n\n\n## References\n\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11)\n\n- [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n\n- [Security Focus](https://www.securityfocus.com/bid/96389)\n", - "disclosureTime": "2015-10-24T20:39:59Z", - "exploit": "Not Defined", - "fixedIn": ["0.7.1"], - "functions": [ - { - "functionId": { - "className": null, - "filePath": "ms.js", - "functionName": "parse" - }, - "version": [">0.1.0 <=0.3.0"] - }, - { - "functionId": { - "className": null, - "filePath": "index.js", - "functionName": "parse" - }, - "version": [">0.3.0 <0.7.1"] - } - ], - "functions_new": [ - { - "functionId": { - "filePath": "ms.js", - "functionName": "parse" - }, - "version": [">0.1.0 <=0.3.0"] - }, - { - "functionId": { - "filePath": "index.js", - "functionName": "parse" - }, - "version": [">0.3.0 <0.7.1"] - } - ], - "id": "npm:ms:20151024", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-MS-10064"], - "CVE": ["CVE-2015-8315"], - "CWE": ["CWE-400"], - "NSP": [46] - }, - "language": "js", - "modificationTime": "2019-05-23T07:46:17.408630Z", - "moduleName": "ms", - "packageManager": "npm", - "packageName": "ms", - "patches": [ - { - "comments": [], - "id": "patch:npm:ms:20151024:0", - "modificationTime": "2019-12-03T11:40:45.772009Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch" - ], - "version": "=0.7.0" - }, - { - "comments": [], - "id": "patch:npm:ms:20151024:1", - "modificationTime": "2019-12-03T11:40:45.773094Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch" - ], - "version": "<0.7.0 >=0.6.0" - }, - { - "comments": [], - "id": "patch:npm:ms:20151024:2", - "modificationTime": "2019-12-03T11:40:45.774221Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch" - ], - "version": "<0.6.0 >0.3.0" - }, - { - "comments": [], - "id": "patch:npm:ms:20151024:3", - "modificationTime": "2019-12-03T11:40:45.775292Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch" - ], - "version": "=0.3.0" - }, - { - "comments": [], - "id": "patch:npm:ms:20151024:4", - "modificationTime": "2019-12-03T11:40:45.776329Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch" - ], - "version": "=0.2.0" - }, - { - "comments": [], - "id": "patch:npm:ms:20151024:5", - "modificationTime": "2019-12-03T11:40:45.777474Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch" - ], - "version": "=0.1.0" - } - ], - "publicationTime": "2015-11-06T02:09:36Z", - "references": [ - { - "title": "OSS security Advisory", - "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11" - }, - { - "title": "OWASP - ReDoS", - "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" - }, - { - "title": "Security Focus", - "url": "https://www.securityfocus.com/bid/96389" - } - ], - "semver": { - "vulnerable": ["<0.7.1"] - }, - "severity": "medium", - "title": "Regular Expression Denial of Service (ReDoS)", - "from": ["goof@0.0.3", "humanize-ms@1.0.1", "ms@0.6.2"], - "upgradePath": [false, "humanize-ms@1.0.2", "ms@0.7.1"], - "isUpgradable": true, - "isPatchable": true, - "name": "ms", - "version": "0.6.2", - "filtered": { - "patches": [ - { - "patched": "2019-09-23T21:21:17.183Z", - "path": ["humanize-ms", "ms"] - } - ] - } - } - ] - }, - "uniqueCount": 10, - "projectName": "goof", - "projectId": "09235fa4-c241-42c6-8c63-c053bd272789", - "displayTargetFile": "package-lock.json", - "path": "/home/antoine/Documents/SnykSB/goof" - }, - { - "vulnerabilities": [ - { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "alternativeIds": [], - "creationTime": "2020-03-07T00:18:41.509507Z", - "credit": ["Peter van der Zee"], - "cvssScore": 7.5, - "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", - "disclosureTime": "2020-03-02T19:21:25Z", - "exploit": "Not Defined", - "fixedIn": ["5.7.4", "6.4.1", "7.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-ACORN-559469", - "identifiers": { - "CVE": [], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-6chw-6frg-f759"], - "NSP": [1488] - }, - "language": "js", - "modificationTime": "2020-03-10T10:19:13.616093Z", - "moduleName": "acorn", - "packageManager": "npm", - "packageName": "acorn", - "patches": [], - "publicationTime": "2020-03-07T00:19:23Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" - }, - { - "title": "GitHub Issue 6.x Branch", - "url": "https://github.com/acornjs/acorn/issues/929" - }, - { - "title": "NPM Security Advisory", - "url": "https://www.npmjs.com/advisories/1488" - } - ], - "semver": { - "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] - }, - "severity": "high", - "title": "Regular Expression Denial of Service (ReDoS)", - "from": [ - "goof@0.0.3", - "@snyk/nodejs-runtime-agent@1.14.0", - "acorn@5.7.3" - ], - "upgradePath": [ - false, - "@snyk/nodejs-runtime-agent@1.14.0", - "acorn@5.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "acorn", - "version": "5.7.3" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "alternativeIds": [], - "creationTime": "2020-03-07T00:18:41.509507Z", - "credit": ["Peter van der Zee"], - "cvssScore": 7.5, - "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", - "disclosureTime": "2020-03-02T19:21:25Z", - "exploit": "Not Defined", - "fixedIn": ["5.7.4", "6.4.1", "7.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-ACORN-559469", - "identifiers": { - "CVE": [], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-6chw-6frg-f759"], - "NSP": [1488] - }, - "language": "js", - "modificationTime": "2020-03-10T10:19:13.616093Z", - "moduleName": "acorn", - "packageManager": "npm", - "packageName": "acorn", - "patches": [], - "publicationTime": "2020-03-07T00:19:23Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" - }, - { - "title": "GitHub Issue 6.x Branch", - "url": "https://github.com/acornjs/acorn/issues/929" - }, - { - "title": "NPM Security Advisory", - "url": "https://www.npmjs.com/advisories/1488" - } - ], - "semver": { - "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] - }, - "severity": "high", - "title": "Regular Expression Denial of Service (ReDoS)", - "from": [ - "goof@0.0.3", - "express-fileupload@0.0.5", - "@snyk/nodejs-runtime-agent@1.14.0", - "acorn@5.7.3" - ], - "upgradePath": [ - false, - "@snyk/nodejs-runtime-agent@1.14.0", - "acorn@5.7.4" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "acorn", - "version": "5.7.3" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-01-28T15:18:37.743372Z", - "credit": ["aaron_costello"], - "cvssScore": 6.3, - "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", - "disclosureTime": "2020-01-28T10:17:51Z", - "exploit": "Proof of Concept", - "fixedIn": ["5.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-DOTPROP-543489", - "identifiers": { - "CVE": ["CVE-2020-8116"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2020-01-31T17:21:49.331710Z", - "moduleName": "dot-prop", - "packageManager": "npm", - "packageName": "dot-prop", - "patches": [], - "publicationTime": "2020-01-28T16:23:39Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/719856" - } - ], - "semver": { - "vulnerable": ["<5.1.1"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "configstore@3.1.2", - "dot-prop@4.2.0" - ], - "upgradePath": [false, "snyk@1.290.1"], - "isUpgradable": true, - "isPatchable": false, - "name": "dot-prop", - "version": "4.2.0" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-01-28T15:18:37.743372Z", - "credit": ["aaron_costello"], - "cvssScore": 6.3, - "description": "## Overview\n\n[dot-prop](https://github.com/sindresorhus/dot-prop#readme) is a package to get, set, or delete a property from a nested object using a dot path.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nIt is possible for a user to modify the prototype of a base object.\r\n\r\n## PoC by aaron_costello \r\n```\r\nvar dotProp = require(\"dot-prop\")\r\nconst object = {};\r\nconsole.log(\"Before \" + object.b); //Undefined\r\ndotProp.set(object, '__proto__.b', true);\r\nconsole.log(\"After \" + {}.b); //true\r\n```\n\n## Remediation\n\nUpgrade `dot-prop` to version 5.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2)\n\n- [HackerOne Report](https://hackerone.com/reports/719856)\n", - "disclosureTime": "2020-01-28T10:17:51Z", - "exploit": "Proof of Concept", - "fixedIn": ["5.1.1"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-DOTPROP-543489", - "identifiers": { - "CVE": ["CVE-2020-8116"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2020-01-31T17:21:49.331710Z", - "moduleName": "dot-prop", - "packageManager": "npm", - "packageName": "dot-prop", - "patches": [], - "publicationTime": "2020-01-28T16:23:39Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/719856" - } - ], - "semver": { - "vulnerable": ["<5.1.1"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "configstore@3.1.2", - "dot-prop@4.2.0" - ], - "upgradePath": [false, "snyk@1.290.1"], - "isUpgradable": true, - "isPatchable": false, - "name": "dot-prop", - "version": "4.2.0" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "alternativeIds": [], - "creationTime": "2019-10-22T12:22:54.665794Z", - "credit": ["Roman Burunkov"], - "cvssScore": 9.8, - "description": "## Overview\n\n[express-fileupload](https://github.com/richardgirges/express-fileupload) is a file upload middleware for express that wraps around busboy.\n\n\nAffected versions of this package are vulnerable to Denial of Service (DoS).\nThe package does not limit file name length.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## Remediation\n\nUpgrade `express-fileupload` to version 1.1.6-alpha.6 or higher.\n\n\n## References\n\n- [GitHub PR](https://github.com/richardgirges/express-fileupload/pull/171)\n", - "disclosureTime": "2019-10-18T11:17:09Z", - "exploit": "Not Defined", - "fixedIn": ["1.1.6-alpha.6"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-EXPRESSFILEUPLOAD-473997", - "identifiers": { - "CVE": [], - "CWE": ["CWE-79"], - "NSP": [1216] - }, - "language": "js", - "modificationTime": "2019-11-20T09:48:38.528931Z", - "moduleName": "express-fileupload", - "packageManager": "npm", - "packageName": "express-fileupload", - "patches": [], - "publicationTime": "2019-10-22T15:08:40Z", - "references": [ - { - "title": "GitHub PR", - "url": "https://github.com/richardgirges/express-fileupload/pull/171" - } - ], - "semver": { - "vulnerable": ["<1.1.6-alpha.6"] - }, - "severity": "high", - "title": "Denial of Service (DoS)", - "from": ["goof@0.0.3", "express-fileupload@0.0.5"], - "upgradePath": [false, "express-fileupload@1.1.6"], - "isUpgradable": true, - "isPatchable": false, - "name": "express-fileupload", - "version": "0.0.5" - }, - { - "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-09-26T10:01:07.677036Z", - "credit": ["Kris Adler"], - "cvssScore": 6.1, - "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", - "disclosureTime": "2019-09-25T08:21:57Z", - "exploit": "Proof of Concept", - "fixedIn": ["2.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-HTTPSPROXYAGENT-469131", - "identifiers": { - "CVE": [], - "CWE": ["CWE-300"], - "NSP": [1184] - }, - "language": "js", - "modificationTime": "2019-10-23T09:58:05.142531Z", - "moduleName": "https-proxy-agent", - "packageManager": "npm", - "packageName": "https-proxy-agent", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", - "modificationTime": "2019-12-03T11:40:45.721480Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" - ], - "version": "=2.2.1" - }, - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", - "modificationTime": "2019-12-03T11:40:45.723464Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" - ], - "version": "=2.2.2" - } - ], - "publicationTime": "2019-10-02T08:08:11Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" - }, - { - "title": "GitHub PR", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/541502" - } - ], - "semver": { - "vulnerable": ["<2.2.3"] - }, - "severity": "medium", - "title": "Man-in-the-Middle (MitM)", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "proxy-agent@3.1.0", - "https-proxy-agent@2.2.2" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "proxy-agent@3.1.0", - "https-proxy-agent@2.2.3" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "https-proxy-agent", - "version": "2.2.2" - }, - { - "CVSSv3": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-09-26T10:01:07.677036Z", - "credit": ["Kris Adler"], - "cvssScore": 6.1, - "description": "## Overview\n\n[https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent#readme) is a module that provides an http.Agent implementation that connects to a specified HTTP or HTTPS proxy server, and can be used with the built-in https module.\n\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM).\nWhen targeting a HTTP proxy, `https-proxy-agent` opens a socket to the proxy, and sends the proxy server a `CONNECT` request. If the proxy server responds with something other than a HTTP response `200`, `https-proxy-agent` incorrectly returns the socket without any TLS upgrade. This request data may contain basic auth credentials or other secrets, is sent over an unencrypted connection. A suitably positioned attacker could steal these secrets and impersonate the client.\r\n\r\n### PoC by Kris Adler\r\n\r\n```\r\nvar url = require('url');\r\nvar https = require('https');\r\nvar HttpsProxyAgent = require('https-proxy-agent');\r\n\r\nvar proxyOpts = url.parse('http://127.0.0.1:80');\r\nvar opts = url.parse('https://www.google.com');\r\nvar agent = new HttpsProxyAgent(proxyOpts);\r\nopts.agent = agent;\r\nopts.auth = 'username:password';\r\nhttps.get(opts);\r\n```\n\n## Remediation\n\nUpgrade `https-proxy-agent` to version 2.2.3 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b)\n\n- [GitHub PR](https://github.com/TooTallNate/node-https-proxy-agent/pull/77)\n\n- [HackerOne Report](https://hackerone.com/reports/541502)\n", - "disclosureTime": "2019-09-25T08:21:57Z", - "exploit": "Proof of Concept", - "fixedIn": ["2.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-HTTPSPROXYAGENT-469131", - "identifiers": { - "CVE": [], - "CWE": ["CWE-300"], - "NSP": [1184] - }, - "language": "js", - "modificationTime": "2019-10-23T09:58:05.142531Z", - "moduleName": "https-proxy-agent", - "packageManager": "npm", - "packageName": "https-proxy-agent", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:0", - "modificationTime": "2019-12-03T11:40:45.721480Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_0_20190929.patch" - ], - "version": "=2.2.1" - }, - { - "comments": [], - "id": "patch:SNYK-JS-HTTPSPROXYAGENT-469131:1", - "modificationTime": "2019-12-03T11:40:45.723464Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/https-proxy-agent/20190929/https-proxy-agent_0_1_20190929.patch" - ], - "version": "=2.2.2" - } - ], - "publicationTime": "2019-10-02T08:08:11Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" - }, - { - "title": "GitHub PR", - "url": "https://github.com/TooTallNate/node-https-proxy-agent/pull/77" - }, - { - "title": "HackerOne Report", - "url": "https://hackerone.com/reports/541502" - } - ], - "semver": { - "vulnerable": ["<2.2.3"] - }, - "severity": "medium", - "title": "Man-in-the-Middle (MitM)", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "proxy-agent@3.1.0", - "pac-proxy-agent@3.0.0", - "https-proxy-agent@2.2.2" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "proxy-agent@3.1.0", - "pac-proxy-agent@3.0.0", - "https-proxy-agent@2.2.3" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "https-proxy-agent", - "version": "2.2.2" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] - }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "npmconf@2.1.3", - "mkdirp@0.5.1", - "minimist@0.0.8" - ], - "upgradePath": [ - false, - "npmconf@2.1.3", - "mkdirp@0.5.2", - "minimist@1.2.5" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "0.0.8" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" - }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": ["SNYK-JS-EJS-10225"], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": ["Snyk Security Research Team"], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": ["2.5.5"], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": ["SNYK-JS-EJS-10225"], + "CVE": ["CVE-2017-1000188"], + "CWE": ["CWE-79"] }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": ["<2.5.5"] }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] - }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-auth-token@3.4.0", - "rc@1.2.8", - "minimist@1.2.0" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-auth-token@3.4.0", - "rc@1.2.8", - "minimist@1.2.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "1.2.0" - }, - { - "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", - "alternativeIds": [], - "creationTime": "2020-03-11T08:25:47.093051Z", - "credit": ["Snyk Security Team"], - "cvssScore": 5.6, - "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", - "disclosureTime": "2020-03-10T08:22:24Z", - "exploit": "Proof of Concept", - "fixedIn": ["0.2.1", "1.2.3"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-MINIMIST-559764", - "identifiers": { - "CVE": ["CVE-2020-7598"], - "CWE": ["CWE-400"], - "GHSA": ["GHSA-vh95-rmgr-6w4m"], - "NSP": [1179] + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" }, - "language": "js", - "modificationTime": "2020-03-18T10:21:38.800415Z", - "moduleName": "minimist", - "packageManager": "npm", - "packageName": "minimist", - "patches": [], - "publicationTime": "2020-03-11T08:22:19Z", - "references": [ - { - "title": "Command Injection PoC", - "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": ["SNYK-JS-EJS-10226"], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": ["Snyk Security Research Team"], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": ["2.5.5"], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": ["SNYK-JS-EJS-10226"], + "CVE": ["CVE-2017-1000189"], + "CWE": ["CWE-400"] }, - { - "title": "GitHub Fix Commit #1", - "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": ["<2.5.5"] }, - { - "title": "GitHub Fix Commit #2", - "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [">=0"] }, - { - "title": "Snyk Research Blog", - "url": "https://snyk.io/blog/prototype-pollution-minimist/" - } - ], - "semver": { - "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": ["goof@0.0.3"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "upgrade": { + "express-fileupload@0.0.5": { + "upgradeTo": "express-fileupload@1.1.6", + "upgrades": ["express-fileupload@0.0.5"], + "vulns": ["SNYK-JS-EXPRESSFILEUPLOAD-473997"] }, - "severity": "medium", - "title": "Prototype Pollution", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-url@3.1.0", - "rc@1.2.8", - "minimist@1.2.0" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "update-notifier@2.5.0", - "latest-version@3.1.0", - "package-json@4.0.1", - "registry-url@3.1.0", - "rc@1.2.8", - "minimist@1.2.3" - ], - "isUpgradable": true, - "isPatchable": false, - "name": "minimist", - "version": "1.2.0" + "snyk@1.228.3": { + "upgradeTo": "snyk@1.290.1", + "upgrades": ["dot-prop@4.2.0"], + "vulns": ["SNYK-JS-DOTPROP-543489"] + } }, - { - "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C", - "alternativeIds": [], - "creationTime": "2019-12-05T10:31:49.505060Z", - "credit": ["mik317"], - "cvssScore": 7, - "description": "## Overview\n\n[tree-kill](https://www.npmjs.com/package/tree-kill) is a package to kill all processes in the process tree, including the root process.\n\n\nAffected versions of this package are vulnerable to Command Injection.\nUser input is concatenated with a `command` within `tree-kill` and `treekill` that will be executed without any check. \r\n\r\nNote: This vulnerability is only applicable if the package is used on a Windows operating system.\r\n\r\n### PoC by mik317 \r\n1) Create this POC file\r\n```\r\n//poc.js\r\nvar kill = require('tree-kill');\r\nkill('3333332 & echo \"HACKED\" > HACKED.txt & ');\r\n```\r\n\r\n2) Execute the following commands in another terminal:\r\n```\r\nnpm i tree-kill # Install affected module\r\ndir # Check *HACKED.txt* doesn't exist\r\nnode poc.js # Run the PoC\r\ndir # Now *HACKED.txt* exists :)\r\n```\r\n3) A new file called `HACKED.txt` will be created, containing the `HACKED` string\n\n## Remediation\n\nUpgrade `tree-kill` to version 1.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c)\n\n- [tree-kill HackerOne Report](https://hackerone.com/reports/701183)\n\n- [treekill HackerOne Report](https://hackerone.com/reports/703415)\n\n- [Vulnerable Code treekill](https://github.com/node-modules/treekill/blob/master/index.js#L32)\n\n- [Vulnerable Code tree-kill](https://github.com/pkrumins/node-tree-kill/blob/master/index.js#L20)\n", - "disclosureTime": "2019-12-04T19:54:11Z", - "exploit": "Proof of Concept", - "fixedIn": ["1.2.2"], - "functions": [], - "functions_new": [], - "id": "SNYK-JS-TREEKILL-536781", - "identifiers": { - "CVE": ["CVE-2019-15598", "CVE-2019-15599"], - "CWE": ["CWE-78"], - "NSP": [1432, 1433] - }, - "language": "js", - "modificationTime": "2019-12-12T13:54:40.599000Z", - "moduleName": "tree-kill", - "packageManager": "npm", - "packageName": "tree-kill", - "patches": [ - { - "comments": [], - "id": "patch:SNYK-JS-TREEKILL-536781:0", - "modificationTime": "2019-12-11T11:57:51.268946Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/tree-kill/20191210/tree-kill_0_0_20191210_e5d66d1fbd4b392294512d4644ac22bdc888573c.patch" - ], - "version": ">=1.0.0" - } - ], - "publicationTime": "2019-12-05T10:51:40Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/pkrumins/node-tree-kill/commit/ff73dbf144c4c2daa67799a50dfff59cd455c63c" - }, - { - "title": "tree-kill HackerOne Report", - "url": "https://hackerone.com/reports/701183" - }, - { - "title": "treekill HackerOne Report", - "url": "https://hackerone.com/reports/703415" - }, - { - "title": "Vulnerable Code treekill", - "url": "https://github.com/node-modules/treekill/blob/master/index.js%23L32" - }, - { - "title": "Vulnerable Code tree-kill", - "url": "https://github.com/pkrumins/node-tree-kill/blob/master/index.js%23L20" - } - ], - "semver": { - "vulnerable": ["<1.2.2"] + "patch": { + "SNYK-JS-HTTPSPROXYAGENT-469131": { + "paths": [ + { + "snyk > proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + }, + { + "snyk > proxy-agent > pac-proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] }, - "severity": "high", - "title": "Command Injection", - "from": [ - "goof@0.0.3", - "snyk@1.228.3", - "snyk-sbt-plugin@2.8.0", - "tree-kill@1.2.1" - ], - "upgradePath": [ - false, - "snyk@1.228.3", - "snyk-sbt-plugin@2.8.0", - "tree-kill@1.2.2" - ], - "isUpgradable": true, - "isPatchable": true, - "name": "tree-kill", - "version": "1.2.1" + "SNYK-JS-TREEKILL-536781": { + "paths": [ + { + "snyk > snyk-sbt-plugin > tree-kill": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + } }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "alternativeIds": ["SNYK-JS-EJS-10218"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 8.1, - "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.3"], - "functions": [ - { - "functionId": { - "className": null, - "filePath": "ejs.js", - "functionName": "1.exports.render" + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": true, + "filtered": { + "ignore": [], + "patch": [ + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "alternativeIds": ["SNYK-JS-MS-10064"], + "creationTime": "2015-11-06T02:09:36.187000Z", + "credit": ["Adam Baldwin"], + "cvssScore": 5.3, + "description": "## Overview\n\n[ms](https://www.npmjs.com/package/ms) is a tiny milisecond conversion utility.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nattack when converting a time period string (i.e. `\"2 days\"`, `\"1h\"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `ms` to version 0.7.1 or higher.\n\n\n## References\n\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11)\n\n- [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n\n- [Security Focus](https://www.securityfocus.com/bid/96389)\n", + "disclosureTime": "2015-10-24T20:39:59Z", + "exploit": "Not Defined", + "fixedIn": ["0.7.1"], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [">0.1.0 <=0.3.0"] }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "className": null, - "filePath": "lib/ejs.js", - "functionName": "exports.render" + { + "functionId": { + "className": null, + "filePath": "index.js", + "functionName": "parse" + }, + "version": [">0.3.0 <0.7.1"] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [">0.1.0 <=0.3.0"] }, - "version": ["<2.2.1"] + { + "functionId": { + "filePath": "index.js", + "functionName": "parse" + }, + "version": [">0.3.0 <0.7.1"] + } + ], + "id": "npm:ms:20151024", + "identifiers": { + "ALTERNATIVE": ["SNYK-JS-MS-10064"], + "CVE": ["CVE-2015-8315"], + "CWE": ["CWE-400"], + "NSP": [46] }, - { - "functionId": { - "className": null, - "filePath": "ejs.js", - "functionName": "1.cpOptsInData" + "language": "js", + "modificationTime": "2019-05-23T07:46:17.408630Z", + "moduleName": "ms", + "packageManager": "npm", + "packageName": "ms", + "patches": [ + { + "comments": [], + "id": "patch:npm:ms:20151024:0", + "modificationTime": "2019-12-03T11:40:45.772009Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch" + ], + "version": "=0.7.0" }, - "version": [">=2.2.1 <2.5.3"] - }, - { - "functionId": { - "className": null, - "filePath": "lib/ejs.js", - "functionName": "cpOptsInData" + { + "comments": [], + "id": "patch:npm:ms:20151024:1", + "modificationTime": "2019-12-03T11:40:45.773094Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch" + ], + "version": "<0.7.0 >=0.6.0" }, - "version": [">=2.2.1 <2.5.3"] - } - ], - "functions_new": [ - { - "functionId": { - "filePath": "ejs.js", - "functionName": "1.exports.render" + { + "comments": [], + "id": "patch:npm:ms:20151024:2", + "modificationTime": "2019-12-03T11:40:45.774221Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch" + ], + "version": "<0.6.0 >0.3.0" }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "filePath": "lib/ejs.js", - "functionName": "exports.render" + { + "comments": [], + "id": "patch:npm:ms:20151024:3", + "modificationTime": "2019-12-03T11:40:45.775292Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch" + ], + "version": "=0.3.0" }, - "version": ["<2.2.1"] - }, - { - "functionId": { - "filePath": "ejs.js", - "functionName": "1.cpOptsInData" + { + "comments": [], + "id": "patch:npm:ms:20151024:4", + "modificationTime": "2019-12-03T11:40:45.776329Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch" + ], + "version": "=0.2.0" }, - "version": [">=2.2.1 <2.5.3"] - }, - { - "functionId": { - "filePath": "lib/ejs.js", - "functionName": "cpOptsInData" + { + "comments": [], + "id": "patch:npm:ms:20151024:5", + "modificationTime": "2019-12-03T11:40:45.777474Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch" + ], + "version": "=0.1.0" + } + ], + "publicationTime": "2015-11-06T02:09:36Z", + "references": [ + { + "title": "OSS security Advisory", + "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11" }, - "version": [">=2.2.1 <2.5.3"] - } - ], - "id": "npm:ejs:20161128", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10218"], - "CVE": ["CVE-2017-1000228"], - "CWE": ["CWE-94"] - }, - "language": "js", - "modificationTime": "2019-03-05T14:14:20.921506Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [ - { - "comments": [], - "id": "patch:npm:ejs:20161128:0", - "modificationTime": "2019-12-03T11:40:45.851976Z", - "urls": [ - "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" - ], - "version": "<2.5.3 >=2.2.4" - } - ], - "publicationTime": "2016-11-28T18:44:12Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + { + "title": "OWASP - ReDoS", + "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "title": "Security Focus", + "url": "https://www.securityfocus.com/bid/96389" + } + ], + "semver": { + "vulnerable": ["<0.7.1"] }, - { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + "severity": "medium", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": ["goof@0.0.3", "humanize-ms@1.0.1", "ms@0.6.2"], + "upgradePath": [false, "humanize-ms@1.0.2", "ms@0.7.1"], + "isUpgradable": true, + "isPatchable": true, + "name": "ms", + "version": "0.6.2", + "filtered": { + "patches": [ + { + "patched": "2019-09-23T21:21:17.183Z", + "path": ["humanize-ms", "ms"] + } + ] } - ], - "semver": { - "vulnerable": ["<2.5.3"] - }, - "severity": "high", - "title": "Arbitrary Code Execution", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, + } + ] + }, + "uniqueCount": 10, + "projectName": "goof", + "projectId": "09235fa4-c241-42c6-8c63-c053bd272789", + "displayTargetFile": "package-lock.json", + "path": "/home/antoine/Documents/SnykSB/goof" + }, + { + "vulnerabilities": [ { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "alternativeIds": ["SNYK-JS-EJS-10225"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 5.9, - "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", - "disclosureTime": "2016-11-27T22:00:00Z", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": ["Peter van der Zee"], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", "exploit": "Not Defined", - "fixedIn": ["2.5.5"], + "fixedIn": ["5.7.4", "6.4.1", "7.1.1"], "functions": [], "functions_new": [], - "id": "npm:ejs:20161130", + "id": "SNYK-JS-ACORN-559469", "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10225"], - "CVE": ["CVE-2017-1000188"], - "CWE": ["CWE-79"] + "CVE": [], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-6chw-6frg-f759"], + "NSP": [1488] }, "language": "js", - "modificationTime": "2019-02-18T08:31:22.194966Z", - "moduleName": "ejs", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", "packageManager": "npm", - "packageName": "ejs", + "packageName": "acorn", "patches": [], - "publicationTime": "2016-12-06T15:00:00Z", + "publicationTime": "2020-03-07T00:19:23Z", "references": [ { "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" }, { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" - } - ], - "semver": { - "vulnerable": ["<2.5.5"] - }, - "severity": "medium", - "title": "Cross-site Scripting (XSS)", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "alternativeIds": ["SNYK-JS-EJS-10226"], - "creationTime": "2016-11-28T18:44:12.405000Z", - "credit": ["Snyk Security Research Team"], - "cvssScore": 5.9, - "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", - "disclosureTime": "2016-11-27T22:00:00Z", - "exploit": "Not Defined", - "fixedIn": ["2.5.5"], - "functions": [], - "functions_new": [], - "id": "npm:ejs:20161130-1", - "identifiers": { - "ALTERNATIVE": ["SNYK-JS-EJS-10226"], - "CVE": ["CVE-2017-1000189"], - "CWE": ["CWE-400"] - }, - "language": "js", - "modificationTime": "2019-02-18T08:31:22.206452Z", - "moduleName": "ejs", - "packageManager": "npm", - "packageName": "ejs", - "patches": [], - "publicationTime": "2016-12-06T15:00:00Z", - "references": [ - { - "title": "GitHub Commit", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" }, { - "title": "Snyk Blog", - "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" } ], "semver": { - "vulnerable": ["<2.5.5"] - }, - "severity": "medium", - "title": "Denial of Service (DoS)", - "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], - "upgradePath": [], - "isUpgradable": false, - "isPatchable": false, - "name": "ejs", - "version": "0.8.8" - }, - { - "license": "GPL-2.0", - "semver": { - "vulnerable": [">=0"] + "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] }, - "id": "snyk:lic:npm:goof:GPL-2.0", - "type": "license", - "packageManager": "npm", - "language": "js", - "packageName": "goof", - "title": "GPL-2.0 license", - "description": "GPL-2.0 license", - "publicationTime": "2020-04-09T19:48:50.751Z", - "creationTime": "2020-04-09T19:48:50.751Z", - "patches": [], - "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", - "severity": "medium", - "from": ["goof@0.0.3"], - "upgradePath": [], - "isUpgradable": false, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "express-fileupload@0.0.5", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, "isPatchable": false, - "name": "goof", - "version": "0.0.3" + "name": "acorn", + "version": "5.7.3" } ], "ok": false, diff --git a/test/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license2.json b/test/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license2.json new file mode 100644 index 0000000..cb371e9 --- /dev/null +++ b/test/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license2.json @@ -0,0 +1,853 @@ +{ + "vulnerabilities": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": ["Peter van der Zee"], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": ["5.7.4", "6.4.1", "7.1.1"], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-6chw-6frg-f759"], + "NSP": [1488] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": ["Peter van der Zee"], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": ["5.7.4", "6.4.1", "7.1.1"], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-6chw-6frg-f759"], + "NSP": [1488] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "express-fileupload@0.0.5", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [">=0"] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": ["goof@0.0.3"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "goof", + "version": "0.0.3" + }, + { + "license": "Artistic-2.0", + "semver": { + "vulnerable": [">=1.3.6"] + }, + "id": "snyk:lic:npm:npm:Artistic-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "npm", + "title": "Artistic-2.0 license", + "description": "Artistic-2.0 license", + "publicationTime": "2021-04-04T06:00:13.541Z", + "creationTime": "2021-04-04T06:00:13.541Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Artistic-2.0.txt", + "severity": "medium", + "from": ["goof@1.0.1", "npm@7.12.0"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "name": "npm", + "version": "7.12.0" + } + ], + "ok": false, + "dependencyCount": 418, + "org": "playground", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.14.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n 'npm:ejs:20161128':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:ejs:20161130-1':\n - ejs-locals > ejs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:hoek:20180212':\n - tap > codecov.io > request > hawk > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > sntp > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n - tap > codecov.io > request > hawk > cryptiles > boom > hoek:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'npm:qs:20170213':\n - tap > codecov.io > request > qs:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:goof:GPL-2.0':\n - '':\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n 'snyk:lic:npm:symbol:MPL-2.0':\n - tap > nyc > yargs > pkg-conf > symbol:\n reason: None given\n expires: '2019-10-23T11:31:59.805Z'\n source: cli\n# patches apply the minimum changes required to fix a vulnerability\npatch:\n 'npm:negotiator:20160616':\n - errorhandler > accepts > negotiator:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:ms:20151024':\n - humanize-ms > ms:\n patched: '2019-09-23T21:21:17.183Z'\n 'npm:hawk:20160119':\n - tap > codecov.io > request > hawk:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:http-signature:20150122':\n - tap > codecov.io > request > http-signature:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:mime:20170907':\n - tap > codecov.io > request > form-data > mime:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:request:20160119':\n - tap > codecov.io > request:\n patched: '2019-09-23T11:31:09.532Z'\n 'npm:tunnel-agent:20170305':\n - tap > codecov.io > request > tunnel-agent:\n patched: '2019-09-23T11:31:09.532Z'\n", + "isPrivate": true, + "licensesPolicy": { + "severities": { + "AGPL-1.0": "high", + "AGPL-3.0": "high", + "CDDL-1.0": "medium", + "CPOL-1.02": "high", + "GPL-2.0": "medium", + "LGPL-2.0": "low", + "LGPL-2.1": "low", + "LGPL-2.1+": "medium", + "LGPL-3.0": "low", + "LGPL-3.0+": "medium", + "MPL-1.1": "medium", + "MPL-2.0": "medium", + "MS-RL": "medium", + "SimPL-2.0": "high" + }, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "jbvhgvg Test" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "low", + "instructions": "" + }, + "LGPL-2.1+": { + "licenseType": "LGPL-2.1+", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "low", + "instructions": "" + }, + "LGPL-3.0+": { + "licenseType": "LGPL-3.0+", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "npm", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "15 vulnerable dependency paths", + "remediation": { + "unresolved": [ + { + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": [], + "creationTime": "2020-03-07T00:18:41.509507Z", + "credit": ["Peter van der Zee"], + "cvssScore": 7.5, + "description": "## Overview\n\n[acorn](https://github.com/acornjs/acorn) is a tiny, fast JavaScript parser written in JavaScript.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nvia a regex in the form of `/[x-\\ud800]/u`, which causes the parser to enter an infinite loop. \r\n\r\nThis string is not a valid `UTF16` and is therefore not sanitized before reaching the parser. An application which processes untrusted input and passes it directly to `acorn`, will allow attackers to leverage the vulnerability leading to a Denial of Service.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `acorn` to version 5.7.4, 6.4.1, 7.1.1 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802)\n\n- [GitHub Issue 6.x Branch](https://github.com/acornjs/acorn/issues/929)\n\n- [NPM Security Advisory](https://www.npmjs.com/advisories/1488)\n", + "disclosureTime": "2020-03-02T19:21:25Z", + "exploit": "Not Defined", + "fixedIn": ["5.7.4", "6.4.1", "7.1.1"], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-ACORN-559469", + "identifiers": { + "CVE": [], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-6chw-6frg-f759"], + "NSP": [1488] + }, + "language": "js", + "modificationTime": "2020-03-10T10:19:13.616093Z", + "moduleName": "acorn", + "packageManager": "npm", + "packageName": "acorn", + "patches": [], + "publicationTime": "2020-03-07T00:19:23Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" + }, + { + "title": "GitHub Issue 6.x Branch", + "url": "https://github.com/acornjs/acorn/issues/929" + }, + { + "title": "NPM Security Advisory", + "url": "https://www.npmjs.com/advisories/1488" + } + ], + "semver": { + "vulnerable": [">=5.5.0 <5.7.4", ">=6.0.0 <6.4.1", ">=7.0.0 <7.1.1"] + }, + "severity": "high", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": [ + "goof@0.0.3", + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.3" + ], + "upgradePath": [ + false, + "@snyk/nodejs-runtime-agent@1.14.0", + "acorn@5.7.4" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "acorn", + "version": "5.7.3" + }, + { + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", + "alternativeIds": [], + "creationTime": "2020-03-11T08:25:47.093051Z", + "credit": ["Snyk Security Team"], + "cvssScore": 5.6, + "description": "## Overview\n\n[minimist](https://www.npmjs.com/package/minimist) is a parse argument options module.\n\n\nAffected versions of this package are vulnerable to Prototype Pollution.\nThe library could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` or `__proto__` payload.\r\n\r\n## PoC by Snyk\r\n```\r\nrequire('minimist')('--__proto__.injected0 value0'.split(' '));\r\nconsole.log(({}).injected0 === 'value0'); // true\r\n\r\nrequire('minimist')('--constructor.prototype.injected1 value1'.split(' '));\r\nconsole.log(({}).injected1 === 'value1'); // true\r\n```\n\n## Details\nPrototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `_proto_`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the `Object.prototype` are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.\r\n\r\nThere are two main ways in which the pollution of prototypes occurs:\r\n\r\n- Unsafe `Object` recursive merge\r\n \r\n- Property definition by path\r\n \r\n\r\n### Unsafe Object recursive merge\r\n\r\nThe logic of a vulnerable recursive merge function follows the following high-level model:\r\n```\r\nmerge (target, source)\r\n\r\n foreach property of source\r\n\r\n if property exists and is an object on both the target and the source\r\n\r\n merge(target[property], source[property])\r\n\r\n else\r\n\r\n target[property] = source[property]\r\n```\r\n
\r\n\r\nWhen the source object contains a property named `_proto_` defined with `Object.defineProperty()` , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of `Object` and the source of `Object` as defined by the attacker. Properties are then copied on the `Object` prototype.\r\n\r\nClone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: `merge({},source)`.\r\n\r\n`lodash` and `Hoek` are examples of libraries susceptible to recursive merge attacks.\r\n\r\n### Property definition by path\r\n\r\nThere are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: `theFunction(object, path, value)`\r\n\r\nIf the attacker can control the value of “path”, they can set this value to `_proto_.myValue`. `myValue` is then assigned to the prototype of the class of the object.\r\n\r\n## Types of attacks\r\n\r\nThere are a few methods by which Prototype Pollution can be manipulated:\r\n\r\n| Type |Origin |Short description |\r\n|--|--|--|\r\n| **Denial of service (DoS)**|Client |This is the most likely attack.
DoS occurs when `Object` holds generic functions that are implicitly called for various operations (for example, `toString` and `valueOf`).
The attacker pollutes `Object.prototype.someattr` and alters its state to an unexpected value such as `Int` or `Object`. In this case, the code fails and is likely to cause a denial of service.
**For example:** if an attacker pollutes `Object.prototype.toString` by defining it as an integer, if the codebase at any point was reliant on `someobject.toString()` it would fail. |\r\n |**Remote Code Execution**|Client|Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
**For example:** `eval(someobject.someattr)`. In this case, if the attacker pollutes `Object.prototype.someattr` they are likely to be able to leverage this in order to execute code.|\r\n|**Property Injection**|Client|The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
**For example:** if a codebase checks privileges for `someuser.isAdmin`, then when the attacker pollutes `Object.prototype.isAdmin` and sets it to equal `true`, they can then achieve admin privileges.|\r\n\r\n## Affected environments\r\n\r\nThe following environments are susceptible to a Prototype Pollution attack:\r\n\r\n- Application server\r\n \r\n- Web server\r\n \r\n\r\n## How to prevent\r\n\r\n1. Freeze the prototype— use `Object.freeze (Object.prototype)`.\r\n \r\n2. Require schema validation of JSON input.\r\n \r\n3. Avoid using unsafe recursive merge functions.\r\n \r\n4. Consider using objects without prototypes (for example, `Object.create(null)`), breaking the prototype chain and preventing pollution.\r\n \r\n5. As a best practice use `Map` instead of `Object`.\r\n\r\n### For more information on this vulnerability type:\r\n\r\n[Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n\n## Remediation\n\nUpgrade `minimist` to version 0.2.1, 1.2.3 or higher.\n\n\n## References\n\n- [Command Injection PoC](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a)\n\n- [GitHub Fix Commit #1](https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)\n\n- [GitHub Fix Commit #2](https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)\n\n- [Snyk Research Blog](https://snyk.io/blog/prototype-pollution-minimist/)\n", + "disclosureTime": "2020-03-10T08:22:24Z", + "exploit": "Proof of Concept", + "fixedIn": ["0.2.1", "1.2.3"], + "functions": [], + "functions_new": [], + "id": "SNYK-JS-MINIMIST-559764", + "identifiers": { + "CVE": ["CVE-2020-7598"], + "CWE": ["CWE-400"], + "GHSA": ["GHSA-vh95-rmgr-6w4m"], + "NSP": [1179] + }, + "language": "js", + "modificationTime": "2020-03-18T10:21:38.800415Z", + "moduleName": "minimist", + "packageManager": "npm", + "packageName": "minimist", + "patches": [], + "publicationTime": "2020-03-11T08:22:19Z", + "references": [ + { + "title": "Command Injection PoC", + "url": "https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a" + }, + { + "title": "GitHub Fix Commit #1", + "url": "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + }, + { + "title": "GitHub Fix Commit #2", + "url": "https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" + }, + { + "title": "Snyk Research Blog", + "url": "https://snyk.io/blog/prototype-pollution-minimist/" + } + ], + "semver": { + "vulnerable": ["<0.2.1", ">=1.0.0 <1.2.3"] + }, + "severity": "medium", + "title": "Prototype Pollution", + "from": [ + "goof@0.0.3", + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.0" + ], + "upgradePath": [ + false, + "snyk@1.228.3", + "update-notifier@2.5.0", + "latest-version@3.1.0", + "package-json@4.0.1", + "registry-url@3.1.0", + "rc@1.2.8", + "minimist@1.2.3" + ], + "isUpgradable": true, + "isPatchable": false, + "isPinnable": false, + "name": "minimist", + "version": "1.2.0" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "alternativeIds": ["SNYK-JS-EJS-10218"], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": ["Snyk Security Research Team"], + "cvssScore": 8.1, + "description": "## Overview\r\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\r\nAffected versions of the package are vulnerable to _Remote Code Execution_ by letting the attacker under certain conditions control the source folder from which the engine renders include files.\r\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\r\n\r\nThere's also a [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour. \r\n\r\n## Details\r\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\r\n\r\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\r\n```js\r\nejs.render(str, data, options);\r\n\r\nejs.renderFile(filename, data, options, callback)\r\n```\r\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\r\n```js\r\nejs.render(str, dataAndOptions);\r\n\r\nejs.renderFile(filename, dataAndOptions, callback)\r\n```\r\n\r\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `root` option, which allows changing the project root for includes with an absolute path. \r\n\r\n```js\r\nejs.renderFile('my-template', {root:'/bad/root/'}, callback);\r\n```\r\n\r\nBy passing along the root directive in the line above, any includes would now be pulled from `/bad/root` instead of the path intended. This allows the attacker to take control of the root directory for included scripts and divert it to a library under his control, thus leading to remote code execution.\r\n\r\nThe [fix](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\r\n\r\n## Disclosure Timeline\r\n- November 27th, 2016 - Reported the issue to package owner.\r\n- November 27th, 2016 - Issue acknowledged by package owner.\r\n- November 28th, 2016 - Issue fixed and version `2.5.3` released.\r\n\r\n## Remediation\r\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\r\nOtherwise, Upgrade `ejs` to version `2.5.3` or higher.\r\n\r\n## References\r\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\r\n- [Fix commit](https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6)", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": ["2.5.3"], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": ["<2.2.1"] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": ["<2.2.1"] + }, + { + "functionId": { + "className": null, + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [">=2.2.1 <2.5.3"] + }, + { + "functionId": { + "className": null, + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [">=2.2.1 <2.5.3"] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.exports.render" + }, + "version": ["<2.2.1"] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "exports.render" + }, + "version": ["<2.2.1"] + }, + { + "functionId": { + "filePath": "ejs.js", + "functionName": "1.cpOptsInData" + }, + "version": [">=2.2.1 <2.5.3"] + }, + { + "functionId": { + "filePath": "lib/ejs.js", + "functionName": "cpOptsInData" + }, + "version": [">=2.2.1 <2.5.3"] + } + ], + "id": "npm:ejs:20161128", + "identifiers": { + "ALTERNATIVE": ["SNYK-JS-EJS-10218"], + "CVE": ["CVE-2017-1000228"], + "CWE": ["CWE-94"] + }, + "language": "js", + "modificationTime": "2019-03-05T14:14:20.921506Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [ + { + "comments": [], + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "<2.5.3 >=2.2.4" + } + ], + "publicationTime": "2016-11-28T18:44:12Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/3d447c5a335844b25faec04b1132dbc721f9c8f6" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": ["<2.5.3"] + }, + "severity": "high", + "title": "Arbitrary Code Execution", + "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "alternativeIds": ["SNYK-JS-EJS-10225"], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": ["Snyk Security Research Team"], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Cross-site Scripting_ by letting the attacker under certain conditions control and override the `filename` option causing it to render the value as is, without escaping it.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Denial of Service](https://snyk.io/vuln/npm:ejs:20161130-1) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `filename` option, which will be rendered as is when an error occurs during rendering. \n\n```js\nejs.renderFile('my-template', {filename:''}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": ["2.5.5"], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130", + "identifiers": { + "ALTERNATIVE": ["SNYK-JS-EJS-10225"], + "CVE": ["CVE-2017-1000188"], + "CWE": ["CWE-79"] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.194966Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": ["<2.5.5"] + }, + "severity": "medium", + "title": "Cross-site Scripting (XSS)", + "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "alternativeIds": ["SNYK-JS-EJS-10226"], + "creationTime": "2016-11-28T18:44:12.405000Z", + "credit": ["Snyk Security Research Team"], + "cvssScore": 5.9, + "description": "## Overview\n[`ejs`](https://www.npmjs.com/package/ejs) is a popular JavaScript templating engine.\nAffected versions of the package are vulnerable to _Denial of Service_ by letting the attacker under certain conditions control and override the `localNames` option causing it to crash.\nYou can read more about this vulnerability on the [Snyk blog](https://snyk.io/blog/fixing-ejs-rce-vuln).\n\nThere's also a [Remote Code Execution](https://snyk.io/vuln/npm:ejs:20161128) & [Cross-site Scripting](https://snyk.io/vuln/npm:ejs:20161130) vulnerabilities caused by the same behaviour.\n\n## Details\n`ejs` provides a few different options for you to render a template, two being very similar: `ejs.render()` and `ejs.renderFile()`. The only difference being that `render` expects a string to be used for the template and `renderFile` expects a path to a template file.\n\nBoth functions can be invoked in two ways. The first is calling them with `template`, `data`, and `options`:\n```js\nejs.render(str, data, options);\n\nejs.renderFile(filename, data, options, callback)\n```\nThe second way would be by calling only the `template` and `data`, while `ejs` lets the `options` be passed as part of the `data`:\n```js\nejs.render(str, dataAndOptions);\n\nejs.renderFile(filename, dataAndOptions, callback)\n```\n\nIf used with a variable list supplied by the user (e.g. by reading it from the URI with `qs` or equivalent), an attacker can control `ejs` options. This includes the `localNames` option, which will cause the renderer to crash.\n\n```js\nejs.renderFile('my-template', {localNames:'try'}, callback);\n```\n\nThe [fix](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f) introduced in version `2.5.3` blacklisted `root` options from options passed via the `data` object.\n\n## Disclosure Timeline\n- November 28th, 2016 - Reported the issue to package owner.\n- November 28th, 2016 - Issue acknowledged by package owner.\n- December 06th, 2016 - Issue fixed and version `2.5.5` released.\n\n## Remediation\nThe vulnerability can be resolved by either using the GitHub integration to [generate a pull-request](https://snyk.io/org/projects) from your dashboard or by running `snyk wizard` from the command-line interface.\nOtherwise, Upgrade `ejs` to version `2.5.5` or higher.\n\n## References\n- [Snyk Blog](https://snyk.io/blog/fixing-ejs-rce-vuln)\n- [Fix commit](https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f)\n", + "disclosureTime": "2016-11-27T22:00:00Z", + "exploit": "Not Defined", + "fixedIn": ["2.5.5"], + "functions": [], + "functions_new": [], + "id": "npm:ejs:20161130-1", + "identifiers": { + "ALTERNATIVE": ["SNYK-JS-EJS-10226"], + "CVE": ["CVE-2017-1000189"], + "CWE": ["CWE-400"] + }, + "language": "js", + "modificationTime": "2019-02-18T08:31:22.206452Z", + "moduleName": "ejs", + "packageManager": "npm", + "packageName": "ejs", + "patches": [], + "publicationTime": "2016-12-06T15:00:00Z", + "references": [ + { + "title": "GitHub Commit", + "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" + }, + { + "title": "Snyk Blog", + "url": "https://snyk.io/blog/fixing-ejs-rce-vuln" + } + ], + "semver": { + "vulnerable": ["<2.5.5"] + }, + "severity": "medium", + "title": "Denial of Service (DoS)", + "from": ["goof@0.0.3", "ejs-locals@1.0.2", "ejs@0.8.8"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "ejs", + "version": "0.8.8" + }, + { + "license": "GPL-2.0", + "semver": { + "vulnerable": [">=0"] + }, + "id": "snyk:lic:npm:goof:GPL-2.0", + "type": "license", + "packageManager": "npm", + "language": "js", + "packageName": "goof", + "title": "GPL-2.0 license", + "description": "GPL-2.0 license", + "publicationTime": "2020-04-09T19:48:50.751Z", + "creationTime": "2020-04-09T19:48:50.751Z", + "patches": [], + "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/GPL-2.0.txt", + "severity": "medium", + "from": ["goof@0.0.3"], + "upgradePath": [], + "isUpgradable": false, + "isPatchable": false, + "isPinnable": false, + "name": "goof", + "version": "0.0.3" + } + ], + "upgrade": { + "express-fileupload@0.0.5": { + "upgradeTo": "express-fileupload@1.1.6", + "upgrades": ["express-fileupload@0.0.5"], + "vulns": ["SNYK-JS-EXPRESSFILEUPLOAD-473997"] + }, + "snyk@1.228.3": { + "upgradeTo": "snyk@1.290.1", + "upgrades": ["dot-prop@4.2.0"], + "vulns": ["SNYK-JS-DOTPROP-543489"] + } + }, + "patch": { + "SNYK-JS-HTTPSPROXYAGENT-469131": { + "paths": [ + { + "snyk > proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + }, + { + "snyk > proxy-agent > pac-proxy-agent > https-proxy-agent": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + }, + "SNYK-JS-TREEKILL-536781": { + "paths": [ + { + "snyk > snyk-sbt-plugin > tree-kill": { + "patched": "2020-04-09T21:29:35.234Z" + } + } + ] + } + }, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": true, + "filtered": { + "ignore": [], + "patch": [ + { + "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "alternativeIds": ["SNYK-JS-MS-10064"], + "creationTime": "2015-11-06T02:09:36.187000Z", + "credit": ["Adam Baldwin"], + "cvssScore": 5.3, + "description": "## Overview\n\n[ms](https://www.npmjs.com/package/ms) is a tiny milisecond conversion utility.\n\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)\nattack when converting a time period string (i.e. `\"2 days\"`, `\"1h\"`) into a milliseconds integer. A malicious user could pass extremely long strings to `ms()`, causing the server to take a long time to process, subsequently blocking the event loop for that extended period.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\r\n\r\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\r\n\r\nLet’s take the following regular expression as an example:\r\n```js\r\nregex = /A(B|C+)+D/\r\n```\r\n\r\nThis regular expression accomplishes the following:\r\n- `A` The string must start with the letter 'A'\r\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\r\n- `D` Finally, we ensure this section of the string ends with a 'D'\r\n\r\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\r\n\r\nIt most cases, it doesn't take very long for a regex engine to find a match:\r\n\r\n```bash\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\r\n0.04s user 0.01s system 95% cpu 0.052 total\r\n\r\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\r\n1.79s user 0.02s system 99% cpu 1.812 total\r\n```\r\n\r\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\r\n\r\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\r\n\r\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\r\n1. CCC\r\n2. CC+C\r\n3. C+CC\r\n4. C+C+C.\r\n\r\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\r\n\r\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\r\n\r\n| String | Number of C's | Number of steps |\r\n| -------|-------------:| -----:|\r\n| ACCCX | 3 | 38\r\n| ACCCCX | 4 | 71\r\n| ACCCCCX | 5 | 136\r\n| ACCCCCCCCCCCCCCX | 14 | 65,553\r\n\r\n\r\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\n\nUpgrade `ms` to version 0.7.1 or higher.\n\n\n## References\n\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2016/04/20/11)\n\n- [OWASP - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n\n- [Security Focus](https://www.securityfocus.com/bid/96389)\n", + "disclosureTime": "2015-10-24T20:39:59Z", + "exploit": "Not Defined", + "fixedIn": ["0.7.1"], + "functions": [ + { + "functionId": { + "className": null, + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [">0.1.0 <=0.3.0"] + }, + { + "functionId": { + "className": null, + "filePath": "index.js", + "functionName": "parse" + }, + "version": [">0.3.0 <0.7.1"] + } + ], + "functions_new": [ + { + "functionId": { + "filePath": "ms.js", + "functionName": "parse" + }, + "version": [">0.1.0 <=0.3.0"] + }, + { + "functionId": { + "filePath": "index.js", + "functionName": "parse" + }, + "version": [">0.3.0 <0.7.1"] + } + ], + "id": "npm:ms:20151024", + "identifiers": { + "ALTERNATIVE": ["SNYK-JS-MS-10064"], + "CVE": ["CVE-2015-8315"], + "CWE": ["CWE-400"], + "NSP": [46] + }, + "language": "js", + "modificationTime": "2019-05-23T07:46:17.408630Z", + "moduleName": "ms", + "packageManager": "npm", + "packageName": "ms", + "patches": [ + { + "comments": [], + "id": "patch:npm:ms:20151024:0", + "modificationTime": "2019-12-03T11:40:45.772009Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_0_0_48701f029417faf65e6f5e0b61a3cebe5436b07b.patch" + ], + "version": "=0.7.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:1", + "modificationTime": "2019-12-03T11:40:45.773094Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_1_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk.patch" + ], + "version": "<0.7.0 >=0.6.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:2", + "modificationTime": "2019-12-03T11:40:45.774221Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_2_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk2.patch" + ], + "version": "<0.6.0 >0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:3", + "modificationTime": "2019-12-03T11:40:45.775292Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_3_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk3.patch" + ], + "version": "=0.3.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:4", + "modificationTime": "2019-12-03T11:40:45.776329Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_4_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk4.patch" + ], + "version": "=0.2.0" + }, + { + "comments": [], + "id": "patch:npm:ms:20151024:5", + "modificationTime": "2019-12-03T11:40:45.777474Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ms/20151024/ms_20151024_5_0_48701f029417faf65e6f5e0b61a3cebe5436b07b_snyk5.patch" + ], + "version": "=0.1.0" + } + ], + "publicationTime": "2015-11-06T02:09:36Z", + "references": [ + { + "title": "OSS security Advisory", + "url": "https://www.openwall.com/lists/oss-security/2016/04/20/11" + }, + { + "title": "OWASP - ReDoS", + "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "title": "Security Focus", + "url": "https://www.securityfocus.com/bid/96389" + } + ], + "semver": { + "vulnerable": ["<0.7.1"] + }, + "severity": "medium", + "title": "Regular Expression Denial of Service (ReDoS)", + "from": ["goof@0.0.3", "humanize-ms@1.0.1", "ms@0.6.2"], + "upgradePath": [false, "humanize-ms@1.0.2", "ms@0.7.1"], + "isUpgradable": true, + "isPatchable": true, + "name": "ms", + "version": "0.6.2", + "filtered": { + "patches": [ + { + "patched": "2019-09-23T21:21:17.183Z", + "path": ["humanize-ms", "ms"] + } + ] + } + } + ] + }, + "uniqueCount": 10, + "projectName": "goof", + "projectId": "09235fa4-c241-42c6-8c63-c053bd272789", + "displayTargetFile": "package-lock.json", + "path": "/home/antoine/Documents/SnykSB/goof" +} diff --git a/test/lib/index.test.ts b/test/lib/index.test.ts index cf858b0..1ea344e 100644 --- a/test/lib/index.test.ts +++ b/test/lib/index.test.ts @@ -16,14 +16,67 @@ beforeAll(() => { return fs.readFileSync( fixturesFolderPath + 'api-response-projects-all-projects.json', ); - case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272786/issues': - return fs.readFileSync(fixturesFolderPath + 'apitest-gomod.json'); - case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272787/issues': - return fs.readFileSync(fixturesFolderPath + 'apitest-gomod.json'); - case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789/issues': - return fs.readFileSync(fixturesFolderPath + 'api-response-goof.json'); - case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272790/issues': - return fs.readFileSync(fixturesFolderPath + 'api-response-goof.json'); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272786/aggregated-issues': + return fs.readFileSync( + fixturesFolderPath + 'apitest-gomod-aggregated.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272786/dep-graph': + return fs.readFileSync( + fixturesFolderPath + 'goof-depgraph-from-api.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272787/aggregated-issues': + return fs.readFileSync( + fixturesFolderPath + 'apitest-gomod-aggregated.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789/aggregated-issues': + return fs.readFileSync( + fixturesFolderPath + + '/api-response/test-goof-aggregated-one-vuln-one-license.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272790/aggregated-issues': + return fs.readFileSync( + fixturesFolderPath + + '/api-response/test-goof-aggregated-one-vuln-one-license.json', + ); + default: + } + }) + .get(/^(?!.*xyz).*$/) + .reply(200, (uri) => { + switch (uri) { + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272786/dep-graph': + return fs.readFileSync( + fixturesFolderPath + 'goof-depgraph-from-api.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272787/dep-graph': + return fs.readFileSync( + fixturesFolderPath + 'goof-depgraph-from-api.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272790/dep-graph': + return fs.readFileSync( + fixturesFolderPath + 'goof-depgraph-from-api.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789/dep-graph': + return fs.readFileSync( + fixturesFolderPath + 'goof-depgraph-from-api.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789/issue/snyk:lic:npm:goof:GPL-2.0/paths?perPage=100&page=1': + return fs.readFileSync( + fixturesFolderPath + 'snyk-lic-npm-goof-GPL-2-0-issue-paths.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789/issue/SNYK-JS-PACRESOLVER-1564857/paths?perPage=100&page=1': + return fs.readFileSync( + fixturesFolderPath + 'SNYK-JS-PACRESOLVER-1564857-issue-paths.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789/issue/SNYK-JS-DOTPROP-543489/paths?perPage=100&page=1': + return fs.readFileSync( + fixturesFolderPath + + 'SNYK-JS-DOTPROP-543489-issue-paths-page1.json', + ); + case '/api/v1/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789/issue/SNYK-JS-ACORN-559469/paths?perPage=100&page=1': + return fs.readFileSync( + fixturesFolderPath + 'SNYK-JS-ACORN-559469-issue-paths.json', + ); default: } }); @@ -394,7 +447,7 @@ describe('Testing behaviors with issue(s)', () => { '', '', path.resolve(__dirname, '..') + - '/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license.json', + '/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json', '123', '123', '123', @@ -409,8 +462,7 @@ describe('Testing behaviors with issue(s)', () => { description: 'New issue(s) found', state: 'failure', // eslint-disable-next-line - target_url: - 'https://app.snyk.io/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789', + target_url: 'https://app.snyk.io/org/playground/projects', }, /* eslint-disable no-useless-escape */ prComment: { @@ -418,10 +470,10 @@ describe('Testing behaviors with issue(s)', () => { New Issues Introduced! ## Security 1 issue found -* 1/1: Regular Expression Denial of Service (ReDoS) [High Severity] -\t+ Via: goof@0.0.3 => express-fileupload@0.0.5 => @snyk/nodejs-runtime-agent@1.14.0 => acorn@5.7.3 -\t+ Fixed in: acorn, 5.7.4, 6.4.1, 7.1.1 -\t+ Fixable by upgrade: @snyk/nodejs-runtime-agent@1.14.0=>acorn@5.7.4 +* 1/1: Prototype Pollution [Medium Severity] +\t+ Via: goof@0.0.3 => snyk@1.228.3 => configstore@3.1.2 => dot-prop@4.2.0 +\t+ Fixed in: dot-prop, 5.1.1 +\t+ Fixable by upgrade: snyk@1.290.1 ## License 1 issue found 1/1: @@ -518,7 +570,7 @@ New Issue Introduced! '', '', path.resolve(__dirname, '..') + - '/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license.json', + '/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license2.json', '123', '123', '123', @@ -565,7 +617,7 @@ New Issues Introduced! '', '', path.resolve(__dirname, '..') + - '/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license.json', + '/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json', '124', '124', '124', @@ -581,8 +633,7 @@ New Issues Introduced! description: 'New issue(s) found', state: 'failure', // eslint-disable-next-line - target_url: - 'https://app.snyk.io/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789', + target_url: 'https://app.snyk.io/org/playground/projects', }, /* eslint-disable no-useless-escape */ prComment: { @@ -590,10 +641,10 @@ New Issues Introduced! New Issues Introduced! ## Security 1 issue found -* 1/1: Regular Expression Denial of Service (ReDoS) [High Severity] -\t+ Via: goof@0.0.3 => express-fileupload@0.0.5 => @snyk/nodejs-runtime-agent@1.14.0 => acorn@5.7.3 -\t+ Fixed in: acorn, 5.7.4, 6.4.1, 7.1.1 -\t+ Fixable by upgrade: @snyk/nodejs-runtime-agent@1.14.0=>acorn@5.7.4 +* 1/1: Prototype Pollution [Medium Severity] +\t+ Via: goof@0.0.3 => snyk@1.228.3 => configstore@3.1.2 => dot-prop@4.2.0 +\t+ Fixed in: dot-prop, 5.1.1 +\t+ Fixable by upgrade: snyk@1.290.1 ## License 1 issue found 1/1: @@ -733,7 +784,7 @@ New Issue Introduced! '', '', path.resolve(__dirname, '..') + - '/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license.json', + '/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json', '123', '123', '123', @@ -749,8 +800,7 @@ New Issue Introduced! description: 'New issue(s) found', state: 'failure', // eslint-disable-next-line - target_url: - 'https://app.snyk.io/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789', + target_url: 'https://app.snyk.io/org/playground/projects', }, /* eslint-disable no-useless-escape */ prComment: { @@ -758,10 +808,10 @@ New Issue Introduced! New Issues Introduced! ## Security 1 issue found -* 1/1: Regular Expression Denial of Service (ReDoS) [High Severity] -\t+ Via: goof@0.0.3 => express-fileupload@0.0.5 => @snyk/nodejs-runtime-agent@1.14.0 => acorn@5.7.3 -\t+ Fixed in: acorn, 5.7.4, 6.4.1, 7.1.1 -\t+ Fixable by upgrade: @snyk/nodejs-runtime-agent@1.14.0=>acorn@5.7.4 +* 1/1: Prototype Pollution [Medium Severity] +\t+ Via: goof@0.0.3 => snyk@1.228.3 => configstore@3.1.2 => dot-prop@4.2.0 +\t+ Fixed in: dot-prop, 5.1.1 +\t+ Fixable by upgrade: snyk@1.290.1 ## License 1 issue found 1/1: @@ -825,7 +875,7 @@ New Issues Introduced! '', '', path.resolve(__dirname, '..') + - '/fixtures/snyktest-goof-with-one-more-vuln-and-one-more-license.json', + '/fixtures/snykTestOutput/test-goof-two-vuln-two-license.json', '123', '123', '123', @@ -841,8 +891,7 @@ New Issues Introduced! description: 'New issue(s) found', state: 'failure', // eslint-disable-next-line - target_url: - 'https://app.snyk.io/org/playground/project/09235fa4-c241-42c6-8c63-c053bd272789', + target_url: 'https://app.snyk.io/org/playground/projects', }, /* eslint-disable no-useless-escape */ prComment: { @@ -850,10 +899,10 @@ New Issues Introduced! New Issues Introduced! ## Security 1 issue found -* 1/1: Regular Expression Denial of Service (ReDoS) [High Severity] -\t+ Via: goof@0.0.3 => express-fileupload@0.0.5 => @snyk/nodejs-runtime-agent@1.14.0 => acorn@5.7.3 -\t+ Fixed in: acorn, 5.7.4, 6.4.1, 7.1.1 -\t+ Fixable by upgrade: @snyk/nodejs-runtime-agent@1.14.0=>acorn@5.7.4 +* 1/1: Prototype Pollution [Medium Severity] +\t+ Via: goof@0.0.3 => snyk@1.228.3 => configstore@3.1.2 => dot-prop@4.2.0 +\t+ Fixed in: dot-prop, 5.1.1 +\t+ Fixable by upgrade: snyk@1.290.1 ## License 1 issue found 1/1: