[Snyk] Security upgrade sails from 0.12.14 to 1.4.2 #58
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-ASYNC-2441827
|
Prototype PollutionClick here to find a Prototype Pollution training lab DescriptionThe problem lies with the manner in which JavaScript implements inheritance by using a prototype. What this means, in a nutshell, is that every object contains a reference to the prototype of its class. When a property is requested from a particular object, the runtime first checks if the instance has the aforementioned property; otherwise, it looks it up in the prototype chain, recursively. The reference to the prototype is available via the Read moreImpactThe impact of Prototype Pollution is ultimately determined by the sensitivity and criticality of the data ingested by the application. It is not a vulnerability that is dangerous per se; rather, it all depends on how the application uses such untrusted properties. In other words, it merely alters the program data and flow. Scenario 1The following example considers an object (in a JavaScript console): > o = {x: 123, __proto__: {toString: () => console.log('Triggered!')}}
{ x: 123 }
> o + ''
Triggered!
'undefined'We have created an object with its own prototype that redefines the While this is important, it is unlikely that some kind of injection (e.g., an injection via GET parameters, cookies, etc.) ends up creating a JavaScript function ( In this case, there is no direct code execution, and the impact is merely that of adding another property to the object; since we are already injecting Scenario 2In this case, however, the application allows the alteration of an existing prototype. Consider the following: const someObject = {};
const someOtherObject = {};
// ...
someObject[UNTRUSTED_NAME] = UNTRUSTED_VALUE;
// ...
if (someOtherObject.isAdminEnabled) {
// do some sensitive stuff
}Being able to control UNTRUSTED_NAME = '__proto__';
UNTRUSTED_VALUE = {isAdminEnabled: 'whatever'};PreventionThere are different approaches to preventing Prototype Pollution, the most trivial of which is to disallow untrusted data being assigned to arbitrary properties altogether. If this is not possible, developers might implement some filtering so that it is not possible to overwrite TestingVerify that the application protects against JavaScript injection attacks, including for eval attacks, remote JavaScript includes, DOM XSS, and JavaScript expression evaluation.
ReferencesMedium - What is Prototype Pollution and why is it such a big deal? |
Micro-Learning Topic: Injection attack (Detected by phrase)Matched on "injection attack"Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Try this challenge in Secure Code WarriorMicro-Learning Topic: DOM-based cross-site scripting (Detected by phrase)Matched on "DOM XSS"DOM-based cross-site scripting vulnerabilities occur when unescaped input is processed by client-side script and insecurely written into the page Document Object Model (DOM). This will result in immediate changes to the page, potentially without any call to the server. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Cross-site scripting (Detected by phrase)Matched on "XSS"Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Denial of service (Detected by phrase)Matched on "denial of service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try this challenge in Secure Code Warrior |
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5
SNYK-JS-ASYNC-2441827
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: sails
The new version differs by 250 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution