You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The reason will be displayed to describe this comment to others. Learn more.
Robocop Report : 13 new vulnerabilities found
Name : Web Browser XSS Protection Not Enabled
Description : Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
Solution : Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
Name : X-Content-Type-Options Header Missing
Description : The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Solution : Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Name : X-Frame-Options Header Not Set
Description : X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
Solution : Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Name : Regular Expression Denial of Service (DoS)
Description : ## Overview hawk Hawk is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial HTTP request cryptographic verification.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach edge cases that causes them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
An attacker can provide a long url, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).
You can read more about Regular Expression Denial of Service (ReDoS) on our blog.
Name : Timing Attack
Description : ## Overview http-signature is a reference implementation of Joyent's HTTP Signature scheme.
Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures. il.
The library implemented a character to character comparison, similar to the built-in string comparison mechanism, ===, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect.
An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.
You can read more about timing attacks in Node.js on the Snyk blog.
Remediation
Upgrade http-signature to version 1.0.0 or higher.
Name : Regular Expression Denial of Service (ReDoS)
Description : ## Overview mime is a comprehensive, compact MIME type module.
Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex /.*[\.\/\\]/ in its lookup, which can cause a slowdown of 2 seconds for 50k characters.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
You can read more about Regular Expression Denial of Service (ReDoS) on our blog.
Name : Regular Expression Denial of Service (ReDoS)
Description : ## Overview mime is a comprehensive, compact MIME type module.
Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex /.*[\.\/\\]/ in its lookup, which can cause a slowdown of 2 seconds for 50k characters.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
You can read more about Regular Expression Denial of Service (ReDoS) on our blog.
Name : Regular Expression Denial of Service (ReDoS)
Description : ## Overview mime is a comprehensive, compact MIME type module.
Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex /.*[\.\/\\]/ in its lookup, which can cause a slowdown of 2 seconds for 50k characters.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
You can read more about Regular Expression Denial of Service (ReDoS) on our blog.
Name : Denial of Service (Memory Exhaustion)
Description : ## Overview qs is a querystring parser that supports nesting and arrays, with a depth limit.
During parsing, the qs module may create a sparse area (an array where not elements are filled), and grow that array to the necessary size based on the indices used on it. An attacker can specify a high index value in a query string, thus making the server allocate a respectively big array. Truly large values can cause the server to run out of memory and cause it to crash - thus enabling a Denial-of-Service attack.
Remediation
Upgrade qs to version 1.0.0 or greater. In these versions, qs introduced a low limit on the index value, preventing such an attack
Name : Denial of Service (Event Loop Blocking)
Description : ## Overview qs is a querystring parser that supports nesting and arrays, with a depth limit.
When parsing a string representing a deeply nested object, qs will block the event loop for long periods of time. Such a delay may hold up the server's resources, keeping it from processing other requests in the meantime, thus enabling a Denial-of-Service attack.
Remediation
Update qs to version 1.0.0 or higher. In these versions, qs enforces a max object depth (along with other limits), limiting the event loop length and thus preventing such an attack.
By default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use plainObjects as mentioned above, or set allowPrototypes to true which will allow user input to overwrite those properties. WARNING It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten. Always be careful with this option.
Overwriting these properties can impact application logic, potentially allowing attackers to work around security controls, modify data, make the application unstable and more.
In versions of the package affected by this vulnerability, it is possible to circumvent this protection and overwrite prototype properties and functions by prefixing the name of the parameter with [ or ]. e.g. qs.parse("]=toString") will return {toString = true}, as a result, calling toString() on the object will throw an exception.
Name : Remote Memory Exposure
Description : ## Overview request is a simplified http request client.
A potential remote memory exposure vulnerability exists in request. If a request uses a multipart attachment and the body type option is number with value X, then X bytes of uninitialized memory will be sent in the body of the request.
Note that while the impact of this vulnerability is high (memory exposure), exploiting it is likely difficult, as the attacker needs to somehow control the body type of the request. One potential exploit scenario is when a request is composed based on JSON input, including the body type, allowing a malicious JSON to trigger the memory leak.
Details
Constructing a Buffer class with integer N creates a Buffer
of length N with non zero-ed out memory. Example:
varx=newBuffer(100);// uninitialized Buffer of length 100// vsvarx=newBuffer('100');// initialized Buffer with value of '100'
Initializing a multipart body in such manner will cause uninitialized memory to be sent in the body of the request.
Proof of concept
varhttp=require('http')varrequest=require('request')http.createServer(function(req,res){vardata=''req.setEncoding('utf8')req.on('data',function(chunk){console.log('data')data+=chunk})req.on('end',function(){// this will print uninitialized memory from the clientconsole.log('Client sent:\n',data)})res.end()}).listen(8000)request({method: 'POST',uri: 'http://localhost:8000',multipart: [{body: 1000}]},function(err,res,body){if(err)returnconsole.error('upload failed:',err)console.log('sent')})
Remediation
Upgrade request to version 2.68.0 or higher.
If a direct dependency update is not possible, use snyk wizard to patch this vulnerability.
Name : Uninitialized Memory Exposure
Description : ## Overview tunnel-agent is HTTP proxy tunneling agent. Affected versions of the package are vulnerable to Uninitialized Memory Exposure.
A possible memory disclosure vulnerability exists when a value of type number is used to set the proxy.auth option of a request request and results in a possible uninitialized memory exposures in the request body.
Constructing a Buffer class with integer N creates a Buffer of length N with raw (not "zero-ed") memory.
In the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string "100":
// uninitialized Buffer of length 100x=newBuffer(100);// initialized Buffer with value of '100'x=newBuffer('100');
tunnel-agent's request construction uses the default Buffer constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamous Heartbleed flaw in OpenSSL.
9165157
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Robocop Report : 13 new vulnerabilities found
Name : Web Browser XSS Protection Not Enabled
Description : Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server
Solution : Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.
Name : X-Content-Type-Options Header Missing
Description : The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Solution : Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Name : X-Frame-Options Header Not Set
Description : X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
Solution : Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
Name : Regular Expression Denial of Service (DoS)
Description : ## Overview
hawk
Hawk is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial HTTP request cryptographic verification.Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach edge cases that causes them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
An attacker can provide a long url, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).
You can read more about
Regular Expression Denial of Service (ReDoS)
on our blog.References
Name : Timing Attack
Description : ## Overview
http-signature
is a reference implementation of Joyent's HTTP Signature scheme.Affected versions of the package are vulnerable to Timing Attacks due to time-variable comparison of signatures. il.
The library implemented a character to character comparison, similar to the built-in string comparison mechanism,
===
, and not a time constant string comparison. As a result, the comparison will fail faster when the first characters in the signature are incorrect.An attacker can use this difference to perform a timing attack, essentially allowing them to guess the signature one character at a time.
You can read more about timing attacks in Node.js on the Snyk blog.
Remediation
Upgrade
http-signature
to version 1.0.0 or higher.References
Name : Regular Expression Denial of Service (ReDoS)
Description : ## Overview
mime
is a comprehensive, compact MIME type module.Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex
/.*[\.\/\\]/
in its lookup, which can cause a slowdown of 2 seconds for 50k characters.The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
You can read more about
Regular Expression Denial of Service (ReDoS)
on our blog.Remediation
Upgrade
mime
to versions 1.4.1, 2.0.3 or higher.References
Name : Regular Expression Denial of Service (ReDoS)
Description : ## Overview
mime
is a comprehensive, compact MIME type module.Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex
/.*[\.\/\\]/
in its lookup, which can cause a slowdown of 2 seconds for 50k characters.The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
You can read more about
Regular Expression Denial of Service (ReDoS)
on our blog.Remediation
Upgrade
mime
to versions 1.4.1, 2.0.3 or higher.References
Name : Regular Expression Denial of Service (ReDoS)
Description : ## Overview
mime
is a comprehensive, compact MIME type module.Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex
/.*[\.\/\\]/
in its lookup, which can cause a slowdown of 2 seconds for 50k characters.The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
You can read more about
Regular Expression Denial of Service (ReDoS)
on our blog.Remediation
Upgrade
mime
to versions 1.4.1, 2.0.3 or higher.References
Name : Denial of Service (Memory Exhaustion)
Description : ## Overview
qs
is a querystring parser that supports nesting and arrays, with a depth limit.During parsing, the
qs
module may create a sparse area (an array where not elements are filled), and grow that array to the necessary size based on the indices used on it. An attacker can specify a high index value in a query string, thus making the server allocate a respectively big array. Truly large values can cause the server to run out of memory and cause it to crash - thus enabling a Denial-of-Service attack.Remediation
Upgrade qs to version 1.0.0 or greater. In these versions, qs introduced a low limit on the index value, preventing such an attack
References
Name : Denial of Service (Event Loop Blocking)
Description : ## Overview
qs
is a querystring parser that supports nesting and arrays, with a depth limit.When parsing a string representing a deeply nested object, qs will block the event loop for long periods of time. Such a delay may hold up the server's resources, keeping it from processing other requests in the meantime, thus enabling a Denial-of-Service attack.
Remediation
Update qs to version 1.0.0 or higher. In these versions, qs enforces a max object depth (along with other limits), limiting the event loop length and thus preventing such an attack.
References
Name : Prototype Override Protection Bypass
Description : ## Overview
qs
is a querystring parser that supports nesting and arrays, with a depth limit.By default
qs
protects against attacks that attempt to overwrite an object's existing prototype properties, such astoString()
,hasOwnProperty()
,etc.From
qs
documentation:Overwriting these properties can impact application logic, potentially allowing attackers to work around security controls, modify data, make the application unstable and more.
In versions of the package affected by this vulnerability, it is possible to circumvent this protection and overwrite prototype properties and functions by prefixing the name of the parameter with
[
or]
. e.g.qs.parse("]=toString")
will return{toString = true}
, as a result, callingtoString()
on the object will throw an exception.Example:
For more information, you can check out our blog.
Disclosure Timeline
6.0.3
,6.1.1
,6.2.2
,6.3.1
.6.4.0
,6.3.2
,6.2.3
,6.1.2
and6.0.4
Remediation
Upgrade
qs
to version6.4.0
or higher.Note: The fix was backported to the following versions
6.3.2
,6.2.3
,6.1.2
,6.0.4
.References
Name : Remote Memory Exposure
Description : ## Overview
request
is a simplified http request client.A potential remote memory exposure vulnerability exists in
request
. If arequest
uses a multipart attachment and the body type option isnumber
with value X, then X bytes of uninitialized memory will be sent in the body of the request.Note that while the impact of this vulnerability is high (memory exposure), exploiting it is likely difficult, as the attacker needs to somehow control the body type of the request. One potential exploit scenario is when a request is composed based on JSON input, including the body type, allowing a malicious JSON to trigger the memory leak.
Details
Constructing a
Buffer
class with integerN
creates aBuffer
of length
N
with non zero-ed out memory.Example:
Initializing a multipart body in such manner will cause uninitialized memory to be sent in the body of the request.
Proof of concept
Remediation
Upgrade
request
to version 2.68.0 or higher.If a direct dependency update is not possible, use
snyk wizard
to patch this vulnerability.References
Name : Uninitialized Memory Exposure
Description : ## Overview
tunnel-agent
is HTTP proxy tunneling agent. Affected versions of the package are vulnerable to Uninitialized Memory Exposure.A possible memory disclosure vulnerability exists when a value of type
number
is used to set the proxy.auth option of a requestrequest
and results in a possible uninitialized memory exposures in the request body.This is a result of unobstructed use of the
Buffer
constructor, whose insecure default constructor increases the odds of memory leakage.Details
Constructing a
Buffer
class with integerN
creates aBuffer
of lengthN
with raw (not "zero-ed") memory.In the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string "100":
tunnel-agent
'srequest
construction uses the defaultBuffer
constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamousHeartbleed
flaw in OpenSSL.Proof of concept by ChALkeR
You can read more about the insecure
Buffer
behavior on our blog.Similar vulnerabilities were discovered in request, mongoose, ws and sequelize.
Remediation
Upgrade
tunnel-agent
to version 0.6.0 or higher.References