Fix xmldom vulnerability, used by passport-twitter #265

Closed
kdhttps opened this issue Apr 22, 2021 · 0 comments · Fixed by #298

kdhttps (Contributor) commented Apr 22, 2021

The xmldom lib used by passport-twitter has a "Misinterpretation of malicious XML input" vulnerability.

└─┬ passport-twitter@1.0.4
  └─┬ xtraverse@0.1.0
    └── xmldom@0.1.31 

We have 2 actions on this:

christian-hawk:
The way I see this, we can split this into 2 situations then.

1. XXE vulnerability mitigation, if it impacts passport
2. discuss passport-twitter replacement due to non-maintenance

About number 1, if it does not impact passport, we don’t need further action.
The tree is
passport-twitter@1.0.4 › xtraverse@0.1.0 › xmldom@0.1.31
xtraverse, used by passport-twitter, is also from jared.
xmldom already mitigated the vulnerability in version 0.5.0, so according to semver there is no breaking change.

About number 2:
I have to check the project, but maybe a simple fork and force-updating xmldom should do it.
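The first action above amounts to answering "does a vulnerable xmldom actually reach our install tree, and through which requesters?", which is what `npm ls xmldom` prints. The script below is an added example, not code from this issue or from the passport project: it walks an npm lockfile (`lockfileVersion` 2 `packages` map, npm 7+) with Node's nearest-`node_modules` resolution, reconstructs every requester chain to each installed copy of a package, and flags copies below the fixed version. The lockfile content is constructed to mirror the chain in the issue plus a second, already-patched copy of xmldom, so that the version check is exercised in both directions; `some-other-lib` and `example-app` are hypothetical names.

```javascript
// Added example (not from the passport issue or project). Constructed npm lockfile
// (lockfileVersion 2 "packages" map) mirroring the chain from the issue:
// passport-twitter@1.0.4 > xtraverse@0.1.0 > xmldom@0.1.31, plus a hypothetical
// "some-other-lib" that already pulls in the fixed xmldom@0.5.0 as a nested copy.
const lockfile = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { "passport-twitter": "^1.0.4", "some-other-lib": "^2.0.0" } },
    "node_modules/passport-twitter": { version: "1.0.4", dependencies: { xtraverse: "0.1.x" } },
    "node_modules/xtraverse": { version: "0.1.0", dependencies: { xmldom: "0.1.x" } },
    "node_modules/xmldom": { version: "0.1.31" },
    "node_modules/some-other-lib": { version: "2.0.0", dependencies: { xmldom: "^0.5.0" } },
    "node_modules/some-other-lib/node_modules/xmldom": { version: "0.5.0" },
  },
};

// Minimal semver: compares MAJOR.MINOR.PATCH numerically, ignores pre-release tags.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Package name of a lockfile key ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameOf(lock, key) {
  return key === "" ? lock.packages[""].name : key.split("node_modules/").pop();
}

// Node resolution: the nearest node_modules/<dep> walking up from the requester.
function resolveDep(lock, requesterKey, dep) {
  let base = requesterKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // declared but not installed (e.g. optional dep)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// All requester chains from the root package to `targetKey` (like `npm ls <pkg>`).
function dependencyPaths(lock, targetKey) {
  const paths = [];
  (function walk(key, trail, seen) {
    if (key === targetKey) {
      paths.push(trail.map((k) => nameOf(lock, k)));
      return;
    }
    for (const dep of Object.keys(lock.packages[key].dependencies || {})) {
      const next = resolveDep(lock, key, dep);
      if (next && !seen.has(next)) walk(next, [...trail, next], new Set([...seen, next]));
    }
  })("", [""], new Set([""]));
  return paths;
}

// Every installed copy of `pkg` with version < fixedVersion, with its requester chains.
function findVulnerableCopies(lock, pkg, fixedVersion) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "" || nameOf(lock, key) !== pkg) continue;
    if (compareVersions(entry.version, fixedVersion) >= 0) continue; // patched copy
    for (const path of dependencyPaths(lock, key)) {
      hits.push({ version: entry.version, path: path.join(" > ") });
    }
  }
  return hits;
}

// Stand-alone run against the constructed lockfile.
for (const hit of findVulnerableCopies(lockfile, "xmldom", "0.5.0")) {
  console.log(`xmldom@${hit.version} < 0.5.0 via ${hit.path}`);
}
```

Against a real project, replace the constructed object with `JSON.parse(fs.readFileSync("package-lock.json"))`. If a vulnerable chain is reported, npm 8.3+ lets the root `package.json` pin the transitive version without forking anything (`"overrides": { "xmldom": "0.5.0" }`; Yarn 1 uses `"resolutions"` for the same purpose). Note that 0.1.31 to 0.5.0 is a minor bump inside the 0.x range, where semver makes no compatibility promise, so the override should be exercised against passport-twitter's use of xtraverse before relying on it.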
@kdhttps kdhttps changed the title Fix xmldom vulnerability used by passport-twitter Fix xmldom vulnerability, used by passport-twitter Apr 22, 2021
kdhttps added a commit that referenced this issue May 3, 2021
kdhttps added a commit that referenced this issue Jul 8, 2021