feat(a9-insecure-components): adding popular vulnerable package: marked #83
Conversation
…rked Adding a vulnerable package called marked for parsing and compiling Markdown syntax in JavaScript. This is a popular package that has several releases related to XSS issues one in less than a year ago, and a very recent one as well. * Adding a `/memos` section to add memos (notes) which allows free text that is compiled to markdown and uses the marked library * Adding documentation to A9 - Insecure Components section * Explaining how to exploit the vulnerable Marked package
|
I haven't tested this, but sounds like a good initiative. It's probably an idea to add a comment in the package.json around the fact that this dependency should not be updated due to the fact of A9, otherwise someone will think they're helping and update it. Was the development.js change intentional? "May" also want to mention that snyk although it may be good, is not free. Often this is a show stopper. |
|
Good comments.
|
|
{ Maybe snyk has just added the free tier? They seem to go up very fast after that though $49 vs NSP $1 for additional repos. |
|
@binarymist fixed both comments |
|
Hi @lirantal Could be worth specifying what exactly the purpose is with: Someone else may be maintaining this code in the future, even if it was you, you may not remember what the purpose was in 2 years time. Just adding a few more words to what the purpose is, could save significant time, by the time several people read the comment and try and work out what the purpose is? |
|
Agree, updated. |
|
@lirantal I loved the idea to add an example for A9. Can you please go over comments I added and let me know your thoughts. |
|
Great. Did you possibly not submit your review? I only saw comments for the other PR, not on this one. |
package.json
Outdated
| @@ -14,11 +14,17 @@ | |||
| "express-session": "^1.13.0", | |||
| "forever": "^0.15.1", | |||
| "helmet": "^2.0.0", | |||
| "marked": "^0.3.5", | |||
There was a problem hiding this comment.
The caret (^) sign in front of the version number installs newer minor or patch level versions. It appears that the vulnerability was fixed in marked 0.3.6 and this version would get pulled from npm due to the leading ^. We will need to specify absolute version here.
There was a problem hiding this comment.
Great catch, totally missed it. I updated it to match an exact 0.3.5 version.
app/views/tutorial/a9.html
Outdated
| </p> | ||
|
|
||
| <p> | ||
| This library is so popular that it has been downloaded almost <strong> 3 million </strong> times in the last month and received more than <strong> 11,000 </strong> stars on GitHub. |
There was a problem hiding this comment.
It is nitpicking but as the download numbers would change each month, would it be possible to rephrase it so that the statement stays true anytime users read it.
There was a problem hiding this comment.
yeah, would be a bit difficult to predict the future but I tried to make it generic, take a look now.
app/views/tutorial/a9.html
Outdated
| The <a href="https://nodesecurity.io/advisories">Node Security project </a> is a great initiative and resource to know about related vulnerabilities. | ||
| </li> | ||
| <li> | ||
| <a href="https://snyk.io/">Snyk.io </a> is another Node.js CLI tool and Platform to scan and detect vulnerable packages |
There was a problem hiding this comment.
Can we also add there additional popular tools here -
npm-check, david-dm,
requireSafe, and retire.js
There was a problem hiding this comment.
Definitely, will add.
There was a problem hiding this comment.
|
@lirantal You are right.. missed to submit the review earlier. Please check now. |
…it doesn't get updated automatically by npm
|
Pushed all changes. |
…and npm/yarn tools
|
@binarymist @ckarande updated the tutorial again with your comments. |
|
👍 @lirantal Thanks for the PR all the updates. @binarymist thanks for your review comments. |
|
Thank you both guys, much appreciate the feedback and collaboration here ;-) |
|
@lirantal can you please keep your commit comments shorter, aprx 80 characters, as it screws up the If you have long comments, please put line breaks in. Thanks.
|
|
I'm such a naughty boy |
|
Na, you're probably using one of those graphical editors that handle long lines better :-) |
|
damn it, caught me! :-) but seriously I actually tend to use changelog semantic commits, and thus have multilines when need to elaborate for a long commit message. I guess I just went free-style with this repo. Rest assured however that the problem is solved: |
|
There seems to be a bug moving from Memos view to Allocations. The user Id is lost. |
|
yep, definitely the case |
feat(a9-insecure-components): adding a popular vulnerable package: marked
Adding a vulnerable package called marked for parsing and compiling Markdown syntax in JavaScript.
This is a popular package that has several releases related to XSS issues one in less than a year ago, and a very recent one as well.
/memossection to add memos (notes) which allows free text that is compiled to markdown and uses the marked library