
Cache poisoning possible for package information #2

Closed
neocotic opened this issue Feb 19, 2017 · 0 comments

Comments


neocotic commented Feb 19, 2017

As the package information is cached per file path and a reference to the cached object is included in the caller object that is returned, it is technically possible to change the package information stored against a file. This would most likely be done accidentally but it could, in theory, be done to mask the package origin of a file, to a degree.

The simplest solution is to simply change Finder._buildCaller to create a copy of the cached object (e.g. using Object.assign).
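The aliasing bug and the proposed copy-on-read fix, as an added example that is not node-knockknock's own code. PackageCache, lookupPackage, buildCaller and the sample package data are assumptions standing in for Finder and its real package.json resolution.

```javascript
// Added example (not node-knockknock's own code): a minimal stand-in for the
// per-file-path package-information cache described in this issue. The names
// PackageCache, lookupPackage and buildCaller are hypothetical.
'use strict';

// Constructed sample package data keyed by the directory a file lives in.
const SAMPLE_PACKAGES = {
  '/app/node_modules/left-pad': { name: 'left-pad', version: '1.1.3' },
  '/app': { name: 'my-app', version: '0.0.1' },
};

function lookupPackage(filePath) {
  // Longest matching directory prefix wins (stand-in for walking up to package.json).
  const dir = Object.keys(SAMPLE_PACKAGES)
    .filter((d) => filePath.startsWith(d + '/'))
    .sort((a, b) => b.length - a.length)[0];
  return dir ? Object.assign({ directory: dir }, SAMPLE_PACKAGES[dir]) : null;
}

class PackageCache {
  constructor(copyOnRead) {
    this.copyOnRead = copyOnRead; // false: the bug; true: the fix from the issue
    this.cache = new Map();
  }
  // Package information is cached once per file path, as in the issue.
  get(filePath) {
    if (!this.cache.has(filePath)) this.cache.set(filePath, lookupPackage(filePath));
    return this.cache.get(filePath);
  }
  // Vulnerable variant hands the caller a reference to the cached object;
  // fixed variant hands it a shallow copy made with Object.assign.
  buildCaller(filePath) {
    const pkg = this.get(filePath);
    return { file: filePath, package: this.copyOnRead ? Object.assign({}, pkg) : pkg };
  }
}

// Returns the package name a second lookup of the same file reports after the
// first caller's package field has been tampered with.
function nameAfterTamper(copyOnRead) {
  const finder = new PackageCache(copyOnRead);
  const file = '/app/node_modules/left-pad/index.js';
  const caller = finder.buildCaller(file);
  caller.package.name = 'my-app'; // accidental or deliberate mutation by the consumer
  return finder.buildCaller(file).package.name;
}
```

Object.assign is a shallow copy, so any nested object inside the cached package information would still be shared with the caller; a deep copy closes that residual path too.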

@neocotic neocotic self-assigned this Feb 19, 2017
@neocotic neocotic added the bug label Feb 19, 2017
@neocotic neocotic added this to the 0.1.1 milestone Feb 19, 2017
@neocotic neocotic mentioned this issue Feb 20, 2017
neocotic added a commit that referenced this issue Feb 21, 2017
* roll v0.1.0

* changed version for tmp devDependency to semver range

* resolves #3 by including "column" number in caller information

* fixes #2 by only including copy of package information in caller information

* roll v0.1.1

* start working on 0.2.0

* resolves #5 by adding new filterPackages option to complement existing excludes option

* #5 documented that filterPackages is only called for packages that are not included in excludes option

* #5 add tests to cover modifications within filterPackages option

* resolves #6 by adding filterFiles option

* #6 corrected minor alignment issue for options table in README

* resolves #7 by returning information for all callers and adding limit option for control over number of callers returned

* resolves #9 by renaming git repo references to node-knockknock

* resolves #10 by adding offset option to control initial call stack offset

* fixes #11 by excluding all calls from the start of the stack from within the originator module

* roll v0.2.0

* bumped devDependencies