6 comments on commit
Address different method of prototype pollution (#32)
* remove ds_store file
* Fix prototype pollution
* Bump deps
* Update docs
* Update workflow to test against latest node versions
* Ensure put returns true
* Remove node v6,8,10 from testing
Showing 12 changed files with 241 additions and 191 deletions.
Comments on commit 88f6186
@stramel - was the Prototype Pollution addressed as a result of the following report? Or does the commit address the vulnerability described in the report?
If so, could you let me know which version this issue was patched in, and I can update the report on your behalf :)

@JamieSlome It was not addressed as a result of that specific report. I was contacted by another security testing company privately and fixed it as a result of that. I believe this was released in v0.1.2. Unfortunately, I'm not able to relate it to the published vulnerability since I'm just a maintainer and not the admin for the repo. Seems that I forgot to bump the package.json though. This test covers the case described by your report test case.

@stramel - appreciate the in-depth response here 👍
This helps massively, thank you.

@stramel Is that report shared by https://github.com/zidingz, who raised a security concern and raised issue 31 for the security.md file (by huntr-helper at the bottom of the 1st comment)? He is also from huntr.dev only. You can check the same in our huntr report that raised an issue for security.md on the same date. Thank you.

@ready-research The report was shared by @danielelkabes in issue #25. I was also contacted by @zidingz in issue #31 but never got an email from him.

@stramel Thanks for the clarification.