[Snyk] Fix for 21 vulnerabilities

[ekmixon]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • components/automate-workflow-web/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	584/1000 Why? Has a fix available, CVSS 7.4	Directory Traversal SNYK-JS-ADMZIP-1065796	Yes	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	Yes	Proof of Concept
	579/1000 Why? Has a fix available, CVSS 7.3	Arbitrary File Overwrite SNYK-JS-FSTREAM-174725	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-HTMLMINIFIER-3091181	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	Yes	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-POSTCSS-1255640	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JS-POSTCSS-5926692	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	Yes	Proof of Concept
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752	Yes	Proof of Concept
	704/1000 Why? Has a fix available, CVSS 9.8	Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012	Yes	No Known Exploit
	646/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	Yes	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-USERAGENT-174737	Yes	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:debug:20170905	Yes	Proof of Concept
	399/1000 Why? Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) npm:parsejson:20170908	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: browserstacktunnel-wrapper

The new version differs by 17 commits.

• b35d1ca version 2.0.4
• bdf8518 fix: use unzipper to fix graceful-fs issue
• 886cc95 version 2.0.3
• 8934db9 Updated dependencies to latest versions and added .idea project files to gitignore
• c6caa4d Add a Git .mailmap with mgol's new name
• 8675417 v2.0.2
• df20eef Cleanup.
• 0064896 Added support for the enable-logging-for-api flag
• 0d6cca5 2.0.1
• 5e8d958 only test recent node versions
• a8d2499 Merge pull request [Snyk] Security upgrade karma from 0.13.22 to 5.0.8 #28 from Eddman/master
• cc83a90 Use HTTP proxy when downloading tunnel binary.
• 8d8a426 version 2.0.0
• b788193 Merge pull request [Snyk] Security upgrade marked from 0.7.0 to 4.0.10 #27 from budde377/patch-1
• c8e25c8 feat: Use new arguments
• c5fbcc2 test latest version 4
• ab1f2d0 removing iojs and adding node 4 versions from travis config

See the full diff

Package name: compression-webpack-plugin

The new version differs by 34 commits.

• 54cc6d2 chore(release): 1.0.0
• e69a644 chore(release): 1.0.0-beta.1
• 328048a refactor: Drops optional Zopfli dependency ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1102.5 to 13.3.9 #65)
• c5f7a0f chore(release): 1.0.0-beta.0
• e0ea7ef chore: Tighten up peerDeps
• f6f8c6c refactor: apply webpack-defaults ([Snyk] Fix for 1 vulnerabilities #54)
• cc4524d docs(README): improve package description ([Snyk] Security upgrade chef from 12.22.5 to 12.22.5 #60)
• 894a96b chore(release): 0.4.0
• 677c310 docs(changelog): add changelog history
• a52d298 docs(changelog): Adds project changelog
• bc1fffd docs(readme): fix badge urls
• 46e0dfe chore: Add contrib release tooling ([Snyk] Fix for 1 vulnerabilities #53)
• fb7bd81 feat: add option to change the filename ([Snyk] Security upgrade sauce-connect-launcher from 0.12.0 to 1.0.0 #51)
• 793fe26 docs(readme): beautify regular expression ([Snyk] Security upgrade @angular-devkit/build-angular from 0.1102.5 to 0.1102.18 #38)
• 24f15f2 feat: add option to delete original assets ([Snyk] Security upgrade lodash from 4.17.19 to 4.17.20 #44)
• 31e9304 chore(license): update to JSF standard license
• 500fc7d docs(readme): updates for JSF maintainers
• 2d3dd44 chore(package): Update node-zopfli version
• 7e439c1 chore(release): 0.3.1
• 53ec8a9 fix: TypeError Invalid non-strig/buffer chunk
• d26fd7b chore(release): 0.3.0
• 437bdff fix: plugin options syntax
• 9d05172 feat: Add compression level option
• 1f3b595 fix: Correct zopfli options

See the full diff

Package name: css-loader

The new version differs by 191 commits.

• 634ab49 chore(release): 2.0.0
• 6ade2d0 refactor: remove unused file (postgres_test: require no error, not assert no error chef/automate#860)
• e7525c9 test: nested url ([automate-chef-server] Bump automate-cs package for core/curl rebuild chef/automate#859)
• 7259faa test: css hacks (CLI command to list disconnected services chef/automate#858)
• 5e6034c feat: allow to filter import at-rules (Consistency improvement and minor bug fixes for auth UI pages chef/automate#857)
• 5e702e7 feat: allow filtering urls (Fix fixing swagger copying chef/automate#856)
• 9642aa5 test: css stuff ([part of 832]/add db id to statements chef/automate#855)
• 3338656 fix: reduce number of require for url (IAM v2.1 Ingest mapping rules on projects chef/automate#854)
• 533abbe test: issue 636 (re-architect authz-service chef/automate#853)
• 08c551c refactor: better warning on invalid url resolution (Add RPC func and CLI cmd for disconnected services chef/automate#852)
• b0aa159 test: issue [A2-816] Expose ApplyRuleStatus API on gateway chef/automate#589 (Document how to configure external data stores. chef/automate#851)
• f599c70 fix: broken unucode characters (test IAM v2.1 permissions work after reset to IAM v1 chef/automate#850)
• 1e551f3 test: issue 286 (Revert DRY-ing up of datamigrations that introduced bug chef/automate#849)
• 419d27b docs: improve readme ([lib/cereal] manager.Stop() should close backend chef/automate#848)
• d94a698 refactor: webpack-default ([pg-gateway] Set server-fin timeout chef/automate#847)
• b97d997 feat: schema options
• 453248f fix: support module resolution in composes ([es-gateway] Remove unused bind on automate-elasticsearch ports chef/automate#845)
• 8a6ea10 refactor: postcss plugins (CIS profile fails on absent filesystem modules chef/automate#844)
• fdcf687 fix: url resolving logic (Update all chef-server pins to the latest chef/automate#843)
• 889dc7f feat: allow to disable css modules and disable their by default (automate-gateway: make unknown data cause an error chef/automate#842)
• ee2d253 test: importLoaders option ([chef-ui-library] Remove Habitat package chef/automate#841)
• 1dad1fb feat: reuse postcss ast from other loaders (i.e `postcss-loader`) ([CI/nightly] Build ALL components during nightly build chef/automate#840)
• fe94ebc test: icss reserved keywords (Add update strategy to the channel badge chef/automate#839)
• 9eaba66 refactor: migrate on message api for postcss-icss-plugin (Large node objects can make the UI unresponsive chef/automate#838)

See the full diff

Package name: html-webpack-plugin

The new version differs by 250 commits.

• 873d75b chore(release): 5.5.0
• ddeb774 chore: update examples
• 1e42625 feat: Support type=module via scriptLoading option
• 7d3645b Bump pretty-error to 4.0.0 to fix transitive vuln for ansi-regex CVE-2021-3807
• 79be779 [chore] changes actions to run on pull_requests
• b7e5859 [chore] fixes CI to avoid race conditions
• 48131d3 chore(release): 5.4.0
• 16a841a [chore] rebuild examples
• 3bb7c17 Update index.js
• e38ac97 Update index.js
• f08bd02 [chore] updates fixtures
• d62a10f [chore] upgrades html-minifier-terser@5.0.0 -> 6.0.2
• 2f5de7a Remove archived plugin
• 8f8f7c5 chore(release): 5.3.2
• 053c6e6 chore: update snapshot tests for webpack 5.4.0
• 9c7fba0 Fix security vulnerabilities
• b98fbeb Fix security vulnerabilities
• 25cdfc7 Added inject-body-webpack-plugin to readme
• 0e4c1fb Update README to document actual behavior
• 0a6568d chore(release): 5.3.1
• 82d0ee8 fix: remove loader-utils from plugin core
• 6f39192 chore(release): 5.3.0
• d654f5b feat: allow to modify the interpolation options in webpack config
• 41d7a50 feat: drop loader-utils dependency

See the full diff

Package name: karma

The new version differs by 250 commits.

• 1b48637 chore(release): 5.0.0 [skip ci]
• a5dbe89 Update issue templates ([infra-proxy-service] Add expanded run-list to Policyfile detail API chef/automate#3460)
• 1074f38 chore(ci): rely on karma-runnre/integration-tests for saucelabs config (<chef-markdown> stencile component gives errors in browser console chef/automate#3462)
• 4d45cf0 chore(ci): remove more old connection security stuffs ([Desktop UI] Visualize the check-in history of individual desktop chef/automate#3459)
• be76fcc chore(ci): use travis UI for sauce config ([automate-3332] clean up admin token generated for diagnostics chef/automate#3458)
• a04a542 chore(ci): remove secure encryption var ([automate-3060] Remove all unnecessary v2 references from authz-service chef/automate#3457)
• 1eaf35e fix: install semantic-release as a regular dev dependency (Squelch browser error regarding undefined pipe chef/automate#3455)
• 0647109 docs: Fix simple typo, overriden -> overridden (Sync swagger files for Automate docs. chef/automate#3453)
• ec1e69a fix(server): replace optimist on yargs lib (Bumps release version of builder to week of 4/20 chef/automate#3451)
• ffad7fa refactor(launcher): use class syntax (Error if membership_id isn't a GUID chef/automate#3437)
• 7166ce2 fix(server): detection new MS Edge Chromium (Fix up authz service to keep more connections around chef/automate#3440)
• b8b2ed8 fix(ci): echo travis env that gates release after_success (clean up left over token and policy from diagnostics chef/automate#3446)
• 33a069f refactor: use native Promise instead of Bluebird (Sync swagger files for Automate docs. chef/automate#3436)
• 131d154 refactor: drop safe-buffer dependency in favor of native Buffer (Move desktop dashboard to top-level route chef/automate#3438)
• cb1bcbf fix(server): cleanup import of the removed method (add sections to token assign policy dropdown chef/automate#3439)
• 5c334f5 fix(server): createPreprocessor was removed (Infra proxy environment details page view chef/automate#3435)
• d7128d4 refactor(server): remove PromiseContainer class (Only HTTPS on API chef/automate#3416)
• 057d527 feat(docs): document `DEFAULT_LISTEN_ADDR` constant (add compliance service to the universal access policy chef/automate#3443)
• a673aa8 ci: drop node 8, adopt node 12 (Environments list view tab on org details page  chef/automate#3430)
• 9eb6436 chore(server): Convert PromiseContainer to object and remove (Fix API docs URL paths chef/automate#3401)
• 0856234 chore(travis): release on node 10 success (move api docs styles to external stylesheet chef/automate#3428)
• 708ae13 feat(preprocessor): obey Pattern.isBinary when set (fix margin on chef automate logo in api docs chef/automate#3422)
• 00d536f chore(test): logLevel debug in proxy test ([Automate 2940] remove v1 annotations chef/automate#3427)
• da9d8bd chore(docs): delete PULL_REQUEST_TEMPLATE.md

See the full diff

Package name: karma-browserstack-launcher

The new version differs by 37 commits.

• 5826124 chore: release v1.3.0
• 9173964 chore: update contributors
• 6c719d2 feat(deps): update to the latest
• 4c9a2e9 chore(ci): run on compatible node versions
• 9617438 feat(deps): update to tunnel 2.0.1
• b0f8031 feat: add support for using BrowserStackReporter with a proxy
• b3cce6c feat: allow the user to disable browserstack video recording
• c94d6f9 chore: release v1.2.0
• e95858a chore: update contributors
• a24b3fc Merge pull request [Snyk] Security upgrade nginx from latest to 1.23.2 #97 from karma-runner/greenkeeper-eslint-3.14.1
• e0a0b88 Merge pull request [Snyk] Security upgrade express from 4.17.1 to 4.17.3 #95 from bafolts/use-forcelocal-flag
• c75ca68 chore(package): update eslint to version 3.14.1
• 693a4aa feat: pass forcelocal to tunnel
• 9c77a96 feat: permit overriding `name`, `build`, and `project` on a per-browser basis
• 110ecf2 Merge pull request [Snyk] Fix for 1 vulnerabilities #80 from karma-runner/revert-78-feat-update-browserstack-version
• 0e814a6 Revert "feat: Update browserstacktunnel wrapper"
• 384ffb0 Merge pull request [Snyk] Security upgrade @angular-devkit/build-angular from 0.1102.5 to 13.3.6 #78 from karma-runner/feat-update-browserstack-version
• 4519a37 feat: Update browserstacktunnel wrapper
• 4fd057b Merge pull request [Snyk] Fix for 1 vulnerabilities #77 from bengummer/patch-2
• 724d20f docs: fix reporter typo
• 0e81796 chore: release v1.1.1
• dcb393d chore: update contributors
• 8fd7e13 Merge pull request [Snyk] Security upgrade @angular-devkit/build-angular from 0.13.8 to 13.0.0 #76 from bengummer/patch-1
• 5cc2d9c fix: update incorrect launcher require path

See the full diff

Package name: karma-mocha-reporter

The new version differs by 23 commits.

• 5e062ed chore: Release v2.2.4
• 3a0650f chore: remove package lock file
• eaa5fa7 chore: fix missing chalk functions
• b0aac74 feat: use log-symbols package
• 31baf27 chore: update devDependencies
• 3692121 Merge pull request [Snyk] Security upgrade @angular-devkit/build-angular from 0.13.8 to 0.1100.0 #98 from EsrefDurna/master
• 85fee8b Merge pull request [Snyk] Security upgrade nginx from latest to 1.23.2 #97 from litixsoft/greenkeeper-chai-4.0.1
• e066c77 Merge branch 'master' into greenkeeper-chai-4.0.1
• 71bb47f Merge pull request [Snyk] Fix for 1 vulnerabilities #96 from litixsoft/greenkeeper-chai-4.0.0
• b10f6a3 updated package grunt-contrib-jshint from 1.0.0 to 1.1.0
• bc793ea chore(package): update chai to version 4.0.1
• 3edd613 chore(package): update chai to version 4.0.0
• f6d22d1 chore: Release v2.2.3
• 7122cc0 chore: add node.js 7 in travis
• 81d6de6 fix: allow to use reserved prototype names as name for describe or it blocks
• aa801c2 Merge pull request [Snyk] Security upgrade @angular-devkit/build-angular from 0.13.8 to 13.3.10 #91 from josephfrazier/patch-1
• c07a2f6 docs: fix typos in README.md
• 1d4c83a chore: update changelog
• f9e6c00 chore: Release v2.2.2
• 67a2af2 chore: remove old node.js version from travis testing
• 9e2f342 feat: add option printFirstSuccess\nCloses [Snyk] Security upgrade @angular-devkit/build-angular from 0.13.8 to 15.0.0 #87\n* useful when having conditional, browser specific tests
• 5fa89cf Merge pull request [Snyk] Security upgrade @angular-devkit/build-angular from 0.1102.5 to 0.1102.13 #85 from gkedge/master
• 3baec39 Print wall clock time when karma is finished. This is handy when 'watching' to have confidence that the most recent test report reflects a recent save.

See the full diff

Package name: node-sass

The new version differs by 97 commits.

• 3b556c1 7.0.2
• c716359 Bump sass-graph@^4.0.1 (UI Unknown desktop duration counts chef/automate#3292)
• 24741b3 docs(readme): fix docpad plugin link
• 1523330 feat: Drop Node 12
• 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
• 1456114 build(deps): bump actions/upload-artifact from 2 to 3
• b465b69 chore: bump GitHub Actions to Windows 2019 (ignore status for chicklets chef/automate#3254)
• e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
• 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
• 29e2344 build(deps): bump actions/checkout from 2 to 3
• 85b0d22 build(deps): bump actions/setup-node from 2 to 3
• 3bb51da Use make-fetch-happen instead of request (Make ES gateway timeouts configurable chef/automate#3193)
• adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (applications left nav missing chef/automate#3000)
• 77d12f0 chore: disable Apline for Node 16/17 builds
• 308d533 ci: use Python 3 for Node 12
• c818907 ci: unpin actions/setup-node to v2
• 99242d7 7.0.1
• 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (Remove v1/v2 vestiges in ui chef/automate#3224)
• c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (update cli docs chef/automate#3209)
• 918dcb3 Lint fix
• 0a21792 Set rejectUnauthorized to true by default (need meaningful error message for scan job authentication error in Automate UI chef/automate#3149)
• e80d4af chore: Drop EOL Node 15 (compliance profiles list view ux improvements chef/automate#3122)
• d753397 feat: Add Node 17 support (Dan/top infra errors chef/automate#3195)
• dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: protractor

The new version differs by 250 commits.

• a0ffa9b release: 5.4.4
• 8b3ebf8 fix: security prototype pollution
• 162f9e5 ci: Log sauce connect proxy to stdout, remove travis_wait, upgrade proxy to 4.5.4
• eb1d0fc docs(release): Update release docs for 5.4 series.
• 6c46098 chore(release): Update changelog
• faf0895 fix(ci): Don't update webdriver in pretest
• d77731c fix(release): Pin CircleCI to Chrome v74
• efe7fdd chore(dependencies): Update natives, so we can continue to run Gulp on
• 0442e51 chore(release): Bugfix release 5.4.3
• 7999a08 fix(index.ts): Fix exports to unbreak TypeScript 3.7 build
• 5d29112 chore(release): bump version to 5.4.2 (Disclosure Panel and Banner across Automate chef/automate#5106)
• db1b638 feat(saucelabs): add sauceRegion support for eu datacenters (Sonarcloud file exclusion  chef/automate#5083)
• 3a5e413 chore(config): Update docs regarding proxies (Bump underscore from 1.9.1 to 1.13.1 in /components/chef-ui-library chef/automate#5048)
• 6064b69 chore(tests): clean up test suite for failures (Ohai plugins in the /ohai directory are not displayed in the cookbook view chef/automate#5097)
• f5dbe13 fix(deps): @ types/node is now a dev dependency
• d4fe1ca chore(config): Update sauceSeleniumAddress port to 443 (Add new credentials through Modal when on Scan Jobs page chef/automate#5041)
• 71e2cb8 chore(release): version bump and changelog for 5.4.1. (Date/Time Format: Global Time Settings - Backend chef/automate#4953)
• 39485ca fix(typo): fixed typo in EC expectation alias (There is a vulnerability in lodash 4.17.19 ,upgrade recommended chef/automate#4952)
• 07fefeb fix(browser): browser.navigate() return type. (Add the External Load Balancer chef/automate#4932)
• 2632bb6 deps(webdriver_js_extender): update webdriver_js_extender to 2.1 (Show Warning Banner on Login chef/automate#4934)
• 0b1820c fix(package-lock.json): update package-lock.json to match package.json. (Test the Managed AMI image for PG and ES (AWS and Azure)  chef/automate#4931)
• 7b08083 feat(driverProvider): Add useExistingWebDriver driver provider (Bad command in compile_all_protobuf_components chef/automate#4756)
• 249e657 feat(example): add examples of usage protractor framework with angular-material components; (Automate Throwing invalid FQDN error while adding Infra Server chef/automate#4891)
• 4534e20 chore(release): version bump and changelog for 5.4.0. (Bump y18n from 4.0.0 to 4.0.1 in /e2e chef/automate#4885)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 4be093d 2.2.0
• 2278469 2.2.0-rc.8
• b946eb4 Merge pull request [a1-upgrade] migrate infra server config chef/automate#3988 from malstoun/bug/2664
• 260e413 Merge pull request Updating the policy file term chef/automate#3986 from webpack/bugfix/revert_use_of_buffer_dot_from
• 0ec7de9 Fix regression with watch cli opt, add tests for this case
• 72226db add missing disable line
• 4d30675 build fresh yarn.lock file to remove buffer polyfill
• 91c1f35 fix(node): rollback changes of Buffer.from to new Buffer() and bump down travis to 4.3 min node v
• 0b47602 2.2.0-rc.7
• db6ccbc Merge pull request Updated toggle sort in Notification table. chef/automate#3978 from webpack/bugfix/conditional-reexports
• 82a5b03 Merge pull request Bump rack from 2.0.8 to 2.2.3 in /components/automate-workflow-ctl chef/automate#3977 from malstoun/bug/2664
• fc1a43b Merge pull request CDS download chef/automate#3976 from timse/rely-on-defaults
• a44694a hoist exports declarations too
• 682bde8 Fix lint
• c6d7d90 Add tests
• af8d49e remove defaults values to shave a few bytes
• 9796696 2.2.0-rc.6
• e9bdb05 Merge pull request #3971 from webpack/bugfix/fix_available_vars_in_fmtp
• bd45bdc add test case for global in harmony modules
• bfccb20 fix PR
• 5a3a23f fix(nmf): Fix exports for var injection to include free glob exports or arguments
• 437dce4 2.2.0-rc.5
• 91cb1df Merge pull request Sync swagger files for Automate docs. chef/automate#3970 from webpack/ci/appveyor
• 9fd55e5 Merge pull request Bump automate-compliance-profiles chef/automate#3969 from webpack/bugfix/issue-3964

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn

[secure-code-warrior-for-github]

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
• OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
• OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
• OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Directory traversal (Detected by phrase)

Matched on "Directory Traversal"

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
• OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Race condition (Detected by phrase)

Matched on "race condition"

What is this? (2min video)

A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior