[Snyk] Fix for 1 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • templates/AngularSpa/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	713/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.4	Prototype Pollution SNYK-JS-JSON5-3182856	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: css-loader

The new version differs by 250 commits.

• 7857d8f chore(release): 4.0.0
• 5604205 feat: support `file:` protocol
• 5303db2 chore(deps): update (React-Redux Issue with StaticRouter, serverside rendering and state.routing aspnet/JavaScriptServices#1131)
• 9aa0549 chore(deps): update
• a54c955 test: imports
• 5b45d87 test: support in `@ import` at-rule
• 83515fa refactor: code
• 1c20b1e fix: parsing
• 7f49a0a feat: `@ value` supports importing `url()` (shrinkwrap error with peerDependencies wp version aspnet/JavaScriptServices#1126)
• 791fff3 refactor: named export (Uncaught SyntaxError: missing ) after argument list  aspnet/JavaScriptServices#1125)
• 01e8c76 refactor: change function arguments of the `import` option ([Question] Why was babel used in React templates? aspnet/JavaScriptServices#1124)
• c153fe6 refactor: improve schema options (Prerender Parent component and all its children except one aspnet/JavaScriptServices#1123)
• 58b4b98 test: unresolved (Linter for templates aspnet/JavaScriptServices#1122)
• d2f6bd2 refactor: getLocalIdent function (UseWebpackDevMiddleware HMR not routing  aspnet/JavaScriptServices#1121)
• 069dbb0 refactor: the `modules.localsConvention` option was renamed to the `modules.exportLocalsConvention` option (Generated example publishing to the server - typescript errors aspnet/JavaScriptServices#1120)
• fc04401 refactor: the `modules.context` option was renamed to the `modules.localIdentContext` option (How to use Swagger and return 404 for unknown API urls aspnet/JavaScriptServices#1119)
• 3a96a3d refactor: the `hashPrefix` option was renamed to the `localIdentHashPrefix` option ([Angular] Server Side Rendering Issue with angular "^4.2.6" aspnet/JavaScriptServices#1118)
• 0080f88 refactor: default values `modules` and `module.auto` are true (Bootstrap not working in template aspnet/JavaScriptServices#1117)
• e1c55e4 refactor: rename the `onlyLocals` option (Version warning with webpack 3 aspnet/JavaScriptServices#1116)
• ac5f413 refactor: code
• a5c1b5f test: code coverange (Lazy loading: Webpack angular-router-loader error. aspnet/JavaScriptServices#1114)
• 908ecee refactor: `esModule` option is `true` by default (Complete the lstat patching for #1101 aspnet/JavaScriptServices#1111)
• 7cca035 test: coverange (Empty Solution in Visual Studio 2017 aspnet/JavaScriptServices#1112)
• bc19ddd feat: improve `url()` resolving algorithm

See the full diff

Package name: file-loader

The new version differs by 102 commits.

• e44eb73 chore(release): 6.0.0
• ad39022 chore(deps): update (Webpack ProviderPlugin not working while pre-rendering aspnet/JavaScriptServices#369)
• e1fe27c docs: update README.md (How to access params.data in react component or Redux store aspnet/JavaScriptServices#368)
• c2aded7 chore(release): 5.1.0
• cd8698b feat: support the `query` template for the `name` option (outdated readme.md aspnet/JavaScriptServices#366)
• 5703c58 chore(deps): update (Add EventSource polyfill so that webpack HMR can work on IE/Edge aspnet/JavaScriptServices#365)
• 521bff2 chore: remove duplicate prettier config file (Loosing connection to webpack aspnet/JavaScriptServices#357)
• 5ffac2e refactor: added description on esModule (Call to Node module failed with error: TypeError: Cannot read property 'filter' of undefined aspnet/JavaScriptServices#358)
• 190829e docs: fix the description of the `esModule` option (Support the contradictive "more than one page for the SPA" aspnet/JavaScriptServices#348)
• f1b071c chore(release): 5.0.2
• 6431101 chore: add the `funding` field in `package.json` (Support Aurelia aspnet/JavaScriptServices#347)
• 90302cd chore(release): 5.0.1
• 31d6589 fix: name of `esModule` option in source code (Move tsconfig.json files to template root folders aspnet/JavaScriptServices#346)
• 2a18cba chore(release): 5.0.0
• 98a6c1d refactor: next (Content security policy aspnet/JavaScriptServices#345)
• 0df6c8d chore(release): 4.3.0
• a2f5faf refactor: code (Unable to use "dotnet run" after running generator aspnet/JavaScriptServices#344)
• 9b9cd8d feat: new options flag to output ES2015 modules (Question about the new main-server file aspnet/JavaScriptServices#340)
• ba0fd4c chore(release): 4.2.0
• 642ee74 docs: improve readme (AutoMapper fails to install aspnet/JavaScriptServices#341)
• c136f44 feat: `postTransformPublicPath` option (Plans to have ES6 templates aspnet/JavaScriptServices#334)
• d441daa chore(release): 4.1.0
• 705eed4 feat: improved validation error messages ([QUESTION] ReactRedux Questions aspnet/JavaScriptServices#339)
• d016daa chore(release): 4.0.0

See the full diff

Package name: html-loader

The new version differs by 93 commits.

• d7cccfa chore(release): 1.0.0
• 3c9a1d8 refactor: `attributes` option (webpack-dashboard? aspnet/JavaScriptServices#265)
• 8c73761 feat: `preprocessor` option (Router 3.0.0-rc.1 aspnet/JavaScriptServices#263)
• f2ce5b1 feat: improve errors
• 9923244 chore(deps): update (Will not run aspnet/JavaScriptServices#260)
• 9835bde feat: supports `link:href` attribute for css (chore(typescript): Upgrade to 2.0 & Types aspnet/JavaScriptServices#258)
• 7af2eff refactor: improve schema (Update to Angular2 Final aspnet/JavaScriptServices#257)
• 98412f9 docs: `filter` sources (Update aspnet-webpack-react to React 15 aspnet/JavaScriptServices#256)
• ff0f44c feat: implement the `filter` option for filtering some of sources (Update to React 15 aspnet/JavaScriptServices#255)
• 1c24662 refactor: move the `root` option under the `attributes` option (Hotloading TSX files with interfaces does not seem to be working aspnet/JavaScriptServices#254)
• 888b8fe docs: add footnote for `-attributes` (Invalid provider error with CACHE_PRIMED_HTTP_PROVIDERS aspnet/JavaScriptServices#252)
• 3d2907e refactor: remove the `interpolate` option
• bd979e2 refactor: remove the `interpolate` option
• fcba4ec fix: handle only valid srcset tags (Accessing globals from pre-rendering aspnet/JavaScriptServices#253)
• 9e5ce56 perf: improve source parse (Duplicate <html> tag in markup for angular aspnet/JavaScriptServices#251)
• c9c8dad refactor: improve source parse (Angular2 server-side rendering not working with matrix-formatted URLs aspnet/JavaScriptServices#250)
• 079d623 fix: respect `#hash` in sources
• a17df49 fix: reduce `import`/`require` count
• d0b0150 fix: adding quotes when necessary for unquoted sources (Can't find aspnet-prerendering when using a node version manager aspnet/JavaScriptServices#247)
• e3727ab test: minifier
• 0bbe29c feat: migrate on `htmlparse2`
• b7af031 fix: escape `\u2028` and `\u2029` characters ("Cannot find module" error when pre-rendering is on. aspnet/JavaScriptServices#244)
• 24b0427 fix: parser tags and attributes according spec (Dockerfile best practices to speed up builds aspnet/JavaScriptServices#243)
• 3df909d feat: support `script:src` attributes

See the full diff

Package name: style-loader

The new version differs by 120 commits.

• 171a747 chore(release): 1.1.4
• af1b4a9 chore(deps): update
• a003f05 docs: add links for the options table (Error after upgrading to latest webpack 2.1 beta aspnet/JavaScriptServices#460)
• 2756e03 chore(release): 1.1.3
• 236b243 fix: injection algorithm (Microsoft.DotNet.Props was not found aspnet/JavaScriptServices#456)
• 36bd8f1 docs: fix typos (support VS2017rc aspnet/JavaScriptServices#453)
• de38c39 chore(release): 1.1.2
• 91ceaf2 fix: algorithm for importing modules (WILL NOT RUN - ASP.NET Core + Angular 2 template for Visual Studio aspnet/JavaScriptServices#449)
• 1138ed7 fix: checking that the list of modules is an array (Inaccurate errors returned by compiler aspnet/JavaScriptServices#448)
• aa418dd chore(release): 1.1.1
• 7ee8b04 fix: add empty default export for `linkTag` value
• c69ea6c chore(release): 1.1.0
• c7d6e3a fix: order of imported styles (Update README.md aspnet/JavaScriptServices#443)
• a283b30 test: more manual test (Update to Asp.Net Core 1.1 aspnet/JavaScriptServices#442)
• 3415266 feat: `esModule` option (Create a few 5 to 10 minute videos explaining how the template works for beginners. aspnet/JavaScriptServices#441)
• 907aed8 test: refactor (VS2017 support (e.g. new csproj format) aspnet/JavaScriptServices#440)
• 28e1628 refactor: code (ASP.NET Core Template Pack in the corporate environment - Proxy Authentication Required aspnet/JavaScriptServices#438)
• 5c51b90 refactor: cjs (Can't find TS files in chrome devtools aspnet/JavaScriptServices#437)
• 609263a test: refactor
• 7768fce chore(release): 1.0.2
• dcbfadb fix: support ES module syntax (Cannot use Observable.interval(x) in startup of Angular2 SPA aspnet/JavaScriptServices#435)
• d515edc chore(deps): update (~ aspnet/JavaScriptServices#434)
• 4c1e3f3 docs: fixed typo 'doom' to 'DOM' in README.md (SpaServices Webpack Dev Middleware - automatic insertion of "webpack-hot-middleware/client" aspnet/JavaScriptServices#432)
• c6164d5 chore(release): 1.0.1

See the full diff

Package name: url-loader

The new version differs by 69 commits.

• 8828d64 chore(release): 4.0.0
• fc8721f chore(deps): migrate on `mime-types` package (Could not load file or assembly 'Microsoft.DotNet.ProjectModel, Version=1.0.0.0 aspnet/JavaScriptServices#209)
• f13757a chore(deps): update ([Proposal] Add support for Aurelia RC (template/etc) aspnet/JavaScriptServices#208)
• a2f127d fix: description on the `esModule` option (Update dependencies aspnet/JavaScriptServices#204)
• 4301f87 chore(release): 3.0.0
• 3f0bbc5 refactor: next (Live updating server-side node code. aspnet/JavaScriptServices#198)
• 2451157 chore(release): 2.3.0
• 0ee2b99 feat: new `esModules` option to output ES modules
• cbd1950 chore(release): 2.2.0
• 196110e fix: yarn pnp support (webpack.config.vendor.js and Tree-Shaking aspnet/JavaScriptServices#195)
• 9431124 docs: improve documentation about `fallback` (Updating to AutoMapper 5.0 aspnet/JavaScriptServices#194)
• a251a23 chore(deps): update (All the sample as lucky why not together? Has been given aspnet/JavaScriptServices#193)
• 2bffcfd fix: limit must allow infinity and max value (Roadmap aspnet/JavaScriptServices#192)
• 1b9dbd1 chore(release): 2.1.0
• f3d4dd2 feat: improved validation error messages (Simple task like adding a new module aspnet/JavaScriptServices#187)
• 37c6acc chore(release): 2.0.1
• 4842f93 fix: allow using limit as string when you use loader with query string (Two issues on Windows - reflect-metadata missing and client app crash aspnet/JavaScriptServices#185)
• c0341da chore(defaults): update (Adding support for capturing the output of a node instance for custom… aspnet/JavaScriptServices#184)
• 78833ac chore(release): 2.0.0
• 4386b3e chore(deps): update ([Feature Request] - Add an SPA View Engine that gives the ability to render the entire page instead of using Razor aspnet/JavaScriptServices#182)
• 60d2cb3 feat: limit option can be boolean (Error adding Microsoft.AspNetCore.SpaServices.1.0.0-beta-000007 to net451 project aspnet/JavaScriptServices#181)
• d82e453 fix: `limit` should always be a number and 0 value handles as number (Unable to build project (Windows) aspnet/JavaScriptServices#180)
• 3c24545 fix: fallback loader will be used than limit is equal or greater (Upgraded to typings from tsd. Moved URL workaround and load it with typings aspnet/JavaScriptServices#179)
• a6705cc test: test svg scenario. Webpack's publicPath isn't used aspnet/JavaScriptServices#176 (Added OnBeforeStartExternalProcess callback  aspnet/JavaScriptServices#177)

See the full diff

Package name: webpack

The new version differs by 250 commits.

• 610f368 5.0.0
• 5ce65c1 update examples
• bbe1230 Merge pull request #11628 from webpack/bugfix/real-content-hash
• 75ecff2 5.0.0-rc.6
• bfc35d6 Merge pull request #11603 from MayaWolf/master
• 76e8cbd Merge pull request #11622 from webpack/dependabot/npm_and_yarn/types/node-13.13.25
• 9fd1be2 chore(deps-dev): bump @ types/node from 13.13.23 to 13.13.25
• 36bcfaa Merge pull request #11621 from webpack/bugfix/11619
• 9130d10 fix called variables with ProvidePlugin
• 3e42105 Merge pull request #11620 from webpack/bugfix/11617
• 4709719 skip connections copied to concatenated module
• 57b493f 5.0.0-rc.5
• 1658e2f Merge pull request #11618 from webpack/bugfix/11615
• a8fb45d fixes crash in SideEffectsFlagPlugin
• 84b196d emit error instead of crashing when unexpected problem occurs
• 5573fed Merge pull request #11601 from Hornwitser/improve-suggested-polyfill-config
• 9b5cce9 Merge pull request #11609 from snitin315/export-types
• 37c495c export type RuleSetUseItem
• 39faf34 export type RuleSetUse
• e5fd246 export type RuleSetConditionAbsolute
• 660baad export RuleSetCondition types
• 13e3ca5 Merge pull request #11602 from webpack/bugfix/shared-runtime-chunk
• 9c0587e Merge pull request #11606 from webpack/dependabot/npm_and_yarn/simple-git-2.21.0
• 502d166 Merge pull request #11607 from webpack/dependabot/npm_and_yarn/acorn-8.0.4

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[secureflag-knowledge-base]

Code Injection

Start Code Injection Lab

Description

Code Injection, also known as Remote Code Execution (RCE), is possible when unsafe user-supplied data is used to run server-side code. This is typically as a result of an application executing code without prior validation, thus allowing an attacker to execute arbitrary code within the context of the vulnerable application.

Not to be confused with OS Command Injection, Code Injection attacks allow the attacker to add their own code to be executed by the application, whereas OS Command Injection extends the preset functionality of the application to execute system commands, usually within the context of a shell.

Code Injection attacks are only limited by the functionality of the language the attacker has injected i.e. not very limited at all! If PHP code is the language chosen for the injection and is executed successfully, the attacker has every utility available in PHP at her/his disposal.

The Code Injection attack category encompasses multiple types of injection attacks, all of which are very prevalent and capable of extremely high levels of compromise. Indeed, OWASP has listed injection attacks as one of the most dangerous web application security risk since 2013.

Read more

Impact

Malicious attackers can leverage Code Injection vulnerabilities to gain a foothold in the hosting infrastructure, pivot to connected systems throughout the organization, execute unauthorized commands, and fully compromise the confidentiality, integrity, and availability of the application. Depending on the injection, this can usually lead to the complete compromise of the underlying operating system.

The list of devastating Code Injection attacks, both public and behind closed doors, is far too long to list. Hot off the press in 2020, this Code Injection discovery was shown to affect the default Mail application on stock iPhones and iPads, resulting in remote code execution.

In this particular instance, the vulnerability was identified by a security company which notified the vendor, Apple, of the issue. However, it is important as a developer to internalize the glaring reality that poorly written, unsecure code opens the way for attackers to potentially wreak havoc, which is why learning secure codeing skills from the beginning can potentially prevent an employer-destroying headline down the track.

Prevention

Code Injection attacks leveraging any language can be avoided by simply following some basic, yet essential, security practices. Overarching these general practices is the rule that a developer should treat all data as untrusted.

Developers must not dynamically generate code that can be interpreted or executed by the application using user-provided data. Evaluating code that contains user input should only be implemented if there is no other way of achieving the same result without code execution.

Testing

Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.

• OWASP ASVS: 5.2.4
• OWASP Testing Guide: Testing for Code Injection

View this in the SecureFlag Knowledge Base

[secure-code-warrior-for-github]

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

[secure-code-warrior-for-github]

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "OS Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
• OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about Code Injection, and links to various OWASP resources to help detect or prevent it.
• SEI CERT Oracle Coding Standard for Java - Prevent Code Injection - Carnegie Mellon University Software Engineering Institute guidance on preventing code injection vulnerabilities in Java.

Micro-Learning Topic: Injection attack (Detected by phrase)

Matched on "Injection attack"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
• OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
• OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
• OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
• OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.