Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency ini to 1.3.6 [security] - autoclosed #337

Closed
wants to merge 1 commit into from
Closed

chore(deps): update dependency ini to 1.3.6 [security] - autoclosed #337

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 31, 2021

WhiteSource Renovate

This PR contains the following updates:

Package Change
ini 1.3.5 -> 1.3.6

GitHub Vulnerability Alerts

CVE-2020-7788

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Renovate configuration

馃搮 Schedule: "" (UTC).

馃殾 Automerge: Disabled by config. Please merge this manually once you are satisfied.

鈾伙笍 Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

馃敃 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/root/npm-ini-vulnerability branch from 768d0bc to 56faa16 Compare March 31, 2021 19:17
@codeclimate
Copy link

codeclimate bot commented Mar 31, 2021

Code Climate has analyzed commit 56faa16 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 100.0%.

View more on Code Climate.

@renovate renovate bot changed the title chore(deps): update dependency ini to 1.3.6 [security] chore(deps): update dependency ini to 1.3.6 [security] - autoclosed Mar 31, 2021
@renovate renovate bot closed this Mar 31, 2021
@renovate renovate bot deleted the renovate/root/npm-ini-vulnerability branch March 31, 2021 20:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@getsaf getsaf Awaiting requested review from getsaf

@ike18t ike18t Awaiting requested review from ike18t

@satanTime satanTime Awaiting requested review from satanTime satanTime is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@renovate-bot