Security issue

[vdeturckheim]

Hello,

As a member of the Node.js ecosystem security team I have been reported a security issue regarding this package.

I have contacted the person I identified as maintainer by email but did not get any answer. What is the best way to reach someone with commit rights over this repo do privately explain what is the issue?

Best
Vladimir de Turckheim

[ozomer]

Here is one security issue: https://github.com/joeferner/redis-commander/blob/master/lib/app.js#L57
Better to use: app.use(express.session({ secret: crypto.randomBytes(20).toString('hex') })); (or require users to set some secret in some environment variable).

However, I don't see any place where req.session is used, but maybe I missed something.

[sseide]

@ozomer express.session is not used in current version, this problem is gone now or something else?

@vdeturckheim yesterdays merge fixed multiple security issues, maybe yours is fixed too now....

[dev-trilobyte]

@vdeturckheim Security issue was fixed with my commit 1a483eb at september. These files are removed since them.
If its this one https://hackerone.com/reports/296377

just found about it via snyk and searching around a bit only by chance...

Best,
Stefan seide

[vdeturckheim]

Hey thanks for the ping. I will check back shortly!

[sseide]

Any feedback on this? If there is something else just contact me directly to discuss this any further as i can commit myself by now... Would like to close security related issues as soon as possible.

[sseide]

As there is no further feedback and we believe issue is fixed long ago i will close this.
Please reopen if not fixed.