v2.30.4. #264

Status: Open. Wants to merge 3 commits into base: master.
Conversation

@abernix commented Dec 14, 2017

Meteor Development Group has just published version v2.30.4 of meteorhacks:kadira on behalf of the package author. This PR serves to represent the changes which were included in that version. Most notably, 9d536d6, which is an important fix for any user of the meteorhacks:kadira package.

The other functional change included in this PR, 209c351, was already published in meteorhacks:kadira v2.30.3, but those changes were not reflected on the GitHub repository. This commit has been included for the sake of continuity, and aims to clearly indicate what we have published.

Whether or not this PR is merged, downstream package authors are advised to include this fix in their forks.

For more information: https://blog.meteor.com/denial-of-service-disclosure-for-meteor-apm-kadira-agent-c6c86abc0035

This change was not made by me. It was published to Atmosphere, but never
pushed to GitHub. This resolves that discrepancy, for the sake of posterity.

The contents of this change were obtained by fetching the package
sources of v2.30.2 and v2.30.3 from the Meteor package server
(warehouse.meteor.com), and "diff"-ing them:

meteorhacks:kadira@2.30.2: http://bit.ly/2ys7h0U
meteorhacks:kadira@2.30.3: http://bit.ly/2C6JcyX
(links shortened for commit message)

As far as what this commit appears to do (based on my assessment):

This ensures that an error message which is purely a string (rather than
an `Error` object), is properly encapsulated in an `Error`-like object
so it can be properly transmitted to the APM server.
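The behaviour the commit message describes, as an added example in JavaScript that is not code from the meteorhacks:kadira package. It normalises whatever a caller reports (a bare string, a real `Error`, an Error-shaped object, or nothing usable) into a plain object with `name`, `message` and `stack`, and shows why that matters for transport: a real `Error` loses all three fields under `JSON.stringify`. The helper names `toErrorLike` and `serializeErrorReport`, and the exact field set, are assumptions of this example.

```javascript
// Added example, not code from meteorhacks:kadira. Demonstrates wrapping a
// string (or other non-Error value) in an Error-like object so the report
// survives JSON transport to an APM server.
//
// A real Error does not survive JSON.stringify on its own: name, message and
// stack are non-enumerable, so JSON.stringify(new Error('x')) yields "{}".
// Copying the fields onto a plain object is what makes them transmittable.

const DEFAULT_NAME = 'Error'; // assumed default when no name is available

// Hypothetical helper: accepts whatever was thrown or reported.
function toErrorLike(err) {
  if (err instanceof Error) {
    // Copy the standard fields off the Error onto an enumerable object.
    return {
      name: err.name || DEFAULT_NAME,
      message: String(err.message),
      stack: typeof err.stack === 'string' ? err.stack : '',
    };
  }

  if (typeof err === 'string') {
    // Bare string: give it the same shape a thrown Error would have.
    // The stack is captured here, so it points at the reporting site,
    // not at wherever the string originally came from.
    return {
      name: DEFAULT_NAME,
      message: err,
      stack: new Error(err).stack || '',
    };
  }

  if (err && typeof err === 'object' && typeof err.message === 'string') {
    // Error-shaped plain object (e.g. one that crossed a process boundary).
    return {
      name: typeof err.name === 'string' ? err.name : DEFAULT_NAME,
      message: err.message,
      stack: typeof err.stack === 'string' ? err.stack : '',
    };
  }

  // null, undefined, numbers, arrays, ...: never drop the report silently.
  return {
    name: DEFAULT_NAME,
    message: 'Non-error value reported: ' + String(err),
    stack: '',
  };
}

// Hypothetical helper: the JSON payload that would go to the APM server.
// All three fields are present regardless of what the caller passed in.
function serializeErrorReport(err) {
  return JSON.stringify(toErrorLike(err));
}

// Stand-alone demonstration when run directly with Node.
if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(new Error('boom')));      // {}  (fields lost)
  console.log(serializeErrorReport('boom'));            // message preserved
  console.log(serializeErrorReport(new TypeError('bad')));
  console.log(serializeErrorReport(undefined));
}
```

The first `console.log` line is the motivating case: without normalisation, a thrown `Error` serialises to an empty object, and a bare string would arrive without the `name`/`stack` fields a server-side parser expects.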
@abernix (author) commented Dec 14, 2017

FYI, The failing tests are unrelated to the change. Rather, they are failing because the Kadira account they are being tested against is no longer active.

@sebakerckhof commented

Giving more information about this might increase the risk of it being abused, so I understand if what I'm asking for is not possible at the moment. But how is {} a DOS risk here while Object.create(null) isn't? I can only imagine it has something to do with changing the prototype of Object but I fail to connect the dots.

@abernix (author) commented Dec 15, 2017

I can understand your inquisition! We do plan on elaborating on this at some point (not here, but in a blog post, most likely), but we feel it's in the best interest of the community to first publicize the importance of updating, and follow-up with additional information later on. I'm glad it's not immediately clear, but I'd probably encourage anyone who might figure it out to understand the impact that publicizing those details might have.

Sorry this isn't the answer you're looking for, but I hope you'll understand.
