
thenify before 3.3.1 made use of unsafe calls to eval. #39076

Closed
gitstart-sourcegraph opened this issue Jul 19, 2022 · 3 comments
Assignees: gitstart-sourcegraph
Labels: frontend-platform (Issues related to our frontend platform, owned collectively by our frontend crew.), gitstart (Contract partner)

Comments

gitstart-sourcegraph commented Jul 19, 2022

Problem statement

Versions of thenify prior to 3.3.1 made use of unsafe calls to eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to eval.

Success criteria

Update thenify to a non-vulnerable version

Implementation details

The latest possible version of thenify that can be installed is 3.3.0.
The earliest fixed version is 3.3.1.

  • Affected versions < 3.3.1

Ref

#35989
Link to dependabot alert

Time estimate

  • Pull requests with ~450 lines changed should take 3 hours at maximum. Ping the reviewer in the spec pull request if time-consuming changes are required.
  • Split the work into multiple pull requests if the total diff is bigger than 450 lines of code.
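The problem statement above describes the vulnerability class without showing it. The following is an added illustration written for this page, not thenify's own source and not code from Sourcegraph or the issue author: it places a wrapper built by splicing a function name into source text and calling `eval` next to a hardened wrapper that sets the name as data with `Object.defineProperty`, and it adds a lockfile check for the affected range (`< 3.3.1`) named in the implementation details. The function `readConfig`, the helper names, and `SAMPLE_LOCK` are constructed for the example.

```javascript
// Added example (not thenify's or Sourcegraph's code). Contrasts the unsafe
// "build source text, then eval it" wrapper with a hardened one, and audits a
// package-lock.json for thenify copies older than 3.3.1.

// Constructed callback-style function used as input to both wrappers.
function readConfig(key, cb) {
  setImmediate(() =>
    key === "missing" ? cb(new Error("no such key")) : cb(null, `value-of-${key}`)
  );
}

// UNSAFE pattern: the wrapper is assembled as a string with `name` spliced in
// and handed to eval, so whatever `name` contains is parsed as JavaScript.
function promisifyWithEval(fn, name = fn.name) {
  const src =
    "(function " + name + "() {\n" +
    "  var self = this, args = Array.prototype.slice.call(arguments);\n" +
    "  return new Promise(function (resolve, reject) {\n" +
    "    args.push(function (err, val) { err ? reject(err) : resolve(val); });\n" +
    "    fn.apply(self, args);\n" +
    "  });\n" +
    "})";
  return eval(src); // direct eval: resolves the local `fn` binding
}

// HARDENED pattern: an ordinary closure whose name is assigned as a plain
// property value. No string is ever interpreted as code.
function promisifySafely(fn, name = fn.name) {
  function wrapper(...args) {
    return new Promise((resolve, reject) => {
      fn.call(this, ...args, (err, val) => (err ? reject(err) : resolve(val)));
    });
  }
  Object.defineProperty(wrapper, "name", { value: String(name), configurable: true });
  return wrapper;
}

// Shows how each wrapper treats a name that is not a plain identifier: the eval
// version parses it as source (a SyntaxError for "a;b"), the safe one stores it.
function compareNameHandling(name) {
  let evalResult;
  try {
    promisifyWithEval(readConfig, name);
    evalResult = "evaluated";
  } catch (e) {
    evalResult = e.constructor.name;
  }
  return { evalResult, safeName: promisifySafely(readConfig, name).name };
}

// Affected range from the issue: every release before 3.3.1.
function isAffectedThenifyVersion(version) {
  const parts = version.split(".").map(Number);
  const fixed = [3, 3, 1];
  for (let i = 0; i < fixed.length; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false;
}

// Scans the "packages" map of a lockfileVersion 2/3 package-lock.json and
// returns every thenify copy in the affected range, nested copies included.
function findAffectedThenify(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) =>
      /(^|\/)node_modules\/thenify$/.test(path) && isAffectedThenifyVersion(meta.version))
    .map(([path, meta]) => `${path}@${meta.version}`);
}

// Constructed lockfile fragment: a patched top-level copy and a nested, still
// affected copy pulled in by another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/thenify": { version: "3.3.1" },
    "node_modules/some-tool/node_modules/thenify": { version: "3.3.0" },
    "node_modules/thenify-all": { version: "1.6.0" },
  },
};

promisifySafely(readConfig)("port").then((v) => console.log("resolved:", v));
console.log(compareNameHandling("a;b"));
console.log("affected copies:", findAffectedThenify(SAMPLE_LOCK));
```

The audit deliberately matches nested `node_modules/.../node_modules/thenify` paths, because a top-level upgrade to 3.3.1 does not remove older copies that other packages pin transitively; both must be gone before the dependabot alert is resolved.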
@gitstart-sourcegraph gitstart-sourcegraph added the gitstart Contract partner label Jul 19, 2022
@gitstart-sourcegraph gitstart-sourcegraph self-assigned this Jul 19, 2022
@gitstart-sourcegraph gitstart-sourcegraph added the frontend-platform Issues related to our frontend platform, owned collectively by our frontend crew. label Jul 19, 2022
@sourcegraph-bot-2

Heads up @taylorsperry @jasongornall - the "team/frontend-platform" label was applied to this issue.

@gitstart-sourcegraph gitstart-sourcegraph added this to In progress in GitStart Work Jul 19, 2022

gitstart-app bot commented Jul 19, 2022

Here is the GitStart Ticket for this issue: https://app.gitstart.com/clients/sourcegraph/tickets/SG-39076

@gitstart-sourcegraph (author)

Closing this: --> #39212 (comment)

GitStart Work automation moved this from In review to Done Sep 8, 2022