fix(security): disable reading query config #7697

Merged (5 commits), Dec 9, 2021

Conversation

char0n
Member

@char0n char0n commented Dec 8, 2021

Refs #4872

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.

@char0n char0n requested a review from ponelat December 8, 2021 16:38
@char0n char0n self-assigned this Dec 8, 2021
@char0n char0n added labels: cat: security, security fix (Security fix generated by WhiteSource), version: 4.x on Dec 8, 2021
@ghilainm

ghilainm commented May 6, 2022

This is actually a breaking change.

@char0n
Member Author

char0n commented May 9, 2022

@ghilainm without further context we can say that it is a breaking change. But this PR was done in a security context: we were fixing an obvious security issue, which shouldn't have been there in the first place. By fixing the security issue we changed the behavior of the software in a non-compatible way, but we've also provided a way to achieve the original behavior if one is willing to accept the security implications.

Active security advisory: GHSA-qrmm-w75w-3wpx

@ghilainm

ghilainm commented May 9, 2022

I thought I removed that comment. I agree with you.

Sorry for the trouble.
