-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: bump up nodemailer version to v6.9.9 [SECURITY] #5780
Conversation
Codecov ReportAll modified and coverable lines are covered by tests β
Additional details and impacted files@@ Coverage Diff @@
## canary #5780 +/- ##
==========================================
- Coverage 64.66% 64.56% -0.10%
==========================================
Files 342 342
Lines 19373 19373
Branches 1645 1644 -1
==========================================
- Hits 12528 12509 -19
- Misses 6628 6647 +19
Partials 217 217
Flags with carried forward coverage won't be shown. Click here to find out more. β View full report in Codecov by Sentry. |
fa2ab2c
to
4e964e1
Compare
Merge activity
|
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [nodemailer](https://nodemailer.com/) ([source](https://togithub.com/nodemailer/nodemailer)) | [`6.9.7` -> `6.9.9`](https://renovatebot.com/diffs/npm/nodemailer/6.9.7/6.9.9) | [![age](https://developer.mend.io/api/mc/badges/age/npm/nodemailer/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/nodemailer/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/nodemailer/6.9.7/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/nodemailer/6.9.7/6.9.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [GHSA-9h6g-pr28-7cqp](https://togithub.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp) ### Summary A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. ### Details Regex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/ Path: compile -> getAttachments -> _processDataUrl Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/ Path: _convertDataImages ### PoC https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6 https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698 ### Impact ReDoS causes the event loop to stuck a specially crafted evil email can cause this problem. --- ### Release Notes <details> <summary>nodemailer/nodemailer (nodemailer)</summary> ### [`v6.9.9`](https://togithub.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#699-2024-02-01) [Compare Source](https://togithub.com/nodemailer/nodemailer/compare/v6.9.8...v6.9.9) ##### Bug Fixes - **security:** Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurences are expected ([dd8f5e8](https://togithub.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a)) - **tests:** Use native node test runner, added code coverage support, removed grunt ([#​1604](https://togithub.com/nodemailer/nodemailer/issues/1604)) ([be45c1b](https://togithub.com/nodemailer/nodemailer/commit/be45c1b299d012358d69247019391a02734d70af)) ### [`v6.9.8`](https://togithub.com/nodemailer/nodemailer/blob/HEAD/CHANGELOG.md#698-2023-12-30) [Compare Source](https://togithub.com/nodemailer/nodemailer/compare/v6.9.7...v6.9.8) ##### Bug Fixes - **punycode:** do not use native punycode module ([b4d0e0c](https://togithub.com/nodemailer/nodemailer/commit/b4d0e0c7cc4b15bc4d9e287f91d1bcaca87508b0)) </details> --- ### Configuration π **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). π¦ **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5In0=-->
4e964e1
to
67ab814
Compare
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. β Warning: custom changes will be lost. |
This PR contains the following updates:
6.9.7
->6.9.9
GitHub Vulnerability Alerts
GHSA-9h6g-pr28-7cqp
Summary
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter
attachDataUrls
set, causing the stuck of event loop.Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.
Details
Regex: /^data:((?:[^;];)(?:[^,])),(.)$/
Path: compile -> getAttachments -> _processDataUrl
Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/
Path: _convertDataImages
PoC
https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698
Impact
ReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.
Release Notes
nodemailer/nodemailer (nodemailer)
v6.9.9
Compare Source
Bug Fixes
v6.9.8
Compare Source
Bug Fixes
Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.