
RE DoS + Prototype pollution vulnerability #1587

Closed
4 of 10 tasks
Berkmann18 opened this issue Jul 23, 2018 · 5 comments · May be fixed by bizoton19/hdwih-hugo-cms#4

Comments

Berkmann18 commented Jul 23, 2018

Issue details

NPM flagged a vulnerability regarding this package due to a Regular Expression Denial of Service found in its debug dependency as follows:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > localtunnel > debug                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

There's also an apparent Prototype Pollution in its lodash dependency as follows:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > easy-extender > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Steps to reproduce/test case

# cd to a project that uses browser-sync as a dev dependency
npm audit #or nsp check

Please specify which version of Browsersync, node and npm you're running

  • Browsersync [2.24.6]
  • Node [10.7.0]
  • Npm [6.2.0]

Affected platforms

  • linux
  • windows
  • OS X
  • freebsd
  • solaris
  • other (please specify which)

Browsersync use-case

  • API
  • Gulp
  • Grunt
  • CLI

If CLI, please paste the entire command below

{cli command here}

For all other use-cases (gulp, grunt etc.), please show us exactly how you're using Browsersync

    // `app` is the Express app and `port` its listen port, both defined earlier in the reporter's setup
    if (app.get('browser') || process.env.BROWSER) {
      require('browser-sync')({
        proxy: `localhost:${port}`,        // proxy the running app
        files: ['public/**/*.{js,css}']    // reload the browser when these assets change
      });
    }
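The lodash advisory cited above concerns a deep-merge that follows keys such as `__proto__` into `Object.prototype`. As an added example (not code from browser-sync, easy-extender or lodash), the simplified merge below shows that bug class beside a hardened variant that skips prototype-reaching keys; the payload is a constructed sample.

```javascript
// Added example (not lodash, easy-extender or browser-sync code): a simplified
// recursive merge showing the bug class behind advisory 577, beside a hardened one.

// Unsafe: follows every key, so a "__proto__" key walks into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that reach the prototype chain and only recurse into
// the target's own properties.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: the shape of a polluting document after JSON.parse,
// which creates an own property literally named "__proto__".
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}, "a": 1}');

// Merge the payload into a fresh object and report whether an unrelated object
// now sees the injected property; clean up so repeated runs start fresh.
function demo(mergeFn) {
  const result = mergeFn({}, PAYLOAD);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { a: result.a, leaked };
}

console.log('unsafe:', demo(unsafeMerge), 'safe:', demo(safeMerge));
```

Running it shows the unsafe merge leaving `polluted` visible on every plain object while the hardened merge still copies the ordinary `a` key.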
@shakyShane (Contributor)

I cannot address the localtunnel one: localtunnel/localtunnel#272

@Berkmann18 (Author)

@shakyShane How come? Aren't you the author and a contributor to that package, including BrowserSync?

@adamjaffeback (Contributor)

FYI, localtunnel updated their dependencies with localtunnel/localtunnel#256 and released to v1.9.1 to fix their end.

@Berkmann18 (Author)

@adamjaffeback Thanks for the info.

shakyShane added a commit that referenced this issue Sep 11, 2018
jt2k commented Oct 4, 2018

@shakyShane Thanks for fixing this! I see the change is tagged with a 2.25.0 alpha release. When will the final version be released?

4 participants