DannyDainton / newman-reporter-htmlextra

A HTML reporter for Postman's Command Line Runner, Newman. Includes Non Aggregated Runs broken down by Iterations, Skipped Tests, Console Logs and the handlebars helpers module for better custom templates.
Apache License 2.0

[Project Dependencies] Vulnerability in the `unset-value` dependency #382

Open priyaramu opened 2 years ago

priyaramu commented 2 years ago

Is There An Existing Issue

What Are You Seeing

There is a high vulnerability reported by prisma while using newman-reporter-htmlextra. The vulnerability is in unset-value 1.0.0 package which is a transitive dependency of @budibase/handlebars-helpers in newman-reporter-htmlextra. This is fixed in the unset-value 2.0.1 version.

Impacted versions: <2.0.1 Discovered: less than an hour ago Published: 59 days ago unset-value package versions before 2.0.1 are vulnerable to Prototype Pollution. unset() function in index.js files allows for access to object prototype properties. An attacker can exploit this to override the behavior of object prototypes, resulting in a possible Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected behavior.

Steps To Reproduce The Issue

Run a prisma scan against a docker image which contains newman-reporter-htmlextra package (latest version)

Full Newman Command Or Node Script

newman run postman_collection.json -e env.environment.json \
      -r cli,htmlextra --reporter-htmlextra-export ./smoke-test-report.html

HTMLEXTRA Version

1.22.8

Newman Version

5.3.2

Additional Context

No response
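The advisory quoted above describes unset() following a dotted path into object prototype properties. As an added illustration (not code from unset-value, @budibase/handlebars-helpers or this project; all names are hypothetical), here is a hardened path-based unset that rejects prototype-reaching segments and walks only own properties, plus a small runtime check that reports unexpected enumerable keys on Object.prototype.

```javascript
// Added illustration, not unset-value's own implementation. Function and
// constant names (FORBIDDEN_KEYS, parseSafePath, safeUnset,
// pollutedPrototypeKeys) are hypothetical.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted path and reject any segment that could reach a prototype.
function parseSafePath(path) {
  const segments = String(path).split('.');
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_KEYS.has(seg)) {
      throw new TypeError(`unsafe path segment: ${JSON.stringify(seg)}`);
    }
  }
  return segments;
}

// Delete obj[a][b]...[last]; returns true only if an own property was removed.
// Only own properties are traversed, so inherited ones are never reached.
function safeUnset(obj, path) {
  const segments = parseSafePath(path);
  if (obj === null || typeof obj !== 'object') return false;
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, segments[i])) return false;
    cur = cur[segments[i]];
    if (cur === null || typeof cur !== 'object') return false;
  }
  const last = segments[segments.length - 1];
  if (!Object.prototype.hasOwnProperty.call(cur, last)) return false;
  delete cur[last];
  return true;
}

// Detection helper: built-in Object.prototype members are non-enumerable,
// so a clean runtime returns []; injected keys show up here by name.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}
```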

DannyDainton commented 2 years ago

I don't know what Prisma is @priyaramu - can you provide more context here?

w4dd325 commented 2 years ago

It sounds like it is this reported vulnerability with the NPM 'unset-value' package; https://snyk.io/vuln/npm:unset-value#:~:text=Direct%20Vulnerabilities,and%20provides%20fixes%20for%20free.

The full paper is here; https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

From the bits I have read, it appears a few of the dependencies used (eg; lodash/handlebars) would be vulnerable. The fix would be to ensure all dependencies are updated to the latest releases. (Which from a quick glance, they are).

priyaramu commented 2 years ago

I don't know what Prisma is @priyaramu - can you provide more context here?

@DannyDainton Prisma tool is used to scan docker images and find the vulnerabilities if any -> https://prisma.pan.dev/docs/cloud/ https://prisma.pan.dev/docs/cloud/cwpp/twistcli_gs#scan-container-images-with-twistcli

ackris commented 9 months ago

@DannyDainton - this is still coming even after upgrading newman-reporter-htmlextra to 1.23.0. Is there any resolution to this?

unset-value is one of the transitive dependencies of newman-reporter-htmlextra.

=> Found "unset-value@1.0.0"
info Reasons this module exists
   - "newman-reporter-htmlextra#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base" depends on it
   - Hoisted from "newman-reporter-htmlextra#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base#unset-value"
info Disk size without dependencies: "68KB"
info Disk size with unique dependencies: "132KB"
info Disk size with transitive dependencies: "236KB"
info Number of shared dependencies: 6
Done in 1.92s.

The above is the output of `yarn why unset-value`.

Please let us know if a fix is planned for this. This is becoming a blocker of sorts in our organization.

DannyDainton commented 9 months ago

It's not something I'm working on, this project is not my day job and unfortunately those things will always take priority.

If this is something that you can fix or you want to contribute to the project - PRs are very welcome.

This goes without saying but your organisation has chosen to use a 3rd party tool that they basically have no control over, there are never any guarantees that it will continue to work forever...that's the nature of software.