GSA / smartpay-training

Prototype for new GSA SmartPay training quizzes

Dependabot Alert: NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #498

Open JennaySDavis opened 4 months ago

JennaySDavis commented 4 months ago

An issue in all published versions of the NPM package ip allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to distinguish between public and private IP addresses accurately.
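As an added, defender-side example (not code from this repository or from the ip package), a fail-closed public-IPv4 check a server can apply to a user-supplied address before fetching it; the helper names and the blocked-range list are assumptions, and anything that is not a canonical dotted quad is treated as not public.

```javascript
// Added example, not code from smartpay-training or the ip package:
// a fail-closed "is this address public?" check for a server that fetches
// user-supplied addresses. The point is to refuse private, loopback and
// other special-use ranges even when an upstream helper misclassifies them.

// Only canonical dotted-quad IPv4 (four decimal octets, no leading zeros).
// Shorthand ("127.1"), hex ("0x7f.0.0.1") and octal forms are rejected so
// they cannot be parsed one way here and another way by the HTTP client.
const STRICT_V4 =
  /^((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;

// Special-use IPv4 ranges (CIDR) a server should never fetch from.
// Assumed list for this example; extend it to match your environment.
const BLOCKED_V4 = [
  "0.0.0.0/8",      // "this" network
  "10.0.0.0/8",     // RFC 1918 private
  "100.64.0.0/10",  // carrier-grade NAT
  "127.0.0.0/8",    // loopback
  "169.254.0.0/16", // link-local
  "172.16.0.0/12",  // RFC 1918 private
  "192.168.0.0/16", // RFC 1918 private
  "224.0.0.0/4",    // multicast
  "240.0.0.0/4",    // reserved, includes limited broadcast
];

// Canonical dotted quad -> unsigned 32-bit integer.
function v4ToInt(addr) {
  return addr.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// True when `ip` (canonical dotted quad) lies inside `cidr`.
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const n = Number(bits);
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// Returns true only for a canonical public IPv4 address. IPv6, hostnames
// and any non-canonical spelling return false; the caller must resolve
// hostnames itself and re-check the resolved address before connecting.
function isPublicIPv4(host) {
  if (typeof host !== "string" || !STRICT_V4.test(host)) return false;
  return !BLOCKED_V4.some((cidr) => inCidr(host, cidr));
}
```

Because the check returns false for anything it cannot parse strictly, a caller that gates outbound requests on `isPublicIPv4` fails closed rather than trusting a lenient classifier.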

JennaySDavis commented 3 months ago

#498 Acceptance Criteria

| Pass/Fail | Description |
| --- | --- |
| Pass | Smoke Testing of Training app. |

Comments/Additional Notes: A Link checker was completed on the app. No broken links were found.

| ADA Compliance (Automated scan via Chrome Lighthouse) Criteria | Score |
| --- | --- |
| Performance | 98 |
| Accessibility | 100 |
| Best Practices | 100 |

*Average; several scans were completed.

Passed 03/15/2024 - JSD

LoraBradford commented 3 months ago

Moving to Done, thank you!