Closed zemberdotnet closed 8 months ago
The latest commit contains 1 new security finding.
Findings |
---|
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Original Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or... |
📘 Learn More https://github.com/JupiterOne/graph-artifactory/blob/7d429aac9b37c189e0a865c5d3f1f0fc265c7e29/src/client.ts#L67 |
Not a finding? Ignore it by adding a comment on the line with just the word noboost.
Scanner: boostsecurity - BoostSecurity semgrep
New and removed dependencies detected.
Package | New capabilities | Transitives | Size | Publisher |
---|---|---|---|---|
npm/@jupiterone/integration-sdk-core@11.8.0 | environment Transitive: unsafe | +7 | 1.31 MB | jupiterone-dev |
npm/@jupiterone/integration-sdk-dev-tools@11.8.0 | Transitive: environment, eval, filesystem, network, shell, unsafe | +815 | 134 MB | jupiterone-dev |
npm/@jupiterone/integration-sdk-testing@11.8.0 | environment Transitive: eval, filesystem, network, shell, unsafe | +286 | 35.5 MB | jupiterone-dev |
🚮 Removed packages: npm/@jupiterone/integration-sdk-core@11.0.3, npm/@jupiterone/integration-sdk-dev-tools@11.0.3, npm/@jupiterone/integration-sdk-testing@11.0.3
Description
Some on-prem instances of Artifactory do not use the cloud-based URL. This enabled those integrations to reach the correct URL.