MystenLabs / sui

Sui, a next-generation smart contract platform with high throughput, low latency, and an asset-oriented programming model powered by the Move programming language
https://sui.io
Apache License 2.0
5.84k stars, 11.06k forks

patch for aftermath #18368

Open gegaowp opened 1 week ago

vercel[bot] commented 1 week ago

The latest updates on your projects.

| Name | Status | Preview | Comments | Updated (UTC) |
| :--- | :----- | :------ | :------- | :------ |
| **sui-docs** | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Jun 21, 2024 8:24pm |

3 Ignored Deployments

| Name | Status | Preview | Comments | Updated (UTC) |
| :--- | :----- | :------ | :------- | :------ |
| **multisig-toolkit** | ⬜️ Ignored ([Inspect](https://vercel.com/mysten-labs/multisig-toolkit/9L8fonoC5famxUPNUUJce1yP4Sag)) | [Visit Preview](https://multisig-toolkit-git-af-idx-patch-mysten-labs.vercel.app) | | Jun 21, 2024 8:24pm |
| **sui-kiosk** | ⬜️ Ignored ([Inspect](https://vercel.com/mysten-labs/sui-kiosk/8jHC1Lux4kgwaKfkcKAdAd4RZGdu)) | [Visit Preview](https://sui-kiosk-git-af-idx-patch-mysten-labs.vercel.app) | | Jun 21, 2024 8:24pm |
| **sui-typescript-docs** | ⬜️ Ignored ([Inspect](https://vercel.com/mysten-labs/sui-typescript-docs/64FUUoQrsM6BAefZkndyFCr2Va4G)) | [Visit Preview](https://sui-typescript-docs-git-af-idx-patch-mysten-labs.vercel.app) | | Jun 21, 2024 8:24pm |

semgrep-code-mystenlabs[bot] commented 1 week ago

Semgrep found 1 ssc-5a557c33-4191-4714-a574-8efb44cf209b finding:

Risk: Affected version of get-func-name is vulnerable to Uncontrolled Resource Consumption / Inefficient Regular Expression Complexity. The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.

Fix: Upgrade this library to at least version 2.0.1 at sui/pnpm-lock.yaml:16885.

Reference(s): https://github.com/advisories/GHSA-4q6p-r6v2-jvc5, CVE-2023-43646

Ignore this finding from ssc-5a557c33-4191-4714-a574-8efb44cf209b.

---

Semgrep found 3 ssc-efa14576-9601-4ae6-939c-3da58aa25013 findings:

Risk: Affected versions of vite are vulnerable to Improper Handling Of Case Sensitivity / Exposure Of Sensitive Information To An Unauthorized Actor / Improper Access Control. The vulnerability arises when the Vite development server's option, server.fs.deny, can be circumvented on case-insensitive file systems through the utilization of case-augmented versions of filenames, as the matcher derived from config.server.fs.deny fails to prevent access to sensitive files when raw filesystem paths are requested with augmented casing.

Manual Review Advice: A vulnerability from this advisory is reachable if you host vite's development server on Windows, and you rely on server.fs.deny to deny access to certain files.

Fix: Upgrade this library to at least version 4.5.2 at sui/examples/trading/frontend/pnpm-lock.yaml:4700.

Reference(s): https://github.com/advisories/GHSA-c24v-8rfc-w8vw, CVE-2023-34092, CVE-2024-23331

Ignore this finding from ssc-efa14576-9601-4ae6-939c-3da58aa25013.

---

Semgrep found 2 ssc-aff5e8de-c638-4356-8a93-120597e35ce9 findings:

Risk: Affected versions of @babel/traverse are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods path.evaluate() or path.evaluateTruthy() by compiling specially crafted code, potentially resulting in arbitrary code execution during compilation.

Manual Review Advice: A vulnerability from this advisory is reachable if you use a 3rd party plugin that relies on the path.evaluate() or path.evaluateTruthy() internal Babel methods, or one of the known affected plugins (@babel/plugin-transform-runtime, any 'polyfill provider' plugin that depends on @babel/helper-define-polyfill-provider, or @babel/preset-env when using its useBuiltIns option).

Fix: Upgrade this library to at least version 7.23.2 at sui/pnpm-lock.yaml:3938.

Reference(s): https://github.com/advisories/GHSA-67hx-6x53-jw92, CVE-2023-45133

Ignore this finding from ssc-aff5e8de-c638-4356-8a93-120597e35ce9.