ShaneK / Matador

Front-end web interface for Bull Job Manager
MIT License
98 stars 51 forks

Security issues #25

Closed tanqhnguyen closed 8 years ago

tanqhnguyen commented 8 years ago

We are using nsp to check for vulnerabilities and bull has 3 of them due to old version of express. Is there any plan to upgrade to a newer version of express?

```text
> nsp check

(+) 3 vulnerabilities found

  Regular Expression Denial of Service
  Name         ms
  Installed    0.7.0
  Vulnerable   <=0.7.0
  Patched      >0.7.0
  Path         > bull-ui@1.0.3 > express@4.10.8 > d
  More Info    https://nodesecurity.io/advisories/46

  Root Path Disclosure
  Name         send
  Installed    0.10.1
  Vulnerable   <0.11.1
  Patched      >=0.11.1
  Path         > bull-ui@1.0.3 > express@4.10.8 > s
  More Info    https://nodesecurity.io/advisories/56

  Regular Expression Denial of Service
  Name         ms
  Installed    0.6.2
  Vulnerable   <=0.7.0
  Patched      >0.7.0
  Path         > bull-ui@1.0.3 > express@4.10.8 > s
  More Info    https://nodesecurity.io/advisories/46
```

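For readers who want to see how an audit tool such as nsp decides that these transitive dependencies are affected, here is an added example (not code from Matador, bull-ui or nsp) that evaluates the advisory ranges quoted in the report above against installed versions; the installed-package list, the abbreviated paths and the `audit` function are constructed for illustration.

```javascript
// Added example: evaluate advisory version ranges the way a dependency audit does.
// Supports the simple comparator grammar seen in the nsp report (<, <=, >, >=, =).
function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// A range is one or more space-separated comparators that must all hold, e.g. ">=0.10.0 <0.11.1".
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<=': return c <= 0;
      case '>=': return c >= 0;
      case '<': return c < 0;
      case '>': return c > 0;
      default: return c === 0;
    }
  });
}

// Advisory ranges transcribed from the nsp output in this issue.
const ADVISORIES = [
  { id: 46, name: 'ms', title: 'Regular Expression Denial of Service', vulnerable: '<=0.7.0' },
  { id: 56, name: 'send', title: 'Root Path Disclosure', vulnerable: '<0.11.1' },
];

// installed: [{ name, version, path }] records; returns one finding per matching advisory.
function audit(installed, advisories = ADVISORIES) {
  const findings = [];
  for (const pkg of installed) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && satisfies(pkg.version, adv.vulnerable)) {
        findings.push({ id: adv.id, title: adv.title, name: pkg.name, version: pkg.version, path: pkg.path });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the report: the same transitive path is abbreviated as a placeholder.
const INSTALLED = [
  { name: 'ms', version: '0.7.0', path: 'bull-ui@1.0.3 > express@4.10.8 > <dependency>' },
  { name: 'send', version: '0.10.1', path: 'bull-ui@1.0.3 > express@4.10.8 > <dependency>' },
  { name: 'ms', version: '0.6.2', path: 'bull-ui@1.0.3 > express@4.10.8 > <dependency>' },
];
```

Note that the boundary is inclusive for `ms` (`<=0.7.0` flags exactly 0.7.0) and exclusive for `send` (`<0.11.1` clears 0.11.1), which is why an upgrade must land on the patched side of each range rather than merely a newer release.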
ShaneK commented 8 years ago

I left the company I was working at when I originally made (and needed) Matador, and so for a while I haven't really done anything with it. I don't even have an environment to test it with currently.

However, this weekend I will look into setting up an environment to play with locally and fixing certain things that seem to be outdated; I'll attempt to update the express version in this as well.

Thank you for letting me know about the security issues!

ShaneK commented 8 years ago

Fixed in #28