search

VandelaySecurity / NodeGoat

Apache License 2.0
0 stars 0 forks source link

[🐸 Frogbot] Update version of async to 2.6.4 #52

Open github-actions[bot] opened 3 months ago

github-actions[bot] commented 3 months ago
[![🚨 This automated pull request was created by Frogbot and fixes the below:](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesFixBannerPR.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

📦 Vulnerable Dependencies

✍️ Summary

| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES | | :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | | ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)
High | Not Applicable | async:2.6.1
grunt-contrib-watch:1.1.0
cypress:3.3.1
grunt-jsbeautifier:0.2.13
grunt-retire:0.3.12 | async 2.6.1 | [2.6.4]
[3.2.2] | CVE-2021-43138 |

🔬 Research Details

Description: async is a utility module which provides straight-forward, powerful functions for working with asynchronous JavaScript.

The function mapValues was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input

Example of code vulnerable to this issue - 

const async = require('async'); 
var input = JSON.parse('{"a": 1, "b": 2, "__proto__": { "polluted": true }}');

async.mapValues(input, (val, key, next) => {
    next(null, val)
}, (err, result) => {
    // result's prototype is now polluted
    console.log(result.polluted);
})

Note that the prototype pollution affects only the prototype of the newly created object (result in the example above) and as such is much less destructive than a normal prototype pollution

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)
sonarcloud[bot] commented 3 months ago

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud