aliyun / oss-browser

OSS Browser provides functionality similar to Windows Explorer. Users can conveniently browse files, upload and download files, with support for resumable transfers and more.
3.15k stars 441 forks

[fix] nodemailer vulnerable version #429

Open CharlesArea opened 2 years ago

CharlesArea commented 2 years ago

nodemailer 4.0.1 has two fairly serious vulnerabilities. 1) Command Injection CVE-2020-7769, for example:

-bi@example.com (-bi Initialize the alias database.)
-d0.1a@example.com (The option -d0.1 prints the version of Sendmail and the options it was compiled with.)
-Dfilename@example.com (Debug output file)

2) HTTP Header Injection CVE-2021-23400, for example:

```js
const userEmail = 'foo@bar.com\r\nSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable
await transporter.sendMail({
  from: '...',
  to: '...',
  replyTo: {
    name: 'Customer',
    address: userEmail,
  },
  subject: 'My Subject',
  text: message,
});
```

I suggest upgrading from 4.0.1 to 6.7.2 / 6.6.1 (no compatibility problems found so far).
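Upgrading is the actual fix; independently of the nodemailer version, a service that builds mail from request data can also reject address values that carry the two injection shapes the PR describes before they reach the mailer. The following is an added example written for this page, not code from the PR or from nodemailer, and the `checkAddress` / `validateEnvelope` functions and the sample envelope are constructed here for illustration:

```javascript
// Added example (not part of the PR or of nodemailer): validate user-controllable
// address fields before passing them to a mailer. It mirrors the two issue classes
// the PR describes:
//  - CR or LF inside an address value lets extra headers be injected
//    (the CVE-2021-23400 class);
//  - a local part beginning with '-' can be read as a sendmail command-line
//    option when the sendmail transport is used (the CVE-2020-7769 class).
// The functions and the sample envelope below are constructed for illustration.

const CRLF_RE = /[\r\n]/;
// Conservative address shape: no whitespace, no control characters, exactly one '@'.
const ADDRESS_RE = /^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/;

// Returns { ok, reason } for a single address string.
function checkAddress(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (CRLF_RE.test(value)) return { ok: false, reason: 'CR/LF in address (header injection)' };
  if (value.startsWith('-')) return { ok: false, reason: 'leading "-" (would parse as a sendmail option)' };
  if (!ADDRESS_RE.test(value)) return { ok: false, reason: 'malformed address' };
  return { ok: true, reason: null };
}

// Checks every address-bearing field of a sendMail()-style envelope. Each field may be
// a string, a { name, address } object, or an array of either. Returns a list of
// human-readable problems; an empty list means the envelope is safe to hand over.
function validateEnvelope(mail) {
  const problems = [];
  for (const field of ['from', 'to', 'cc', 'bcc', 'replyTo']) {
    const raw = mail[field];
    if (raw === undefined) continue;
    const entries = Array.isArray(raw) ? raw : [raw];
    for (const entry of entries) {
      const isObject = entry !== null && typeof entry === 'object';
      const addr = isObject ? entry.address : entry;
      const res = checkAddress(addr);
      if (!res.ok) problems.push(`${field}: ${res.reason}`);
      // The display name is also folded into the header line, so it gets the same CR/LF check.
      if (isObject && CRLF_RE.test(String(entry.name || ''))) {
        problems.push(`${field}: CR/LF in display name`);
      }
    }
  }
  if (typeof mail.subject === 'string' && CRLF_RE.test(mail.subject)) {
    problems.push('subject: CR/LF in subject');
  }
  return problems;
}

// Constructed sample: the replyTo address carries the CRLF payload from the PR.
const sampleEnvelope = {
  from: 'service@example.com',
  to: ['user@example.com'],
  replyTo: { name: 'Customer', address: 'foo@bar.com\r\nSubject: foobar' },
  subject: 'My Subject',
  text: 'hello',
};

console.log(validateEnvelope(sampleEnvelope));
// → [ 'replyTo: CR/LF in address (header injection)' ]
```

Run `validateEnvelope` on the assembled envelope and refuse to send (and log the rejection) when the returned list is non-empty; the leading-`-` rule is only relevant when the sendmail transport is in use, but rejecting such addresses costs nothing for SMTP transports too.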

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.