auth0 / node-auth0

Node.js client library for the Auth0 platform.
MIT License

[SDK-4030] Add timeout and proxy settings #838

Closed adamjmcgrath closed 1 year ago

adamjmcgrath commented 1 year ago

Changes

Add ability to pass agent, timeoutDuration and headers to the api and jwks requests.

semgrep-app[bot] commented 1 year ago

Semgrep found 1 ssc-ee6f7d49-6c2e-4e70-ae96-e1f32647e936 finding:

Risk: vm2 versions before 3.9.17 are vulnerable to Improper Neutralization Of Special Elements In Output Used By A Downstream Component ('Injection'). An attacker can raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.

Fix: Upgrade this library to at least version 3.9.17 at node-auth0/package-lock.json:24323.

Reference(s): https://github.com/advisories/GHSA-ch3r-j5x3-6q2m, CVE-2023-30547

Created by ssc-ee6f7d49-6c2e-4e70-ae96-e1f32647e936.


Semgrep found 1 ssc-1286f396-f1d3-46c6-9e68-74429d10c3c4 finding:

Risk: vm2 versions before 3.9.15 are vulnerable to Improper Control Of Dynamically-Managed Code Resources due to improper control of dynamically-managed code resources related to Error.prepareStackTrace in unhandled async errors. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Fix: Upgrade this library to at least version 3.9.15 at node-auth0/package-lock.json:24323.

Reference(s): https://github.com/advisories/GHSA-7jxr-cg7f-gpgv, CVE-2023-29017

Created by ssc-1286f396-f1d3-46c6-9e68-74429d10c3c4.
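
A lockfile check for the two findings above, as an added example that is not part of the PR or of Semgrep's output: it lists every installed copy of vm2 in a parsed package-lock.json (including nested, transitive copies) and flags those below 3.9.17. The function names and the sample lockfile are constructed for illustration.

```javascript
// Fixed version from the findings above; 3.9.17 satisfies both advisories.
const FIXED = "3.9.17";

// Parse "x.y.z"; pre-release and build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(version, fixed) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true; // unparseable: flag for manual review
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Every installed copy of `name`: lockfileVersion 2/3 "packages" keys and
// lockfileVersion 1 nested "dependencies" (deduplicated by install path).
function findInstalled(lock, name) {
  const hits = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.set(path, meta.version);
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${dep}`;
      if (dep === name && !hits.has(here)) hits.set(here, meta.version);
      walk(meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({ path, version }));
}

function vulnerableCopies(lock, name = "vm2", fixed = FIXED) {
  return findInstalled(lock, name).filter((h) => isBelow(h.version, fixed));
}

// Constructed sample lockfile (not the project's real package-lock.json).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/vm2": { version: "3.9.14" },
    "node_modules/proxy-tool/node_modules/vm2": { version: "3.9.17" },
    "node_modules/vm2-helper": { version: "1.0.0" },
  },
};
console.log(vulnerableCopies(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the lockfile contents to `vulnerableCopies`.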