cnnlabs / cnn-hapi

CNN Hapi

HapiJs Security Alert #26

Closed adslaton closed 8 years ago

adslaton commented 8 years ago

Why

Hapi Security Alert

call does not validate empty parameters, which could result in invalid input bypassing the route validation rules. For example, in the routing scheme /api/{param}/{param2}/details, a request made to /api/// would match incorrectly.

Affected versions: 8.0.0-rc4 to 13.4.1
Fixed versions: 13.4.2
Solution: Upgrade to latest version.
Credit: Nicolas Morel
Sources:
https://nodesecurity.io/advisories/121
https://github.com/hapijs/hapi/issues/3228

adslaton commented 8 years ago

Closed as we updated to hapi#13.5.0 in cnn-hapi#0.6.5
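
The empty-parameter match described in the alert above, as an added example that is not part of the original thread and is not code from hapi or its router: a simplified path matcher in which one quantifier decides whether an empty segment can satisfy {param}. The names compileRoute, matchRoute and compare are hypothetical, and the request paths are constructed samples.

```javascript
// Simplified model of path-parameter matching; NOT hapi's or its router's code.
// compileRoute, matchRoute and compare are hypothetical names for this example.
function escapeLiteral(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function compileRoute(pattern, allowEmpty) {
  const names = [];
  const segments = pattern.split('/').map((segment) => {
    const param = /^\{(\w+)\}$/.exec(segment);
    if (!param) return escapeLiteral(segment);
    names.push(param[1]);
    // The whole difference: '*' accepts an empty segment, '+' needs a character.
    return allowEmpty ? '([^/]*)' : '([^/]+)';
  });
  return { names, regex: new RegExp('^' + segments.join('/') + '$') };
}

function matchRoute(route, path) {
  const hit = route.regex.exec(path);
  if (!hit) return null;
  const params = {};
  route.names.forEach((name, i) => { params[name] = hit[i + 1]; });
  return params;
}

const PATTERN = '/api/{param}/{param2}/details'; // routing scheme from the alert
const lax = compileRoute(PATTERN, true);         // models the affected behaviour
const strict = compileRoute(PATTERN, false);     // models the expected behaviour

function compare(path) {
  return { lax: matchRoute(lax, path), strict: matchRoute(strict, path) };
}

// Constructed request paths: one normal, two with empty parameters.
for (const path of ['/api/a/b/details', '/api///details', '/api/a//details']) {
  console.log(path, JSON.stringify(compare(path)));
}
```

The two empty-segment paths can be kept as regression requests against an application's own routes after the upgrade, where they should no longer reach the handler.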