dannycoates / able

A/B testing service
http://dannycoates.github.io/able/

Potential CORS issue? #14

Closed pdehaan closed 8 years ago

pdehaan commented 8 years ago

Not sure if we're using CORS, but noticed this while running nsp against a related project:

$ nsp check
(+) 2 vulnerabilities found
┌───────────────┬──────────────────────────────────────────────────────────┐
│               │ Incorrect handling of CORS preflight request headers     │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Name          │ hapi                                                     │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Installed     │ 9.3.1                                                    │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Vulnerable    │ <11.0.0                                                  │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Patched       │ >=11.0.0                                                 │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Path          │ able > hapi                                              │
├───────────────┼──────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/45                    │
└───────────────┴──────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                     │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Name          │ uglify-js                                                │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Installed     │ 2.4.24                                                   │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Vulnerable    │ All                                                      │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Patched       │ None                                                     │
├───────────────┼──────────────────────────────────────────────────────────┤
│ Path          │ able > uglify-js                                         │
├───────────────┼──────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/48                    │
└───────────────┴──────────────────────────────────────────────────────────┘

I filed the Hapi issue upstream as https://github.com/hapijs/hapi/issues/2896. Not sure if there is anything super-actionable we can do with it currently, unless we migrate to hapi@11 (which I believe requires Node 4+).

pdehaan commented 8 years ago

Eran says:

"No. The 9.x implementation is reasonable and as long as you don't use per-route settings should be fine. If you have a specific issue, open a new one."

Closing for now.
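The advisory in the nsp output above is about preflight handling, and the maintainer's reply says the 9.x behaviour is fine unless per-route settings are used. As an added illustration (not code from able, hapi, or either commenter), the following is a strict CORS preflight validator in plain Node.js that shows what "correct handling" of the preflight request headers looks like: the Origin, the requested method, and every requested header are each checked against a policy, and the response echoes only what was requested and permitted. The policy object, its field names (`origins`, `methods`, `headers`, `maxAge`), and the sample origin are this example's own constructions, not hapi configuration keys.

```javascript
'use strict';

// Constructed sample policy, in the spirit of a per-route CORS setting.
// Field names are this example's own assumption, not hapi's config keys.
const EXAMPLE_POLICY = {
  origins: ['https://app.example.test'],
  methods: ['GET', 'POST'],
  headers: ['content-type', 'authorization'],
  maxAge: 600,
};

// Split a comma-separated header value into trimmed, lower-cased tokens.
function parseList(value) {
  if (!value) return [];
  return value.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Decide a preflight (OPTIONS) request against a policy.
// Returns { allowed, reason, responseHeaders }; responseHeaders is empty on refusal.
function evaluatePreflight(policy, reqHeaders) {
  const origin = reqHeaders['origin'];
  const method = (reqHeaders['access-control-request-method'] || '').toUpperCase();
  const requested = parseList(reqHeaders['access-control-request-headers']);

  // 1. Origin must be on the explicit allow list (no wildcard, no reflection).
  if (!origin || !policy.origins.includes(origin)) {
    return { allowed: false, reason: 'origin not allowed', responseHeaders: {} };
  }
  // 2. The method the browser intends to use must be permitted for this route.
  if (!method || !policy.methods.includes(method)) {
    return { allowed: false, reason: `method ${method || '(none)'} not allowed`, responseHeaders: {} };
  }
  // 3. Every header the browser intends to send must be permitted; one bad
  //    header refuses the whole preflight rather than silently dropping it.
  const allowedHeaders = policy.headers.map((h) => h.toLowerCase());
  const rejected = requested.filter((h) => !allowedHeaders.includes(h));
  if (rejected.length > 0) {
    return { allowed: false, reason: `headers not allowed: ${rejected.join(', ')}`, responseHeaders: {} };
  }

  // Approve: echo back only the specific origin, method and headers that were
  // requested and permitted, so the browser learns nothing beyond its own ask.
  const responseHeaders = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': method,
    'Access-Control-Max-Age': String(policy.maxAge),
    'Vary': 'Origin',
  };
  if (requested.length > 0) {
    responseHeaders['Access-Control-Allow-Headers'] = requested.join(', ');
  }
  return { allowed: true, reason: 'ok', responseHeaders };
}

// Request handler usable with Node's http.createServer; it is not started here.
// Non-OPTIONS requests are out of scope for this example and get 405.
function preflightHandler(policy) {
  return (req, res) => {
    if (req.method !== 'OPTIONS') {
      res.writeHead(405, { 'Content-Type': 'text/plain' });
      res.end('preflight handler only');
      return;
    }
    const verdict = evaluatePreflight(policy, req.headers);
    if (!verdict.allowed) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end(verdict.reason);
      return;
    }
    res.writeHead(204, verdict.responseHeaders);
    res.end();
  };
}
```

To wire it into a server, pass `preflightHandler(EXAMPLE_POLICY)` to `http.createServer` and route OPTIONS requests to it. The point of the design is that each preflight header is validated against the route's own policy rather than a global default, which is exactly the distinction the maintainer's comment draws between global and per-route settings.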