danwrong / restler

REST client library for node.js
MIT License

Update qs module #186

Closed pdehaan closed 9 years ago

pdehaan commented 10 years ago

Re: https://blog.liftsecurity.io/2014/08/06/denial-of-service-in-qs https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking https://nodesecurity.io/advisories/qs_dos_memory_exhaustion

The hapijs/qs module should be updated to the latest 1.x (I believe the current latest is qs@1.2.0 already).

Steps to reproduce:

  1. Clone repo:

    $ git clone git@github.com:danwrong/restler.git .
    Cloning into '.'...
    remote: Counting objects: 887, done.
    remote: Total 887 (delta 0), reused 0 (delta 0)
    Receiving objects: 100% (887/887), 388.74 KiB | 405.00 KiB/s, done.
    Resolving deltas: 100% (356/356), done.
    Checking connectivity... done.
  2. Install modules:

    $ npm i
  3. Create npm-shrinkwrap file, including devDependencies:

    $ npm shrinkwrap --dev
    wrote npm-shrinkwrap.json
  4. Install the nsp module globally:

    $ sudo npm i nsp -g
  5. Check the newly generated npm-shrinkwrap.json file against the nodesecurity.io database:

    $ nsp audit-shrinkwrap
    Name  Installed  Patched  Vulnerable Dependency
    qs      0.6.6     >= 1.x  restler

And I was grabbing the latest versions of the modules in package.json using npm outdated:

    $ npm outdated --depth 0 | sort
    Package     Current  Wanted  Latest  Location
    iconv-lite   0.2.11  0.2.11   0.4.4  iconv-lite
    nodeunit      0.8.2   0.8.2   0.9.0  nodeunit
    qs            0.6.6   0.6.6   1.2.0  qs
    xml2js        0.4.0   0.4.0   0.4.4  xml2js

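
The check that `nsp audit-shrinkwrap` performs in step 5, as an added example that is not part of restler or of nsp: walk the nested `dependencies` objects of an npm-shrinkwrap.json document and flag any package installed below the first patched version. The advisory table holds only the qs entry from this thread (vulnerable below 1.x), and the shrinkwrap document is constructed to resemble the versions listed above.

```javascript
// Added example, not project code: minimal shrinkwrap audit in the spirit of
// `nsp audit-shrinkwrap`. Advisory table and sample document are constructed.

// package name -> lowest version that is no longer vulnerable
const ADVISORIES = {
  qs: '1.0.0', // qs DoS advisories (event loop blocking, memory exhaustion): fixed in 1.x
};

// Numeric compare of "major.minor.patch" strings; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively visit every "dependencies" object in the shrinkwrap tree and
// record each package whose installed version is below the patched version,
// together with the chain of packages that pulled it in.
function auditShrinkwrap(shrinkwrap, advisories = ADVISORIES) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const patched = advisories[name];
      if (patched && compareSemver(info.version, patched) < 0) {
        findings.push({
          name,
          installed: info.version,
          patched: `>= ${patched}`,
          via: path.length ? path.join(' > ') : shrinkwrap.name,
        });
      }
      walk(info.dependencies, path.concat(name)); // nested (non-deduped) deps
    }
  }
  walk(shrinkwrap.dependencies, []);
  return findings;
}

// Constructed shrinkwrap fragment: restler pins qs 0.6.6 directly, while a
// hypothetical dev tool carries its own nested, already patched qs 1.2.0.
const SAMPLE_SHRINKWRAP = {
  name: 'restler',
  dependencies: {
    qs: { version: '0.6.6' },
    xml2js: { version: '0.4.0' },
    'iconv-lite': { version: '0.2.11' },
    'some-dev-tool': { version: '1.0.0', dependencies: { qs: { version: '1.2.0' } } },
  },
};
```

Running `auditShrinkwrap(SAMPLE_SHRINKWRAP)` reports the one finding the thread shows (qs 0.6.6, patched >= 1.0.0, via restler) and leaves the nested 1.2.0 copy alone.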
jbender commented 9 years ago

:+1:

Stono commented 9 years ago

Hi @pdehaan @jbender this vulnerability is breaking my pipeline as you've never pushed to npmjs.org since making the change.

Can I ask when you plan to do a version bump?

easternbloc commented 9 years ago

Hi I can bump next Tues when I'm back at work. Sorry it can't be sooner.

On Fri, Jun 26, 2015 at 11:14 AM, Karl Stoney notifications@github.com wrote:

> Hi @pdehaan @jbender this vulnerability is breaking my pipeline as you've never pushed to npmjs.org since making the change.
>
> Can I ask when you plan to do a version bump?
>
> Reply to this email directly or view it on GitHub: https://github.com/danwrong/restler/issues/186#issuecomment-115596005

Stono commented 9 years ago

@easternbloc That'd be great, thanks! Please let me know when you've done it.

Stono commented 9 years ago

@easternbloc polite ping/reminder :) We have a release tomorrow and it would be great to get this in for that.

easternbloc commented 9 years ago

@Stono done :love_letter:

Stono commented 9 years ago

@easternbloc legend, thank you. You may wanna close #216 as completed.