search

garlictech / yaha

Yet another hiking app
0 stars 0 forks source link

chore(deps): update dependency fast-xml-parser to v4.4.1 [security] #975

Open renovate[bot] opened 2 months ago

renovate[bot] commented 2 months ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
fast-xml-parser 4.0.9 -> 4.4.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-26920

Impact

As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked

Patches

The problem has been patched in v4.1.2

Workarounds

User can check for "proto" in the XML string before parsing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

CVE-2024-41818

Summary

A ReDOS that exists on currency.js was discovered by Gauss Security Labs R&D team.

Details

https://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.4.0/src/v5/valueParsers/currency.js#L10 contains a vulnerable regex

PoC

pass the following string '\t'.repeat(13337) + '.'

Impact

Denial of service during currency parsing in experimental version 5 of fast-xml-parser-library

https://gauss-security.com

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser) ### [`v4.4.1`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.4.0...v4.4.1) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.4.0...v4.4.1) ### [`v4.4.0`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.6...v4.4.0) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.6...v4.4.0) ### [`v4.3.6`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.5...v4.3.6) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.5...v4.3.6) ### [`v4.3.5`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.4...v4.3.5) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.4...v4.3.5) ### [`v4.3.4`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.3...v4.3.4) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.3...v4.3.4) ### [`v4.3.3`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.2...v4.3.3) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.2...v4.3.3) ### [`v4.3.2`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.1...v4.3.2) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.1...v4.3.2) ### [`v4.3.1`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.0...v4.3.1) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.0...v4.3.1) ### [`v4.3.0`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.7...v4.3.0) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.7...v4.3.0) ### [`v4.2.7`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.6...v4.2.7) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.6...v4.2.7) ### [`v4.2.6`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.5...v4.2.6) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.5...v4.2.6) ### [`v4.2.5`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.4...v4.2.5) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.4...v4.2.5) ### [`v4.2.4`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.2.4): Security Fix [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.3...v4.2.4) Update to this release if you use entity parsing in Fast XML Parser. ### [`v4.2.3`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/4.2.2...v4.2.3) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/4.2.2...v4.2.3) ### [`v4.2.2`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/4.2.1...4.2.2) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/4.2.1...4.2.2) ### [`v4.2.1`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.0...4.2.1) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.0...4.2.1) ### [`v4.2.0`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.4...v4.2.0) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.4...v4.2.0) ### [`v4.1.4`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.3...v4.1.4) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.3...v4.1.4) ### [`v4.1.3`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.2...v4.1.3) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.2...v4.1.3) ### [`v4.1.2`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.1...v4.1.2) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.1...v4.1.2) ### [`v4.1.1`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.0...v4.1.1) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.0...v4.1.1) ### [`v4.1.0`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.15...v4.1.0) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.15...v4.1.0) ### [`v4.0.15`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.14...v4.0.15) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.14...v4.0.15) ### [`v4.0.14`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.13...v4.0.14) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.13...v4.0.14) ### [`v4.0.13`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.12...v4.0.13) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.12...v4.0.13) ### [`v4.0.12`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.11...v4.0.12) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.11...v4.0.12) ### [`v4.0.11`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.10...v4.0.11) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.10...v4.0.11) ### [`v4.0.10`](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.9...v4.0.10) [Compare Source](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.9...v4.0.10)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.