lightning-js / renderer

Lightning 3 Renderer
Apache License 2.0
57 stars 23 forks source link

Fix Snyk-Identified Security Issues #448

Closed tuncayyildirtanuk closed 1 week ago

tuncayyildirtanuk commented 1 week ago

Description:

Sky utilizes a static code analysis tool called Snyk to identify and manage potential security vulnerabilities. Recent scans have flagged the following security issues:

Screenshot 2024-11-14 at 15 56 12 Screenshot 2024-11-14 at 15 56 02 Screenshot 2024-11-14 at 15 55 51 Screenshot 2024-11-14 at 15 55 38 Screenshot 2024-11-14 at 15 55 24

Request: Could you review and address these security vulnerabilities? Ensuring that we’re using secure, up-to-date packages and implementing recommended fixes is critical for maintaining the integrity of our codebase.

Steps to Reproduce (if applicable):

1.  Run Snyk on the latest codebase.
2.  Review the identified issues and prioritize fixes based on severity.

Expected Outcome: All flagged security vulnerabilities are reviewed and addressed in accordance with Snyk’s recommendations.

elsassph commented 1 week ago

Not sure what validation could be done here: this is a low level library, src could be anything that makes sense for the app developer, so validation should be done at the app level.

wouterlucas commented 1 week ago

Fetch is a native browser API. This isn't a server side nodejs program as it gets executed on the browser, not on the server. They need to run Snyk with an appropriate profile as such that you do not get these messages for a browser app.

We can't do server side forgery from within JSC/V8/spidermonkey, else this would be a bug on the respective WebKit/Chromium/Mozilla. Which it aint.

If your security folks need an educational session about browsers, the difference between SSRF on a browser or a nodejs/deno/bun program and how SSRF's really work then feel free to reach out!