mmaelzer / mjpeg-camera

A node.js library and/or server for connecting to, recording from, and streaming mjpeg cameras.
70 stars 23 forks

lodash Prototype Pollution Vulnerability #10

Closed zavalyshyn closed 4 years ago

zavalyshyn commented 4 years ago

The Lodash library has been found to be vulnerable to a Prototype Pollution attack. npm advises an update to the latest library version.

Do you think it will require a lot of effort?

I tried running 'npm audit fix' but apparently the patch causes breaking changes in mjpeg-camera code.

mmaelzer commented 4 years ago

Thanks for raising this issue! I'd be happy to take a pull request for this fix. It should only take 2 small changes to remove the lodash dependency:

Replace line 29 with

this.name = options.name || ('camera' + (Math.floor(Math.random() * 1000)));

Replace line 35 with

this.sendImmediately = 'sendImmediately' in options ? options.sendImmediately : true;

After those changes, you should be able to remove the dependency on lodash and this would no longer be an issue.

mmaelzer commented 4 years ago

I went ahead and fixed this as there was another issue in mjpeg-consumer that I wanted to bring into this library.

zavalyshyn commented 4 years ago

Wow, just when I wanted to contribute somehow :) Thanks a lot!

mmaelzer commented 4 years ago

If you run across issues in any of my other libraries, I'm always happy to take pull requests. Additionally, if you want to improve mjpeg-camera, it could certainly use some tests. The tests for mjpeg-consumer would be a great starting point for mjpeg-camera tests.