Security Vulnerabilities in Chutzpah 4.4.12

[MuthuramanL]

Issue 1 -

Description

• A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

  Location

  • Chutzpah.4.4.12/tools/Node/packages/node_modules/qs/package.json

  Recommendation

  • Upgrade to version qs - 6.8.1
  • If you are using NPM 6 or above, you can run npm audit fix on your local machine to fix vulnerabilities. For more info, please visit https://docs.npmjs.com/cli/audit

Issue 2 -

Description

- Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Location

• Chutzpah.4.4.12/tools/Node/packages/node_modules/minimist/package.json

  Recommendation

  • Upgrade minimist from 1.2.5 to 1.2.6 to fix the vulnerability.
  • If you are using NPM 6 or above, you can run npm audit fix on your local machine to fix vulnerabilities. For more info, please visit https://docs.npmjs.com/cli/audit

[Evangelink]

Hey @mmanela, we are wondering if you would accept a PR fixing the issue mentioned above?

Also, we are wondering if you are planning on working on future security vulnerabilities that would target this project? We are using your runner as part of our integration tests on vstest to ensure we maintain compatibility and so we receive these vulnerabilities alerts.

Thank you!

[mmanela]

@Evangelink I would accept PRs. But in general, these vulnerabilities are really not exploitable the way Chutzpah is run.