Closed MuthuramanL closed 2 years ago
Hey @mmanela, we are wondering if you would accept a PR fixing the issue mentioned above?
Also, we are wondering if you are planning on working on future security vulnerabilities that would target this project? We are using your runner as part of our integration tests on vstest to ensure we maintain compatibility and so we receive these vulnerabilities alerts.
Thank you!
@Evangelink I would accept PRs. But in general, these vulnerabilities are really not exploitable the way Chutzpah is run.
Issue 1 -
Description
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.
Location
Recommendation
Issue 2 -
Description
Location
Chutzpah.4.4.12/tools/Node/packages/node_modules/minimist/package.json
Recommendation