nestjs / nest

A progressive Node.js framework for building efficient, scalable, and enterprise-grade server-side applications with TypeScript/JavaScript 🚀
https://nestjs.com
MIT License

Fastify template has vulnerability in itself #10610

Closed I-Am-Anger closed 1 year ago

I-Am-Anger commented 1 year ago

Is there an existing issue for this?

Current behavior

Installing nestjs/sample/10-fastify packages with npm install doesn't work as expected - installation reports CSRF attack

report:

```
fastify  4.0.0 - 4.10.1
Severity: high
fastify vulnerable to denial of service via malicious Content-Type - https://github.com/advisories/GHSA-455w-c45v-86rg
Fastify: Incorrect Content-Type parsing can lead to CSRF attack - https://github.com/advisories/GHSA-3fjj-p79j-c9hh
fix available via npm audit fix --force
Will install @nestjs/platform-fastify@9.2.0, which is outside the stated dependency range
node_modules/fastify
  @nestjs/platform-fastify  9.0.0-next.1 - 9.1.4
  Depends on vulnerable versions of fastify
  node_modules/@nestjs/platform-fastify

2 high severity vulnerabilities
```

Minimum reproduction code

https://github.com/nestjs/nest/tree/master/sample/10-fastify

Steps to reproduce

  1. degit https://github.com/nestjs/nest/sample/10-fastify project
  2. cd project
  3. npm install

Expected behavior

Installs node modules

Package

Other package

No response

NestJS version

9.0.1

Packages versions

```json
{
  "name": "nest-typescript-starter",
  "version": "1.0.0",
  "description": "Nest TypeScript starter repository",
  "license": "MIT",
  "scripts": {
    "prebuild": "rimraf dist",
    "build": "nest build",
    "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
    "start": "nest start",
    "start:dev": "nest start --watch",
    "start:debug": "nest start --debug --watch",
    "start:prod": "node dist/main",
    "lint": "eslint '{src,apps,libs,test}/**/*.ts' --fix",
    "test": "jest",
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
    "test:e2e": "echo 'No e2e tests implemented yet.'"
  },
  "dependencies": {
    "@nestjs/common": "9.0.1",
    "@nestjs/core": "9.0.1",
    "@nestjs/platform-fastify": "9.0.1",
    "class-transformer": "0.5.1",
    "class-validator": "0.13.2",
    "reflect-metadata": "0.1.13",
    "rimraf": "3.0.2",
    "rxjs": "7.5.5"
  },
  "devDependencies": {
    "@nestjs/cli": "9.0.0",
    "@nestjs/schematics": "9.0.1",
    "@nestjs/testing": "9.0.1",
    "@types/express": "4.17.13",
    "@types/node": "18.0.3",
    "@types/supertest": "2.0.12",
    "@typescript-eslint/eslint-plugin": "5.30.5",
    "@typescript-eslint/parser": "5.30.5",
    "eslint": "8.19.0",
    "eslint-config-prettier": "8.5.0",
    "eslint-plugin-import": "2.26.0",
    "jest": "28.1.2",
    "prettier": "2.7.1",
    "supertest": "6.2.4",
    "ts-jest": "28.0.5",
    "ts-loader": "9.3.1",
    "ts-node": "10.8.2",
    "tsconfig-paths": "4.0.0",
    "typescript": "4.7.4"
  }
}
```

Node.js version

No response

In which operating systems have you tested?

Other

No response
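The audit output quotes version ranges rather than single versions, and a prerelease tag such as 9.0.0-next.1 changes how a pinned version compares against them. As an added example (not code from the issue or from the nestjs project), this Node.js check implements the semver comparison and reports which pinned versions fall inside the reported ranges; the ADVISORIES ranges are copied from the output above, while the fastify version in SAMPLE_DEPS is a constructed assumption standing in for what a lockfile would resolve.

```javascript
// Advisory ranges copied from the npm audit output in this issue.
const ADVISORIES = [
  { name: 'fastify', min: '4.0.0', max: '4.10.1', ids: ['GHSA-455w-c45v-86rg', 'GHSA-3fjj-p79j-c9hh'] },
  { name: '@nestjs/platform-fastify', min: '9.0.0-next.1', max: '9.1.4', ids: ['depends on vulnerable fastify'] },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a numeric core and prerelease identifiers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric core first; a prerelease sorts before its release; prerelease
// identifiers compare numerically when both numeric, else lexically; shorter list sorts first.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre || !pb.pre) return pa.pre ? -1 : 1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    const bothNum = /^\d+$/.test(x) && /^\d+$/.test(y);
    if (bothNum ? +x !== +y : x !== y) return (bothNum ? +x < +y : x < y) ? -1 : 1;
  }
  return Math.sign(pa.pre.length - pb.pre.length);
}

// Given a {name: pinnedVersion} map, return every entry inside an advisory's inclusive range.
function affectedDependencies(deps, advisories = ADVISORIES) {
  const hits = [];
  for (const adv of advisories) {
    const version = deps[adv.name];
    if (!version) continue;
    if (compareVersions(version, adv.min) >= 0 && compareVersions(version, adv.max) <= 0) {
      hits.push({ name: adv.name, version, range: `${adv.min} - ${adv.max}`, ids: adv.ids });
    }
  }
  return hits;
}

// Constructed input: the sample's pinned @nestjs/platform-fastify from the package.json above,
// plus an assumed resolved fastify version (in practice read it from package-lock.json).
const SAMPLE_DEPS = { '@nestjs/platform-fastify': '9.0.1', fastify: '4.10.1' };
console.log(affectedDependencies(SAMPLE_DEPS));
```

Running it against the sample's pins lists both packages as affected, and swapping in the 9.2.0 that the audit proposes clears the platform-fastify hit.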

micalevisk commented 1 year ago

I guess this will be fixed by #10583