guardrails[bot]
commented
1 year ago :warning: We detected 22 security issues in this pull request:
Hard-Coded Secrets (1)
Severity | Details | Docs :-: | :-- | :-: Medium | Title: **Secret Keyword**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/modules/user/config/install/user.mail.yml#L34 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/general/hard-coded_secrets.html?utm_source=ghpr#SecretKeyword) More info on how to fix Hard-Coded Secrets in [General](https://docs.guardrails.io/docs/en/vulnerabilities/general/hard-coded_secrets.html?utm_source=ghpr). ---
Insecure Use of Regular Expressions (4)
Severity | Details | Docs :-: | :-- | :-: Medium | Title: **Regex DOS (ReDOS)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/misc/position.es6.js#L30 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr#security/detect-unsafe-regex) Medium | Title: **Regex DOS (ReDOS)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/misc/position.js#L13 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr#security/detect-unsafe-regex) Medium | Title: **Regex DOS (ReDOS)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/scripts/js/ckeditor5-types-documentation.js#L30 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr#security/detect-unsafe-regex) Medium | Title: **Regex DOS (ReDOS)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/scripts/js/vendor-update.js#L34 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr#security/detect-unsafe-regex) More info on how to fix Insecure Use of Regular Expressions in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_regular_expressions.html?utm_source=ghpr). ---
Information Disclosure (1)
Severity | Details | Docs :-: | :-- | :-: Medium | Title: **Use of phpinfo()**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/modules/system/src/Controller/SystemInfoController.php#L62 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/php/information-disclosure.html?utm_source=ghpr#phpinfo-use) More info on how to fix Information Disclosure in [PHP](https://docs.guardrails.io/docs/en/vulnerabilities/php/information-disclosure.html?utm_source=ghpr). ---
Vulnerable Libraries (7)
Severity | Details :-: | :-- N/A | [pkg:npm/debug@2.6.9@2.6.9](https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/yarn.lock#L2792) (t) upgrade to: *3.1.0* Medium | [pkg:npm/jquery-form@4.3.0@4.3.0](https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/yarn.lock#L4168) (t) - **no patch available** High | [pkg:npm/minimatch@3.0.4@3.0.4](https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/yarn.lock#L4649) (t) upgrade to: *3.0.5* Critical | [pkg:npm/vm2@3.9.12@3.9.12](https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/yarn.lock#L6596) (t) upgrade to: *3.9.15* N/A | [pkg:npm/jake@10.8.5@10.8.5](https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/yarn.lock#L4145) (t) - **no patch available** Medium | [pkg:npm/node-fetch@2.6.7@2.6.7](https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/yarn.lock#L4822) (t) - **no patch available** High | [pkg:npm/webpack@5.75.0@5.75.0](https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/yarn.lock#L6678) (t) upgrade to: *5.76.0* More info on how to fix Vulnerable Libraries in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/using_vulnerable_libraries.html?utm_source=ghpr). ---
Insecure Use of Dangerous Function (6)
Severity | Details | Docs :-: | :-- | :-: Medium | Title: **Dynamic evaluation of untrusted input (Frontend)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/modules/ckeditor5/js/ckeditor5.admin.es6.js#L328 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) Medium | Title: **Dynamic evaluation of untrusted input (Frontend)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/modules/ckeditor5/js/ckeditor5.admin.es6.js#L737 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) Medium | Title: **Dynamic evaluation of untrusted input (Frontend)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/modules/ckeditor5/js/ckeditor5.admin.js#L184 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) Medium | Title: **Dynamic evaluation of untrusted input (Frontend)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/modules/ckeditor5/js/ckeditor5.admin.js#L386 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) Medium | Title: **Dynamic evaluation of untrusted input (Frontend)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/themes/olivero/js/second-level-navigation.es6.js#L81 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) Medium | Title: **Dynamic evaluation of untrusted input (Frontend)**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/themes/olivero/js/second-level-navigation.js#L38 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr#javascript.lang.eval-dom-frontend) More info on how to fix Insecure Use of Dangerous Function in [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_use_of_dangerous_function.html?utm_source=ghpr). ---
Insecure Processing of Data (3)
Severity | Details | Docs :-: | :-- | :-: Low | Title: **Insecure HTTP redirect**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/.ht.router.php#L29 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/php/insecure_processing_of_data.html?utm_source=ghpr#http-redirect-gr) Medium | Title: **Unescaped user input in HTML**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/modules/ckeditor5/js/ckeditor5.es6.js#L652 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_processing_of_data.html?utm_source=ghpr#javascript.lang.taint-frontend-html-injection) Medium | Title: **Unescaped user input in HTML**
https://github.com/pantheon-systems/drops-8/blob/c36d836fed694523bcb53966409e5663210cd7b0/core/modules/ckeditor5/js/ckeditor5.js#L291 | [:books:](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_processing_of_data.html?utm_source=ghpr#javascript.lang.taint-frontend-html-injection) More info on how to fix Insecure Processing of Data in [PHP](https://docs.guardrails.io/docs/en/vulnerabilities/php/insecure_processing_of_data.html?utm_source=ghpr) and [JavaScript](https://docs.guardrails.io/docs/en/vulnerabilities/javascript/insecure_processing_of_data.html?utm_source=ghpr).
👉 Go to the dashboard for detailed results.
📥 Happy? Share your feedback with us.
pantheon-upstream
Update from Drupal 9.1.0 to Drupal 9.5.8.
This is experimental. Do not merge.