razorpay / razorpay-capacitor

Capacitor wrapper around Razorpay's Android and iOS SDKs
https://www.npmjs.com/package/com.razorpay.capacitor

Migration to capacitor v6 #88

Closed vivekshindhe closed 2 months ago

vivekshindhe commented 3 months ago

Capacitor-v6 migration

semgrep-app[bot] commented 3 months ago

Semgrep found 1 ssc-8abd6e57-5702-4914-9d9f-20b1230565eb finding:

Risk: terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.

Fix: Upgrade this library to at least version 4.8.1 at razorpay-capacitor/testPlugin/package-lock.json:15215.

Reference(s): https://github.com/advisories/GHSA-4wf5-vphf-c2xc, CVE-2022-25858


#

Semgrep found 1 ssc-d818226f-1a1a-4ae3-831b-6a9c41b82268 finding:

Risk: Affected versions of browserify-sign are vulnerable to Improper Verification Of Cryptographic Signature. The vulnerability lies in the checkValue function incorrectly verifying the upper bounds of the r and s components in a signature, enabling attackers to manipulate the s component by setting it to the prime number q, thereby simulating a zero value for s and potentially resulting in the unauthorized acceptance of maliciously signed messages during signature verification.

Fix: Upgrade this library to at least version 4.2.2 at razorpay-capacitor/testPlugin/package-lock.json:3962.

Reference(s): https://github.com/advisories/GHSA-x9w5-v3q2-3rhw, CVE-2023-46234


#

Semgrep found 1 ssc-4e59e976-8886-47a3-9b32-abcb3212a6c1 finding:

Risk: http-cache-semantics versions before 4.1.1 are vulnerable to Inefficient Regular Expression Complexity leading to Denial of Service. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Fix: Upgrade this library to at least version 4.1.1 at razorpay-capacitor/testPlugin/package-lock.json:7757.

Reference(s): https://github.com/advisories/GHSA-rc47-6667-2j5j, CVE-2022-25881


#

Semgrep found 1 ssc-6edc0f2e-785a-4b5a-817c-b15be7c2dd50 finding:

Risk: engine.io versions 3.6.0 or 6.2.0 and earlier are vulnerable to an Uncaught Exception. A specially crafted HTTP request can trigger this uncaught exception and as a result will kill the Node.js process. The fix is available in versions 3.6.1 and 6.2.1.

Manual Review Advice: A vulnerability from this advisory is reachable if you host a public-facing engine.io server.

Fix: Upgrade this library to at least version 3.6.1 at razorpay-capacitor/testPlugin/package-lock.json:6146.

Reference(s): https://github.com/advisories/GHSA-r7qp-cfhv-p84w, CVE-2022-41940


#

Semgrep found 1 ssc-81a24017-d446-4018-a477-3c5a65306f7e finding:

Risk: karma 6.x before 6.3.14 is vulnerable to improper neutralization of input during web page generation ('cross-site scripting'). Karma does not enforce the HTTP protocol on the return_url query parameter which leads to reflected cross-site scripting when providing a URL like https://$KARMA_ROOT/?return_url=javascript:alert(document.domain). Upgrade to karma 6.3.14.

Manual Review Advice: A vulnerability from this advisory is reachable if you run the karma server locally or host a public-facing karma server.

Fix: Upgrade this library to at least version 6.3.14 at razorpay-capacitor/testPlugin/package-lock.json:9147.

Reference(s): https://github.com/advisories/GHSA-7x7c-qm48-pq9c, CVE-2022-0437


#

Semgrep found 1 ssc-aff5e8de-c638-4356-8a93-120597e35ce9 finding:

Risk: Affected versions of @babel/traverse are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods path.evaluate() or path.evaluateTruthy() by compiling specially crafted code, potentially resulting in arbitrary code execution during compilation.

Manual Review Advice: A vulnerability from this advisory is reachable if you use a 3rd party plugin that relies on the path.evaluate() or path.evaluateTruthy() internal Babel methods, or one of the known affected plugins (@babel/plugin-transform-runtime, any 'polyfill provider' plugin that depends on @babel/helper-define-polyfill-provider, or @babel/preset-env when using its useBuiltIns option).

Fix: Upgrade this library to at least version 7.23.2 at razorpay-capacitor/testPlugin/package-lock.json:2341.

Reference(s): https://github.com/advisories/GHSA-67hx-6x53-jw92, CVE-2023-45133
