sendinblue / APIv3-csharp-library

SendinBlue's C# library for API v3
MIT License

FubarCoder.RestSharp.Portable is deprecated and hasn't been updated since 2016 #72

Open philipborg opened 12 months ago

philipborg commented 12 months ago

The dependency was last updated in 2016 and officially deprecated in 2018. Especially as it's a networking library, this is unacceptable from a security perspective. It also causes compatibility issues with modern code-bases.

https://github.com/FubarDevelopment/restsharp.portable

gabriel-ecegi commented 11 months ago

Yes, this library contains High Severity vulnerabilities

Issues with no direct upgrade or patch:

✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Medium Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMIOCOMPRESSIONZIPFILE-174570] in System.IO.Compression.ZipFile@4.0.1
  introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.Core@4.0.8 > NETStandard.Library@1.6.0 > System.IO.Compression.ZipFile@4.0.1 and 1 other path(s)
  This issue was fixed in versions: 4.3.0

✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045] in System.Net.Http@4.1.0
  introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s)
  This issue was fixed in versions: 4.1.2, 4.3.2

✗ Improper Certificate Validation [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046] in System.Net.Http@4.1.0
  introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s)
  This issue was fixed in versions: 4.1.2, 4.3.2

✗ Privilege Escalation [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047] in System.Net.Http@4.1.0
  introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s)
  This issue was fixed in versions: 4.1.2, 4.3.2

✗ Authentication Bypass [Medium Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048] in System.Net.Http@4.1.0
  introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s)
  This issue was fixed in versions: 4.1.2, 4.3.2

✗ Information Exposure [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439] in System.Net.Http@4.1.0
  introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.HttpClient@4.0.8 > System.Net.Http@4.1.0 and 3 other path(s)
  This issue was fixed in versions: 2.0.20710, 4.0.1-beta-23225, 4.1.4, 4.3.4

✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708] in System.Text.RegularExpressions@4.3.0
  introduced by sib_api_v3_sdk@4.0.2 > FubarCoder.RestSharp.Portable.Core@4.0.8 > NETStandard.Library@1.6.0 > System.Text.RegularExpressions@4.3.0 and 19 other path(s)
  This issue was fixed in versions: 4.3.1
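Every finding in the report above sits in a transitive package, so a consuming project can lift those packages itself. The project file below is an added example, not part of the thread or of the SDK: it adds direct references at the highest fixed version the report lists for each package, relying on NuGet's rule that a direct reference takes precedence over a lower transitive one. The target framework is an assumption, as is that the SDK still builds and runs against the newer packages.

```xml
<!-- Added example: .csproj of an application that consumes the SDK.
     The target framework is an assumption; package versions come from the Snyk report above. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- The SDK version named in the report; it brings in
         FubarCoder.RestSharp.Portable.Core / .HttpClient 4.0.8. -->
    <PackageReference Include="sib_api_v3_sdk" Version="4.0.2" />

    <!-- System.Net.Http 4.1.0 arrives via FubarCoder.RestSharp.Portable.HttpClient.
         Five findings are fixed in 4.3.2, Information Exposure only in 4.3.4,
         so 4.3.4 is the lowest 4.3.x version that covers all six. -->
    <PackageReference Include="System.Net.Http" Version="4.3.4" />

    <!-- System.Text.RegularExpressions 4.3.0 (ReDoS), fixed in 4.3.1. -->
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />

    <!-- System.IO.Compression.ZipFile 4.0.1 (Zip Slip), fixed in 4.3.0. -->
    <PackageReference Include="System.IO.Compression.ZipFile" Version="4.3.0" />
  </ItemGroup>

</Project>
```

After a restore, `dotnet list package --vulnerable --include-transitive` shows whether any flagged version is still resolved. The pins only raise the transitive packages; FubarCoder.RestSharp.Portable itself stays at 4.0.8 and remains unmaintained.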

anthonyvia commented 10 months ago

I am also running into incompatibility issues with modern code bases because of this dependency. FWIW the newest version of swagger codegen uses a different HTTP library. However, I couldn't get this generated code to compile. We are having to write our own implementation of the Brevo/Sendinblue API due to this.

maftieu commented 5 months ago

Has this been changed in Brevo CSharp? https://www.nuget.org/packages/brevo_csharp/

philipborg commented 5 months ago

> Has this been changed in Brevo CSharp? https://www.nuget.org/packages/brevo_csharp/

Nope, it still depends on FubarCoder.RestSharp.Portable.

Liandrel commented 1 month ago

Brevo responded to my ticket in helpdesk that they tried to update the SDK but encountered numerous errors. Therefore, they decided to maintain the current version for the time being. So if you wanna use it, I think that you need to write your own SDK for security reasons.