nblumhardt
commented
4 years ago Hi, thanks for the note!
It looks like Snyk might be inspecting the package dependency graph rather than the resolved versions in the context of your target framework. Tools might do this because the dependency graph is easy to walk, while the resolution logic is extremely tough to get right.
Under the Information Exposure heading above:
Note: The presence of System.Net.Http in the dependency graph of netcoreapp2.0 isn't the final determination of what is loaded at runtime. The version conflict resolution logic will prefer what is present in Microsoft.NETCore.App/2.1.5, or latest patch release. As such, is not considered to an issue.
This applies to all of these. They're showing up because Sprache allows targeting of .NET Standard 1.0. NETStandard.Library 1.6.1 is the most recent version for the 1.x platform. (Sprache also allows targeting of Silverlight, for whatever that's worth!)
If you're targeting a recent, supported version of .NET, you'll get whatever dependencies versions are present in that version of the platform.
You can find out more about Sprache's platform support in:
https://github.com/sprache/Sprache/blob/develop/src/Sprache/Sprache.csproj
The only way to "fix" this in Sprache itself would be to drop support for older framework versions, which has a wider negative impact on users and wouldn't improve anyone's security - so reconfiguring Snyk will be the best option, here.
Cheers!
rogusdev
When using https://app.snyk.io to monitor my project, Sprache displays some errors about security.
Denial of Service (DoS)
Affected module: System.Net.Http@4.3.0 Introduced through: Sprache.Signed@2.2.0 Detailed paths Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
Overview system.net.http is an interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers. Affected versions of this package are vulnerable to Denial of Service (DoS) as ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc before 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.
Improper Certificate Validation
Affected module: System.Net.Http@4.3.0 Introduced through: Sprache.Signed@2.2.0 Detailed paths Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
Overview system.net.http is an interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers. Affected versions of this package are vulnerable to Improper Certificate Validation. It allows an attacker to bypass Enhanced Security Usage tagging when they present a certificate that is invalid for a specific use.
Privilege Escalation
Affected module: System.Net.Http@4.3.0 Introduced through: Sprache.Signed@2.2.0 Detailed paths Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
Overview system.net.http interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers. Affected versions of this package are vulnerable to Privilege Escalation due to failing to properly sanitize web requests.
Information Exposure
Affected module: System.Net.Http@4.3.0 Introduced through: Sprache.Signed@2.2.0 Detailed paths Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Net.Http@4.3.0
Overview system.net.http interface for modern HTTP applications, including HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers. Affected versions of this package are vulnerable to Information Exposure. When HTTP authentication information is inadvertently exposed in an outbound request that encounters an HTTP redirect. An attacker who successfully exploited this vulnerability could use the information to further compromise the web application. Note: The presence of System.Net.Http in the dependency graph of netcoreapp2.0 isn't the final determination of what is loaded at runtime. The version conflict resolution logic will prefer what is present in Microsoft.NETCore.App/2.1.5, or latest patch release. As such, is not considered to an issue.
Regular Expression Denial of Service (ReDoS)
Affected module: System.Text.RegularExpressions@4.3.0 Introduced through: Sprache.Signed@2.2.0 Detailed paths Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Text.RegularExpressions@4.3.0 Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Xml.ReaderWriter@4.3.0 > System.Text.RegularExpressions@4.3.0 Sprache.Signed@2.2.0 > NETStandard.Library@1.6.1 > System.Xml.XDocument@4.3.0 > System.Xml.ReaderWriter@4.3.0 > System.Text.RegularExpressions@4.3.0
Overview System.Text.RegularExpressions is a regular expression engine. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improperly processing of RegEx strings.