secure-code-warrior-for-github[bot]
commented
1 year ago Micro-Learning Topic: Insufficient access control (Detected by phrase)
Matched on "Improper Authorization"
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Insecure authentication (Detected by phrase)
Matched on "Improper Authentication"
Improper authentication happens when mechanisms intended to identify the user are flawed (easily tamperable or insufficient). This would allow an attacker to bypass access controls or to easily impersonate a user.
Try a challenge in Secure Code Warrior
Helpful references
- OWASP Improper Authentication prevention cheat sheet - This article is focused on providing clear, simple, actionable guidance for preventing improper authentication flaws in your applications.
Micro-Learning Topic: Regular expression denial of service (Detected by phrase)
Matched on "Regular Expression Denial of Service"
Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Weak input validation (Detected by phrase)
Matched on "Improper Input Validation"
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Try a challenge in Secure Code Warrior
Helpful references
- OWASP Top Ten 2021 A03: Injection - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
- OWASP Injection Prevention Cheat Sheet in Java - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your Java applications.
- OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications.
- OWASP Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing injection flaws in your applications.
- OWASP Top Ten Proactive Controls 2018 C5: Validate All Inputs - Detailed article on input validation as a programming technique for ensuring that only properly formatted data may enter a software system component.
Micro-Learning Topic: Cross-site scripting (Detected by phrase)
Matched on "Cross-site Scripting"
Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.
Try a challenge in Secure Code Warrior
Helpful references
- Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
- OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
- OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.
Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "Denial of Service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Information disclosure (Detected by phrase)
Matched on "Information Exposure"
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Open redirect (Detected by phrase)
Matched on "Open Redirect"
This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).
Try a challenge in Secure Code Warrior
Helpful references
- OWASP Unvalidated Redirects and Forwards Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing redirection and forwarding flaws in your applications.
- Preventing Open Redirection Attacks (C#) - A detailed Microsoft article on how to prevent open redirection vulnerabilities in ASP.NET MVC.
Micro-Learning Topic: Prototype pollution (Detected by phrase)
Matched on "Prototype Pollution"
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
sonarcloud[bot]
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json - package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------  | **696/1000****Why?** Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-ANSIREGEX-1583908](https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908) | No | Proof of Concept  | **554/1000**
**Why?** Has a fix available, CVSS 6.8 | Cross-site Scripting (XSS)
[SNYK-JS-AUTH0NEXTJSAUTH0-1314618](https://snyk.io/vuln/SNYK-JS-AUTH0NEXTJSAUTH0-1314618) | No | No Known Exploit  | **534/1000**
**Why?** Has a fix available, CVSS 6.4 | Information Exposure
[SNYK-JS-AUTH0NEXTJSAUTH0-2321384](https://snyk.io/vuln/SNYK-JS-AUTH0NEXTJSAUTH0-2321384) | No | No Known Exploit  | **696/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7.5 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-AXIOS-1579269](https://snyk.io/vuln/SNYK-JS-AXIOS-1579269) | No | Proof of Concept  | **586/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-BROWSERSLIST-1090194](https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194) | No | Proof of Concept  | **671/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 7 | Prototype Pollution
[SNYK-JS-MONGOOSE-2961688](https://snyk.io/vuln/SNYK-JS-MONGOOSE-2961688) | No | Proof of Concept  | **601/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 5.6 | Prototype Pollution
[SNYK-JS-MPATH-1577289](https://snyk.io/vuln/SNYK-JS-MPATH-1577289) | No | Proof of Concept  | **449/1000**
**Why?** Has a fix available, CVSS 4.7 | Open Redirect
[SNYK-JS-NEXT-1540422](https://snyk.io/vuln/SNYK-JS-NEXT-1540422) | Yes | No Known Exploit  | **484/1000**
**Why?** Has a fix available, CVSS 5.4 | Cross-site Scripting (XSS)
[SNYK-JS-NEXT-1577139](https://snyk.io/vuln/SNYK-JS-NEXT-1577139) | Yes | No Known Exploit  | **509/1000**
**Why?** Has a fix available, CVSS 5.9 | User Interface (UI) Misrepresentation of Critical Information
[SNYK-JS-NEXT-2405694](https://snyk.io/vuln/SNYK-JS-NEXT-2405694) | Yes | No Known Exploit  | **519/1000**
**Why?** Has a fix available, CVSS 6.1 | Open Redirect
[SNYK-JS-NEXTAUTH-2769574](https://snyk.io/vuln/SNYK-JS-NEXTAUTH-2769574) | Yes | No Known Exploit  | **484/1000**
**Why?** Has a fix available, CVSS 5.4 | Open Redirect
[SNYK-JS-NEXTAUTH-2841457](https://snyk.io/vuln/SNYK-JS-NEXTAUTH-2841457) | No | No Known Exploit  | **589/1000**
**Why?** Has a fix available, CVSS 7.5 | Denial of Service (DoS)
[SNYK-JS-NEXTAUTH-2933545](https://snyk.io/vuln/SNYK-JS-NEXTAUTH-2933545) | No | No Known Exploit  | **731/1000**
**Why?** Proof of Concept exploit, Has a fix available, CVSS 8.2 | Improper Input Validation
[SNYK-JS-NEXTAUTH-2944244](https://snyk.io/vuln/SNYK-JS-NEXTAUTH-2944244) | No | Proof of Concept  | **379/1000**
**Why?** Has a fix available, CVSS 3.3 | Information Exposure
[SNYK-JS-NEXTAUTH-2965597](https://snyk.io/vuln/SNYK-JS-NEXTAUTH-2965597) | No | No Known Exploit  | **669/1000**
**Why?** Has a fix available, CVSS 9.1 | Improper Authorization
[SNYK-JS-NEXTAUTH-2968127](https://snyk.io/vuln/SNYK-JS-NEXTAUTH-2968127) | No | No Known Exploit  | **626/1000**
**Why?** Recently disclosed, Has a fix available, CVSS 6.8 | Improper Authentication
[SNYK-JS-NEXTAUTH-3035577](https://snyk.io/vuln/SNYK-JS-NEXTAUTH-3035577) | Yes | No Known Exploit  | **539/1000**
**Why?** Has a fix available, CVSS 6.5 | Information Exposure
[SNYK-JS-NODEFETCH-2342118](https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118) | Yes | No Known Exploit  | **619/1000**
**Why?** Has a fix available, CVSS 8.1 | Remote Code Execution (RCE)
[SNYK-JS-SHELLQUOTE-1766506](https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-1766506) | Yes | No Known Exploit (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: @auth0/nextjs-auth0
The new version differs by 107 commits.- 762da1e Merge pull request #558 from auth0/release/v1.6.2
- 35f3f89 Release v1.6.2
- 0bbd9f8 Enforce configured host on user supplied returnTo (#557)
- 129650d Bump next from 11.1.2 to 11.1.3 (#556)
- c5d4fff fix: upgrade http-errors from 1.8.0 to 1.8.1 (#553)
- f7323d0 Merge pull request #543 from auth0/error-instanceof
- 1954087 Fix issue where error reporting wrong instanceof
- 3060c89 Merge pull request #531 from auth0/snyk-upgrade-fbe7e8fa031d12c55e1e6a76583750d5
- d1eea0d fix: upgrade openid-client from 4.9.0 to 4.9.1
- 994bd60 Merge pull request #530 from auth0/caching-readme
- cf07f2c Add README on caching and security
- a08d82f Merge pull request #519 from auth0/release/v1.6.1
- 967e4e7 Release v1.6.1
- 57e433a fix: upgrade openid-client from 4.8.0 to 4.9.0 (#518)
- e7fa509 Merge pull request #516 from auth0/release/v1.6.0
- b1c0b34 Release v1.6.0
- ffe5fd1 Merge pull request #513 from auth0/fix-coverage
- ce47cc2 Merge branch 'main' into fix-coverage
- 436595d Fix the coverage checker
- 5ef6a7b Fix #309 (#512)
- 3c2839b Merge pull request #511 from auth0/snyk-upgrade-981bb9f1395f8c0e4332a35364084bfd
- 16204ee fix: upgrade openid-client from 4.7.5 to 4.8.0
- a3b6fd1 Merge pull request #509 from auth0/deploy-docs
- 02daabe Highlight e2e testing and deployment in README
See the full diffPackage name: axios
The new version differs by 41 commits.- e367be5 [Releasing] 0.21.3
- 83ae383 Correctly add response interceptors to interceptor chain (#4013)
- c0c8761 [Updating] changelog to include links to issues and contributors
- 619bb46 [Releasing] v0.21.2
- 82c9455 Create SECURITY.md (#3981)
- 5b45711 Security fix for ReDoS (#3980)
- 5bc9ea2 Update ECOSYSTEM.md (#3817)
- e72813a Fixing README.md (#3818)
- e10a027 Fix README typo under Request Config (#3825)
- e091491 Update README.md (#3936)
- b42fbad Removed un-needed bracket
- 520c8dc Updating CI status badge (#3953)
- 4fbeecb Adding CI on Github Actions. (#3938)
- e9965bf Fixing the sauce labs tests (#3813)
- dbc634c Remove charset in tests (#3807)
- 3958e9f Add explanation of cancel token (#3803)
- 69949a6 Adding custom return type support to interceptor (#3783)
- 49509f6 Create FUNDING.yml (#3796)
- 199c8aa Adding parseInt to config.timeout (#3781)
- 94fc4ea Adding isAxiosError typeguard documentation (#3767)
- 0ece97c Fixing quadratic runtime when setting a maxContentLength (#3738)
- a18a0ec Updating `lib/core/README.md` about Dispatching requests (#3772)
- 59fa614 [Updated] follow-redirects to the latest version (#3771)
- 7821ed2 Feat/json improvements (#3763)
See the full diffPackage name: mongoose
The new version differs by 250 commits.- ca7996b chore: release 5.13.15
- e75732a Merge pull request #12307 from Automattic/vkarpov15/fix-5x-build
- a1144dc test: run node 7 tests with upgraded npm re: #12297
- dfc4ad7 test: try upgrading npm for node v4 tests re: #12297
- b9e985c test: more strict @ types/node version
- 4d813fa test: fix @ types/node version in tests re: #12297
- 99b4189 Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
- 5eb11dd made function non async
- 6a19731 fix(schema): disallow setting __proto__ when creating schema with dotted properties
- a2ec28d Merge pull request #11366 from laissonsilveira/5.x
- 05ce577 Fix broken link from findandmodify method deprecation
- d2b846f chore: release 5.13.14
- 69c1f6c docs(models): fix up nModified example for 5.x
- 4cfc4d6 fix(timestamps): avoid setting `createdAt` on documents that already exist but dont have createdAt
- a738440 chore: release 5.13.13
- 4d12a62 Merge pull request #10942 from jneal-afs/fix-query-set-ts-type
- c3463c4 Merge pull request #10916 from iovanom/gh-10902-v5
- ff5ddb5 fix: hardcode base 10 for nodeMajorVersion parseInt() call
- d205c4d make value optional
- c6fd7f7 Fix ts types for query set
- 22e9b3b [gh-10902 v5] Add node major version to utils
- 5468642 [gh-10902 v5] Emit end event in before close
- 271bc60 Merge pull request #10910 from lorand-horvath/patch-2
- b7ebeec Update mongodb driver to 3.7.3
See the full diffPackage name: next
The new version differs by 250 commits.- 8545fd1 v12.1.0
- 1605f30 v12.0.11-canary.21
- 69aedbd Fix typo (#34480)
- f0f322c Remove deprecation for relative URL usage in middlewares (#34461)
- d4d79b2 Fix chunk buffering for server components (#34474)
- 74fa4d4 update webpack (#34477)
- b70397e Revert "Allow reading request bodies in middlewares (#34294)" (#34479)
- 4202011 Update font-optimization test snapshot (#34478)
- 1edd851 Allow reading request bodies in middlewares (#34294)
- ba78437 fix: don't wrap `profile` in firebase example (#34457)
- f3c3810 Remove hello world RSC example. (#34456)
- 49da8c0 v12.0.11-canary.20
- 2264d35 Fix `.svg` image optimization with a `loader` prop (#34452)
- 59714db Update server-only changes HMR handling (#34298)
- d288d43 Update MDX Guide config example (#34405)
- 54dbeb3 update webpack (#34444)
- 9b38ffe Update 2.example_bug_report.yml
- 86aac3f Update 1.bug_report.yml
- 732b405 v12.0.11-canary.19
- 01524ef Revert swc css bump temporarily (#34440)
- 8a55612 Add image config for `dangerouslyAllowSVG` and `contentSecurityPolicy` (#34431)
- 9639fe7 Ensure we don't poll page in development when notFound: true is returned (#34352)
- 7e93a89 Update 2.example_bug_report.yml
- d88793d feat: improve opening a new issue flow (#34434)
See the full diff