yurikrupnik / mussia7

mussia7 project
batman-ten.vercel.app
MIT License

[DepShield] (CVSS 7.5) Vulnerability due to usage of q:1.5.1 #6

Open sonatype-depshield[bot] opened 3 years ago

sonatype-depshield[bot] commented 3 years ago

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):


Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

lerna:4.0.0
  └─ @lerna/version:4.0.0
      └─ @lerna/conventional-commits:4.0.0
          ├─ conventional-changelog-angular:5.0.12
          │   └─ q:1.5.1
          ├─ conventional-changelog-core:4.2.2
          │   └─ q:1.5.1
          └─ conventional-recommended-bump:6.1.0
              └─ q:1.5.1

rollup-plugin-postcss:4.0.0
  └─ cssnano:4.1.11
      └─ cssnano-preset-default:4.0.8
          └─ postcss-svgo:4.0.3
              └─ svgo:1.3.2
                  └─ coa:2.0.2
                      └─ q:1.5.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

secure-code-warrior-for-github[bot] commented 3 years ago

Micro-Learning Topic: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE 22)

What is this? (2min video)

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Path traversal (Detected by phrase)

What is this? (2min video)

Path traversal vulnerabilities occur when inputs that have not been sufficiently validated or sanitised are used to build directory or file paths. If an attacker can influence the path being accessed by the server, they may be able to gain unauthorised access to files or even execute arbitrary code on the server (when coupled with file upload functionality).

Try this challenge in Secure Code Warrior