secure-code-warrior-for-github[bot]
commented
6 months ago Micro-Learning Topic: Regular expression denial of service (Detected by phrase)
Matched on "Regular Expression Denial of Service"
Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Cross-site request forgery (Detected by phrase)
Matched on "CSRF"
Session-related but not session-based, this attack is based on the ability of an attacker to force an action on a user’s browser (commonly in the form of a POST request) to perform an unauthorized action on behalf of the user. This can often occur without the user even noticing it… or only noticing when it is too late. The root cause is that browsers automatically send session cookies with all requests to a given domain, regardless of where the source of the request came from, and the application server cannot differentiate between a request that came from pages it served or a request that came from an unrelated page.
Try a challenge in Secure Code Warrior
Helpful references
- Securing Rails Applications - Cross-Site Request Forgery (CSRF) - A Rails Guide that describes common security problems in web applications and how to avoid them with Rails.
- Spring Security - Cross Site Request Forgery (CSRF) - A Spring Security article that describes Spring support for protecting against Cross Site Request Forgery attacks.
- csurf Node.js CSRF protection middleware - Documentation on CSRF protection provided by the csurf middleware for Express.
- XSRF/CSRF Prevention in ASP.NET MVC and Web Pages - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC and Web Pages.
- Django Documentation - Cross Site Request Forgery protection - Documentation on CSRF protection provided by the Django framework.
- OWASP Cross-Site Request Forgery Prevention Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing cross-site request forgery flaws in your applications.
- Laravel Docs - CSRF Protection - Documentation on CSRF protection provided by the Laravel framework.
- OWASP Cross Site Request Forgery (CSRF) - OWASP community page with comprehensive information about cross-site request forgery, and links to various OWASP resources to help detect or prevent it.
- Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET MVC Application - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC.
Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "Denial of Service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - packages/ui/clients/alfred/package.json - packages/ui/clients/alfred/package-lock.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------  | **658/1000****Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 5.3 | Regular Expression Denial of Service (ReDoS)
[SNYK-JS-AXIOS-6124857](https://snyk.io/vuln/SNYK-JS-AXIOS-6124857) | Yes | Proof of Concept (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: axios
The new version differs by 250 commits.- b15b918 chore(release): v1.6.3 (#6151)
- b76cce0 chore(ci): added branches filter for notify action; (#6084)
- 5e7ad38 fix: Regular Expression Denial of Service (ReDoS) (#6132)
- 8befb86 docs: update alloy link (#6145)
- d18f40d docs: add headline sponsors
- b3be365 chore(release): v1.6.2 (#6082)
- 8739acb chore(ci): removed redundant release action; (#6081)
- bfa9c30 chore(docs): fix outdated grunt to npm scripts (#6073)
- a2b0fb3 chore(docs): update README.md (#6048)
- b12a608 chore(ci): removed paths-ignore filter; (#6080)
- 0c9d886 chore(ci): reworked ignoring files logic; (#6079)
- 30873ee chore(ci): add paths-ignore config to testing action; (#6078)
- cff9967 feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; (#6046)
- 7009715 chore(ci): fixed release notification action; (#6064)
- 7144f10 chore(ci): fixed release notification action; (#6063)
- f6d2cf9 chore(ci): fix publish action content permission; (#6061)
- a22f4b9 chore(release): v1.6.1 (#6060)
- cb8bb2b chore(ci): Publish to NPM with provenance (#5835)
- 37cbf92 chore(ci): added labeling and notification for published PRs; (#6059)
- dd465ab fix(formdata): fixed content-type header normalization for non-standard browser environments; (#6056)
- 3dc8369 fix(platform): fixed emulated browser detection in node.js environment; (#6055)
- f7adacd chore(release): v1.6.0 (#6031)
- 9917e67 chore(ci): fix release-it arg; (#6032)
- 96ee232 fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028)
See the full diffPackage name: contentful
The new version differs by 250 commits.- d497590 Merge pull request #1967 from contentful/chore/bump-axios-1.x
- 0c420a5 Merge branch 'master' into chore/bump-axios-1.x
- 5462ba0 build(deps): bump type-fest from 4.0.0 to 4.1.0 (#1976)
- f7386ab build(deps-dev): bump core-js from 3.31.1 to 3.32.0 (#1975)
- 0e6f33f build(deps-dev): bump eslint-config-prettier from 8.8.0 to 8.9.0 (#1974)
- 09af8f4 chore: increase max bundle size
- c48c5a9 all scripts working as expected
- 8caf835 feat: bump axios 1.x [NONE]
- 198333a build(deps-dev): bump tslib from 2.6.0 to 2.6.1 (#1971)
- 570804d build(deps): bump contentful-sdk-core from 7.1.0 to 8.1.0 (#1968)
- 0c33234 build(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 (#1966)
- 857d04a build(deps-dev): bump webpack from 5.88.1 to 5.88.2 (#1965)
- 31316a5 build(deps): bump type-fest from 3.13.0 to 4.0.0 (#1962)
- fc966fa Merge pull request #1949 from contentful/fix/validation-message-null-type
- e653e6a fix: allow null type for validation message
- c12397b build(deps-dev): bump nodemon from 2.0.22 to 3.0.1 (#1960)
- bd7e8ff build(deps): bump type-fest from 3.12.0 to 3.13.0 (#1959)
- 53cc6b4 build(deps): bump tough-cookie from 4.0.0 to 4.1.3 (#1958)
- a859a3e build(deps-dev): bump core-js from 3.31.0 to 3.31.1 (#1957)
- 62d476b build(deps-dev): bump semantic-release from 21.0.6 to 21.0.7 (#1954)
- c45fcff fix: downgrade browseslist to support old browsers [PHX-2717] (#1948)
- 03883b4 build(deps-dev): bump ts-loader from 9.4.3 to 9.4.4 (#1952)
- 9c9edd4 build(deps-dev): bump semantic-release from 21.0.5 to 21.0.6 (#1950)
- bd3a5ec build(deps-dev): bump webpack from 5.88.0 to 5.88.1 (#1951)
See the full diff