search

z0mt3c / hapi-swaggered-ui

An easy swagger-ui drop-in plugin for hapi (to be used with hapi-swaggered).
39 stars 31 forks source link

Reducing security vulnerabilities #142

Open Luketep opened 5 years ago

Luketep commented 5 years ago

Hey, we are using your tool and our audit procedures report unfixed vulnerabilites within your project. Since I don't want to fork it, I would like to submit a PR with the fixes. Please let me know if this is an option for you.

ermurri commented 4 years ago

@z0mt3c any chance you can address this issue?

Screen Shot 2020-02-26 at 16 01 10

Per the NPM referenced in the audit advisory:

Overview

All versions of ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the way up the stack. If no unhandled exception handler is available, the application will exist, allowing an attacker to shut down services.

Remediation

This package is deprecated and is now maintained as @hapi/ammo. Please update your dependencies to use @hapi/ammo.