Bump minimist from 1.2.5 to 1.2.6 in /web-widgets #4114
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6. - [Release notes](https://github.com/substack/minimist/releases) - [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6) --- updated-dependencies: - dependency-name: minimist dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
javascript
|
Prototype PollutionClick here to find a Prototype Pollution training lab DescriptionThe problem lies with the manner in which JavaScript implements inheritance by using a prototype. What this means, in a nutshell, is that every object contains a reference to the prototype of its class. When a property is requested from a particular object, the runtime first checks if the instance has the aforementioned property; otherwise, it looks it up in the prototype chain, recursively. The reference to the prototype is available via the Read moreImpactThe impact of Prototype Pollution is ultimately determined by the sensitivity and criticality of the data ingested by the application. It is not a vulnerability that is dangerous per se; rather, it all depends on how the application uses such untrusted properties. In other words, it merely alters the program data and flow. Scenario 1The following example considers an object (in a JavaScript console): > o = {x: 123, __proto__: {toString: () => console.log('Triggered!')}}
{ x: 123 }
> o + ''
Triggered!
'undefined'We have created an object with its own prototype that redefines the While this is important, it is unlikely that some kind of injection (e.g., an injection via GET parameters, cookies, etc.) ends up creating a JavaScript function ( In this case, there is no direct code execution, and the impact is merely that of adding another property to the object; since we are already injecting Scenario 2In this case, however, the application allows the alteration of an existing prototype. Consider the following: const someObject = {};
const someOtherObject = {};
// ...
someObject[UNTRUSTED_NAME] = UNTRUSTED_VALUE;
// ...
if (someOtherObject.isAdminEnabled) {
// do some sensitive stuff
}Being able to control UNTRUSTED_NAME = '__proto__';
UNTRUSTED_VALUE = {isAdminEnabled: 'whatever'};PreventionThere are different approaches to preventing Prototype Pollution, the most trivial of which is to disallow untrusted data being assigned to arbitrary properties altogether. If this is not possible, developers might implement some filtering so that it is not possible to overwrite TestingVerify that the application protects against JavaScript injection attacks, including for eval attacks, remote JavaScript includes, DOM XSS, and JavaScript expression evaluation.
ReferencesMedium - What is Prototype Pollution and why is it such a big deal? |
Micro-Learning Topic: Injection attack (Detected by phrase)Matched on "injection attack"Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Try this challenge in Secure Code WarriorMicro-Learning Topic: DOM-based cross-site scripting (Detected by phrase)Matched on "DOM XSS"DOM-based cross-site scripting vulnerabilities occur when unescaped input is processed by client-side script and insecurely written into the page Document Object Model (DOM). This will result in immediate changes to the page, potentially without any call to the server. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Cross-site scripting (Detected by phrase)Matched on "XSS"Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Denial of service (Detected by phrase)Matched on "denial of service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try this challenge in Secure Code Warrior |
dependabot
bot
deleted the
dependabot/npm_and_yarn/web-widgets/minimist-1.2.6
branch
Bumps minimist from 1.2.5 to 1.2.6.
Commits
7efb22a1.2.6ef88b93security notice for additional prototype pollution issuec2b9819isConstructorOrProto adapted from PRbc8eceetest from prototype pollution PRDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.