Denial of Service (DoS) Reported in Snyk #6
Comments
Have the same issue.
FYI related GitHub advisory: GHSA-w573-4hg7-7wgq
Hey, I am also facing the same issue.
Same issue!
Saw it on GHSA-w573-4hg7-7wgq
We saw this today also..... fix is needed ASAP. https://nvd.nist.gov/vuln/detail/CVE-2022-38900
Same here!
Any updates?
Same issue here!
If someone also faces this issue because of the
This solves the issue of having outdated and potentially insecure transitive dependencies. There are no known behavior changes, so this is considered a non-breaking change / fix. See: reworkcss/css#163 See: SamVerschueren/decode-uri-component#6
Just wondering whether this repo is actively maintained. In the npm registry, it was last updated 5 years ago. Not sure whether there is any collaborator or maintainer for this package? I'm certain thousands of projects' CI are blocked by this. FYI folks, I tried to contact @SamVerschueren on Twitter but no reply yet.
I'll try to take a look today and release a fix.
Really appreciated. Thank you!
I just released a fix under Thanks everyone for chiming in and sorry for the late replies 🙏 .
Hey @SamVerschueren, what is the bug still existing? Just wanted to understand that before having my engineering team update. :)
The issue is that If the Snyk report is keeping you from installing or using the package, upgrading is definitely safe to do.
Thanks @SamVerschueren, you saved my work
Thanks, @SamVerschueren 😄
Just released version For instance
Thanks a lot @SamVerschueren
v0.2.1 has a bug and v0.2.2 has the fix SamVerschueren/decode-uri-component#6 (comment)
Issue still exists in 0.2.2
I'll have a look first thing in the morning. I don't really know how to test these vulnerabilities myself.
I think the fixed version needs to be reported to Snyk. The GitHub report is already updated; maybe you also need to publish a security advisory inside this repo. 🤷♂️
So I looked at the security report for v0.2.2 and I don't know why they still report it, but it's incorrect. The package handles that string correctly. I'll see what I can do for Snyk to pick up the patched version.
I'm in contact with Snyk to see what can be done here. I'll try to follow this up as closely as possible.
I had a back-and-forth with someone from Snyk. He also saw that v0.2.2 doesn't get flagged anymore and suggested waiting until Monday so I could run a new scan.
Oh, this page also doesn't show vulnerabilities anymore https://security.snyk.io/package/npm/decode-uri-component/0.2.2. So I guess we're good now? 🤷
Hey there Sam, I think you did great work right there. Thank you for getting back to us!
Can anyone explain how this is a CVE? This seems like a bug rather than a vulnerability. On certain inputs
It wasn't a vulnerability, it was just a bug like you said. It was not flagged as ReDoS but as DoS in the sense that if you provided wrong input, you could make a server crash if the developer didn't have proper error handling. This is just the thing with Snyk. People get paid per "vulnerability" they can find. Then you end up in situations like these where people get mad because their CI can't build the app anymore because of a stupid fake vulnerability...
I totally misread; every time I saw those "DoS" reports from Snyk, it was always "ReDoS," so I just assumed it was the same lame type of report. And wow, they are really stretching the definition of "Denial of Service." Thanks for releasing this new version. I really appreciate you helping with this, even though (if I'm guessing) you probably haven't thought about this library much since you first released it 5 years ago.
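The crash mode described in the thread above (a malformed input that throws and, when nothing catches it, takes a server down) is a general hazard of any percent-decoder, not just this package. The following is an added example, not code from this thread or from decode-uri-component: a defensive wrapper around Node's built-in decodeURIComponent, which raises URIError on malformed escapes such as a lone "%" or a truncated multi-byte sequence, so that bad input becomes a recorded rejection instead of an uncaught exception. The parseQuery helper and the SAMPLE_QUERY input are constructed for illustration.

```javascript
// Added example: converting decoder exceptions on malformed input into data.
// decodeURIComponent throws URIError on inputs like "%", "%zz" or "%E0%A4"
// (an incomplete UTF-8 sequence). An uncaught throw inside a request handler
// is exactly the "server crash" failure mode; catching it here contains it.

function safeDecode(value, fallback = null) {
  try {
    return { ok: true, value: decodeURIComponent(value) };
  } catch (err) {
    if (err instanceof URIError) {
      // Malformed percent-encoding: report it, keep the process alive.
      return { ok: false, value: fallback, reason: err.message };
    }
    throw err; // anything else is a genuine bug and should not be swallowed
  }
}

// Parse a raw query string into a key/value map. Parameters that fail to
// decode are collected in `rejected` rather than aborting the whole request.
function parseQuery(raw) {
  const params = {};
  const rejected = [];
  for (const pair of raw.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    // application/x-www-form-urlencoded uses "+" for space
    const key = safeDecode(rawKey.replace(/\+/g, ' '));
    const val = safeDecode(rawVal.replace(/\+/g, ' '));
    if (!key.ok || !val.ok) {
      rejected.push(pair);
      continue;
    }
    params[key.value] = val.value;
  }
  return { params, rejected };
}

// Constructed sample: one well-formed UTF-8 escape, one truncated escape,
// one plain parameter.
const SAMPLE_QUERY = '?q=caf%C3%A9&bad=%E0%A4&plain=x';

console.log(parseQuery(SAMPLE_QUERY));
// params: { q: 'café', plain: 'x' }, rejected: [ 'bad=%E0%A4' ]
```

Whether a rejected parameter should be dropped, logged, or answered with a 400 is an application decision; the point is that the decision is made by code rather than by an unhandled exception.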
This had been first attempted in 0abe66a but later reverted by 3b6c459 due to adobe/css-tools#77, reapplying since the issue is now fixed. --- This solves the issue of having outdated and potentially insecure transitive dependencies. There are no known behavior changes, so this is considered a non-breaking change / fix. See: reworkcss/css#163 See: SamVerschueren/decode-uri-component#6
Hey there, I found this issue while running a security scan with Snyk. It turned out there's a vulnerability. Hopefully there's a way to resolve this issue. Thank you.
Here are the error logs:
Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-DECODEURICOMPONENT-3149970] in decode-uri-component@0.2.0
    introduced by @testing-library/jest-dom@5.16.4 > css@3.0.0 > source-map-resolve@0.6.0 > decode-uri-component@0.2.0 and 2 other path(s)
  No upgrade or patch available