Fix security issues in dependencies and Studio directly #979
Commits on Jan 9, 2023
-
Fix prototype pollution vulnerability in settings handling
URL parameters could be used to modify the root prototype, eg.: ?__proto__.toString=peter Fortunately, the assigned value is always a string, so it's not possible to overwrite functions with other functions. The example above just leads to a JS error which is caught by the application and an error is then displayed. It might be possible to add a new field to the prototype that then leads to other code checking `if ('foo' in obj)` to behave differently. But I couldn't find a spot that could be abused. I might very well have missed something, but my guess would be that this vulnerability is not really exploitable in a bad way. Note: I think only one of the `{}` needs to be replaced by `Object.create(null)`, but it doesn't hurt just replacing all of them. From a quick glance, I also didn't find any similar problems in the code base. -
-
This updates a ton of other dependencies. In particular, it also fixes a ton of security issues within the dependency tree.
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.