Conversation

@eyalk007

Updated axios version without a vulnerability

@eyalk007 eyalk007 added dependencies Pull requests that update a dependency file safe to test Approve running integration tests on a pull request labels Oct 13, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 13, 2024
@eyalk007 eyalk007 force-pushed the enhancement/updated-axios branch from 99c17de to 8b084e1 Compare October 13, 2024 11:40
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Oct 13, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 13, 2024
@eyalk007 eyalk007 force-pushed the enhancement/updated-axios branch from 8b084e1 to 90ec1f2 Compare October 14, 2024 09:01
@eyalk007 eyalk007 requested a review from attiasas October 14, 2024 09:03
@eyalk007 eyalk007 self-assigned this Oct 14, 2024
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Oct 14, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 14, 2024
@eyalk007 eyalk007 force-pushed the enhancement/updated-axios branch from 90ec1f2 to 0dfe4c6 Compare October 14, 2024 09:05
@eyalk007 eyalk007 force-pushed the enhancement/updated-axios branch from 0dfe4c6 to 9864fe0 Compare October 14, 2024 09:08
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Oct 14, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 14, 2024
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@eyalk007 eyalk007 force-pushed the enhancement/updated-axios branch from 867b92f to a8a2892 Compare October 16, 2024 20:36
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@github-actions

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |
|---|---|---|---|---|---|
| Critical | Not Applicable | ts-jest:29.2.5 | ejs 3.1.10 | - | CVE-2023-29827 |

🔬 Research Details

Description:
Embedded JavaScript templates, also known as EJS, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.

When rendering views using EJS, it is possible to bypass ejs' template injection restrictions, by abusing the closeDelimiter rendering option, in the case when -

  1. The template itself can be partially controlled by the attacker
  2. The template rendering options can be fully controlled by the attacker

The vulnerability was rightfully disputed due to the fact that a vulnerable configuration is extremely unlikely to exist in any real-world setup. As such, the maintainers will not provide a fix for this (non-)issue.

Example of a vulnerable application -

```javascript
const express = require('express')
const app = express()
const port = 3000

app.set('view engine', 'ejs');

app.get('/page', (req,res) => {
    res.render('page', req.query); // OPTS (2nd parameter) IS ATTACKER-CONTROLLED
})

app.listen(port, () => {
  // template literal (backticks) so ${port} is actually interpolated
  console.log(`Example app listening on port ${port}`)
})
```

Contents of page.ejs (very unlikely to be attacker controlled) -

```
%%1");process.mainModule.require('child_process').execSync('calc');//
```

In this case, sending closeDelimiter with the same malicious code that already exists at page.ejs will trigger the injection -
`http://127.0.0.1:3000/page?settings[view%20options][closeDelimiter]=1")%3bprocess.mainModule.require('child_process').execSync('calc')%3b//`


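As an added defender-side example (not code from this PR or from the Frogbot report), the route from the scan above rewritten so that request data never reaches EJS as rendering options: `PAGE_FIELDS`, `buildLocals`, `findOptionOverrides` and `pageHandler` are names assumed here, and `sampleQuery` is a constructed object mirroring what Express's default extended query parser would produce for the bracket-notation URL shown.

```javascript
// Added example, not part of the PR or the Frogbot report. The defect in the scanned
// snippet is res.render('page', req.query): the whole query object becomes the render
// options, so nested keys such as settings['view options'].closeDelimiter reach EJS.

// Keys Express/EJS read as rendering options rather than template data (assumed list).
const RENDER_OPTION_KEYS = new Set([
  'settings', 'delimiter', 'openDelimiter', 'closeDelimiter', 'client', '_with',
  'localsName', 'outputFunctionName', 'escape', 'cache', 'filename', 'root', 'views',
]);

// The only query fields page.ejs legitimately needs (assumed for this example).
const PAGE_FIELDS = ['name'];

// Copies allow-listed string fields into a fresh object; nested objects are dropped.
function buildLocals(query, allowedKeys) {
  const locals = {};
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(query, key) && typeof query[key] === 'string') {
      locals[key] = query[key];
    }
  }
  return locals;
}

// Detection aid: returns the query keys that would have been treated as render options.
function findOptionOverrides(query) {
  return Object.keys(query).filter((key) => RENDER_OPTION_KEYS.has(key));
}

// Drop-in replacement for the vulnerable handler: same route, allow-listed locals only.
function pageHandler(req, res) {
  const overrides = findOptionOverrides(req.query);
  if (overrides.length > 0) {
    console.warn('dropped render-option keys from query string:', overrides.join(', '));
  }
  res.render('page', buildLocals(req.query, PAGE_FIELDS));
}

// Constructed sample: what the extended parser yields for
// ?name=alice&settings[view%20options][closeDelimiter]=...   (payload elided)
const sampleQuery = {
  name: 'alice',
  settings: { 'view options': { closeDelimiter: '1"); /* payload elided */' } },
};

// Stand-alone run with a stub `res`: only { name: 'alice' } reaches the engine.
pageHandler({ query: sampleQuery }, {
  render: (view, opts) => console.log(view, JSON.stringify(opts)),
});
```

The warning line gives operators a log signal for option-override attempts even though the attempt itself is neutralised.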
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@eyalk007 eyalk007 force-pushed the enhancement/updated-axios branch from db1afe8 to 39a2038 Compare October 16, 2024 23:00
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 16, 2024
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Feb 20, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Feb 20, 2025