Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Security upgrade axios from 0.12.0 to 0.16.1 #51

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
low severity 416/1000
Why? Recently disclosed, Has a fix available, CVSS 2.6
Information Exposure
SNYK-JS-FOLLOWREDIRECTS-2396346
No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: axios The new version differs by 185 commits.
  • 5c8095e Releasing 0.16.1
  • 982183c Updating changelog
  • fa58223 Merge pull request #828 from mzabriskie/feature/return-last-request-in-redirects
  • a18f039 Merge pull request #829 from jcready/patch-3
  • df6b46c Add caret
  • 04982a2 Update follow-redirects dependency
  • 19644ba Adding documentation for Buffer data
  • 1883344 support node buffers less than 8192 bytes (#773)
  • bbfbeff Minor grammar/line length changes (#547)
  • a784774 Adding comment about header names (#778)
  • 88cc84c Adding documentation for response.request
  • 84d9a41 Adding code to assign the last request to axios response
  • e5beab0 Adding test checking the request in axios response is the last in a redirect
  • 08eb985 Merge pull request #818 from carlosromel/patch-1
  • 21b43ed Merge pull request #826 from mzabriskie/github-templates
  • 34b63f8 Adding additional instruction line
  • bb57daa Adding templates for issues and pull requests
  • 23c4dfc Update README.md
  • a8dab57 Merge pull request #741 from model3volution/Update/readme
  • 19b7948 Releasing 0.16.0
  • e6ffc52 Updating Upgrage Guide
  • 8d675bb Merge branch 'master' of github.com:mzabriskie/axios
  • 5b904d5 Updating changelog
  • efc1f11 Merge pull request #781 from TomyJaya/TomyJaya-patch-1

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

@secureflag-knowledge-base
Copy link

Open Redirect

Click here to find a Open Redirect training lab

Description

Open Redirects, otherwise known as Unvalidated Redirects and Forwards, are a class of vulnerability made possible when a web application, comprised of insufficient input-validation controls, is manipulated into redirecting unwitting users of the application to a malicious, attacker-controlled URL.

This type of exploit is popular with criminals involved in phishing and credential theft, unsurprising given the false layer of trust attributed to the fact that the modified link and the original site share the same server name.

Read more

Impact

There are many overlapping techniques criminals employ to dupe unwitting victims into handing over their hard-earned cash. One of these methods is undoubtedly betting on the misplaced trust many of us place in familiar server names. This write-up exemplifies how even the most arguably well-known URL of all, https://www.google.com, can be taken advantage of via its redirection facility.

In addition, Open Redirect vulnerabilities can:

  • Lead to Cross-Site Scripting (XSS) attacks if the redirect uses data: or javascript: protocols;
  • Potentially circumvent Server-Side Request Forgery (SSRF) filters;
  • Nullify allow list effectiveness in some cases to bypass Content Security Policy (CSP);
  • Lead to Carriage Return and Line Free (CRFL) attacks if line breaks are present in the destination parameter.

Scenarios

As outlined above, attackers often use this attack as it 'hijacks' the trust users place in a well-known URL.

Here's a topical example from 2021; if the target domain is www.covidvaccinations.com, an attacker might craft the following URL:

http://www.covidvaccinations.com/redirect.php?url=http://attackerwebsite.com

Attackers send links like the one above in phishing campaigns in the hopes that they will lure a victim into clicking on the link.

Prevention

The following measures can be applied to either eliminate or drastically reduce the potential for Open Redirect exploitation:

  • If they aren't necessary, don't use redirects and forwards!
  • In cases where they are required, do not allow the URL as user input for the destination;
  • When user input is unavoidable, validate the supplied value, its appropriateness for the application, and ensure it is authorized for the user:
    • This can be a fiddly task, so closely adhere to best practices and ensure continued maintenance.
  • If possible, force the user to provide an ID or token that is mapped server-side to a complete target URL;
  • Input sanitization should be implemented by creating an allow list of trusted URLs determined by host or regex.

Testing

Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content.

View this in the SecureFlag Knowledge Base

@secure-code-warrior-for-github

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try this challenge in Secure Code Warrior

@secure-code-warrior-for-github

Micro-Learning Topic: Unvalidated redirect (Detected by phrase)

Matched on "Unvalidated Redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Open redirect (Detected by phrase)

Matched on "Open Redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "XSS"

What is this? (2min video)

Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-Side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try this challenge in Secure Code Warrior

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant