Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Security upgrade ejs from 2.3.4 to 3.1.7 #56

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

harunpehlivan
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 798/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.1
Remote Code Execution (RCE)
SNYK-JS-EJS-2803307
Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-EJS-2803307
@secureflag-knowledge-base
Copy link

Code Injection

Click here to find a Code Injection training lab

Description

Code Injection, also known as Remote Code Execution (RCE), is possible when unsafe user-supplied data is used to run server-side code. This is typically as a result of an application executing code without prior validation, thus allowing an attacker to execute arbitrary code within the context of the vulnerable application.

Not to be confused with OS Command Injection, Code Injection attacks allow the attacker to add their own code to be executed by the application, whereas OS Command Injection extends the preset functionality of the application to execute system commands, usually within the context of a shell.

Code Injection attacks are only limited by the functionality of the language the attacker has injected i.e. not very limited at all! If PHP code is the language chosen for the injection and is executed successfully, the attacker has every utility available in PHP at her/his disposal.

The Code Injection attack category encompasses multiple types of injection attacks, all of which are very prevalent and capable of extremely high levels of compromise. Indeed, OWASP has listed injection attacks as the number 1 web application security risk since 2013.

Read more

Impact

Malicious attackers can leverage Code Injection vulnerabilities to gain a foothold in the hosting infrastructure, pivot to connected systems throughout the organization, execute unauthorized commands, and fully compromise the confidentiality, integrity, and availability of the application. Depending on the injection, this can usually lead to the complete compromise of the underlying operating system.

The list of devastating Code Injection attacks, both public and behind closed doors, is far too long to list. Hot off the press in 2020, this Code Injection discovery was shown to affect the default Mail application on stock iPhones and iPads, resulting in remote code execution.

In this particular instance, the vulnerability was identified by a security company which notified the vendor, Apple, of the issue. However, it is important as a developer to internalize the glaring reality that poorly written, unsecure code opens the way for attackers to potentially wreak havoc, which is why learning secure codeing skills from the beginning can potentially prevent an employer-destroying headline down the track.

Prevention

Code Injection attacks leveraging any language can be avoided by simply following some basic, yet essential, security practices. Overarching these general practices is the rule that a developer should treat all data as untrusted.

Developers must not dynamically generate code that can be interpreted or executed by the application using user-provided data. Evaluating code that contains user input should only be implemented if there is no other way of achieving the same result without code execution.

Testing

Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.

View this in the SecureFlag Knowledge Base

@secure-code-warrior-for-github

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "OS Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Injection attack (Detected by phrase)

Matched on "Injection attack"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try this challenge in Secure Code Warrior

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants