[Snyk] Fix for 81 vulnerabilities #75

Open
wants to merge 1 commit into
base: master

@snyk-bot snyk-bot commented Apr 9, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
    Find out more.

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
|---|---|---|---|---|
| medium | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905 | Yes | Proof of Concept |
| high | 681/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.2) | Command Injection SNYK-JS-LODASH-1040724 | Yes | Proof of Concept |
| high | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-LODASH-450202 | Yes | Proof of Concept |
| high | 731/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 8.2) | Prototype Pollution SNYK-JS-LODASH-567746 | Yes | Proof of Concept |
| high | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-LODASH-608086 | Yes | Proof of Concept |
| high | 686/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.3) | Prototype Pollution SNYK-JS-LODASH-73638 | Yes | Proof of Concept |
| medium | 541/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 4.4) | Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639 | Yes | Proof of Concept |
| medium | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342073 | Yes | Proof of Concept |
| medium | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-2342082 | Yes | Proof of Concept |
| medium | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-451540 | No | No Known Exploit |
| medium | 520/1000 (Why? Has a fix available, CVSS 5.9) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MARKED-584281 | Yes | No Known Exploit |
| high | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388 | Yes | No Known Exploit |
| medium | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818 | Yes | No Known Exploit |
| low | 506/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 3.7) | Prototype Pollution SNYK-JS-MINIMIST-2429795 | Yes | Proof of Concept |
| medium | 601/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.6) | Prototype Pollution SNYK-JS-MINIMIST-559764 | Yes | Proof of Concept |
| medium | 479/1000 (Why? Has a fix available, CVSS 5.3) | Improper Certificate Validation SNYK-JS-NODESASS-1059081 | Yes | No Known Exploit |
| medium | /1000 (Why?) | Out-of-bounds Read SNYK-JS-NODESASS-535499 | Yes | No Known Exploit |
| high | /1000 (Why?) | Out-of-bounds Read SNYK-JS-NODESASS-535501 | Yes | Proof of Concept |
| high | /1000 (Why?) | Uncontrolled Recursion SNYK-JS-NODESASS-535503 | Yes | No Known Exploit |
| medium | /1000 (Why?) | Resource Exhaustion SNYK-JS-NODESASS-535504 | Yes | Proof of Concept |
| high | /1000 (Why?) | NULL Pointer Dereference SNYK-JS-NODESASS-535505 | Yes | Proof of Concept |
| high | /1000 (Why?) | Uncontrolled Recursion SNYK-JS-NODESASS-540960 | Yes | No Known Exploit |
| high | /1000 (Why?) | Out-of-bounds Read SNYK-JS-NODESASS-540962 | Yes | No Known Exploit |
| high | /1000 (Why?) | Improper Input Validation SNYK-JS-NODESASS-540966 | Yes | No Known Exploit |
| high | /1000 (Why?) | Improper Input Validation SNYK-JS-NODESASS-540968 | Yes | No Known Exploit |
| high | /1000 (Why?) | Uncontrolled Recursion SNYK-JS-NODESASS-540970 | Yes | No Known Exploit |
| high | /1000 (Why?) | Out-of-bounds Read SNYK-JS-NODESASS-540972 | Yes | No Known Exploit |
| high | /1000 (Why?) | NULL Pointer Dereference SNYK-JS-NODESASS-540974 | Yes | Proof of Concept |
| medium | /1000 (Why?) | Denial of Service (DoS) SNYK-JS-NODESASS-540982 | Yes | Proof of Concept |
| medium | /1000 (Why?) | Out-of-bounds Read SNYK-JS-NODESASS-540984 | Yes | No Known Exploit |
| high | /1000 (Why?) | Out-of-bounds Read SNYK-JS-NODESASS-540986 | Yes | No Known Exploit |
| high | /1000 (Why?) | Denial of Service (DoS) SNYK-JS-NODESASS-540988 | Yes | No Known Exploit |
| medium | /1000 (Why?) | Denial of Service (DoS) SNYK-JS-NODESASS-542662 | Yes | No Known Exploit |
| medium | 454/1000 (Why? Has a fix available, CVSS 4.8) | Session Fixation SNYK-JS-PASSPORT-2840631 | No | No Known Exploit |
| high | 482/1000 (Why? Proof of Concept exploit, CVSS 7.5) | Prototype Poisoning SNYK-JS-QS-3153490 | Yes | Proof of Concept |
| medium | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-REDIS-1255645 | Yes | No Known Exploit |
| medium | 646/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 6.5) | Prototype Pollution SNYK-JS-SAILS-2428337 | Yes | Proof of Concept |
| high | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Denial of Service (DoS) SNYK-JS-SAILSHOOKSOCKETS-589929 | Yes | Proof of Concept |
| medium | 479/1000 (Why? Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-SCSSTOKENIZER-2339884 | Yes | No Known Exploit |
| critical | 791/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 9.4) | SQL Injection SNYK-JS-SEQUELIZE-2932027 | Yes | Proof of Concept |
| high | 564/1000 (Why? Has a fix available, CVSS 7) | SQL Injection SNYK-JS-SEQUELIZE-2959225 | Yes | No Known Exploit |
| high | 629/1000 (Why? Has a fix available, CVSS 8.3) | Improper Filtering of Special Elements SNYK-JS-SEQUELIZE-3324088 | Yes | No Known Exploit |
| medium | /1000 (Why?) | Information Exposure SNYK-JS-SEQUELIZE-3324089 | Yes | No Known Exploit |
| medium | /1000 (Why?) | Access of Resource Using Incompatible Type ('Type Confusion') SNYK-JS-SEQUELIZE-3324090 | Yes | No Known Exploit |
| high | /1000 (Why?) | Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506 | Yes | No Known Exploit |
| medium | /1000 (Why?) | Insecure Defaults SNYK-JS-SOCKETIO-1024859 | Yes | Proof of Concept |
| high | /1000 (Why?) | Denial of Service (DoS) SNYK-JS-SOCKETIOPARSER-1056752 | Yes | Proof of Concept |
| critical | /1000 (Why?) | Improper Input Validation SNYK-JS-SOCKETIOPARSER-3091012 | Yes | No Known Exploit |
| low | /1000 (Why?) | Cross-site Scripting (XSS) SNYK-JS-STRIPTAGS-1312310 | Yes | No Known Exploit |
| high | /1000 (Why?) | Arbitrary File Overwrite SNYK-JS-TAR-1536528 | Yes | No Known Exploit |
| high | /1000 (Why?) | Arbitrary File Overwrite SNYK-JS-TAR-1536531 | Yes | No Known Exploit |
| low | 410/1000 (Why? Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS) SNYK-JS-TAR-1536758 | Yes | No Known Exploit |
| high | 639/1000 (Why? Has a fix available, CVSS 8.5) | Arbitrary File Write SNYK-JS-TAR-1579147 | Yes | No Known Exploit |
| high | 639/1000 (Why? Has a fix available, CVSS 8.5) | Arbitrary File Write SNYK-JS-TAR-1579152 | Yes | No Known Exploit |
| high | 639/1000 (Why? Has a fix available, CVSS 8.5) | Arbitrary File Write SNYK-JS-TAR-1579155 | Yes | No Known Exploit |
| high | 589/1000 (Why? Has a fix available, CVSS 7.5) | Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042 | Yes | No Known Exploit |
| medium | /1000 (Why?) | Regular Expression Denial of Service (ReDoS) SNYK-JS-UGLIFYJS-1727251 | Yes | No Known Exploit |
| medium | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090599 | Yes | Proof of Concept |
| medium | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090600 | Yes | Proof of Concept |
| medium | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090601 | Yes | Proof of Concept |
| medium | 586/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 5.3) | Regular Expression Denial of Service (ReDoS) SNYK-JS-VALIDATOR-1090602 | Yes | Proof of Concept |
| medium | /1000 (Why?) | Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835 | Yes | Proof of Concept |
| high | /1000 (Why?) | Arbitrary Code Injection SNYK-JS-XMLHTTPREQUESTSSL-1082936 | Yes | Proof of Concept |
| high | /1000 (Why?) | Access Restriction Bypass SNYK-JS-XMLHTTPREQUESTSSL-1255647 | Yes | Proof of Concept |
| low | /1000 (Why?) | Regular Expression Denial of Service (ReDoS) npm:clean-css:20180306 | Yes | Proof of Concept |
| low | 506/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 3.7) | Regular Expression Denial of Service (ReDoS) npm:debug:20170905 | Yes | Proof of Concept |
| high | /1000 (Why?) | Prototype Pollution npm:deep-extend:20180409 | Yes | Proof of Concept |
| high | /1000 (Why?) | Regular Expression Denial of Service (ReDoS) npm:foreman:20180429 | Yes | Mature |
| high | /1000 (Why?) | Regular Expression Denial of Service (ReDoS) npm:fresh:20170908 | Yes | No Known Exploit |
| medium | 636/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 6.3) | Prototype Pollution npm:lodash:20180130 | Yes | Proof of Concept |
| high | /1000 (Why?) | Regular Expression Denial of Service (ReDoS) npm:method-override:20170927 | Yes | No Known Exploit |
| low | /1000 (Why?) | Regular Expression Denial of Service (ReDoS) npm:mime:20170907 | Yes | No Known Exploit |
| high | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620 | Yes | No Known Exploit |
| low | /1000 (Why?) | Regular Expression Denial of Service (ReDoS) npm:ms:20170412 | Yes | No Known Exploit |
| high | 375/1000 (Why? CVSS 7.5) | Prototype Override Protection Bypass npm:qs:20170213 | Yes | No Known Exploit |
| high | /1000 (Why?) | Command Injection npm:shell-quote:20160621 | Yes | Proof of Concept |
| high | 589/1000 (Why? Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) npm:underscore.string:20170908 | Yes | No Known Exploit |
| medium | 479/1000 (Why? Has a fix available, CVSS 5.3) | Buffer Overflow npm:validator:20160218 | Yes | No Known Exploit |
| high | /1000 (Why?) | Denial of Service (DoS) npm:ws:20171108 | Yes | Mature |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: connect-redis The new version differs by 4 commits.

See the full diff

Package name: dateformat The new version differs by 9 commits.

See the full diff

Package name: foreman The new version differs by 63 commits.

See the full diff

Package name: grunt-contrib-uglify The new version differs by 142 commits.

See the full diff

Package name: grunt-sass The new version differs by 12 commits.

See the full diff

Package name: grunt-sync The new version differs by 17 commits.

See the full diff

Package name: marked The new version differs by 250 commits.
  • ae01170 chore(release): 4.0.10 [skip ci]
  • fceda57 🗜️ build [skip ci]
  • 8f80657 fix(security): fix redos vulnerabilities
  • c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
  • d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
  • 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
  • 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
  • 98996b8 chore(deps-dev): Bump @babel/preset-env from 7.16.5 to 7.16.7 (#2353)
  • ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
  • e5171a9 chore(release): 4.0.9 [skip ci]
  • 41990a5 🗜️ build [skip ci]
  • a9696e2 fix: retain line breaks in tokens properly (#2341)
  • 6aacd13 chore(deps-dev): Bump jasmine from 3.10.0 to 4.0.0 (#2343)
  • 55e5df9 chore(deps-dev): Bump @babel/core from 7.16.5 to 7.16.7 (#2344)
  • 4f4cab4 chore(deps-dev): Bump eslint-plugin-import from 2.25.3 to 2.25.4 (#2345)
  • 97ea9f2 chore(deps-dev): Bump eslint from 8.5.0 to 8.6.0 (#2346)
  • 4c3b853 chore(deps-dev): Bump rollup-plugin-license from 2.6.0 to 2.6.1 (#2347)
  • 9396896 chore(deps-dev): Bump rollup from 2.61.1 to 2.62.0 (#2338)
  • 103a56c chore(deps-dev): Bump @babel/preset-env from 7.16.4 to 7.16.5 (#2333)
  • be771c9 chore(deps-dev): Bump eslint from 8.4.1 to 8.5.0 (#2334)
  • 67d5a65 chore(deps-dev): Bump @babel/core from 7.16.0 to 7.16.5 (#2335)
  • 991493a chore(deps-dev): Bump eslint-plugin-promise from 5.2.0 to 6.0.0 (#2336)
  • 59375fb chore(release): 4.0.8 [skip ci]
  • 4734c82 🗜️ build [skip ci]

See the full diff

Package name: node-sass The new version differs by 250 commits.
  • 3b556c1 7.0.2
  • c716359 Bump sass-graph@^4.0.1 (#3292)
  • 24741b3 docs(readme): fix docpad plugin link
  • 1523330 feat: Drop Node 12
  • 365d357 update https://registry.npm.taobao.org to https://registry.npmmirror.com
  • 1456114 build(deps): bump actions/upload-artifact from 2 to 3
  • b465b69 chore: bump GitHub Actions to Windows 2019 (#3254)
  • e6194b1 build(deps): bump make-fetch-happen from 9.1.0 to 10.0.4
  • 4edf594 build(deps): bump node-gyp from 8.4.1 to 9.0.0
  • 29e2344 build(deps): bump actions/checkout from 2 to 3
  • 85b0d22 build(deps): bump actions/setup-node from 2 to 3
  • 3bb51da Use make-fetch-happen instead of request (#3193)
  • adc2f8b build(deps): bump true-case-path from 1.0.3 to 2.2.1 (#3000)
  • 77d12f0 chore: disable Apline for Node 16/17 builds
  • 308d533 ci: use Python 3 for Node 12
  • c818907 ci: unpin actions/setup-node to v2
  • 99242d7 7.0.1
  • 77049d1 build(deps): bump sass-graph from 2.2.5 to 4.0.0 (#3224)
  • c929f25 build(deps): bump node-gyp from 7.1.2 to 8.4.1 (#3209)
  • 918dcb3 Lint fix
  • 0a21792 Set rejectUnauthorized to true by default (#3149)
  • e80d4af chore: Drop EOL Node 15 (#3122)
  • d753397 feat: Add Node 17 support (#3195)
  • dcf2e75 build(deps-dev): bump eslint from 7.32.0 to 8.0.0

See the full diff

Package name: passport The new version differs by 160 commits.

See the full diff

Package name: rc The new version differs by 56 commits.

See the full diff

Package name: redis The new version differs by 142 commits.
  • fc28860 Bump version to 3.1.1 (#1597)
  • 2d11b6d fix #1569 - improve monitor_regex (#1595)
  • 7e77de8 Add Chat (#1594)
  • 5d3e995 Merge branch 'master' of https://github.com/NodeRedis/node-redis
  • b797cf2 add user to README.md
  • 79f34c2 Bump version to 3.1.0 (#1590)
  • 7fdc54e fix for 428e1c8a7b2322c2650294638cb1663ac5692728 - fix auth retry when redis is in loading state
  • 09f0fe8 "fix" tests
  • 428e1c8 Add support for Redis 6 `auth pass [user]` (#1508)
  • bb208d0 Add codeclimate badge (#1572)
  • 47e2e38 Exclude examples from deepsource (#1579)
  • fbca5cd Upgrade node and dependencies (#1578)
  • 2188744 Create codeql-analysis.yml (#1577)
  • 32861b5 Create .deepsource.toml (#1574)
  • 2a34d41 Add LGTM badge (#1571)
  • 69b7094 Workflows fixes (#1570)
  • 49c4131 Merge pull request #1531 from marnikvde/improve-docs
  • 3c8ff5c Merge branch 'master' into improve-docs
  • 685a72d Merge pull request #1277 from dcharbonnier/patch-1
  • 055f5c5 Merge branch 'master' into patch-1
  • c78b6d5 Merge pull request #1527 from heynikhil/patch-1
  • 53f1468 Merge branch 'master' into patch-1
  • 232f191 Merge pull request #1563 from lebseu/patch-1
  • e4cb073 Update README.md

See the full diff

Package name: sails The new version differs by 250 commits.
  • bdd7a1c 1.5.3
  • 6f875c0 upgrade ejs to 3.1.7 (#7243)
  • e4184a5 Add heading about the __Host- prefix (#7245)
  • d666ada bump async to 2.6.4 (#7244)

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-1018905
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://snyk.io/vuln/SNYK-JS-LODASH-450202
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
- https://snyk.io/vuln/SNYK-JS-LODASH-608086
- https://snyk.io/vuln/SNYK-JS-LODASH-73638
- https://snyk.io/vuln/SNYK-JS-LODASH-73639
- https://snyk.io/vuln/SNYK-JS-MARKED-2342073
- https://snyk.io/vuln/SNYK-JS-MARKED-2342082
- https://snyk.io/vuln/SNYK-JS-MARKED-451540
- https://snyk.io/vuln/SNYK-JS-MARKED-584281
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-1019388
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-3050818
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-NODESASS-1059081
- https://snyk.io/vuln/SNYK-JS-NODESASS-535499
- https://snyk.io/vuln/SNYK-JS-NODESASS-535501
- https://snyk.io/vuln/SNYK-JS-NODESASS-535503
- https://snyk.io/vuln/SNYK-JS-NODESASS-535504
- https://snyk.io/vuln/SNYK-JS-NODESASS-535505
- https://snyk.io/vuln/SNYK-JS-NODESASS-540960
- https://snyk.io/vuln/SNYK-JS-NODESASS-540962
- https://snyk.io/vuln/SNYK-JS-NODESASS-540966
- https://snyk.io/vuln/SNYK-JS-NODESASS-540968
- https://snyk.io/vuln/SNYK-JS-NODESASS-540970
- https://snyk.io/vuln/SNYK-JS-NODESASS-540972
- https://snyk.io/vuln/SNYK-JS-NODESASS-540974
- https://snyk.io/vuln/SNYK-JS-NODESASS-540982
- https://snyk.io/vuln/SNYK-JS-NODESASS-540984
- https://snyk.io/vuln/SNYK-JS-NODESASS-540986
- https://snyk.io/vuln/SNYK-JS-NODESASS-540988
- https://snyk.io/vuln/SNYK-JS-NODESASS-542662
- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631
- https://snyk.io/vuln/SNYK-JS-QS-3153490
- https://snyk.io/vuln/SNYK-JS-REDIS-1255645
- https://snyk.io/vuln/SNYK-JS-SAILS-2428337
- https://snyk.io/vuln/SNYK-JS-SAILSHOOKSOCKETS-589929
- https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2932027
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-2959225
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-3324088
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-3324089
- https://snyk.io/vuln/SNYK-JS-SEQUELIZE-3324090
- https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-1766506
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-1056752
- https://snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-3091012
- https://snyk.io/vuln/SNYK-JS-STRIPTAGS-1312310
- https://snyk.io/vuln/SNYK-JS-TAR-1536528
- https://snyk.io/vuln/SNYK-JS-TAR-1536531
- https://snyk.io/vuln/SNYK-JS-TAR-1536758
- https://snyk.io/vuln/SNYK-JS-TAR-1579147
- https://snyk.io/vuln/SNYK-JS-TAR-1579152
- https://snyk.io/vuln/SNYK-JS-TAR-1579155
- https://snyk.io/vuln/SNYK-JS-TRIMNEWLINES-1298042
- https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090599
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090600
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090601
- https://snyk.io/vuln/SNYK-JS-VALIDATOR-1090602
- https://snyk.io/vuln/SNYK-JS-WS-1296835
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1255647
- https://snyk.io/vuln/npm:clean-css:20180306
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:deep-extend:20180409
- https://snyk.io/vuln/npm:foreman:20180429
- https://snyk.io/vuln/npm:fresh:20170908
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:method-override:20170927
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:qs:20170213
- https://snyk.io/vuln/npm:shell-quote:20160621
- https://snyk.io/vuln/npm:underscore.string:20170908
- https://snyk.io/vuln/npm:validator:20160218
- https://snyk.io/vuln/npm:ws:20171108


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:mime:20170907
- https://snyk.io/vuln/npm:ms:20170412
- https://snyk.io/vuln/npm:negotiator:20160616
- https://snyk.io/vuln/npm:qs:20140806-1
@secureflag-knowledge-base

Code Injection

Play Labs on this vulnerability with SecureFlag!

Start Code Injection Lab

Description

Code Injection, also known as Remote Code Execution (RCE), is possible when unsafe user-supplied data is used to run server-side code. This is typically as a result of an application executing code without prior validation, thus allowing an attacker to execute arbitrary code within the context of the vulnerable application.

Not to be confused with OS Command Injection, Code Injection attacks allow the attacker to add their own code to be executed by the application, whereas OS Command Injection extends the preset functionality of the application to execute system commands, usually within the context of a shell.

Code Injection attacks are only limited by the functionality of the language the attacker has injected, i.e. not very limited at all! If PHP code is the language chosen for the injection and is executed successfully, the attacker has every utility available in PHP at her/his disposal.

The Code Injection attack category encompasses multiple types of injection attacks, all of which are very prevalent and capable of extremely high levels of compromise. Indeed, OWASP has listed injection attacks as one of the most dangerous web application security risks since 2013.

Impact

Malicious attackers can leverage Code Injection vulnerabilities to gain a foothold in the hosting infrastructure, pivot to connected systems throughout the organization, execute unauthorized commands, and fully compromise the confidentiality, integrity, and availability of the application. Depending on the injection, this can usually lead to the complete compromise of the underlying operating system.

The list of devastating Code Injection attacks, both public and behind closed doors, is far too long to list. Hot off the press in 2020, this Code Injection discovery was shown to affect the default Mail application on stock iPhones and iPads, resulting in remote code execution.

In this particular instance, the vulnerability was identified by a security company which notified the vendor, Apple, of the issue. However, it is important as a developer to internalize the glaring reality that poorly written, unsecure code opens the way for attackers to potentially wreak havoc, which is why learning secure coding skills from the beginning can potentially prevent an employer-destroying headline down the track.

Prevention

Code Injection attacks leveraging any language can be avoided by simply following some basic, yet essential, security practices. Overarching these general practices is the rule that a developer should treat all data as untrusted.

Developers must not dynamically generate code that can be interpreted or executed by the application using user-provided data. Evaluating code that contains user input should only be implemented if there is no other way of achieving the same result without code execution.

Testing

Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed.

View this in the SecureFlag Knowledge Base

@secure-code-warrior-for-github

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references
  • OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
  • OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by regular expressions cause the system to hang or work very slowly when an attacker sends a well-crafted input (exponentially related to input size). Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Weak input validation (Detected by phrase)

Matched on "Improper Input Validation"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Buffer overflow (Detected by phrase)

Matched on "Buffer Overflow"

What is this? (2min video)

A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "Cross-site Scripting"

What is this? (2min video)

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Exposure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "Prototype Pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Resource exhaustion (Detected by phrase)

Matched on "Resource Exhaustion"

What is this? (2min video)

Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: SQL injection (Detected by phrase)

Matched on "SQL Injection"

What is this? (2min video)

This is probably one of the two most exploited vulnerabilities in web applications and has led to a number of high profile company breaches. It occurs when an application fails to sanitize or validate input before using it to dynamically construct a statement. An attacker that exploits this vulnerability will be able to gain access to the underlying database and view or modify data without permission.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Type confusion (Detected by phrase)

Matched on "Type Confusion"

What is this? (2min video)

When attackers are able to manipulate the memory reserved for objects directly, they can then pass a reference to a crafted block of memory to be used in the place of a valid object type. This triggers the run time engine to execute arbitrary code which is under the control of the attacker due to the induced type confusion.

Try a challenge in Secure Code Warrior

@secure-code-warrior-for-github

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "OS Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references
  • OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
  • OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Code injection (Detected by phrase)

Matched on "Code Injection"

What is this? (2min video)

Code injection happens when an application insecurely accepts input that is subsequently used in a dynamic code evaluation call. If insufficient validation or sanitisation is performed on the input, specially crafted inputs may be able to alter the syntax of the evaluated code and thus alter execution. In a worst case scenario, an attacker could run arbitrary code in the server context and thus perform almost any action on the application server.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Injection attack (Detected by phrase)

Matched on "Injection attack"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior
