Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix security issues in dependencies and Studio directly #979

Merged
merged 4 commits into from
Jan 9, 2023
Merged

Fix security issues in dependencies and Studio directly #979

merged 4 commits into from
Jan 9, 2023

Conversation

LukasKalbertodt
Copy link
Member

@LukasKalbertodt LukasKalbertodt commented Nov 9, 2022
edited
Loading

PR is mainly for the first commit which fixes a prototype pollution issue in Studio. As the commit message says, we couldn't find a way to actually exploit it, so we don't think this is a high impact security issue. It's scary though, so it needs to be fixed for sure. We only found ways to break Studio (but that's not particularly useful to an attacker): https://studio.opencast.org/?__proto__.toString=peter

The other commits are about updating dependencies to get rid of security issues in those.

@github-actions

This comment was marked as resolved.

Sign in to view
@github-actions github-actions bot added the status:conflicts Conflicts with another pull request or issue label Dec 23, 2022
narickmann
narickmann approved these changes Jan 4, 2023
View reviewed changes
Copy link
Contributor

@narickmann narickmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

@LukasKalbertodt
Fix prototype pollution vulnerability in settings handling
2c09ced 
URL parameters could be used to modify the root prototype, eg.:
   ?__proto__.toString=peter

Fortunately, the assigned value is always a string, so it's not possible
to overwrite functions with other functions. The example above just
leads to a JS error which is caught by the application and an error is
then displayed. It might be possible to add a new field to the prototype
that then leads to other code checking `if ('foo' in obj)` to behave
differently. But I couldn't find a spot that could be abused. I might
very well have missed something, but my guess would be that this
vulnerability is not really exploitable in a bad way.

Note: I think only one of the `{}` needs to be replaced by
`Object.create(null)`, but it doesn't hurt just replacing all of them.
From a quick glance, I also didn't find any similar problems in the
code base.
@LukasKalbertodt
Run npm audit fix
4fd278f
@LukasKalbertodt
Update react-scripts to 5.0.1
52d7e48 
This updates a ton of other dependencies. In particular, it also fixes
a ton of security issues within the dependency tree.
@LukasKalbertodt
Update a few dependencies (just minor bumps)
a65572c
@LukasKalbertodt LukasKalbertodt force-pushed the fix-prototype-pollution branch from 431623c to a65572c Compare January 9, 2023 11:01
@github-actions github-actions bot removed the status:conflicts Conflicts with another pull request or issue label Jan 9, 2023
@LukasKalbertodt LukasKalbertodt merged commit 1df9501 into elan-ev:master Jan 9, 2023
@LukasKalbertodt LukasKalbertodt deleted the fix-prototype-pollution branch January 9, 2023 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@narickmann narickmann narickmann approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@LukasKalbertodt @narickmann