OWASP/NodeGoat

Restore A9 Insecure Components vulnerability

rcowsill opened this issue · 6 comments

The A9: Insecure Components vulnerability tutorial refers to the use of an insecure version of the Marked library, making the memos page vulnerable to XSS.

It appears that the project was upgraded to use marked 0.3.9, which fixed this vulnerability. This means none of the example exploit strings in the tutorial result in a successful XSS attack.

I think the package.json needs to specify marked 0.3.5, as that is the last version with the XSS vulnerability.

Note that this is also relevant to PR #169, which currently specifies the 0.3.9 version instead of 0.3.5.

@rcowsill Thanks for reporting the issue. 👍

You are right about it. We will add it to our backlog. In case you have bandwidth, we will be happy to merge a PR with the required fix.

Would you want that PR from a feature branch in a fork of master?

Yes @rcowsill, from and against feature/187, as we are implementing Lerna #187 (PR pending: #189).

As discussed in #206, I'm going to add a test to confirm this vulnerability is present and functioning as expected. PR for that to follow...

PR #208 containing the A9 test has been merged into feature/187. Should this issue be closed now, or should it be kept around until #187 is merged into master?

Ahh, I didn't even notice it's not PRed to the master branch.
@UlisesGascon can you advise?