node-restify icon indicating copy to clipboard operation
node-restify copied to clipboard
verified publisher icon restify

[Snyk] Security upgrade formidable from 1.2.6 to 3.2.4

Open hekike opened this issue 3 years ago • 2 comments

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
critical severity 776/1000
Why? Recently disclosed, Has a fix available, CVSS 9.8		 Arbitrary File Upload
SNYK-JS-FORMIDABLE-2838956		 Yes No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: formidable The new version differs by 250 commits.
  • 143e473 chore: prepare release
  • 2f553b4 docs: use slugify in the example
  • 9969c25 refactor: code style
  • 5103d09 feat: stop extension from being '.'
  • 67c6a3f feat: allow numbers in file extensions
  • 78de849 feat: stop at first invalid char
  • 5fdb2d0 fix: replace regex with reliable filtering
  • d2bd18d tests: add a test case that proves that the regex was always bad
  • 703bec4 tests: add comment
  • 15afa8a docs: add comment
  • d3a05e9 add failing test case
  • 971e3a7 chore: publish
  • 92df3c8 fix: IncomingForm end event emitted twice (#852)
  • 21efa7d chore(deps): bump istanbul-reports from 3.0.2 to 3.1.4 (#844)
  • 8009584 chore(kodiak): always update PRs
  • d6c17f1 chore: fix dependabot error
  • 7ea655e chore: do not add reviewers to dep update prs (#845)
  • 635b4f8 chore: add Dependabot settings (#837)
  • a93060c chore: fix kodiak config (#838)
  • 7fbf974 chore: add KodiakHQ service (#836)
  • 786f2e1 chore(deps): bump ansi-regex from 4.1.0 to 4.1.1 (#835)
  • 4718b78 chore(security): meta, add CodeQL action (#832)
  • db22330 chore: remove auto-comment bot (#833)
  • ab698ff chore(meta): remove LabelSponsors Action (#834)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

hekike avatar May 19 '22 19:05 hekike

Do you check your pull requests, before opening?!

formidable 3.2.4 is an ESM module and for this it won't work without changing code in restify plugins.

And the more important is... is there a need for updating because of this snyk report, which doesn't seem to say much, and the CVE also. Air of importance. This comes from an anonymous guy who thinks it would be a problem if there are filenames with html-tags.
Well the problem is if you as developer put these filenames unchecked on a website, but not if you send these files e.g. per mail. So can you trust the filename of an uploaded file per webform, of course not. Like you can't trust any data put in any form field.

There is a need for updating formidable, because version 1 isn't supported any longer. But as started, this needs more than updating a version number.

kolbma avatar May 27 '22 12:05 kolbma

Btw. version 1.2.6 filters the extension with .[a-z0-9]* and cuts off anything behind.
So this problem starts with v2 and the "fix" in v3.2.4 is far more dangerous. Uploads of .txt files with "right" filenames would be saved as .bat or .exe files and if you provide these files to your users of the web apps they might get executed, although you have blocked these extension by a filter. But the "magic" rename happens after the custom filter checks.

kolbma avatar May 27 '22 17:05 kolbma