Security Vulnerability issue #173

Closed
alejandro-serrano opened this issue Aug 11, 2022 · 3 comments · Fixed by #177

@alejandro-serrano

Hi,

We are getting the following security vulnerability issue in the plugin when performing a yarn audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Infinite loop in jpeg-js                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jpeg-js                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.4.4                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ testcafe-browser-provider-browserstack                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ testcafe-browser-provider-browserstack > jimp > @jimp/types  │
│               │ > @jimp/jpeg > jpeg-js                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1075625                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Further information can be found here:
GHSA-xvf7-4v9q-58w6

Thanks!

@AlexKamaev
Contributor

Thank you for pointing this out to us. It looks like the jimp module is not under active development, so the maintainer cannot merge the PRs that fix the issue:
jimp-dev/jimp#1090
jimp-dev/jimp#1093
We'll take a look at this problem as soon as possible and will find an appropriate solution.

@kukhariev
Contributor

kukhariev commented Aug 24, 2022

```js
async takeScreenshot (id, screenshotPath) {
    var buffer = await requestApi(BROWSERSTACK_API_PATHS.screenshot(this.workers[id].id));
    var image = await jimp.read(buffer);
    await image.writeAsync(screenshotPath);
}
```

What is the purpose of the jimp used here?

OK, sorted.

@Aleksey28
Contributor

It reads and writes images. We are already working on this issue and we will resolve it as soon as possible.

kukhariev added a commit to kukhariev/testcafe-browser-provider-browserstack that referenced this issue Aug 26, 2022
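
An added example (not part of the issue thread or the project's code): a small Node.js check that walks a nested dependency tree, in the shape `npm ls --json` prints, and reports every path that reaches a jpeg-js release older than the patched version from the audit table. The sample tree, its `0.0.0` placeholder versions, the `0.4.2` jpeg-js version and the `other-image-lib` package are constructed for the example.

```javascript
// Added example: report dependency paths that reach a jpeg-js release
// older than the patched version named in the audit report (>=0.4.4).
const PATCHED = '0.4.4'; // from the "Patched in" row of the audit table

// Compare plain x.y.z versions numerically (no pre-release tags handled).
// Returns a negative number, 0 or a positive number.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Depth-first walk over a nested `dependencies` tree. Every occurrence of
// `target` below `patched` is returned with the full path that pulls it in.
function findVulnerablePaths(node, name, target, patched, trail = []) {
  const here = [...trail, name];
  const hits = [];
  if (name === target && compareVersions(node.version, patched) < 0) {
    hits.push({ path: here.join(' > '), version: node.version });
  }
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths(dep, depName, target, patched, here));
  }
  return hits;
}

// Constructed sample tree: package names on the first branch follow the
// "Path" row of the audit table; all version numbers are made up.
const sampleTree = {
  version: '0.0.0',
  dependencies: {
    jimp: { version: '0.0.0', dependencies: {
      '@jimp/types': { version: '0.0.0', dependencies: {
        '@jimp/jpeg': { version: '0.0.0', dependencies: {
          'jpeg-js': { version: '0.4.2' } } } } } } },
    'other-image-lib': { version: '0.0.0', dependencies: {
      'jpeg-js': { version: '0.4.4' } } }, // already patched, not reported
  },
};

const findings = findVulnerablePaths(
  sampleTree, 'testcafe-browser-provider-browserstack', 'jpeg-js', PATCHED);
console.log(findings);
```
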