Skip to content
This repository has been archived by the owner on Mar 26, 2022. It is now read-only.

Update dependency ini to 1.3.6 [SECURITY] #303

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency ini to 1.3.6 [SECURITY] #303

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 3, 2021
edited

WhiteSource Renovate

This PR contains the following updates:

Package Change
ini 1.3.5 -> 1.3.6

GitHub Vulnerability Alerts

CVE-2020-7788

Overview

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches

This has been patched in 1.3.6

Steps to reproduce

payload.ini

[__proto__]
polluted = "polluted"

poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled due to failing status checks.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch 21 times, most recently from 89a6c3f to 54457b9 Compare March 8, 2021 23:30
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch 3 times, most recently from 8c08dfc to f5820e5 Compare March 19, 2021 04:37
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch 4 times, most recently from 59a23c6 to e4d1741 Compare March 30, 2021 09:04
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch from e4d1741 to 078b77c Compare April 19, 2021 20:03
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 078b77c to a8ee34a Compare May 4, 2021 23:42
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch 9 times, most recently from f9689e7 to 8c2935c Compare May 7, 2021 22:15
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch 4 times, most recently from c353130 to c9ae7ef Compare May 29, 2021 02:30
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch 4 times, most recently from d7b05fc to 272336e Compare June 15, 2021 16:40
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch 3 times, most recently from a806d2b to 36905c0 Compare August 11, 2021 01:30
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch from 36905c0 to 1b72602 Compare October 8, 2021 01:09
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch 2 times, most recently from d9cd97b to e1a534d Compare October 26, 2021 04:38
@renovate renovate bot force-pushed the renovate/npm-ini-vulnerability branch from e1a534d to 70c4cc1 Compare October 26, 2021 05:01
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@renovate-bot