fix: critical vulnerabilities reported by snyk and trivy #1373
Comments
pedrosodre
added
status: needs triage
|
I know this topic has already been addressed in other issues, but would be cool to keep it open until someone maintain this library or a PR with a fix is openned. I also recommend to keep your eyes on https://github.com/nestjs/class-validator |
|
@NoNameProvided , are you or is someone else maintaining this project? |
|
For anyone interested in resolving this issue, change to the recently forked (and patched) @nestjs/class-validator package. Update your import references too, and you should be good to go 👍 |
|
does it fix ? |
Yep. But you have to tune See nestjs/nest#8562 (comment) for details. |
|
Closing this. Let's track this in #1422 |
braaar
added
status: duplicate
|
Hi all! Sorry for the long overdue update, I would like to chime in to clarify a few things. First of all, as mentioned before in other threads the reported issue is not a security vulnerability in the sense that you can defend against it by specifying the I still think this was opened by mistake and it's the same as if I would open a vulnerability report on NodeJS saying "if I turn off the server the NodeJS application crashes". The valid (and fixed) problem was in the A second problem is that for this vulnerability I was never provided a reproducible test case officially, saying: this is what failing and needs to be fixed. The closest to an official example is from the issue in this repository that is linked in the security reports: #438. Running that example code shows the issue is fixed for almost a year now. Code snippet from #438import { validate, IsInt, Length, IsEmail, IsFQDN, IsDate, Min, Max } from "class-validator";
import { plainToClass } from "class-transformer";
class Post {
@Length(10, 20)
title: string;
@IsInt()
@Min(0)
@Max(10)
rating: number;
@IsEmail()
email: string;
@IsFQDN()
site: string;
@IsDate()
createDate: Date;
}
let userJson = JSON.parse('{"title":1233, "proto":{}}'); // a malformed input
let users = plainToClass(Post, userJson);
validate(users, { forbidUnknownValues: true }).then(errors => { // errors is an array of validation errors
if (errors.length > 0) {
console.log("validation failed. errors: ", errors);
} else {
console.log("validation succeed");
}
});This code fails with validation errors as expected. So you may ask why the security advisory is still open? That's the million-dollar question, and the answer is that when you try to write to someone they will redirect to someone else who will redirect to someone else who will redirect to the first org. It's a circle and everybody says: "sorry I just source my data from someone else", I cannot do anything for you. Another contributor tried to write to them, and I have tried to write to them. No success. The mistake I made was that after a while I stopped trying. I knew the issue don't exist so I am using it without worrying, but I see how an open critical advisory is scary for others. To sum up my plan for going at it again:
Also, it is worth noting that the other package under the NestJS org doesn't fix any issues. The security warning is not present there because it has a different name, not because the "problem is fixed". PS: As @braaar mentioned, this is tracked in another issue now, please subscribe to that for future changes. |
|
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Description
When we scan any code that uses class-validator as dependency on trivy (or others, as snyk), these tools reports that class-validator has some vulnerabilities related with Cross-site Scripting and SQL Injection.
Minimal code-snippet showcasing the problem
Check the scans on both platforms:
Expected behavior
Library should not have critical vulnerabilities.
Actual behavior
Is these vulnerabilities something that class-validator's team is looking to fix?
Cheers
The text was updated successfully, but these errors were encountered: