WS-2018-0588 (High severity) detected in querystringify #2000

Closed

eKristensen opened this issue Jun 8, 2019 · 12 comments

Comments

@eKristensen

eKristensen commented Jun 8, 2019

  • Operating System: Windows 10
  • Node Version: 10.15.3
  • NPM Version: 6.4.1
  • webpack Version: 4.33.0
  • webpack-dev-server Version: 3.7.1
  • This is a bug
  • This is a modification request

Code

No code, see unshiftio/querystringify#19

Expected Behavior

To be secure

Actual Behavior

A vulnerability was found in querystringify before 2.0.0.

For Bugs; How can we reproduce the behavior?

A vulnerability was found in querystringify before 2.0.0. It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.

For Features; What is the motivation and/or use-case for the feature?

Security. See more here: unshiftio/querystringify#19
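The bug class the issue body describes (a query-string key overriding a built-in property of the parsed object), shown as an added example that is not code from querystringify or webpack-dev-server: a naive parser that writes into a plain `{}` beside a hardened parser with a null-prototype result. The query strings are constructed for the example.

```javascript
// Added example (not the querystringify implementation). Both parsers
// accept "?a=1&b=2" style input; the sample queries in the comments and
// test are constructed here.

// Naive: a plain {} inherits from Object.prototype, so a key such as
// "hasOwnProperty" replaces the inherited method on the result object,
// and any later `parsed.hasOwnProperty(...)` call breaks.
function parseNaive(query) {
  const result = {};
  for (const part of query.replace(/^\?/, '').split('&')) {
    if (!part) continue;
    const idx = part.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? part : part.slice(0, idx));
    const value = idx === -1 ? '' : decodeURIComponent(part.slice(idx + 1));
    result[key] = value; // writes over inherited properties
  }
  return result;
}

// Hardened: the result has a null prototype, so there are no inherited
// built-ins to override; only the first value for a key is kept, so a
// later duplicate cannot clobber an earlier one; and a pair with
// malformed percent-encoding is skipped instead of throwing.
function parseSafe(query) {
  const result = Object.create(null);
  for (const part of query.replace(/^\?/, '').split('&')) {
    if (!part) continue;
    const idx = part.indexOf('=');
    let key, value;
    try {
      key = decodeURIComponent(idx === -1 ? part : part.slice(0, idx));
      value = idx === -1 ? '' : decodeURIComponent(part.slice(idx + 1));
    } catch (e) {
      continue; // URIError on bad %-sequence: drop this pair
    }
    if (!(key in result)) result[key] = value;
  }
  return result;
}

// Check used by the test: true when `parsed` still has a callable,
// inherited hasOwnProperty (i.e. nothing replaced the built-in).
function builtinIntact(parsed) {
  return Object.getPrototypeOf(parsed) === Object.prototype &&
    parsed.hasOwnProperty === Object.prototype.hasOwnProperty;
}
```

With the hardened parser, a key named `hasOwnProperty` is stored as ordinary data and read back with `Object.prototype.hasOwnProperty.call(parsed, name)`, which is how consumers of a null-prototype object should test for keys.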

@hiroppy
Member

hiroppy commented Jun 8, 2019

npm ls querystringify

└─┬ webpack-dev-server@3.7.1
  └─┬ sockjs-client@1.3.0
    └─┬ url-parse@1.4.7
      └── querystringify@2.1.1 

querystringify in webpack-dev-server is the latest version.
https://github.com/unshiftio/querystringify/releases

I think that is a bug on the GitHub side.

@eKristensen
Author

@hiroppy it may be an issue on my side. I'll get back to you later. The GitHub security check claims something is wrong, but I'm away from my computer right now. Thank you for your time, have a great day :)

@crstnmac

crstnmac commented Jun 8, 2019

Same with my Gatsby project repos. I did a yarn audit... No vulnerabilities found.

@alexander-akait
Member

Please open an issue in the url-parse package; we can't do anything here on our side.

Also, all security problems are better reported by DM (gitter, slack) or email. Also, we use querystringify@2.1.1.

@eKristensen
Author

Thank you for your patience. The issue was on my side. I cannot reproduce any problems locally or find the old version that GitHub claims I have.

I'm sorry I wasted your time and wrongly accused you of using outdated packages. Thank you for your helpful responses. Have a wonderful day! :)

@hiroppy
Member

hiroppy commented Jun 8, 2019

No problem, thank you for reporting.

@C451

C451 commented Jun 9, 2019

> Thank you for your patience. The issue was on my side. I cannot reproduce any problems locally or find the old version that GitHub claims I have.
>
> I'm sorry I wasted your time and wrongly accused you of using outdated packages. Thank you for your helpful responses. Have a wonderful day! :)

Have you solved this?

@eKristensen
Author

@C451 No. I'm not sure where to report errors with the GitHub "Security Alerts". I think Microsoft will resolve that issue eventually. It fails to create an automated "security fix" pull request.

Dependabot cannot update to the required version.

@C451

C451 commented Jun 9, 2019

It seems strange that only a few people experience this bug, considering how many people use webpack. I will try to contact support.

@hiroppy
Member

hiroppy commented Jun 9, 2019

Yesterday, I saw this security alert at this repo, but now I cannot see this alert. So, this problem was fixed.

@C451

C451 commented Jun 9, 2019

Hmmm, I still see the alert. Anyways, it is better to send them a letter.

Edit: the alert just magically disappeared. Probably the support team has the ability to read our minds.

@eKristensen
Author

It's partially gone for me now. It's not in my repo, nor in the Security Alerts overview, but there is a message about it that I can't read under notifications. Seems like Microsoft is fixing it.
