npm - node-forge - Versions diffs - 0.8.4 → 0.9.2 - Mend

node-forge 0.8.4 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,47 @@
 Forge ChangeLog
 ===============
+## 0.9.2 - 2019-09-01
+### Changed
+- Added `util.setPath` security note to function docs and to README.
+### Notes
+- **SECURITY**: The `util.setPath` function has the potential to cause
+  prototype pollution if used with unsafe input.
+  - This function is **not** used internally by `forge`.
+  - The rest of the library is unaffected by this issue.
+  - **Do not** use unsafe input with this function.
+  - Usage with known input should function as expected. (Including input
+    intentionally using potentially problematic keys.)
+  - No code changes will be made to address this issue in 0.9.x. The current
+    behavior *could* be considered a feature rather than a security issue.
+    0.10.0 will be released that removes `util.getPath` and `util.setPath`.
+    Consider `get` and `set` from [lodash](https://lodash.com/) if you need
+    replacements. But also consider the potential similar security issues with
+    those APIs.
+  - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
+## 0.9.1 - 2019-09-26
+### Fixed
+- Ensure DES-CBC given IV is long enough for block size.
+## 0.9.0 - 2019-09-04
+### Added
+- Add ed25519.publicKeyFromAsn1 and ed25519.privateKeyFromAsn1 APIs.
+- A few OIDs used in EV certs.
+### Fixed
+- Improve ed25519 NativeBuffer check.
+## 0.8.5 - 2019-06-18
+### Fixed
+- Remove use of `const`.
 ## 0.8.4 - 2019-05-22
 ### Changed

package/README.md CHANGED Viewed

@@ -1409,15 +1409,17 @@ var privateKeyInfo = pki.wrapRsaPrivateKey(rsaPrivateKey);
 // convert a PKCS#8 ASN.1 PrivateKeyInfo to PEM
 var pem = pki.privateKeyInfoToPem(privateKeyInfo);
-// encrypts a PrivateKeyInfo and outputs an EncryptedPrivateKeyInfo
+// encrypts a PrivateKeyInfo using a custom password and
+// outputs an EncryptedPrivateKeyInfo
 var encryptedPrivateKeyInfo = pki.encryptPrivateKeyInfo(
-  privateKeyInfo, 'password', {
+  privateKeyInfo, 'myCustomPasswordHere', {
     algorithm: 'aes256', // 'aes128', 'aes192', 'aes256', '3des'
   });
-// decrypts an ASN.1 EncryptedPrivateKeyInfo
+// decrypts an ASN.1 EncryptedPrivateKeyInfo that was encrypted
+// with a custom password
 var privateKeyInfo = pki.decryptPrivateKeyInfo(
-  encryptedPrivateKeyInfo, 'password');
+  encryptedPrivateKeyInfo, 'myCustomPasswordHere');
 // converts an EncryptedPrivateKeyInfo to PEM
 var pem = pki.encryptedPrivateKeyToPem(encryptedPrivateKeyInfo);
@@ -2033,6 +2035,8 @@ When using this code please keep the following in mind:
 - Certain features in this library are less susceptible to attacks depending on
   usage. This primarily includes features that deal with data format
   manipulation or those that are not involved in communication.
+- Do not pass unsafe inputs to `util.setPath`. Doing so could expose a
+  prototype pollution security issue.
 Library Background
 ------------------