node-forge 0.9.1 → 0.9.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +22 -0
- package/README.md +2 -0
- package/lib/util.js +3 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
@@ -1,6 +1,28 @@
Forge ChangeLog
===============
+
## 0.9.2 - 2019-09-01
+
+
### Changed
+
- Added `util.setPath` security note to function docs and to README.
+
+
### Notes
+
- **SECURITY**: The `util.setPath` function has the potential to cause
+
prototype pollution if used with unsafe input.
+
- This function is **not** used internally by `forge`.
+
- The rest of the library is unaffected by this issue.
+
- **Do not** use unsafe input with this function.
+
- Usage with known input should function as expected. (Including input
+
intentionally using potentially problematic keys.)
+
- No code changes will be made to address this issue in 0.9.x. The current
+
behavior *could* be considered a feature rather than a security issue.
+
0.10.0 will be released that removes `util.getPath` and `util.setPath`.
+
Consider `get` and `set` from [lodash](https://lodash.com/) if you need
+
replacements. But also consider the potential similar security issues with
+
those APIs.
+
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
+
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
+
## 0.9.1 - 2019-09-26
### Fixed
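Review bot: the new `## 0.9.2 - 2019-09-01` heading is dated earlier than the `## 0.9.1 - 2019-09-26` entry it sits above, and the same entry cites CVE-2020-7720, so the year in the 0.9.2 date looks like a typo that should be corrected before tagging. The Notes list also leaves "unsafe input" and "potentially problematic keys" undefined; a short clause stating that the `keys` array passed to `util.setPath` must come from trusted code rather than from request or user data would make the advisory actionable for callers who find it through the Snyk or CVE links.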
package/README.md
CHANGED
@@ -2035,6 +2035,8 @@ When using this code please keep the following in mind:
- Certain features in this library are less susceptible to attacks depending on
usage. This primarily includes features that deal with data format
manipulation or those that are not involved in communication.
+
- Do not pass unsafe inputs to `util.setPath`. Doing so could expose a
+
prototype pollution security issue.
Library Background
------------------
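Review bot: the added bullet tells readers not to pass unsafe inputs to `util.setPath` but does not say which argument is meant or what makes an input unsafe; suggest stating that the `keys` array must not be derived from untrusted data, and pointing at the CHANGELOG notes so README readers also learn that the function is slated for removal in 0.10.0 and that a replacement should be chosen now.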
package/lib/util.js
CHANGED
@@ -2520,6 +2520,9 @@ util.makeLink = function(path, query, fragment) {
* leaf nodes are given as non-final path keys.
* Used to avoid exceptions from missing parts of the path.
*
+
* SECURITY NOTE: Do not use unsafe inputs. Doing so could expose a prototype
+
* pollution security issue.
+
*
* @param object the starting object.
* @param keys an array of string keys.
* @param value the value to set.
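Review bot: the SECURITY NOTE sits directly above the `@param` block but does not name the parameter it applies to; since the hazard is the `keys` array, suggest wording it as `* SECURITY NOTE: Do not pass untrusted values in \`keys\`. Doing so could expose a prototype pollution security issue.` so the warning is tied to the documented argument. The CHANGELOG in this same release says `util.getPath` will be removed together with `util.setPath`, so consider adding a matching deprecation note to both functions' docs.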
package/package.json
CHANGED
@@ -1,6 +1,6 @@
{
"name": "node-forge",
-
"version": "0.9.
+
"version": "0.9.2",
"description": "JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.",
"homepage": "https://github.com/digitalbazaar/forge",
"author": {