<!-- github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/master/argocd-test.html -->
<!DOCTYPE html>
<html lang="en">

<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
  <meta name="description" content="8 known vulnerabilities found in 28 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
    sizes="194x194">
  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
  <style type="text/css">

    body {
      -moz-font-feature-settings: "pnum";
      -webkit-font-feature-settings: "pnum";
      font-variant-numeric: proportional-nums;
      display: flex;
      flex-direction: column;
      font-feature-settings: "pnum";
      font-size: 100%;
      line-height: 1.5;
      min-height: 100vh;
      -webkit-text-size-adjust: 100%;
      margin: 0;
      padding: 0;
      background-color: #F5F5F5;
      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
    }

    h1,
    h2,
    h3,
    h4,
    h5,
    h6 {
      font-weight: 500;
    }

    a,
    a:link,
    a:visited {
      border-bottom: 1px solid #4b45a9;
      text-decoration: none;
      color: #4b45a9;
    }

    a:hover,
    a:focus,
    a:active {
      border-bottom: 1px solid #4b45a9;
    }

    hr {
      border: none;
      margin: 1em 0;
      border-top: 1px solid #c5c5c5;
    }

    ul {
      padding: 0 1em;
      margin: 1em 0;
    }

    code {
      background-color: #EEE;
      color: #333;
      padding: 0.25em 0.5em;
      border-radius: 0.25em;
    }

    pre {
      background-color: #333;
      font-family: monospace;
      padding: 0.5em 1em 0.75em;
      border-radius: 0.25em;
      font-size: 14px;
    }

    pre code {
      padding: 0;
      background-color: transparent;
      color: #fff;
    }

    a code {
      border-radius: .125rem .125rem 0 0;
      padding-bottom: 0;
      color: #4b45a9;
    }

    a[href^="http://"]:after,
    a[href^="https://"]:after {
      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
      background-repeat: no-repeat;
      background-size: .75rem;
      content: "";
      display: inline-block;
      height: .75rem;
      margin-left: .25rem;
      width: .75rem;
    }


    /* Layout */

    [class*=layout-container] {
      margin: 0 auto;
      max-width: 71.25em;
      padding: 1.9em 1.3em;
      position: relative;
    }
    .layout-container--short {
      padding-top: 0;
      padding-bottom: 0;
      max-width: 48.75em;
    }

    .layout-container--short:after {
      display: block;
      content: "";
      clear: both;
    }

    /* Header */

    .header {
      padding-bottom: 1px;
    }

    .paths {
      margin-left: 8px;
    }
    .header-wrap {
      display: flex;
      flex-direction: row;
      justify-content: space-between;
      padding-top: 2em;
    }
    .project__header {
      background-color: #030328;
      color: #fff;
      margin-bottom: -1px;
      padding-top: 1em;
      padding-bottom: 0.25em;
      border-bottom: 2px solid #BBB;
    }

    .project__header__title {
      overflow-wrap: break-word;
      word-wrap: break-word;
      word-break: break-all;
      margin-bottom: .1em;
      margin-top: 0;
    }

    .timestamp {
      float: right;
      clear: none;
      margin-bottom: 0;
    }

    .meta-counts {
      clear: both;
      display: block;
      flex-wrap: wrap;
      justify-content: space-between;
      margin: 0 0 1.5em;
      color: #fff;
      clear: both;
      font-size: 1.1em;
    }

    .meta-count {
      display: block;
      flex-basis: 100%;
      margin: 0 1em 1em 0;
      float: left;
      padding-right: 1em;
      border-right: 2px solid #fff;
    }

    .meta-count:last-child {
      border-right: 0;
      padding-right: 0;
      margin-right: 0;
    }

    /* Card */

    .card {
      background-color: #fff;
      border: 1px solid #c5c5c5;
      border-radius: .25rem;
      margin: 0 0 2em 0;
      position: relative;
      min-height: 40px;
      padding: 1.5em;
    }

    .card__labels {
      position: absolute;
      top: 1.1em;
      left: 0;
      display: flex;
      align-items: center;
      gap: 8px;
    }

    .card .label {
      background-color: #767676;
      border: 2px solid #767676;
      color: white;
      padding: 0.25rem 0.75rem;
      font-size: 0.875rem;
      text-transform: uppercase;
      display: inline-block;
      margin: 0;
      border-radius: 0.25rem;
    }

    .card .label__text {
      vertical-align: text-top;
      font-weight: bold;
    }

    .card .label--critical {
      background-color: #AB1A1A;
      border-color: #AB1A1A;
    }

    .card .label--high {
      background-color: #CE5019;
      border-color: #CE5019;
    }

    .card .label--medium {
      background-color: #D68000;
      border-color: #D68000;
    }

    .card .label--low {
      background-color: #88879E;
      border-color: #88879E;
    }

    .severity--low {
      border-color: #88879E;
    }

    .severity--medium {
      border-color: #D68000;
    }

    .severity--high {
      border-color: #CE5019;
    }

    .severity--critical {
      border-color: #AB1A1A;
    }

    .card--vuln {
      padding-top: 4em;
    }

    .card--vuln .card__labels > .label:first-child {
      padding-left: 1.9em;
      padding-right: 1.9em;
      border-radius: 0 0.25rem 0.25rem 0;
    }

    .card--vuln .card__section h2 {
      font-size: 22px;
      margin-bottom: 0.5em;
    }

    .card--vuln .card__section p {
      margin: 0 0 0.5em 0;
    }

    .card--vuln .card__meta {
      padding: 0 0 0 1em;
      margin: 0;
      font-size: 1.1em;
    }

    .card .card__meta__paths {
      font-size: 0.9em;
    }

    .card--vuln .card__title {
      font-size: 28px;
      margin-top: 0;
      margin-right: 100px; /* Ensure space for the risk score */
    }

    .card--vuln .card__cta p {
      margin: 0;
      text-align: right;
    }

    .risk-score-display {
      position: absolute;
      top: 1.5em;
      right: 1.5em;
      text-align: right;
      z-index: 10;
    }

    .risk-score-display__label {
      font-size: 0.7em;
      font-weight: bold;
      color: #586069;
      text-transform: uppercase;
      line-height: 1;
      margin-bottom: 3px;
    }

    .risk-score-display__value {
      font-size: 1.9em;
      font-weight: 600;
      color: #24292e;
      line-height: 1;
    }

    .source-panel {
      clear: both;
      display: flex;
      justify-content: flex-start;
      flex-direction: column;
      align-items: flex-start;
      padding: 0.5em 0;
      width: fit-content;
    }

  </style>
  <style type="text/css">
    .metatable {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      margin-top: 12px;
      border-collapse: collapse;
      border-spacing: 0;
      font-variant-numeric: tabular-nums;
      max-width: 51.75em;
    }

    tbody {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      flex-wrap: wrap;
    }

    .meta-row {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      outline: none;
      text-align: left;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
      display: flex;
      align-items: start;
      border-top: 1px solid #d3d3d9;
      padding: 8px 0 0 0;
      border-bottom: none;
      margin: 8px;
      width: 47.75%;
    }

    .meta-row-label {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      color: #4c4a73;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      margin: 0;
      outline: none;
      text-decoration: none;
      z-index: auto;
      align-self: start;
      flex: 1;
      font-size: 1rem;
      line-height: 1.5rem;
      padding: 0;
      text-align: left;
      vertical-align: top;
      text-transform: none;
      letter-spacing: 0;
    }

    .meta-row-value {
      text-size-adjust: 100%;
      -webkit-font-smoothing: antialiased;
      -webkit-box-direction: normal;
      color: inherit;
      font-feature-settings: "pnum";
      border-collapse: collapse;
      border-spacing: 0;
      word-break: break-word;
      box-sizing: border-box;
      background: transparent;
      border: 0;
      font: inherit;
      font-size: 100%;
      margin: 0;
      outline: none;
      padding: 0;
      text-align: right;
      text-decoration: none;
      vertical-align: baseline;
      z-index: auto;
    }
  </style>
</head>

<body class="section-projects">
  <main class="layout-stacked">
    <div class="layout-stacked__header header">
      <header class="project__header">
        <div class="layout-container">
          <a class="brand" href="https://snyk.io" title="Snyk">
            <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
              <title>Snyk - Open Source Security</title>
              <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
                <g fill="#fff">
                  <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172
L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
                </g>
              </g>
            </svg>
          </a>
          <div class="header-wrap">
            <h1 class="project__header__title">Snyk test report</h1>

            <p class="timestamp">September 14th 2025, 12:21:20 am (UTC+00:00)</p>
          </div>
          <div class="source-panel">
            <span>Scanned the following paths:</span>
            <ul>
              <li class="paths">/argo-cd/argoproj/argo-cd/v3/go.mod (gomodules)</li>
              <li class="paths">/argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)</li>
              <li class="paths">/argo-cd/ui/yarn.lock (yarn)</li>
            </ul>
          </div>

          <div class="meta-counts">
            <div class="meta-count"><span>8</span> <span>known vulnerabilities</span></div>
            <div class="meta-count"><span>28 vulnerable dependency paths</span></div>
            <div class="meta-count"><span>2115</span> <span>dependencies</span></div>
          </div><!-- .meta-counts -->
        </div><!-- .layout-container--short -->
      </header><!-- .project__header -->
    </div><!-- .layout-stacked__header -->

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">MPL-2.0 license</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: github.com/r3labs/diff/v3
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v3@0.0.0 and github.com/r3labs/diff/v3@3.0.2
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/r3labs/diff/v3@3.0.2
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <p>MPL-2.0 license</p>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:v3:MPL-2.0">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">MPL-2.0 license</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: github.com/hashicorp/go-version
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v3@0.0.0, code.gitea.io/sdk/gitea@0.22.0 and others
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  code.gitea.io/sdk/gitea@0.22.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-version@1.7.0
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <p>MPL-2.0 license</p>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">MPL-2.0 license</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: github.com/hashicorp/go-retryablehttp
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v3@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.8
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  gitlab.com/gitlab-org/api/client-go@0.142.6
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/cmd@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/api@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/controller@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/cmd@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/api@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/controller@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <p>MPL-2.0 license</p>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">MPL-2.0 license</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: github.com/hashicorp/go-cleanhttp
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v3@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.8 and others
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-cleanhttp@0.5.2
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  gitlab.com/gitlab-org/api/client-go@0.142.6
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-cleanhttp@0.5.2
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  gitlab.com/gitlab-org/api/client-go@0.142.6
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-cleanhttp@0.5.2
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-cleanhttp@0.5.2
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-cleanhttp@0.5.2
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/cmd@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-cleanhttp@0.5.2
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/api@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-cleanhttp@0.5.2
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/controller@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/subscriptions@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/argoproj/notifications-engine/pkg/services@#da04400446ff
                  <span class="list-paths__item__arrow">›</span>
                  github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-retryablehttp@0.7.8
                  <span class="list-paths__item__arrow">›</span>
                  github.com/hashicorp/go-cleanhttp@0.5.2
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <p>MPL-2.0 license</p>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">MPL-2.0 license</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> go.mod
              </li>
              <li class="card__meta__item">
                Package Manager: golang
              </li>
              <li class="card__meta__item">
                Module: github.com/gosimple/slug
              </li>
              <li class="card__meta__item">
                Introduced through: github.com/argoproj/argo-cd/v3@0.0.0 and github.com/gosimple/slug@1.15.0
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  github.com/argoproj/argo-cd/v3@0.0.0
                  <span class="list-paths__item__arrow">›</span>
                  github.com/gosimple/slug@1.15.0
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <p>MPL-2.0 license</p>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->

        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock
              </li>
              <li class="card__meta__item">
                Package Manager: npm
              </li>
              <li class="card__meta__item">
                Vulnerable module: foundation-sites
              </li>
              <li class="card__meta__item">
                Introduced through: argo-cd-ui@1.0.0 and foundation-sites@6.8.1
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  argo-cd-ui@1.0.0
                  <span class="list-paths__item__arrow">›</span>
                  foundation-sites@6.8.1
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  argo-cd-ui@1.0.0
                  <span class="list-paths__item__arrow">›</span>
                  argo-ui@1.0.0
                  <span class="list-paths__item__arrow">›</span>
                  foundation-sites@6.8.1
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
1156 <h2 id="overview">Overview</h2> 1157 <p><a href="https://github.com/zurb/foundation-sites">foundation-sites</a> is a responsive front-end framework</p> 1158 <p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.</p> 1159 <h2 id="poc">PoC</h2> 1160 <pre><code>https://www.'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' 1161 </code></pre> 1162 <h2 id="details">Details</h2> 1163 <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p> 1164 <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.</p> 1165 <p>Let’s take the following regular expression as an example:</p> 1166 <pre><code class="language-js">regex = /A(B|C+)+D/ 1167 </code></pre> 1168 <p>This regular expression accomplishes the following:</p> 1169 <ul> 1170 <li><code>A</code> The string must start with the letter 'A'</li> 1171 <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the <code>+</code> matches one or more times). 
The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li> 1172 <li><code>D</code> Finally, we ensure this section of the string ends with a 'D'</li> 1173 </ul> 1174 <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p> 1175 <p>It most cases, it doesn't take very long for a regex engine to find a match:</p> 1176 <pre><code class="language-bash">$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")' 1177 0.04s user 0.01s system 95% cpu 0.052 total 1178 1179 $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")' 1180 1.79s user 0.02s system 99% cpu 1.812 total 1181 </code></pre> 1182 <p>The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p> 1183 <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p> 1184 <p>Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". 
While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:</p> 1185 <ol> 1186 <li>CCC</li> 1187 <li>CC+C</li> 1188 <li>C+CC</li> 1189 <li>C+C+C.</li> 1190 </ol> 1191 <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn't match.</p> 1192 <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p> 1193 <table> 1194 <thead> 1195 <tr> 1196 <th>String</th> 1197 <th align="right">Number of C's</th> 1198 <th align="right">Number of steps</th> 1199 </tr> 1200 </thead> 1201 <tbody><tr> 1202 <td>ACCCX</td> 1203 <td align="right">3</td> 1204 <td align="right">38</td> 1205 </tr> 1206 <tr> 1207 <td>ACCCCX</td> 1208 <td align="right">4</td> 1209 <td align="right">71</td> 1210 </tr> 1211 <tr> 1212 <td>ACCCCCX</td> 1213 <td align="right">5</td> 1214 <td align="right">136</td> 1215 </tr> 1216 <tr> 1217 <td>ACCCCCCCCCCCCCCX</td> 1218 <td align="right">14</td> 1219 <td align="right">65,553</td> 1220 </tr> 1221 </tbody></table> 1222 <p>By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p> 1223 <h2 id="remediation">Remediation</h2> 1224 <p>There is no fixed version for <code>foundation-sites</code>.</p> 1225 <h2 id="references">References</h2> 1226 <ul> 1227 <li><a href="https://securitylab.github.com/advisories/GHSL-2020-290-redos-foundation-sites">GitHub Advisory</a></li> 1228 <li><a href="https://github.com/foundation/foundation-sites/issues/12180">GitHub Issue</a></li> 1229 <li><a href="https://github.com/foundation/foundation-sites/blob/develop/js/foundation.abide.js#L864">Vulnerable Code</a></li> 1230 </ul> 1231 1232 <hr/> 1233 1234 <div class="cta card__cta"> 1235 <p><a href="https://snyk.io/vuln/SNYK-JS-FOUNDATIONSITES-8310364">More about this vulnerability</a></p> 1236 </div> 1237 1238 </div><!-- .card --> 1239 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1240 <h2 class="card__title">Insecure Randomness</h2> 1241 <div class="card__section"> 1242 1243 <div class="card__labels"> 1244 <div class="label label--low"> 1245 <span class="label__text">low severity</span> 1246 </div> 1247 </div> 1248 1249 <hr/> 1250 1251 <ul class="card__meta"> 1252 <li class="card__meta__item"> 1253 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 1254 </li> 1255 <li class="card__meta__item"> 1256 Package Manager: npm 1257 </li> 1258 <li class="card__meta__item"> 1259 Vulnerable module: 1260 1261 formidable 1262 </li> 1263 1264 <li class="card__meta__item">Introduced through: 1265 1266 1267 argo-cd-ui@1.0.0, superagent@8.1.2 and others 1268 </li> 1269 </ul> 1270 1271 <hr/> 1272 1273 1274 <h3 class="card__section__title">Detailed paths</h3> 1275 1276 <ul class="card__meta__paths"> 1277 <li> 1278 <span class="list-paths__item__introduced"><em>Introduced 
through</em>: 1279 argo-cd-ui@1.0.0 1280 <span class="list-paths__item__arrow">›</span> 1281 superagent@8.1.2 1282 <span class="list-paths__item__arrow">›</span> 1283 formidable@2.1.2 1284 1285 </span> 1286 1287 </li> 1288 </ul><!-- .list-paths --> 1289 1290 </div><!-- .card__section --> 1291 1292 <hr/> 1293 <!-- Overview --> 1294 <h2 id="overview">Overview</h2> 1295 <p>Affected versions of this package are vulnerable to Insecure Randomness due to its use of the <code>hexoid()</code> function in the generation of fingerprint IDs.</p> 1296 <h2 id="remediation">Remediation</h2> 1297 <p>Upgrade <code>formidable</code> to version 2.1.3, 3.5.3 or higher.</p> 1298 <h2 id="references">References</h2> 1299 <ul> 1300 <li><a href="https://github.com/node-formidable/formidable/commit/022c2c5577dfe14d2947f10909d81b03b6070bf5">GitHub Commit</a></li> 1301 <li><a href="https://github.com/zast-ai/vulnerability-reports/blob/main/formidable/file_upload/report.md">Vulnerability Report</a></li> 1302 </ul> 1303 1304 <hr/> 1305 1306 <div class="cta card__cta"> 1307 <p><a href="https://snyk.io/vuln/SNYK-JS-FORMIDABLE-9788127">More about this vulnerability</a></p> 1308 </div> 1309 1310 </div><!-- .card --> 1311 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1312 <h2 class="card__title">Regular Expression Denial of Service (ReDoS)</h2> 1313 <div class="card__section"> 1314 1315 <div class="card__labels"> 1316 <div class="label label--low"> 1317 <span class="label__text">low severity</span> 1318 </div> 1319 </div> 1320 1321 <hr/> 1322 1323 <ul class="card__meta"> 1324 <li class="card__meta__item"> 1325 Manifest file: /argo-cd <span class="list-paths__item__arrow">›</span> ui/yarn.lock 1326 </li> 1327 <li class="card__meta__item"> 1328 Package Manager: npm 1329 </li> 1330 <li class="card__meta__item"> 1331 Vulnerable module: 1332 1333 brace-expansion 1334 </li> 1335 1336 <li class="card__meta__item">Introduced through: 1337 1338 1339 argo-cd-ui@1.0.0, 
minimatch@3.1.2 and others 1340 </li> 1341 </ul> 1342 1343 <hr/> 1344 1345 1346 <h3 class="card__section__title">Detailed paths</h3> 1347 1348 <ul class="card__meta__paths"> 1349 <li> 1350 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1351 argo-cd-ui@1.0.0 1352 <span class="list-paths__item__arrow">›</span> 1353 minimatch@3.1.2 1354 <span class="list-paths__item__arrow">›</span> 1355 brace-expansion@1.1.11 1356 1357 </span> 1358 1359 </li> 1360 <li> 1361 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1362 argo-cd-ui@1.0.0 1363 <span class="list-paths__item__arrow">›</span> 1364 redoc@2.4.0 1365 <span class="list-paths__item__arrow">›</span> 1366 @redocly/openapi-core@1.30.0 1367 <span class="list-paths__item__arrow">›</span> 1368 minimatch@5.1.6 1369 <span class="list-paths__item__arrow">›</span> 1370 brace-expansion@2.0.1 1371 1372 </span> 1373 1374 </li> 1375 </ul><!-- .list-paths --> 1376 1377 </div><!-- .card__section --> 1378 1379 <hr/> 1380 <!-- Overview --> 1381 <h2 id="overview">Overview</h2> 1382 <p><a href="https://github.com/juliangruber/brace-expansion">brace-expansion</a> is a Brace expansion as known from sh/bash</p> 1383 <p>Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the <code>expand()</code> function, which is prone to catastrophic backtracking on very long malicious inputs.</p> 1384 <h2 id="poc">PoC</h2> 1385 <pre><code class="language-js">import index from "./index.js"; 1386 1387 let str = "{a}" + ",".repeat(100000) + "\u0000"; 1388 1389 let startTime = performance.now(); 1390 1391 const result = index(str); 1392 1393 let endTime = performance.now(); 1394 1395 let timeTaken = endTime - startTime; 1396 1397 console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`); 1398 </code></pre> 1399 <h2 id="details">Details</h2> 1400 <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate 
users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.</p> 1401 <p>The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.</p> 1402 <p>Let’s take the following regular expression as an example:</p> 1403 <pre><code class="language-js">regex = /A(B|C+)+D/ 1404 </code></pre> 1405 <p>This regular expression accomplishes the following:</p> 1406 <ul> 1407 <li><code>A</code> The string must start with the letter 'A'</li> 1408 <li><code>(B|C+)+</code> The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the <code>+</code> matches one or more times). The <code>+</code> at the end of this section states that we can look for one or more matches of this section.</li> 1409 <li><code>D</code> Finally, we ensure this section of the string ends with a 'D'</li> 1410 </ul> 1411 <p>The expression would match inputs such as <code>ABBD</code>, <code>ABCCCCD</code>, <code>ABCBCCCD</code> and <code>ACCCCCD</code></p> 1412 <p>It most cases, it doesn't take very long for a regex engine to find a match:</p> 1413 <pre><code class="language-bash">$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")' 1414 0.04s user 0.01s system 95% cpu 0.052 total 1415 1416 $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")' 1417 1.79s user 0.02s system 99% cpu 1.812 total 1418 </code></pre> 1419 <p>The entire process of testing it against a 30 characters long string takes around ~52ms. 
But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.</p> 1420 <p>Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as <em>catastrophic backtracking</em>.</p> 1421 <p>Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:</p> 1422 <ol> 1423 <li>CCC</li> 1424 <li>CC+C</li> 1425 <li>C+CC</li> 1426 <li>C+C+C.</li> 1427 </ol> 1428 <p>The engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use <a href="https://regex101.com/debugger">RegEx 101 debugger</a> to see the engine has to take a total of 38 steps before it can determine the string doesn't match.</p> 1429 <p>From there, the number of steps the engine must use to validate a string just continues to grow.</p> 1430 <table> 1431 <thead> 1432 <tr> 1433 <th>String</th> 1434 <th align="right">Number of C's</th> 1435 <th align="right">Number of steps</th> 1436 </tr> 1437 </thead> 1438 <tbody><tr> 1439 <td>ACCCX</td> 1440 <td align="right">3</td> 1441 <td align="right">38</td> 1442 </tr> 1443 <tr> 1444 <td>ACCCCX</td> 1445 <td align="right">4</td> 1446 <td align="right">71</td> 1447 </tr> 1448 <tr> 1449 <td>ACCCCCX</td> 1450 <td align="right">5</td> 1451 <td align="right">136</td> 1452 </tr> 1453 <tr> 1454 <td>ACCCCCCCCCCCCCCX</td> 1455 <td align="right">14</td> 1456 <td align="right">65,553</td> 1457 </tr> 1458 </tbody></table> 1459 <p>By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.</p> 1460 <h2 id="remediation">Remediation</h2> 1461 <p>Upgrade <code>brace-expansion</code> to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.</p> 1462 <h2 id="references">References</h2> 1463 <ul> 1464 <li><a href="https://github.com/advisories/GHSA-v6h2-p8h4-qcjw">GitHub Advisory</a></li> 1465 <li><a href="https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2">GitHub Commit</a></li> 1466 <li><a href="https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466">GitHub Gist</a></li> 1467 <li><a href="https://github.com/juliangruber/brace-expansion/pull/65">GitHub PR</a></li> 1468 </ul> 1469 1470 <hr/> 1471 1472 <div class="cta card__cta"> 1473 <p><a href="https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073">More about this vulnerability</a></p> 1474 </div> 1475 1476 </div><!-- .card --> 1477 </div><!-- cards --> 1478 </div> 1479 </main><!-- .layout-stacked__content --> 1480 </body> 1481 1482 </html>