Authz: node18 re-write #387
Conversation
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| '<head>' + | ||
| '<script type="text/javascript">' + | ||
| 'sessionStorage.removeItem("' + sessionStorageKey + '");' + | ||
| 'window.location.href = "https://' + options.rta + '/v2/logout/?returnTo=' + encodedBaseUrl + '&client_id=' + encodedBaseUrl + '";' + |
There was a problem hiding this comment.
Cannot determine what 'encodedBaseUrl' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure 'encodedBaseUrl' is not externally controlled, or sanitize this data.
Ignore this finding from unknown-value-with-script-tag.
server/lib/tools/server.js
Outdated
| /* eslint-disable no-useless-escape */ | ||
|
|
||
| const Boom = require('@hapi/boom'); | ||
| const Request = require('request'); |
There was a problem hiding this comment.
Risk: Affected versions of @cypress/request and request are vulnerable to Server-Side Request Forgery (Ssrf). The vulnerability arises when SSRF filters implemented in request and cypress/request library, inadvertently delete all configured agents upon redirects involving protocol switches, thus nullifying established event listeners and anti-SSRF mechanisms, thereby enabling attackers to circumvent SSRF protections and potentially acquire unauthorized access to internal or restricted resources.
Fix: Upgrade this library to at least version 3.0.0 at auth0-authorization-extension/package-lock.json:32115.
Reference(s): GHSA-p8p7-x288-28g6, CVE-2023-28155
Ignore this finding from ssc-9bb58177-527a-4665-8cfc-e343dc367d9b.
|
Semgrep found 1 Risk: Affected version of handlebars is vulnerable to Improper Neutralization Of Special Elements In Output Used By A Downstream Component ('Injection') / Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The vulnerability allows for Prototype Pollution, potentially leading to Remote Code Execution, as templates can modify an object's Fix: Upgrade this library to at least version 4.3.0 at auth0-authorization-extension/package-lock.json:24340. Reference(s): GHSA-w457-6q6x-cgp9, CVE-2019-19919 Ignore this finding from ssc-45c7ee79-f517-41e2-b61a-45743d9df9c6.Semgrep found 7
Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm Fix: Upgrade this library to at least version 9.0.0 at auth0-authorization-extension/package-lock.json:34340. Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539 Ignore this finding from ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e.Semgrep found 7
Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC. Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in Fix: Upgrade this library to at least version 9.0.0 at auth0-authorization-extension/package-lock.json:34340. Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541 Ignore this finding from ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f.Semgrep found 2 Risk: Affected versions of @babel/traverse are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods Manual Review Advice: A vulnerability from this advisory is reachable if you use a 3rd party plugin that relies on the Fix: There are no safe versions of this library available for upgrade. Library included at auth0-authorization-extension/package-lock.json:23879. Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133 Ignore this finding from ssc-aff5e8de-c638-4356-8a93-120597e35ce9. |
sauntimo
force-pushed
the
authz-node18-dev
branch
from
adeab80 to
3c60da8
Compare
sauntimo
force-pushed
the
authz-node18-dev
branch
from
ad4e08a to
14334a7
Compare
sauntimo
force-pushed
the
authz-node18-dev
branch
from
14334a7 to
9f19bb3
Compare
Caution
Do not merge until the correct point in the Deployment Plan
✏️ Changes
18.16.021.3.3which involved a huge number of changes because the whole framework has been re-written from using callbacks to using async/await.NOTES
npm link. Then navigate back to the authorization extension repo and runnpm link auth0-extensions-cli. This will then use the local version of the extensions cli, not the master version.📷 Screenshots
If there were visual changes to the application with this change, please include before and after screenshots here. If it has animation, please use screen capture software like to make a gif.
🔗 References
🎯 Testing
✅ This change has been tested in a Webtask
✅ This change has unit test coverage
✅ This change has integration test coverage
✅ This change has been tested for performance
🚀 Deployment
🚫 This should only be merged and deployed using the extensions deployment tool at the correct point in the Deployment Plan
🎡 Rollout
In order to verify that the deployment was successful we will install and update the extension in a prod env and check functionality.
🔥 Rollback
If there are issues with the extension, then will will update the
extensions.jsonto the previous node12 version2.11.0of the authz extension and advise customers who have updated, to "update" again to the previous version.