Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
[invalid CVE]: “Property Injection” in the function merge() CVE-2021-44907
See original GitHub issuemerge() (https://github.com/ljharb/qs/blob/main/dist/qs.js#L670) allows to assign properties on an array in the query. In case of any property being assigned a value the array is converted to an object containing these properties.
Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user, which may not be obvious to the user and can cause unexpected behavior.
While this seems intentional, this behavior is not stressed in documentation.
A couple of simple examples: https://jsfiddle.net/1s7pq93z/1/ https://jsfiddle.net/65jxksay/
The CVE Program has assigned the ID CVE-2021-44907 to this issue. This is a record on the CVE List, which standardizes names for security problems.
Issue Analytics
- State:
- Created 2 years ago
- Comments:28 (13 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Update - just got a reply from my CVE denial request and it looks like they approved the denial. The CVE status should be updated within a few hours. I’m not sure how long it takes GitHub’s advisory database to update its status, but I imagine within 24 hours or so.
I’m confused; why is there a CVE that wasn’t responsibly disclosed first? Filing security issues publicly is insanely irresponsible, and wildly insecure.
Someone who knows how to file a CVE should absolutely know how to follow a security policy.