Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Feature Request: please add a check for alasql JavaScript vulnerability and/or integrate Snyk
See original GitHub issueThe alasql javascript library <0.7.0 contains a arbitrary code injection vulnerability with a validated Proof of Concept.
An example header string to regex against is:
//! AlaSQL v0.4.5 | © 2014-2016 Andrey Gershun & Mathias Rangel Wulff | License: MIT !function(e,t){"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?module.exports=t():e.alasql=t()}
Snyk has a good description and the proof of concept available on their website: https://security.snyk.io/vuln/SNYK-JS-ALASQL-1082932
and a list of all the vulnerable versions: https://snyk.io/vuln/npm:alasql
They seem to be friendly to open-source projects so it might be possible to even integrate the entire Snyk javascript vulnerability database into ZAP to improve JavaScript library checks without having to code each one individually. https://snyk.io/blog/snyk-code-now-available-free-sast/
Issue Analytics
- State:
- Created a year ago
- Comments:8 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Started the upstream process here: https://github.com/RetireJS/retire.js/issues/380
Specifically it’d be a PR against: https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json details for that file are here: https://github.com/RetireJS/retire.js/tree/master/repository#jsrepositoryjson