What is this PR all about?
This is a security patch to fix the issue #127, which identified a web application vulnerability (cross-site request forgery or XSRF) on the server-side that can be dangerous to user data, since it can be leveraged by an attacker to gain access elsewhere in the system.

Why all the fuss?
The biggest reason is to avoid the use of 2 outdated and/or vulnerable packages, whereby one (`request`) no longer receives maintenance and updates, while `axios` wasn't just updated via the `package.json`. Thus I added this patch to address the web vulnerabilities (Server-Side Request Forgery in Request and Prototype Pollution vulnerability) introduced by the `tough-cookie` library relied on by the now deprecated `request` library, and the outdated `axios` library version (Axios Cross-Site Request Forgery Vulnerability). I essentially updated the deprecated libraries and aligned the code to use the new packages.

How did you do that?
I refactored and converted all the code that depended on the `request` library and replaced it with code that uses the latest `axios` package. In the process, I allowed for backward compatibility to the `request` library to avoid breaking other code that expected function return types similar to that of the `request` library, for example by using aliases for properties.

But, did you test your code?
Yes, I did.
All the tests passed successfully!
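The migration pattern the description mentions (swapping `request` for `axios` while keeping `request`-style return shapes via property aliases) can be illustrated with a small compatibility shim. The code below is an added example, not the PR's code; it assumes only axios's promise API (`client.request(config)` resolving to `{ status, statusText, headers, data }`), and it substitutes a constructed fake client for axios so it runs offline. The option names (`uri`, `json`, `followRedirect`, `validateStatus`, `maxRedirects`) are the real `request` and `axios` option names; the function names are hypothetical.

```javascript
// Added illustration (not the PR's code): a request-style shim over an
// axios-like client. Assumed: the client exposes axios's promise API
// `client.request(config)` resolving to { status, statusText, headers, data }.
// No network is used; a constructed fake client stands in for axios.

// Map request-style options ({ url|uri, method, headers, body|json }) to an
// axios config. request did not reject on HTTP error statuses, so the shim
// sets validateStatus accordingly and leaves status checks to the caller.
// Redirect following is capped explicitly so callers keep request's
// followRedirect: false behaviour instead of silently inheriting a default.
function toAxiosConfig(options) {
  const opts = typeof options === 'string' ? { url: options } : options;
  const config = {
    url: opts.url || opts.uri,
    method: (opts.method || 'GET').toUpperCase(),
    headers: Object.assign({}, opts.headers),
    validateStatus: () => true,
    maxRedirects: opts.followRedirect === false ? 0 : 5,
  };
  if (opts.json && typeof opts.json === 'object') {
    config.data = opts.json;            // request: json: {...} sends a JSON body
  } else if (opts.body !== undefined) {
    config.data = opts.body;
  }
  if (opts.json) config.responseType = 'json';
  return config;
}

// Map an axios response to the shape request callers expect (statusCode,
// body), keeping axios's own names as non-enumerable aliases on the same
// object so both old and new call sites read the same result.
function toRequestResponse(res) {
  const out = {
    statusCode: res.status,
    statusMessage: res.statusText,
    headers: res.headers,
    body: res.data,
  };
  Object.defineProperty(out, 'status', { get: () => out.statusCode, enumerable: false });
  Object.defineProperty(out, 'data', { get: () => out.body, enumerable: false });
  return out;
}

// Build a request-like function: callback style `(err, res, body)` when a
// callback is given, otherwise a promise of the request-shaped response.
function makeRequestCompat(client) {
  return function requestCompat(options, callback) {
    const p = client.request(toAxiosConfig(options)).then(toRequestResponse);
    if (typeof callback === 'function') {
      p.then((res) => callback(null, res, res.body), (err) => callback(err));
      return undefined;
    }
    return p;
  };
}

// Constructed fake client: records the config it was given and answers with
// a canned response, so the mapping can be exercised without axios or a server.
function makeFakeClient(status, data) {
  const calls = [];
  return {
    calls,
    request(config) {
      calls.push(config);
      return Promise.resolve({
        status,
        statusText: 'OK',
        headers: { 'content-type': 'application/json' },
        data,
      });
    },
  };
}

// Stand-alone demo against the fake client.
const demoClient = makeFakeClient(200, { ok: true });
const demoRequest = makeRequestCompat(demoClient);
demoRequest({ uri: 'https://example.invalid/api', json: true }, (err, res, body) => {
  console.log(err, res.statusCode, body, demoClient.calls[0].method);
});
```

The shim keeps the two surfaces separate: `toAxiosConfig` is the only place that knows `request` option names, and `toRequestResponse` is the only place that knows axios's response names, so each can be unit-tested without any HTTP traffic and removed later once callers have moved to the axios shape.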