Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade debian from 9.5-slim to stretch-20210408-slim #14

Merged
merged 1 commit into from
Jun 21, 2021
Merged

[Snyk] Security upgrade debian from 9.5-slim to stretch-20210408-slim #14

merged 1 commit into from
Jun 21, 2021

Conversation

snyk-bot
Copy link

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Changes included in this PR

  • translations/es-ES/content/actions/creating-actions/dockerfile-support-for-github-actions.md

We recommend upgrading to debian:stretch-20210408-slim, as this image has only 72 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Some of the most important vulnerabilities in your base image include:

Severity Priority Score / 1000 Issue Exploit Maturity
high severity 714 Arbitrary Code Injection
SNYK-DEBIAN9-APT-407402		 No Known Exploit
high severity 671 Out-of-Bounds
SNYK-DEBIAN9-GLIBC-356506		 Mature
high severity 671 Out-of-Bounds
SNYK-DEBIAN9-GLIBC-356506		 Mature
high severity 671 Out-of-bounds Write
SNYK-DEBIAN9-GLIBC-356851		 Mature
high severity 671 Out-of-bounds Write
SNYK-DEBIAN9-GLIBC-356851		 Mature

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

@guardrails
Copy link

guardrails bot commented May 20, 2021

⚠️ We detected 78 security issues in this pull request:

Mode: paranoid | Total findings: 78 | Considered vulnerability: 78

Insecure File Management (21)
Docs Details
💡 Title: Use of non-literal require, Severity: High

docs/middleware/contextualizers/graphql.js

Line 26 in 5107ae6

schemaForCurrentVersion: require(`../../lib/graphql/static/schema-${graphqlVersion}`),
💡 Title: Use of non-literal require, Severity: High

docs/middleware/contextualizers/webhooks.js

Line 3 in 5107ae6

const webhookPayloads = require(path.join(process.cwd(), 'lib/webhooks'))
💡 Title: Use of non-literal require, Severity: High

docs/script/enterprise-server-deprecations/remove-version-markup.js

Line 65 in 5107ae6

require(path.join(process.cwd(), removeUnusedAssetsScript))
💡 Title: Use of non-literal require, Severity: High

docs/script/enterprise-server-releases/create-graphql-files.js

Line 55 in 5107ae6

const previews = require(previewsFile)
💡 Title: Use of non-literal require, Severity: High

docs/script/enterprise-server-releases/create-graphql-files.js

Line 56 in 5107ae6

const changes = require(changesFile)
💡 Title: Use of non-literal require, Severity: High

docs/script/enterprise-server-releases/create-graphql-files.js

Line 57 in 5107ae6

const objects = require(objectsFile)
💡 Title: Use of non-literal require, Severity: High

docs/script/enterprise-server-releases/create-rest-files.js

Line 66 in 5107ae6

const dereferencedSchema = require(path.join(process.cwd(), newDereferencedFile))
💡 Title: Use of non-literal require, Severity: High

docs/script/rest/openapi-check.js

Line 24 in 5107ae6

const schemas = files.map(filename => require(filename))
💡 Title: Use of non-literal require, Severity: High

docs/script/rest/update-files.js

Line 78 in 5107ae6

const schema = require(path.join(dereferencedPath, filename))
💡 Title: Use of non-literal require, Severity: High

docs/script/rest/update-files.js

Line 88 in 5107ae6

const schema = require(path.join(dereferencedPath, filename))
💡 Title: Path Traversal from user input, Severity: High

docs/lib/rewrite-local-links.js

Line 40 in 5107ae6

newHref = path.join('/', languageCode, href)
💡 Title: Path Traversal from user input, Severity: High

docs/lib/rewrite-local-links.js

Line 47 in 5107ae6

newHref = path.join('/', languageCode, href)
💡 Title: Path Traversal from user input, Severity: High

docs/lib/get-link-data.js

Line 37 in 5107ae6

const href = removeFPTFromPath(path.join('/', context.currentLanguage, version, linkPath))
💡 Title: Path Traversal from user input, Severity: High

docs/middleware/early-access-breadcrumbs.js

Line 63 in 5107ae6

const mapTopicOrArticlePath = path.posix.join(categoryPath, pathParts[2])
💡 Title: Path Traversal from user input, Severity: High

docs/middleware/early-access-breadcrumbs.js

Line 50 in 5107ae6

const categoryPath = removeFPTFromPath(path.posix.join('/', 'en', req.context.currentVersion, 'early-access', pathParts[0], pathParts[1]))
💡 Title: Path Traversal from user input, Severity: High

docs/middleware/contextualizers/rest.js

Line 14 in 5107ae6

'/developers/apps'
💡 Title: Path Traversal from user input, Severity: High

docs/middleware/breadcrumbs.js

Line 35 in 5107ae6

title: product.title
💡 Title: Path Traversal from user input, Severity: High

docs/middleware/breadcrumbs.js

Line 21 in 5107ae6

const productPath = path.posix.join('/', req.context.currentProduct)
💡 Title: Path Traversal from user input, Severity: High

docs/middleware/breadcrumbs.js

Line 34 in 5107ae6

href: removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath)),
💡 Title: Path Traversal from user input, Severity: High

docs/middleware/breadcrumbs.js

Line 49 in 5107ae6

const categoryPath = removeFPTFromPath(path.posix.join('/', req.context.currentLanguage, req.context.currentVersion, productPath, pathParts[1]))
💡 Title: Path Traversal from user input, Severity: High

docs/middleware/archived-enterprise-versions-assets.js

Line 22 in 5107ae6

const proxyPath = path.join('/', requestedVersion, assetPath)

More info on how to fix Insecure File Management in JavaScript.

Insecure Use of Regular Expressions (16)
Docs Details
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/middleware/index.js

Line 99 in 5107ae6

app.use(/(\/.*)?\/early-access$/, instrument('./contextualizers/early-access-links'))
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/script/content-migrations/extended-markdown-tags.js

Line 7 in 5107ae6

const FINDER = /{{\s?([#/])([a-z-]+)?\s?}}/g
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/script/content-migrations/octicon-tag.js

Line 7 in 5107ae6

const FINDER = /{{\s?octicon-([a-z-]+)(\s[\w\s\d-]+)?\s?}}/g
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/script/content-migrations/site-data-tag.js

Line 7 in 5107ae6

const FINDER = /{{\s?site\.data\.([a-zA-Z0-9-_]+(?:\.[a-zA-Z0-9-_]+)+)\s*}}/g
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/script/update-internal-links.js

Line 125 in 5107ae6

versionMatch = oldLink.match(/(enterprise-server(?:@.[^/]*?)?)\//)
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/middleware/redirects/language-code-redirects.js

Line 14 in 5107ae6

if (redirectPattern.test(req.path)) {
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/middleware/render-page.js

Line 121 in 5107ae6

if (!patterns.homepagePath.test(req.path)) {
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/middleware/disable-caching-on-safari.js

Line 2 in 5107ae6

const isSafari = /^((?!chrome|android).)*safari/i.test(req.headers['user-agent'])
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/middleware/contextualizers/enterprise-release-notes.js

Line 82 in 5107ae6

if (!patterns.getEnterpriseServerNumber.test(req.path)) return next()
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/middleware/archived-enterprise-versions-assets.js

Line 19 in 5107ae6

if (!patterns.assetPaths.test(req.path)) return next()
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/middleware/archived-enterprise-versions.js

Line 19 in 5107ae6

if (patterns.assetPaths.test(req.path)) return next()
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/lib/old-versions-utils.js

Line 40 in 5107ae6

if (!patterns.enterprise.test(oldPath)) return 'dotcom'
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/lib/find-page.js

Line 12 in 5107ae6

const currentLang = getLanguageCode.test(href) ? href.match(getLanguageCode)[1] : 'en'
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/javascripts/filter-cards.js

Line 4 in 5107ae6

return Object.keys(card.dataset).some(key => matchReg.test(card.dataset[key]))
💡 Title: Regex DOS (ReDOS), Severity: Medium

docs/middleware/redirects/handle-redirects.js

Line 6 in 5107ae6

if (patterns.assetPaths.test(req.path)) return next()
💡 Title: Regex DOS (ReDOS) through user input, Severity: Medium

docs/middleware/find-page.js

Line 8 in 5107ae6

const englishPath = req.path.replace(new RegExp(`^/${req.language}`), '/en')

More info on how to fix Insecure Use of Regular Expressions in JavaScript.

Insecure Use of Dangerous Function (16)
Docs Details
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/anonymize-branch.js

Line 16 in 5107ae6

const { execSync: exec } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/early-access/clone-for-build.js

Line 24 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/enterprise-server-deprecations/archive-version.js

Line 5 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/fix-translation-errors.js

Line 11 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/get-new-dotcom-path.js

Line 6 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/graphql/update-files.js

Line 7 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/lint-translation-files.js

Line 3 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/move-category-to-product.js

Line 7 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/prevent-pushes-to-main.js

Line 3 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/prevent-translation-commits.js

Line 19 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/purge-fastly-by-url.js

Line 6 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/reconcile-filenames-with-ids.js

Line 9 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/reset-known-broken-translation-files.js

Line 6 in 5107ae6

const exec = promisify(require('child_process').exec)
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/reset-translated-file.js

Line 21 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/rest/update-files.js

Line 5 in 5107ae6

const { execSync } = require('child_process')
💡 Title: Use of child process and non-literal exec(), Severity: Medium

docs/script/update-crowdin-issue.js

Line 5 in 5107ae6

const { execSync } = require('child_process')

More info on how to fix Insecure Use of Dangerous Function in JavaScript.

Vulnerable Libraries (11)
Severity Details
Medium hosted-git-info@2.7.1 - no patch available
Medium linkinator@2.13.1 - no patch available
High lodash@4.17.20 - no patch available
Medium marked@1.2.9 - no patch available
High mdast-util-to-hast@6.0.2 upgrade to 8.1.0
Medium postcss@8.2.13 upgrade to 2.3.2
High remark-parse@7.0.2 upgrade to 9.0.0
High remark-rehype@5.0.0 upgrade to 8.1.0
Medium resolve-url-loader@3.1.2 upgrade to 2.3.2
High trim@0.0.1 upgrade to 9.0.0
High y18n@4.0.0 - no patch available

More info on how to fix Vulnerable Libraries in JavaScript.

Insecure Use of Language/Framework API (1)
Docs Details
💡 Title: User Controlled Method Invocation, Severity: Medium

docs/script/graphql/utils/remove-hidden-schema-members.rb

Line 99 in 5107ae6

schema.send(:own_orphan_types).clear

More info on how to fix Insecure Use of Language/Framework API in Ruby.

Insecure Processing of Data (12)
Docs Details
💡 Title: Insecure Deserialization (yaml), Severity: High

docs/tests/unit/actions-workflows.js

Line 11 in 5107ae6

const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath })
💡 Title: Insecure Deserialization (yaml), Severity: High

docs/tests/helpers/crowdin-config.js

Line 7 in 5107ae6

return yaml.load(fs.readFileSync(filename, 'utf8'), { filename })
💡 Title: Unvalidated Redirect in Express redirect(), Severity: Low

docs/middleware/redirects/language-code-redirects.js

Line 15 in 5107ae6

return res.redirect(301, req.path.replace(redirectPattern, `/${language.code}`))
💡 Title: Unvalidated Redirect in Express redirect(), Severity: Low

docs/middleware/contextualizers/enterprise-release-notes.js

Line 94 in 5107ae6

return res.redirect(`https://enterprise.github.com/releases/${requestedVersion}.0/notes`)
💡 Title: Unvalidated Redirect in Express redirect(), Severity: Low

docs/middleware/archived-enterprise-versions.js

Line 24 in 5107ae6

return res.redirect(301, req.baseUrl + req.path.replace(/^\/en/, ''))
💡 Title: Unvalidated Redirect in Express redirect(), Severity: Low

docs/middleware/archived-enterprise-versions.js

Line 33 in 5107ae6

return res.redirect(301, redirect)
💡 Title: Unvalidated Redirect in Express redirect(), Severity: Low

docs/middleware/redirects/external.js

Line 6 in 5107ae6

return res.redirect(301, externalSites[req.path])
💡 Title: Unvalidated Redirect in Express redirect(), Severity: Low

docs/middleware/redirects/handle-redirects.js

Line 50 in 5107ae6

return res.redirect(301, redirect)
💡 Title: XSS (Express), Severity: Medium

docs/middleware/render-page.js

Line 144 in 5107ae6

res.send(addCsrf(req, output))
💡 Title: XSS (Express), Severity: Medium

docs/middleware/loaderio-verification.js

Line 5 in 5107ae6

return res.send(req.path.replace(/\//g, ''))
💡 Title: XSS (Express), Severity: Medium

docs/middleware/enterprise-server-releases.js

Line 12 in 5107ae6

return res.send(await liquid.parseAndRender(layouts['enterprise-server-releases'], req.context))
💡 Title: XSS (Express), Severity: Medium

docs/middleware/dev-toc.js

Line 8 in 5107ae6

return res.send(await liquid.parseAndRender(layouts['dev-toc'], req.context))

More info on how to fix Insecure Processing of Data in JavaScript.

Hard-Coded Secrets (1)
Docs Details
💡 Title: Hard-coded API secret, Severity: Medium

docs/tests/rendering/events.js

Line 13 in 5107ae6

process.env.AIRTABLE_API_KEY = '$AIRTABLE_API_KEY$'

More info on how to fix Hard-Coded Secrets in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

@dotam99 dotam99 merged commit 69b4b4c into main Jun 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@snyk-bot @dotam99