Conversation
@@ -0,0 +1 @@
x = 5 == 5
No newline at end of file
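Review bot: `x = 5 == 5` stores the constant result of comparing 5 with itself, so `x` is always true and the comparison does nothing; this pattern usually signals a typo (an intended `x = 5` or `x == 5`), so either correct the intended expression or, if the line exists only to exercise the eqeq-is-bad rule, say so in a comment. The file also lacks a trailing newline; add one so later diffs on this file stay clean.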
Semgrep found 1
5 == 5 is a useless equality check. Ignore this finding from eqeq-is-bad.
function notExposedVuln(args) {
//const args = ["a", "b", "c", "d"]
console.log(minimist(args))
}
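Review bot: `notExposedVuln` passes `args` straight into `minimist`, and the Semgrep finding on this hunk ties the minimist pinned at pr-comment-test/yarn.lock:25 to a version <=1.2.5 with the prototype pollution in setKey(); bump the lockfile entry to at least 1.2.6 rather than suppressing the finding, since the function name alone does not establish that no caller reaches this sink. The commented-out `//const args = ["a", "b", "c", "d"]` is dead code; delete it or turn it into an actual test input.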
Risk: Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Fix: Upgrade this library to at least version 1.2.6 at pr-comment-test/yarn.lock:25.
Reference(s): GHSA-xvch-5gv4-984h, CVE-2021-44906
Ignore this finding from ssc-f393d233-855d-49c5-a1c5-7a742519601a.
const maliciousObj = { "__proto__": { "oops": "It works !" }};

_.merge(myObj, maliciousObject);
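Review bot: the object is declared as `maliciousObj` but `_.merge(myObj, maliciousObject)` passes `maliciousObject`, and `myObj` is not defined anywhere in this hunk, so as written the call throws a ReferenceError before lodash runs; align the two names and show where `myObj` comes from. Separately, a `"__proto__"` key written inside an object literal sets the new object's prototype instead of creating an own property named `__proto__`, so if this snippet is meant to reproduce the lodash.merge findings on this hunk, build the source from parsed JSON (which does produce an own `__proto__` key) or mark the snippet as illustrative; either way the remediation the findings ask for is the lockfile bump to lodash.merge 4.6.2 at pr-comment-test/yarn.lock:10 and yarn.lock:15, not a suppression.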
Risk: lodash 4.17.x before 4.17.12, lodash.defaultsdeep 4.6.x before 4.6.1, lodash.mergewith 4.6.x before 4.6.2, lodash.merge 4.6.x before 4.6.2, and lodash.template 4.5.x before 4.5.0 are vulnerable to improper input validation. Several lodash methods unsafely perform object merges, allowing user input to override object prototypes. Upgrade to lodash 4.17.12, lodash.defaultsdeep 4.6.1, lodash.mergewith 4.6.2, lodash.merge 4.6.2, or lodash.template 4.5.0.
Fix: Upgrade this library to at least version 4.6.2 at pr-comment-test/yarn.lock:15.
Reference(s): GHSA-jf85-cpcp-j695, CVE-2019-10744
Ignore this finding from ssc-a4fd0e64-ce76-449c-8e09-743db9edce4e.
Risk: Versions of lodash.merge before 4.6.2 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via proto, causing the addition or modification of an existing property that will exist on all objects. Please remediate by updating to version 4.6.2 or later. GHSA-h726-x36v-rx45
Fix: Upgrade this library to at least version 4.6.2 at pr-comment-test/yarn.lock:10.
Reference(s): GHSA-h726-x36v-rx45
Ignore this finding from ssc-086b4e74-9104-4eac-8248-5ee405f69181.
/semgrep-ignore emergency
/semgrep ignore emergency