Conversation
const maliciousObj = { "__proto__": { "oops": "It works !" }};
_.merge(myObj, maliciousObject);
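Review bot: `maliciousObject` on the `_.merge(myObj, maliciousObject)` line is never declared; the line above declares `maliciousObj`, so this call throws a ReferenceError before `_.merge` runs and the snippet does not exercise the merge the findings below refer to. Use one name consistently on both lines.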
Risk: Versions of lodash.merge before 4.6.2 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via `__proto__` causing the addition or modification of an existing property that will exist on all objects. Please remediate by updating to version 4.6.2 or later. GHSA-h726-x36v-rx45
Fix: Upgrade this library to at least version 4.6.2 at pr-comment-test/yarn.lock:10.
Reference(s): GHSA-h726-x36v-rx45
Ignore this finding from ssc-086b4e74-9104-4eac-8248-5ee405f69181.
Risk: lodash 4.17.x before 4.17.12, lodash.defaultsdeep 4.6.x before 4.6.1, lodash.mergewith 4.6.x before 4.6.2, lodash.merge 4.6.x before 4.6.2, and lodash.template 4.5.x before 4.5.0 are vulnerable to improper input validation. Several lodash methods unsafely perform object merges, allowing user input to override object prototypes. Upgrade to lodash 4.17.12, lodash.defaultsdeep 4.6.1, lodash.mergewith 4.6.2, lodash.merge 4.6.2, or lodash.template 4.5.0.
Fix: Upgrade this library to at least version 4.6.2 at pr-comment-test/yarn.lock:15.
Reference(s): GHSA-jf85-cpcp-j695, CVE-2019-10744
Ignore this finding from ssc-a4fd0e64-ce76-449c-8e09-743db9edce4e.
function notExposedVuln(args) {
  //const args = ["a", "b", "c", "d"]
  console.log(minimist(args))
}
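Review bot: The name `notExposedVuln` and the commented-out `args` line do not change the finding below: it is raised against the minimist version pinned at pr-comment-test/yarn.lock:25, not against whether this call is reachable, so the upgrade to 1.2.6 (or the listed ignore action) is still required.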
Risk: Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Fix: Upgrade this library to at least version 1.2.6 at pr-comment-test/yarn.lock:25.
Reference(s): GHSA-xvch-5gv4-984h, CVE-2021-44906
Ignore this finding from ssc-f393d233-855d-49c5-a1c5-7a742519601a.
No description provided.