Patched slug CVE-2017-16117 by truncating input

5 years ago · 6925839f9b
parent 6e453ac15c
commit 6925839f9b
5 changed files with 14 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,7 @@
 * Improved debugging output
 * Tried to fix scrollwheel
 * Fixed security audited npm packages
+* Patched [CVE-2017-16117](https://github.com/dodo/node-slug/issues/82) on [node-slug](https://github.com/dodo/node-slug)

 ###### v0.9.0
 * [#121](https://github.com/Tracman-org/Server/issues/121) Fixed various security holes
--- a/README.md
+++ b/README.md
@ -67,6 +67,7 @@ Tracman will be updated according to [this branching model](http://nvie.com/post
 * Removed express validator and replaced with homegrown function
 * Fixed showing welcome message on every login
 * Removed naked domains
+* Patched [CVE-2017-16117](https://github.com/dodo/node-slug/issues/82) on [node-slug](https://github.com/dodo/node-slug)

 ###### v0.8.x
 * Hotfixed service worker bugs
--- a/config/routes/auth.js
+++ b/config/routes/auth.js
@ -5,10 +5,13 @@ const mail = require('../mail.js')
 const User = require('../models.js').user
 const crypto = require('crypto')
 const moment = require('moment')
-const slugify = require('slug')
 const sanitize = require('mongo-sanitize')
 const debug = require('debug')('tracman-routes-auth')
 const env = require('../env/env.js')
+// Trim slug to patch CVE-2017-16117
+const slugify = function(s) {
+  return require('slug')(s.slice(0,99))
+}

 module.exports = (app, passport) => {

--- a/config/routes/index.js
+++ b/config/routes/index.js
@ -1,9 +1,12 @@
 'use strict'

 const router = require('express').Router()
-const slug = require('slug')
 const xss = require('xss')
 const User = require('../models.js').user
+// Trim slug to patch CVE-2017-16117
+const slug = function(s) {
+  return require('slug')(s.slice(0,99))
+}

 module.exports = router

--- a/config/routes/settings.js
+++ b/config/routes/settings.js
@ -1,14 +1,16 @@
 'use strict'

-const slug = require('slug')
 const xss = require('xss')
 const mw = require('../middleware.js')
 const User = require('../models.js').user
 const mail = require('../mail.js')
 const env = require('../env/env.js')
-const sanitize = require('mongo-sanitize')
 const debug = require('debug')('tracman-routes-settings')
 const router = require('express').Router()
+// Trim slug to patch CVE-2017-16117
+const slug = function(s) {
+  return require('slug')(s.slice(0,99))
+}

 // Settings form
 router.route('/')