Patched slug CVE-2017-16117 by truncating input

Keith Irwin 2018-08-14 23:09:52 +00:00
parent 6e453ac15c
commit 6925839f9b
5 changed files with 14 additions and 4 deletions


@ -7,6 +7,7 @@
* Improved debugging output * Improved debugging output
* Tried to fix scrollwheel * Tried to fix scrollwheel
* Fixed security audited npm packages * Fixed security audited npm packages
* Patched [CVE-2017-16117](https://github.com/dodo/node-slug/issues/82) on [node-slug](https://github.com/dodo/node-slug)
###### v0.9.0 ###### v0.9.0
* [#121](https://github.com/Tracman-org/Server/issues/121) Fixed various security holes * [#121](https://github.com/Tracman-org/Server/issues/121) Fixed various security holes


@ -67,6 +67,7 @@ Tracman will be updated according to [this branching model](http://nvie.com/post
* Removed express validator and replaced with homegrown function * Removed express validator and replaced with homegrown function
* Fixed showing welcome message on every login * Fixed showing welcome message on every login
* Removed naked domains * Removed naked domains
* Patched [CVE-2017-16117](https://github.com/dodo/node-slug/issues/82) on [node-slug](https://github.com/dodo/node-slug)
###### v0.8.x ###### v0.8.x
* Hotfixed service worker bugs * Hotfixed service worker bugs


@ -5,10 +5,13 @@ const mail = require('../mail.js')
const User = require('../models.js').user const User = require('../models.js').user
const crypto = require('crypto') const crypto = require('crypto')
const moment = require('moment') const moment = require('moment')
const slugify = require('slug')
const sanitize = require('mongo-sanitize') const sanitize = require('mongo-sanitize')
const debug = require('debug')('tracman-routes-auth') const debug = require('debug')('tracman-routes-auth')
const env = require('../env/env.js') const env = require('../env/env.js')
// Trim slug to patch CVE-2017-16117
const slugify = function(s) {
return require('slug')(s.slice(0,99))
}
module.exports = (app, passport) => { module.exports = (app, passport) => {
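Review bot: Capping the input at 99 characters in the new `slugify` wrapper bounds the cost of the backtracking regex in `slug` but leaves the vulnerable pattern in the dependency, so the durable fix is to move the `slug` pin to a release where the advisory is closed and keep the cap only as defense in depth; package.json is not in this hunk, so I can't tell whether that was done. Calling `require('slug')` on every invocation also works only because of the module cache, and the bare `99` deserves a name: `const baseSlug = require('slug')`, `const SLUG_MAX_LENGTH = 99`, `return baseSlug(s.slice(0, SLUG_MAX_LENGTH))`. Note that `s.slice` throws a TypeError when a caller passes a non-string such as an undefined form field, so confirm every call site in this router always hands it a string.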


@ -1,9 +1,12 @@
'use strict' 'use strict'
const router = require('express').Router() const router = require('express').Router()
const slug = require('slug')
const xss = require('xss') const xss = require('xss')
const User = require('../models.js').user const User = require('../models.js').user
// Trim slug to patch CVE-2017-16117
const slug = function(s) {
return require('slug')(s.slice(0,99))
}
module.exports = router module.exports = router
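Review bot: This is a second verbatim copy of the truncating `slug` wrapper added in this commit (the auth and settings routes carry the same four lines), so the 99-character bound now lives in three places that have to be kept in sync by hand. Extracting it into one shared helper required by each route would keep the mitigation uniform and make a later upgrade of `slug` a single edit. Separately, `s.slice(0,99)` cuts by UTF-16 code units and can split a surrogate pair at the boundary, leaving a lone surrogate in the string handed to `slug`; `Array.from(s).slice(0, 99).join('')` truncates by code point if the strings fed in here can contain astral characters.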


@ -1,14 +1,16 @@
'use strict' 'use strict'
const slug = require('slug')
const xss = require('xss') const xss = require('xss')
const mw = require('../middleware.js') const mw = require('../middleware.js')
const User = require('../models.js').user const User = require('../models.js').user
const mail = require('../mail.js') const mail = require('../mail.js')
const env = require('../env/env.js') const env = require('../env/env.js')
const sanitize = require('mongo-sanitize')
const debug = require('debug')('tracman-routes-settings') const debug = require('debug')('tracman-routes-settings')
const router = require('express').Router() const router = require('express').Router()
// Trim slug to patch CVE-2017-16117
const slug = function(s) {
return require('slug')(s.slice(0,99))
}
// Settings form // Settings form
router.route('/') router.route('/')
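Review bot: The hunk counts (`-1,14 +1,16` with the four-line helper added and `const slug = require('slug')` removed) imply that `const sanitize = require('mongo-sanitize')` is a deleted line, so any `sanitize(` call still present further down this settings router would now throw a ReferenceError at request time; if it was dropped because it was unused, it is worth confirming that the settings form's user-supplied fields are still filtered somewhere before they reach Mongo. The `router.route('/')` handler begins at the end of the hunk and continues outside it, so I can't see its body. The `slug` wrapper here also re-runs `require('slug')` on every call, hard-codes `99`, and raises a TypeError on non-string input, so `const baseSlug = require('slug')` hoisted above it with a named limit would read more clearly.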