
Vulnerability: Misinterpretation of malicious XML input #203

Closed
leifjones opened this issue Mar 18, 2021 · 6 comments

Comments

@leifjones

Per this advisory, it seems that it's recommended that a version of xmldom >= 0.5.0 is used instead.

I came upon this when running npm install for a project that currently utilizes JUnitXMLReporter of this package.

@arobinson

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Misinterpretation of malicious XML input                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xmldom                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.7.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jasmine-reporters [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jasmine-reporters > xmldom                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1769                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@fennibay
Contributor

fennibay commented Aug 20, 2021

xmldom could not be updated due to missing permissions. The proposed solution is to switch to @xmldom/xmldom. Refs: xmldom/xmldom#278, xmldom/xmldom#271

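The audit report above shows the finding as a dependency path (`jasmine-reporters > xmldom`), and the proposed fix is to move to the scoped `@xmldom/xmldom` package. The script below is an added example, not code from jasmine-reporters or from any commenter in this thread: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), reproduces npm's nested `node_modules` resolution to reconstruct that dependency path for every copy of the unscoped `xmldom` package, and reports them. The lockfile it runs on is constructed inline for illustration; the package versions in it are assumptions and do not reflect any real jasmine-reporters release.

```javascript
// Added example (not part of jasmine-reporters): find every install of the
// unscoped "xmldom" package in an npm lockfile and show who depends on it.
//
// Constructed lockfile fragment for illustration only. Versions are assumed.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': {
      name: 'example-app',
      dependencies: { '@xmldom/xmldom': '^0.7.3' },
      devDependencies: { 'jasmine-reporters': '^2.4.0' },
    },
    'node_modules/jasmine-reporters': {
      version: '2.4.0', dev: true,
      dependencies: { mkdirp: '^0.5.1', xmldom: '^0.1.22' },
    },
    'node_modules/mkdirp': { version: '0.5.5', dev: true },
    'node_modules/xmldom': { version: '0.1.31', dev: true },
    'node_modules/@xmldom/xmldom': { version: '0.7.3' },
  },
};

// Resolve `name` as Node would from the package installed at `fromPath`:
// try fromPath/node_modules/name, then each enclosing node_modules directory,
// and finally the top-level node_modules. Returns the lockfile key or null.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Invert the dependency edges: installed location -> list of dependents.
function buildParents(packages) {
  const parents = new Map();
  for (const [from, entry] of Object.entries(packages)) {
    const declared = {
      ...(entry.dependencies || {}),
      ...(entry.devDependencies || {}),
      ...(entry.optionalDependencies || {}),
    };
    for (const name of Object.keys(declared)) {
      const to = resolveDep(packages, from, name);
      if (!to) continue; // unresolvable entry in a hand-edited lockfile
      if (!parents.has(to)) parents.set(to, []);
      parents.get(to).push(from);
    }
  }
  return parents;
}

// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b".
function packageName(location) {
  const marker = 'node_modules/';
  return location.slice(location.lastIndexOf(marker) + marker.length);
}

// Follow the first recorded dependent up to the root ('') and render the
// chain the way `npm audit` prints its "Path" row: "jasmine-reporters > xmldom".
function dependencyChain(parents, location) {
  const names = [];
  const seen = new Set();
  let cur = location;
  while (cur !== undefined && cur !== '' && !seen.has(cur)) {
    seen.add(cur);
    names.unshift(packageName(cur));
    const dependents = parents.get(cur);
    cur = dependents ? dependents[0] : undefined;
  }
  return names.join(' > ');
}

// Report every installed copy of the unscoped "xmldom" package. The scoped
// "@xmldom/xmldom" replacement is deliberately not matched.
function findUnscopedXmldom(lock) {
  const packages = lock.packages || {};
  const parents = buildParents(packages);
  const findings = [];
  for (const [location, entry] of Object.entries(packages)) {
    if (packageName(location) !== 'xmldom') continue;
    findings.push({
      location,
      version: entry.version,
      dev: Boolean(entry.dev),
      path: dependencyChain(parents, location),
    });
  }
  return findings;
}

for (const f of findUnscopedXmldom(SAMPLE_LOCK)) {
  console.log(`xmldom@${f.version}${f.dev ? ' [dev]' : ''} via ${f.path} (${f.location})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. An empty result after upgrading jasmine-reporters confirms that the unscoped package is gone from the tree rather than merely hidden behind a newer version.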
@rvravi

rvravi commented Aug 27, 2021

@putermancer Could you please take a look in to this?

@larrymyers
Owner

Resolved in recently merged PR.

@rvravi

rvravi commented Aug 30, 2021

@larrymyers Could you please publish a version with this fix?

@fennibay
Contributor

> Resolved in recently merged PR.

Do you mean #205? I believe this fix is not correct, xmldom does not have a version 0.7.0. It was moved to @xmldom/xmldom, where the latest version is 0.7.3 currently. I had sent some links in my comment above about the background of this move.

I created new PR #206 to fix the issue.

Shall we re-open this issue until new jasmine-reporters version is published?
