mirror of https://github.com/Unleash/unleash.git synced 2025-02-23 00:22:19 +01:00

fix: resolve tar to 6.2.1 (#7256)

https://github.com/isaacs/node-tar/compare/v6.1.11...v6.2.1

This solves an issue:

> ### Denial of service while parsing a tar file due to lack of folders count validation
>
> During some analysis today on npm's node-tar package I came across the folder creation process. Basically, if you provide node-tar with a path like this ./a/b/c/foo.txt it would create every folder and sub-folder here a, b and c until it reaches the last folder to create foo.txt. In this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to consume the CPU and memory of the system running node-tar and even crash the nodejs client within a few seconds of running it using a path with too many sub-folders inside.
Gastón Fournier 2024-06-04 09:35:00 +02:00 committed by GitHub
parent d6b158b8b0
commit cadf3fb061
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 2 additions and 1 deletions


@ -226,6 +226,7 @@
"ssh2": "^1.4.0", "ssh2": "^1.4.0",
"json-schema": "^0.4.0", "json-schema": "^0.4.0",
"ip": "^2.0.1", "ip": "^2.0.1",
"tar": "6.2.1",
"minimatch": "^5.0.0", "minimatch": "^5.0.0",
"semver": "^7.5.3", "semver": "^7.5.3",
"tough-cookie": "4.1.4" "tough-cookie": "4.1.4"
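Review bot: the new `"tar": "6.2.1"` entry is an exact pin with no caret, unlike most neighbours in this block (`"ssh2": "^1.4.0"`, `"minimatch": "^5.0.0"`, `"semver": "^7.5.3"`), so later tar patch releases will not be picked up until someone edits this line again; either use `"^6.2.1"` if the intent is only a floor above the vulnerable range, or keep the exact pin (as `"tough-cookie": "4.1.4"` does) and say in the commit message that it needs manual bumping.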


@ -7024,7 +7024,7 @@ swagger2openapi@^7.0.6:
yaml "^1.10.0" yaml "^1.10.0"
yargs "^17.0.1" yargs "^17.0.1"
tar@^6.1.11: tar@6.2.1, tar@^6.1.11:
version "6.2.1" version "6.2.1"
resolved "https://registry.yarnpkg.com/tar/-/tar-6.2.1.tgz#717549c541bc3c2af15751bea94b1dd068d4b03a" resolved "https://registry.yarnpkg.com/tar/-/tar-6.2.1.tgz#717549c541bc3c2af15751bea94b1dd068d4b03a"
integrity sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A== integrity sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==
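Review bot: the `version "6.2.1"`, `resolved` and `integrity` lines are unchanged context on both sides of this hunk, so `tar@^6.1.11` was already resolving to 6.2.1 in the lockfile before this change; the only delta is adding the `tar@6.2.1` specifier to the same entry. The resolution therefore guards against future drift back into the vulnerable range rather than upgrading anything today, which the commit message ("resolve tar to 6.2.1") could state explicitly so reviewers do not expect a version bump in the installed tree.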