Skip to content

Update requiremodulev3 monorepo #769

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Jan 9, 2024
Merged

Update requiremodulev3 monorepo #769

merged 14 commits into from
Jan 9, 2024

Conversation

07souravkunda
Copy link
Collaborator

No description provided.

@07souravkunda 07souravkunda requested a review from a team as a code owner January 2, 2024 13:16
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 2, 2024
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 2, 2024
View reviewed changes
bin/testObservability/helper/helper.js
if (WORKSPACE_MODULE_PATH) {
exports.debug(`Getting ${module} from path ${WORKSPACE_MODULE_PATH}`);
let workspace_path = null;
workspace_path = path.join(WORKSPACE_MODULE_PATH, 'node_modules', module);

Check warning

Code scanning / Semgrep

Semgrep Finding: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
bin/testObservability/helper/helper.js
/* Find from node path */
let node_path = null;
if (!exports.isUndefined(process.env.NODE_PATH)) {
node_path = path.join(process.env.NODE_PATH, module);

Check warning

Code scanning / Semgrep

Semgrep Finding: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
bin/testObservability/helper/helper.js
/* Find from global node modules path */
exports.debug(`Getting ${module} from ${GLOBAL_MODULE_PATH}`);

let global_path = path.join(GLOBAL_MODULE_PATH, module);

Check warning

Code scanning / Semgrep

Semgrep Finding: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 2, 2024
View reviewed changes
bin/testObservability/helper/helper.js
} catch (_) {
/* Find from current working directory */
exports.debug(`Getting ${module} from ${process.cwd()}`);
let local_path = path.join(process.cwd(), 'node_modules', module);

Check warning

Code scanning / Semgrep

Semgrep Finding: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
@07souravkunda
Copy link
Collaborator Author

07souravkunda commented Jan 2, 2024
edited
Loading

Whitelisted all the required module paths. If not in the list throw error. This will ensure any random value of the module is not allowed.

@bstack-security-github bstack-security-github merged commit f443bb6 into browserstack:master Jan 9, 2024
@pranavj1001 pranavj1001 mentioned this pull request Jan 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kamal-kaur04 kamal-kaur04 kamal-kaur04 approved these changes

@asambstack asambstack asambstack approved these changes

+1 more reviewer

@khrithik khrithik khrithik approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@07souravkunda @kamal-kaur04 @khrithik @asambstack @bstack-security-github @pranavj1001