CTFNote
Dependencies can be updated? Could the PRs dependabot has created be merged?
Or is this project dead?
Hello,
Or is this project dead?
Everything is subjective :-)
semver
patches are for a ReDoS vulnerability. CTFNote does not parse version numbers from user input.
word-wrap
patches are for a ReDoS vulnerability. It is only used by a linter.
graphql
patches are for a denial of service. I could not trigger the vulnerability [1].
PostCSS
patches are for a CSS injection in the linter? I'm not sure about this. Either way, CTFNote does not parse CSS from user input.
In other words, those patches fix vulnerabilities that have no impact on CTFNote.
Patches usually come with changes like new features (that will not magically be used) or other miscellaneous changes (that might introduce bugs or worsen performance). So not only do these patches bring no value to CTFNote, they might actually make it worse.
The PRs are still open because:
- we might be wrong about a vulnerability having no impact, so anybody is welcome to prove us wrong and contribute an exploit
- they act as a reminder that we are making specific assumptions
If this is a problem for you (e.g. because of strict corporate policies), feel free to let us know and we will see what we can do.
Edit: [1]: for the record, here is how I tried to reproduce the vulnerability:
<?php
// graphql.php: emit a JSON array holding a single GraphQL operation
// (batched-request shape) whose selection set repeats __typename 1000 times.
echo json_encode([
    [
        // "operationName" => "getSettings",
        "query" => "{" . str_repeat("__typename ", 1000) . "}",
        "variables" => [],
    ]
]);
# Time the request against a local CTFNote instance, feeding the generated body to curl.
time curl -v http://localhost/graphql \
  --header 'Content-Type: application/json' \
  --data-binary "$(php graphql.php)"
Thanks a lot for the lengthy explanations and testing. I just wanted to know if dependencies could impact me if I host this software on a server.
If I want to deploy it in a work environment, it's probably better to have the bump if it's easy; if it's hard, you can take your time.
@AkechiShiro, CTFNote v3.0.0 just dropped which includes a dependency update :)