Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5 untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause of the issue is during dataframe parsing. Affected versions would allocate a buffer based on the declared dataframe size, which may come from an untrusted source. When `Vec::with_capacity` fails to allocate, the default Rust allocator will abort the current process, killing all threads. This affects only the sync (non-Tokio) implementation. The async version also does not limit memory, but does not use `with_capacity`, so DoS can happen only when the bytes for the oversized dataframe or message are actually delivered by the attacker.

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The `core.exportVariable` function uses a well-known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the `GITHUB_ENV` file may cause the path or other environment variables to be modified without the intention of the workflow or action author. If you are unable to upgrade the package, you can modify your action to ensure that any user input does not contain the delimiter `_GitHubActionsFileCommandDelimeter_` before calling `core.exportVariable`.

This library allows strings to be parsed as functions and stored as a specialized component, (). To do this, Javascript's () function is used to execute strings that begin with "function" as Javascript. This unfortunately could allow arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous. One important note is that users who have defined a custom () callback prop on the () component should be ***unaffected***. This vulnerability exists in the default `onSubmitValueParser` prop, which calls (). A prop called `allowFunctionEvaluation` is added to `JsonTree`. This prop will be set to `true` in v2.2.2, which allows upgrading without losing backwards compatibility. In v2.2.2, we switched from using `eval` to using () to construct anonymous functions. This is better than `eval` for the following reasons:
- Arbitrary code should not be able to execute immediately, since the `Function` constructor explicitly *only creates* anonymous functions
- Functions are created without local closures, so they only have access to the global scope
If you use:
- **Version `=3.0.0`**, `allowFunctionEvaluation` is already set to `false` by default, so no further steps are necessary.

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.