https://huntr.dev/bounties/1-npm-sanitize #1
👋 Hello, @janghwan. @frank-dspeed has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:
Is this vulnerability fixed in the sanitize module?
@abhisek3122 Sure it is, but it is not needed anymore at all, so I deprecated it #(deprecated)!!! Use the Sanitizer API.
Regarding my bounty from huntr? I was told I would get a $40 bounty once after the fix.
@abhisek3122 - did the maintainer accept a fix into the upstream repository?
I don't know about it, I didn't push the fix. Another person did.
@abhisek3122 You will get nothing and I will get nothing; the maintainer will not accept a fix, and it is already deprecated as there is now a native API for this. I do not expect that the maintainer merges this or even looks into this. I fixed it without knowing that, but I am fine with it.
@frank-dspeed ohh ok. That's fine.
@JamieSlome - I think the fix has been accepted and committed.
📊 Metadata *
Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.
Bounty URL:
https://huntr.dev/bounties/1-npm-sanitize
⚙️ Description *
I added HTML escaping to all string methods as requested, and also exposed new Raw methods for people who still need the old behavior.
💻 Technical Description *
Implemented HTML escaping in all string methods as requested.
🐛 Proof of Concept (PoC) *
Provide the vulnerability exploit to show the security issue you're fixing.
🔥 Proof of Fix (PoF) *
Open this URL http://localhost:3001/ping?param=hi'"><script>alert(1)</script>
Drive link: https://drive.google.com/drive/folders/1rq7ztN4kQUtcJWx8iTiRpHI8nKSvD90a?
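The shape of the fix described above, as an added example that is not node-sanitize's code or this PR's diff: an escaping string filter as the safe default, a separate raw filter that keeps the old pass-through behavior, and the proof-of-fix payload run through both. The function names (`escapeHtml`, `str`, `strRaw`, `sanitizeQuery`, `renderPing`) are assumptions, not the module's API.

```javascript
// Added example, not node-sanitize's own API. Function names are assumptions.

// Escape the five characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// str: the hardened string filter. null/undefined stay null; everything else is
// coerced to a string and escaped, so it is safe to echo into HTML.
function str(value) {
  if (value === null || value === undefined) return null;
  return escapeHtml(value);
}

// strRaw: the "Raw" variant the PR description mentions, for callers who still
// want the unescaped string (e.g. when a templating layer escapes later).
function strRaw(value) {
  if (value === null || value === undefined) return null;
  return String(value);
}

// Apply a filter per key to a parsed querystring object; keys without a filter
// are dropped rather than passed through.
function sanitizeQuery(query, filters) {
  const out = {};
  for (const [key, filter] of Object.entries(filters)) {
    out[key] = filter(query[key]);
  }
  return out;
}

// Constructed input: the payload from the proof-of-fix URL, already URL-decoded.
const POC_PARAM = 'hi\'"><script>alert(1)</script>';

// A /ping-style handler that echoes the param. With the escaping filter the
// echoed value cannot open a tag or close an attribute, so it renders as text.
function renderPing(query) {
  const clean = sanitizeQuery(query, { param: str });
  return `<p>pong: ${clean.param}</p>`;
}
```

The test for this module is the last line of the page's proof-of-fix: the same request that popped an alert before the fix now renders the payload as inert text.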
👍 User Acceptance Testing (UAT)
node-sanitize$ make
sanitize.js
sanitize()
value()
✓ should validate bool with value true
✓ should validate bool with value false
✓ should validate bool with value null
✓ should validate int with value 1
✓ should validate int with value 1
✓ should validate int with value undefined
✓ should validate int with value null
✓ should validate int with value asdf
✓ should validate float with value 0
✓ should validate float with value 1.1
✓ should validate float with value 1.123456,2
✓ should validate float with value null
✓ should validate float with value undefined
✓ should validate float with value a1asdf
✓ should validate phone with value 408-123-4567
✓ should validate phone with value (408) 123 - 4567
✓ should validate phone with value
✓ should validate phone with value null
✓ should validate phone with value undefined
✓ should validate email with value test@test.com
✓ should validate email with value test
✓ should validate email with value
✓ should validate email with value null
✓ should validate email with value undefined
✓ should validate url with value http://grooveshark.com/#!/search?q=funky+music
✓ should validate url with value grooveshark.com/#!/search?q=funky+music
✓ should validate url with value grooveshark.com/#!/search?q=funky+music,sftp
✓ should validate url with value sftp://grooveshark.com/#!/search?q=funky+music,sftp
✓ should validate url with value http://grooveshark.com/#!/search?q=funky+music,sftp
✓ should validate url with value
✓ should validate url with value ://asdf
✓ should validate url with value null
✓ should validate url with value undefined
✓ should validate /123/i with value abc123
✓ should validate /abc123/ with value ABC123
✓ should validate /1/ with value null
✓ should validate /1/ with value undefined
✓ should validate function(value) {
return value.toString() + '123';
} with value abc
✓ should validate function(value) {
return null
} with value
✓ should validate str with value abcde
✓ should validate str with value 1
✓ should validate str with value null
✓ should validate str with value undefined
✓ should validate string with value function Error() { [native code] }
✓ should validate json with value {"id": 1, "name": "watson"}
✓ should validate json with value {
✓ should validate json with value null
✓ should validate json with value undefined
✓ should validate array with value 1,2,3
✓ should validate array with value 1,2,3
✓ should validate array with value
✓ should validate obj with value Wed Apr 14 2021 16:33:44 GMT+0200 (Mitteleuropäische Sommerzeit)
✓ should validate pojo with value Wed Apr 14 2021 16:33:44 GMT+0200 (Mitteleuropäische Sommerzeit)
✓ should validate pojo with value [object Object]
object()
✓ a plain object {"user_id":1,"password":"abc123","email":"test@test.com"} should be valid by {"user_id":"int","password":"str","email":"email"}
✓ a plain object {"password":"abc123","email":"test@test.com"} should be invalidated by {"user_id":"str","password":"str","email":"email"}
✓ a plain object {"user_id":null,"password":"abc123","email":"test@test.com"} should be invalidated by {"user_id":"str","password":"str","email":"email"}
✓ a plain object {"user_id":1,"password":"abc123","email":"test"} should be invalidated by {"user_id":"str","password":"str","email":"email"}
primitive()
✓ should remove all non strings and numbers and convert booleans to 1 or 0
array()
✓ should validate an array of valid values
✓ should invalidate an array with at least one invalid value
✓ should invalidate an array with a NaN
✓ should invalidate an array with an undefined
oneOf()
{
my: Sanitizer {},
value: [Function (anonymous)],
primitives: [Function: primitives],
object: [Function: filterProps],
array: [Function: array]
}
✓ should validate a string if it is within finite list
{
my: Sanitizer {},
value: [Function (anonymous)],
primitives: [Function: primitives],
object: [Function: filterProps],
array: [Function: array]
}
✓ should invalidate a string if it is not within finite list
{
my: Sanitizer {},
value: [Function (anonymous)],
primitives: [Function: primitives],
object: [Function: filterProps],
array: [Function: array]
}
✓ should invalidate a string if finite list is not an array
sanitize.my
✓ should have sanitizing functions directly attached to it
sanitize.middleware
✓ should sanitize float numbers
✓ should sanitize float numbers with precision
✓ should sanitize arrays of items
✓ should sanitize arrays of items with an arg applied to each item
✓ should sanitize integer numbers
✓ should sanitize emails
✓ should sanitize strings
✓ should sanitize patterns
✓ should sanitize one of
sanitize.Sanitizer
✓ should support custom filters
✓ should support overriding default filters
78 passing (30ms)