anthony-bible / password-exchange Goto Github PK
View Code? Open in Web Editor NEWHome Page: https://password.exchange
License: MIT License
Home Page: https://password.exchange
License: MIT License
This can best be done by a bootstrap modal
This can best be done by a bootstrap modal.
Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.9.0.zip
Dependency Hierarchy:
Found in base branch: master
In Gin Web Framework the filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.
Publish Date: 2023-04-05
URL: CVE-2023-29401
Base Score Metrics:
Step up your Open Source Security Game with Mend here
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl
Path to dependency file: /slackbot/requirements.txt
Path to vulnerable library: /slackbot/requirements.txt,/slackbot/requirements.txt
Dependency Hierarchy:
Found in base branch: master
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value
instead of key=value
. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad
for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad
as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
Publish Date: 2023-02-14
URL: CVE-2023-23934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934
Release Date: 2023-02-14
Fix Resolution: 2.2.3
Step up your Open Source Security Game with Mend here
[mirror] Go text processing support
Dependency Hierarchy:
Found in HEAD commit: 337b33b514b0a65fd52482aa10cefd0cbf566398
Found in base branch: master
Due to improper index calculation, an incorrectly formatted language tag can cause Parse
to panic, due to an out of bounds read. If Parse is used to process untrusted user inputs,
this may be used as a vector for a denial of service attack.
Publish Date: 2021-08-12
URL: CVE-2021-38561
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2021-0113
Release Date: 2021-08-12
Fix Resolution: v0.3.7
Step up your Open Source Security Game with WhiteSource here
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
WORKSPACE
io_bazel_rules_go v0.35.0
bazel_gazelle v0.26.0
build_stack_rules_proto 36ceb79a987a6de33768c8bdb08d22b516a7e32e
build_stack_bazel_gazelle_debug 2518a88cb0908f1896ff50b506e87d880a9695cb
bazel_skylib 1.3.0
rules_proto_grpc 4.1.1
rules_python 0.8.1
com_google_protobuf v3.21.10
io_bazel_rules_docker v0.25.0
alpine_linux_amd64 3.16@sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
python3_linux_amd64 3.11.0-slim-buster@sha256:876053fd9c3f645ed21e9e03122ecc1520be76473be89e5d222c748cad432bde
io_bazel_rules_k8s v0.6
.bazelversion
bazel 5.3.2
.devcontainer/Dockerfile
mcr.microsoft.com/vscode/devcontainers/go 0-1.18-bullseye
Dockerfile
python 3.11.0-slim-buster
.github/workflows/autopr.yaml
actions/checkout v2
.github/workflows/bazel-build.yml
docker/login-action v2
actions/checkout v3
softprops/action-gh-release v1
ubuntu 20.04
.github/workflows/codeql-analysis.yml
actions/checkout v3
github/codeql-action v2
github/codeql-action v2
github/codeql-action v2
app/go.mod
go 1.19
github.com/gin-gonic/gin v1.9.0
github.com/go-kit/kit v0.12.0
github.com/go-sql-driver/mysql v1.6.0
github.com/golang/protobuf v1.5.2
github.com/p768lwy3/gin-server-timing v0.0.0-20200316080543-ab69795cf847@ab69795cf847
github.com/rabbitmq/amqp091-go v1.5.0
github.com/rs/xid v1.4.0
github.com/rs/zerolog v1.28.0
github.com/spf13/cobra v1.6.1
github.com/spf13/viper v1.13.0
golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e@793ad666bf5e
google.golang.org/grpc v1.51.0
google.golang.org/protobuf v1.28.1
slackbot/requirements.txt
beautifulsoup4 ==4.11.1
click ==8.1.3
Flask ==2.2.5
google ==3.0.0
greenlet ==2.0.1
grpcio ==1.51.1
grpcio-tools ==1.50.0
gunicorn ==20.1.0
importlib-metadata ==5.0.0
itsdangerous ==2.1.2
Jinja2 ==3.1.2
mariadb ==1.0.11
MarkupSafe ==2.1.1
mysqlclient ==2.1.1
protobuf ==4.21.9
six ==1.16.0
slack-bolt ==1.15.5
slack-sdk ==3.19.4
soupsieve ==2.3.2.post1
SQLAlchemy ==1.4.44
Werkzeug ==2.2.3
zipp ==3.11.0
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Location: .github/renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: Invalid configuration option: extends
Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.
Dependency Hierarchy:
Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4
Found in base branch: master
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2016-4055
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4055
Release Date: 2017-01-23
Fix Resolution: 2.11.2
Step up your Open Source Security Game with WhiteSource here
Protocol Buffers
Path to dependency file: /slackbot/requirements.txt
Path to vulnerable library: /slackbot/requirements.txt,/slackbot/requirements.txt
Dependency Hierarchy:
Found in base branch: master
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
Base Score Metrics:
Type: Upgrade version
Origin: https://cloud.google.com/support/bulletins#GCP-2022-019
Release Date: 2022-09-22
Fix Resolution: Google.Protobuf - 3.18.3,3.19.5,3.20.2,3.21.6;protobuf-python - 3.18.3,3.19.5,3.20.2,4.21.6
Step up your Open Source Security Game with Mend here
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl
Path to dependency file: /slackbot/requirements.txt
Path to vulnerable library: /slackbot/requirements.txt,/slackbot/requirements.txt
Dependency Hierarchy:
Found in base branch: master
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data
, request.form
, request.files
, or request.get_data(parse_form_data=False)
, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.
Publish Date: 2023-02-14
URL: CVE-2023-25577
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-25577
Release Date: 2023-02-14
Fix Resolution: 2.2.3
Step up your Open Source Security Game with Mend here
Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.
Dependency Hierarchy:
Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4
Found in base branch: master
Regular expression denial of service vulnerability in the moment package, by using a specific 40 characters long string in the "format" method.
Publish Date: 2016-10-24
URL: WS-2016-0075
Base Score Metrics:
Type: Upgrade version
Origin: moment/moment#3525
Release Date: 2016-10-24
Fix Resolution: 2.15.2
Step up your Open Source Security Game with WhiteSource here
Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.
Dependency Hierarchy:
Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4
Found in base branch: master
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Step up your Open Source Security Game with WhiteSource here
Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.
Dependency Hierarchy:
Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4
Found in base branch: master
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
Publish Date: 2018-03-04
URL: CVE-2017-18214
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214
Release Date: 2018-03-04
Fix Resolution: 2.19.3
Step up your Open Source Security Game with WhiteSource here
A simple framework for building complex web applications.
Library home page: https://files.pythonhosted.org/packages/0f/43/15f4f9ab225b0b25352412e8daa3d0e3d135fcf5e127070c74c3632c8b4c/Flask-2.2.2-py3-none-any.whl
Path to dependency file: /slackbot/requirements.txt
Path to vulnerable library: /slackbot/requirements.txt
Dependency Hierarchy:
Found in base branch: master
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches Set-Cookie
headers, it may send one client's session
cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.
session.permanent = True
SESSION_REFRESH_EACH_REQUEST
enabled (the default).Cache-Control
header to indicate that a page is private or should not be cached.This happens because vulnerable versions of Flask only set the Vary: Cookie
header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Publish Date: 2023-05-02
URL: CVE-2023-30861
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-30861
Release Date: 2023-05-02
Fix Resolution: 2.3.2
Step up your Open Source Security Game with Mend here
This isn't a done desciscion but one that's being contemplated:
Switching from bcrypt to argon2id will help alleviate the possibility of fgpas quickly bruteforcing passwords since it uses more memory. I'll update this issue as I research and find more information
This issue is to track the feature that will allow users to add the ability to upload files
Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.
Dependency Hierarchy:
Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Step up your Open Source Security Game with WhiteSource here
Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.
Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.8.1.zip
Dependency Hierarchy:
Found in base branch: master
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.
Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
Publish Date: 2023-05-04
URL: CVE-2023-26125
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.
Dependency Hierarchy:
Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4
Found in base branch: master
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Step up your Open Source Security Game with WhiteSource here
[mirror] Go supplementary cryptography libraries
Dependency Hierarchy:
Found in HEAD commit: 337b33b514b0a65fd52482aa10cefd0cbf566398
Found in base branch: master
There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.
Publish Date: 2021-11-10
URL: CVE-2021-43565
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.
Dependency Hierarchy:
Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4
Found in base branch: master
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
Publish Date: 2017-03-15
URL: CVE-2016-7103
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7103
Release Date: 2017-03-15
Fix Resolution: 1.12.0
Step up your Open Source Security Game with WhiteSource here
In the app/cmd/web/
folder there is a section that displays a page that has people select whether to input a password. Only display this page if the password column is not empty.
Go testing in the browser. Integrates with `go test`. Write behavioral tests in Go.
Dependency Hierarchy:
Found in HEAD commit: 3b232af8b9a5f8a3aa4da628daf24ce315858de4
Found in base branch: master
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
Step up your Open Source Security Game with WhiteSource here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.