requestretry vulnerability #44

Open
chrisleekr opened this issue Mar 2, 2022 · 2 comments

Comments

@chrisleekr

The requestretry v1.13.0 has a cookie exposure vulnerability.

To reproduce:

$ npm audit

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cookie exposure in requestretry                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ requestretry                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ opsgenie-sdk                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ opsgenie-sdk > requestretry                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-hjp8-2cm3-cc45            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Environment:

  • Node version: 14.19.0
  • opsgenie-sdk: 1.13.0

Could you update requestretry to 7.0.0?


hao4 commented Mar 9, 2022

Any update on this? Seems like there is already a dependabot PR opened: #43.


hao4 commented Mar 22, 2022

I see that a new version of opsgenie-sdk is released with the updated version of requestretry. Unfortunately it appears that the upgrade is a breaking change. Specifically, FGRibreau/node-request-retry@0979c60#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346R33 is now stripping away the authorization header. As a result, any call via the OpsGenie API using the new sdk will have no api_key, resulting in 401 error.

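As an added example, not code from opsgenie-sdk or requestretry (the thread links the fix commit but does not show it), the block below uses a hypothetical retry wrapper and a constructed in-memory transport to make the distinction this issue turns on concrete: a credential header such as Authorization or Cookie has to stay on every outbound attempt, while it has to stay out of the error object that ends up in logs or bug reports. Dropping it from the request itself is the 401 hao4 describes; leaving it in error output is the kind of exposure the advisory is about. Every name here is invented for the example and the API key is a placeholder.

```javascript
// Added example (not from opsgenie-sdk or requestretry): a retry wrapper that keeps
// credential headers on every outbound attempt but redacts them from the error it
// surfaces to callers and logs. The transport is injected so the block runs offline.
'use strict';

const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Return a copy of `headers` with credential-bearing values replaced. For log/error
// output only; never send the result of this function on the wire.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// Retry `transport(options)` up to `maxAttempts` times on a thrown error or a 5xx/429
// response. Every attempt is sent with the caller's full header set. If all attempts
// fail, the thrown error carries the request details with sensitive headers redacted.
function requestWithRetry(transport, options, maxAttempts = 3) {
  const attempts = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      const res = transport({ ...options, headers: { ...options.headers } });
      if (res.statusCode === 429 || res.statusCode >= 500) {
        attempts.push({ attempt, statusCode: res.statusCode });
        continue;
      }
      return { response: res, attempts: attempt };
    } catch (err) {
      attempts.push({ attempt, error: err.message });
    }
  }
  const error = new Error(`request to ${options.url} failed after ${maxAttempts} attempts`);
  error.request = { url: options.url, method: options.method, headers: redactHeaders(options.headers) };
  error.attempts = attempts;
  throw error;
}

// Constructed fake transport standing in for an HTTP client: it records the headers of
// every attempt, answers 503 for the first `failures` calls, then behaves like an API
// that requires Authorization (401 without the header, 200 with it).
function makeFakeTransport(failures) {
  const seen = [];
  let calls = 0;
  return {
    seen,
    transport(options) {
      calls++;
      seen.push({ ...options.headers });
      if (calls <= failures) return { statusCode: 503, body: 'try again' };
      const authorized = Object.keys(options.headers).some((h) => h.toLowerCase() === 'authorization');
      return authorized ? { statusCode: 200, body: '{"ok":true}' } : { statusCode: 401, body: 'unauthorized' };
    },
  };
}

// Drive three scenarios and return what a regression test would check:
//  1. two 503s then success: every attempt must still carry the key;
//  2. permanent failure: the thrown error must not contain the key;
//  3. the over-aggressive fix (header removed from the request): the API answers 401.
function runScenario() {
  const apiKey = 'GenieKey dummy-api-key-0000'; // placeholder credential, not a real key
  const options = {
    url: 'https://api.example.invalid/v2/alerts',
    method: 'POST',
    headers: { Authorization: apiKey, 'Content-Type': 'application/json' },
  };

  const flaky = makeFakeTransport(2);
  const result = requestWithRetry(flaky.transport, options, 3);
  const everyAttemptAuthorized = flaky.seen.every((h) => h.Authorization === apiKey);

  const failing = makeFakeTransport(10);
  let secretLeakedInError = null;
  try {
    requestWithRetry(failing.transport, options, 3);
  } catch (err) {
    const serialized = JSON.stringify({ message: err.message, request: err.request, attempts: err.attempts });
    secretLeakedInError = serialized.includes('dummy-api-key');
  }

  const { Authorization, ...headersWithoutAuth } = options.headers; // what "stripping" does
  const stripped = requestWithRetry(makeFakeTransport(0).transport, { ...options, headers: headersWithoutAuth }, 1);

  return {
    statusCode: result.response.statusCode,
    attempts: result.attempts,
    everyAttemptAuthorized,
    secretLeakedInError,
    statusWithoutAuthorization: stripped.response.statusCode,
  };
}

console.log(runScenario());
```

The same shape works as a regression test against a real SDK upgrade: point the client at a local HTTP server that returns 401 unless the expected Authorization value arrives, and assert that it sees the header on every retry. That catches the breaking change hao4 reports before it reaches production, independently of whether `npm audit` is clean.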