Docsify: vulnerability report

Created on 19 Apr 2020 · 17 Comments · Source: docsifyjs/docsify

Bug Report

I have found a security vulnerability in docsify.js. How would you like me to report it?

Steps to reproduce

What is current behaviour

What is the expected behaviour

Other relevant information

  • [ ] Bug does still occur when all/other plugins are disabled?
  • Your OS:
  • Node.js version:
  • npm/yarn version:
  • Browser version:
  • Docsify version:
  • Docsify plugins:

Please create a reproducible sandbox


Mention the docsify version in which this bug was not present (if any)

pinned

All 17 comments

Here only. Fill the template and you can submit the report here.

I would advise against disclosing security vulnerabilities in a public manner before there is a fix. Please confirm that you want me to disclose details of the vulnerability here. I'll be happy to provide a detailed report and try to help push a fix as soon as possible.

I would advise against disclosing security vulnerabilities in a public manner before there is a fix.

Thanks for the alert. No, don't report here.
Actually we didn't set up any security policy as of now (I know it's bad, I will set this up as soon as possible after discussing with the team).

  • I would suggest reporting it to Snyk Security Team first. They will help triage the security issue and work with all involved parties to remediate and release a fix.
  • If you want to contact me, you can contact me through my email,
    and if you want to share some sensitive report (still I would suggest reaching the Snyk team first), mention it in the mail and we can discuss there how to do so!

How severe is this issue? Is it in an NPM module that affects local development?

It is hard to imagine any issue with static HTML (markdown) sites being insecure. Docsify sites are purely static by default, with no user information (or did I miss something?).

@anikethsaha Maybe we can make a security issue template, and it can specify contact instructions there.

we need to set up a policy here

Ah cool, I didn't know about that.

It is hard to imagine any issue with static HTML (markdown) sites being insecure. Docsify sites are purely static by default, with no user information (or did I miss something?).

True, but we do support GA and codefund plugins, and markdown may contain embedded files, so it may be harmful in those cases. Not sure though 😅.

I will still suggest reporting first to Snyk in any case, even if it is in our dependencies.

I'll get in touch with the Snyk team ASAP. I'll contact you through email for a detailed report.

we need to set up a policy here

please let me know if I can contribute in any way

I'll get in touch with the Snyk team ASAP. I'll contact you through email for a detailed report.

Great. 👍

please let me know if I can contribute in any way

Contributions of any kind are always welcome. You can share some ideas or submit a policy for a better approach. We can discuss there.

The Snyk team have verified the vulnerability. They will try to get in touch with you to discuss a fix. If you want to close this issue, you can always reach me at amin.[email protected].

Thanks a lot for the reports and responses.
This issue also was a reminder that we need a policy for security reports.

you can always reach me at amin.[email protected].

Sure.

Thanks 👍

I think it's better to keep it open until there is a response from Snyk, just to mark it. 👍

Thanks a lot for the reports and responses.
This issue also was a reminder that we need a policy for security reports.

you can always reach me at amin.[email protected].

Sure.

Thanks 👍

My pleasure.

I think it's better to keep it open until there is a response from Snyk, just to mark it. 👍

I agree.

I can't imagine the vulnerability in Docsify either.
As a static website, all configurations can be reached in the browser, including the GA or similar stuff (all websites deploy it in the same way).

I got a mail from Snyk and I think we should fix it, because it may be serious. There is a PoC as well. I will share the mail with the @docsifyjs/reviewers chat room soon so that we can discuss the fix.
