I have found a security vulnerability in docsify.js. How would you like me to report it?
here only. fill the template and you can submit the report here
I would advise against disclosing security vulnerabilities in a public manner before there is a fix. Please confirm that you want me to disclose details of the vulnerability here. I'll be happy to provide a detailed report and try to help push a fix as soon as possible.
thanks for the alert. no don't report here.
Actually we didn't set up any security policy as of now (I know it's bad, I will set this up as soon as possible after discussing with the team).
How severe is this issue? Is it in an NPM module that affects local development?
It is hard to imagine any issue with static HTML (markdown) sites being insecure. Docsify sites are purely static by default, with no user information (or did I miss something?).
@anikethsaha Maybe we can make a security issue template, and it can specify contact instructions there.
we need to set up a policy here
Ah cool, I didn't know about that.
true, but we do support GA, codefund plugins and markdown may contain embedded files so it may be harmful in those cases. not sure though 😅.
I will still suggest reporting first in snyk for any cases even if it is in our dependencies,
I'll get in touch with snyk team asap. I'll contact you through email for a detailed report
please let me know if I can contribute in any way
great. 👍
Contributions of any kind are always welcome. You can share some ideas or submit them as a policy for a better approach. We can discuss there.
The Snyk team have verified the vulnerability. They will try to get in touch with you to discuss a fix. If you want to close this issue, you can always reach me at amin.[email protected].
Thanks a lot for the reports and responses.
This issue was also a reminder that we need a policy for security reports.
sure.
Thanks 👍
I think it's better to keep it open until a response from snyk just to mark it. 👍
my pleasure
I agree
I can't imagine the vulnerability in Docsify either.
As a static website, all configurations can be reached in the browser, including the GA or similar stuff (all websites deploy it in the same way).
I got a mail from snyk and I think we should fix it because it may be serious. There is a PoC as well. I will share the mail with the @docsifyjs/reviewers chat room soon so that we can discuss the fix.