Objection.js: Potential security concern

Created on 23 Jun 2018  路  18Comments  路  Source: Vincit/objection.js

@koskimas I sent you an email.

picture linkenneth

Most helpful comment

@heisian @linkenneth @kibertoad I don't think we should publish the attack vector. If we do that, everyone will need to add hacks to their apps (because there is no clean way to prevent it in objection yet) to prevent that, while I'm pretty confident that no one will exploit the vector if we don't publish it. It's pretty easy to figure out, but to guess the needed stuff to exploit it is basically impossible. Do you agree?

picture koskimas on 17 Jul 2018
👍2

All 18 comments

What is the concern?

heisian picture heisian on 24 Jun 2018

I'm working with @koskimas privately to triage and verify this. If this is a security issue, it'd be best not to publicly disclose until fixed.

I'm also not entirely sure who I should be contacting about this. @heisian If you'd like to help out, can you ping @koskimas and have him add you to our thread?

linkenneth picture linkenneth on 24 Jun 2018

Hi @koskimas I am interested in what the security concern is, please add to thread.. thanks

heisian picture heisian on 24 Jun 2018

Could you both join objection's gitter and we could continue the discussion in a private group chat?

koskimas picture koskimas on 25 Jun 2018

Joined.

linkenneth picture linkenneth on 25 Jun 2018

let me know if there is anything needed from me

elhigu picture elhigu on 25 Jun 2018

@linkenneth Is this issue still relevant and should be kept open?

kibertoad picture kibertoad on 16 Jul 2018

@kibertoad Yes, this is still relevant. It's been addressed but not yet resolved.

linkenneth picture linkenneth on 16 Jul 2018

I think this issue is a low-risk attack vector that can be safely published here with a repro script - I think the community in this case is better served by being aware of the risks rather than being kept in the dark. If @koskimas agrees, please post what you've found @linkenneth - thanks.

heisian picture heisian on 16 Jul 2018

@heisian Sure, this is up to @koskimas.

linkenneth picture linkenneth on 17 Jul 2018

@heisian @linkenneth @kibertoad I don't think we should publish the attack vector. If we do that, everyone will need to add hacks to their apps (because there is no clean way to prevent it in objection yet) to prevent that, while I'm pretty confident that no one will exploit the vector if we don't publish it. It's pretty easy to figure out, but to guess the needed stuff to exploit it is basically impossible. Do you agree?

koskimas picture koskimas on 17 Jul 2018
👍2

@koskimas Yeah, it's not a good idea to disclose the vector before the fix. I presume fix is not straightforward and requires a bit of internal changes?..

kibertoad picture kibertoad on 17 Jul 2018

The fix is really easy, but it requires a breaking change and because of semver, a 2.0 release. I don't want to release 2.0 just because of this low risk security issue.

koskimas picture koskimas on 17 Jul 2018
👍1

@koskimas Yes, I agree. In that case let's leave this open.

linkenneth picture linkenneth on 17 Jul 2018
👍1

Hi, was this issue fixed? which version?

nspessot picture nspessot on 23 May 2019

@nspessot

Look couple of comments up

The fix is really easy, but it requires a breaking change and because of semver, a 2.0 release. I don't want to release 2.0 just because of this low risk security issue.

koskimas picture koskimas on 2 Jun 2019

@koskimas We are dropping support for Node.js 6 in 0.18.0. Might be a good time to bump Objection.js major when upgrading to the next knex version.

kibertoad picture kibertoad on 2 Jun 2019

Handled in v2.0 branch.

koskimas picture koskimas on 30 Nov 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

purepear picture purepear  路  3Comments
zacharynevin picture zacharynevin  路  4Comments
AhmadRaza786 picture AhmadRaza786  路  3Comments
nicolaracco picture nicolaracco  路  3Comments
mycahjay-nms picture mycahjay-nms  路  4Comments