update to latest bunyan #1
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was reported privately as:
https://hackerone.com/reports/902739
bunyan - RCE via insecure command formatting
After this change:
% ./bin/bunyan -p "S'11;touch hacked ;'\\"
bunyan: error: no matching PIDs found for "S'11;touch hacked ;'\"
With bunyan's self-trace logging to show the escaped command:
% BUNYAN_SELF_TRACE=1 ./bin/bunyan -p "S'11;touch hacked ;'\\"
[bunyan self-trace] exec cmd: "ps -A -o pid,command | grep '[S]'\\''11;touch hacked ;'\\''\\\\'"
bunyan: error: no matching PIDs found for "S'11;touch hacked ;'\"
[bunyan self-trace] cleanupAndExit(2, undefined)
[bunyan self-trace] process.exit(2)
Before this change these would create a "hacked" file in the current dir.
Installing with `--no-optional` can reduce a bunyan 1.x install from ~3-4MB to ~450kB.
THis is a slight change in how `log.info(undefined, 'some message')` is rendered by Bunyan, but that's been a fact since node v12. nodejs/node#23162 was the relevant change.
…rcular refs In nodejs/node#27685 (part of node v14), how objects with circular references are stringified with `util.inspect` changed.
This change uses `os.EOL` for line endings instead of `\n` This is useful for those of us using NodeJS on Windows where the easiest log reader is Notepad.exe Fixes #589
Co-authored-by: Ron Korving <[email protected]>
This also: - adds "files" to package.json which removes a lot of dev files from the published package - adds a package-lock.json file for 'npm ci' usage
- fix more jsstyle issues with newer Perl - drop windows testing for now until using node-tap that handles globs
CVE-2017-18214 https://nodesecurity.io/advisories/532 See the upstream issue resolved by the update: moment/moment#4163
Currently just tap v9 because that is the last major version of node-tap that supports back to node v0.10.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.