CVE-2022-36034: nitrado.js/CHANGELOG.md at v0.2.5 · cainthebest/nitrado.js
nitrado.js is a type safe wrapper for the Nitrado API. Possible ReDoS with lib input of `{{` and with many repetitions of `{{|`. This issue has been patched in all versions above 0.2.5. There are currently no known workarounds.
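Why an input of `{{` followed by many `{{|` is expensive for a placeholder regex, as an added example that is not code from nitrado.js: both patterns, the function names, the sample path and the 2048-character limit are assumptions chosen for illustration. `failedScanCost` is a cost model of a backtracking matcher, not a measurement of the real engine.

```javascript
// Added illustration: patterns, names and the length limit are assumptions,
// not code from nitrado.js.

// Quadratic on unterminated input: after each "{{" the lazy group walks to the
// end of the string looking for "}}", then the search restarts at the next "{{".
const VULNERABLE = /\{\{(.+?)\}\}/g;

// Linear: the group cannot cross a brace, so a failed attempt ends at the next
// "{" or "}" instead of at the end of the input.
const HARDENED = /\{\{([^{}]+)\}\}/g;

const MAX_TEMPLATE_LENGTH = 2048; // assumed upper bound for a path template

function fill(pattern, template, params) {
  return template.replace(pattern, (whole, name) =>
    Object.prototype.hasOwnProperty.call(params, name)
      ? encodeURIComponent(String(params[name]))
      : whole // unknown placeholder: leave the text untouched
  );
}

function fillVulnerable(template, params) {
  return fill(VULNERABLE, template, params);
}

function fillHardened(template, params) {
  if (typeof template !== "string" || template.length > MAX_TEMPLATE_LENGTH) {
    throw new RangeError("template rejected by length guard");
  }
  return fill(HARDENED, template, params);
}

// Constructed input with the shape the advisory names.
function worstCase(repetitions) {
  return "{{" + "{{|".repeat(repetitions);
}

// Cost model for input without "}}": characters walked by the capture group
// across every failed attempt (a model of backtracking, not the real engine).
function failedScanCost(input, stopAtBrace) {
  let cost = 0;
  for (let i = input.indexOf("{{"); i !== -1; i = input.indexOf("{{", i + 1)) {
    let j = i + 2;
    while (j < input.length && !(stopAtBrace && "{}".includes(input[j]))) j++;
    cost += j - i;
  }
  return cost;
}

function compareCosts(repetitions) {
  const input = worstCase(repetitions);
  return {
    length: input.length,
    vulnerable: failedScanCost(input, false),
    hardened: failedScanCost(input, true),
  };
}
```

Doubling the number of repetitions roughly quadruples the modelled cost of the first pattern and doubles that of the second, which is the difference a length guard plus a brace-excluding character class buys.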
**0.2.5** (2022-08-09)
- npm(update): push fix for vulnerability
- fix regex (#98)
Fix Polynomial regular expression used on uncontrolled data
Co-authored-by: cainthebest
**0.2.4** (2022-08-09)
- npm(update): push patch
- Merge pull request #95 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.33.0
build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.32.0 to 5.33.0
- Merge pull request #96 from cainthebest/dependabot/npm_and_yarn/types/node-18.6.5
build(deps-dev): bump @types/node from 18.6.4 to 18.6.5
- Merge pull request #97 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.33.0
build(deps-dev): bump @typescript-eslint/parser from 5.32.0 to 5.33.0
- fix(mistake): apply fix for merge
- Merge pull request #94 from cainthebest/regex-guard
Regex guard
- build(deps-dev): bump @types/node from 18.6.4 to 18.6.5
Bumps @types/node from 18.6.4 to 18.6.5.
- fix(regex): add path param guard
- fix(work around): fix for CWE-480 & CWE-561
- chore(format): fix format issue
- Create codeql-analysis.yml
**0.2.3** (2022-08-07)
- npm(update): new patch
- chore(package): ensure users use node >=16
- impl(services): support all service endpoints
Co-authored-by: DeathIsUndead
- chore(build)
- chore(dependabot): remove un-needed
- Merge pull request #92 from cainthebest/dependabot/npm_and_yarn/types/node-18.6.4
build(deps-dev): bump @types/node from 18.6.3 to 18.6.4
- chore(discord): update invite
- build(deps-dev): bump @types/node from 18.6.3 to 18.6.4
Bumps @types/node from 18.6.3 to 18.6.4.
- Merge pull request #90 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.32.0
build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.31.0 to 5.32.0
- Merge pull request #91 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.32.0
build(deps-dev): bump @typescript-eslint/parser from 5.31.0 to 5.32.0
- Merge pull request #89 from cainthebest/dependabot/npm_and_yarn/eslint-8.21.0
build(deps-dev): bump eslint from 8.20.0 to 8.21.0
**0.2.2** (2022-08-01)
- npm(update): patch
- impl(service): add some of service endpoints
- chore(format)
- chore(deps): update
- fix(error): type error already exists for key
- impl(encryption): encourage token safety
**0.2.1** (2022-07-27)
- npm(patch): push patch for oauth support
- build(deps-dev): bump @types/node from 18.0.6 to 18.6.1 (#84)
Bumps @types/node from 18.0.6 to 18.6.1.
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cain
- fix(settings): typo
- impl(OAuth2): add endpoints
- del(comments): remove un useful comments
- fix(file name): rename
- fix(file names): rename to follow trend
- impl(tokens): add endpoints
- build(deps-dev): bump @types/node from 18.0.4 to 18.0.6 (#80)
Bumps @types/node from 18.0.4 to 18.0.6.
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cain
- build(deps-dev): bump @types/node from 18.0.3 to 18.0.4 (#76)
Bumps @types/node from 18.0.3 to 18.0.4.
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cain
**0.2.0** (2022-07-14)
- npm(new semver minor): has breaking changes!
- fix(issue #72): fix for issue still needs testing
Co-authored-by: WildCarlUK
Restructure API types for maintainability (#37)
del(api files): make a clean dir
del(eslint config): move to package.json
del(prettier config): move to package.json
chore(scripts & config): update scripts and move config
chore(deps): add dev dep npm run all
chore(ts target): change to esnext
chore(workflow): change ci to use new script
impl(global): health check endpoint
impl(global): add maintenance endpoint
impl(global): add version endpoint
impl(global): export global
fix(urls): change structure of types
impl(config): add a basic config param
doc(maintrnance): add comments
doc(version): add comments
doc(health_check): add comments
chore(rename import): change interface name style
fix(shorten): error response (still broken)
impl(long life tokens): add endpoints
impl(sub token): add endpoint
impl(oauth2): export type
impl(oauth2): export type
impl(registration): add endpoints
revert(ci): just doesn't want to work
Merge(local): local -> restructure
test(ci): test with change
merge(master ci): copy master ci
chore(build)
del(dist)
chore(ignore): add dist
fix(types): move types to types
doc(init): make basic
chore(build)
quickfix(docs)
chore(build)
doc(fix)
dox(fix)
docs(style)
test(doc): just playing around with styles
chore(build)
test(docs)
docs(update)
doc(style): too light
docs(style): make darker
docs(style): make darker
doc(fix style)
docs(update)
doc(update)
chore(build)
docs(update)
doc(update)
update(docs)
docs(update)
doc(fix)
docs(update)
docs(update)
docs(update)
chore(build)
docs(update)
docs(update)
docs(update)
docs(update)
docs(update)
impl(endpoint): service - AutoExtend
impl(endpoint): service - Cancel
impl(endpoint): service - KnowledgeBase
impl(endpoint): service - Logs
impl(endpoint): service - Notifications
impl(endpoint): service - SalePrice
impl(endpoint): service - SubDomain
impl(endpoint): service - Services
impl(endpoint): service
chore(build)
docs(update)
chore(build)
docs(test): codeblocks
Create CNAME
Update CNAME
Update _config.yaml
chore(build)
Update _config.yaml
chore(build)
Update _config.yaml
Delete CNAME
del(docs): moved to its own repo
Test alternative format (#59)
init
merge(local)
merge(local)
fix(test): remove test
Merge(local)
doc(fix): add comments to endpoints
chore(build)
Co-authored-by: cainthebest
**0.1.17** (2022-07-10)
- npm(update): deps
- chore(gitignore): add dist
- del(dist): remove from repo, built in workflow
- chore(build)
- fix(package-lock): gen new one
- build(deps-dev): bump @types/node from 18.0.0 to 18.0.3 (#71)
Bumps @types/node from 18.0.0 to 18.0.3.
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Merge pull request #62 from nitradojs/dependabot/npm_and_yarn/typescript-eslint/parser-5.30.0
- Merge pull request #63 from nitradojs/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.30.0
**0.1.16** (2022-06-24)
- Merge pull request #61 from nitradojs/import-resolution-fix
Import resolution fix
- npm(update): push patch with fix
- fix(imports): change to root imports
**0.1.15** (2022-06-21)
- npm(update): deps
- Merge pull request #47 from cainthebest/dependabot/npm_and_yarn/tsup-6.1.2
build(deps-dev): bump tsup from 6.1.0 to 6.1.2
- Merge pull request #55 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.29.0
build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.27.1 to 5.29.0
- Merge pull request #57 from cainthebest/dependabot/npm_and_yarn/eslint-8.18.0
build(deps-dev): bump eslint from 8.17.0 to 8.18.0
- Merge pull request #58 from cainthebest/dependabot/npm_and_yarn/typescript-4.7.4
build(deps-dev): bump typescript from 4.7.3 to 4.7.4
- build(deps-dev): bump typescript from 4.7.3 to 4.7.4
Bumps typescript from 4.7.3 to 4.7.4.
- Merge pull request #56 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.29.0
build(deps-dev): bump @typescript-eslint/parser from 5.27.1 to 5.29.0
- Merge pull request #53 from cainthebest/dependabot/npm_and_yarn/prettier-2.7.1
build(deps-dev): bump prettier from 2.6.2 to 2.7.1
- Merge pull request #54 from cainthebest/dependabot/npm_and_yarn/types/node-18.0.0
build(deps-dev): bump @types/node from 17.0.41 to 18.0.0
- build(deps-dev): bump @types/node from 17.0.41 to 18.0.0
Bumps @types/node from 17.0.41 to 18.0.0.
- Merge pull request #44 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.27.1
build(deps-dev): bump @typescript-eslint/parser from 5.27.0 to 5.27.1
- Merge pull request #46 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.41
build(deps-dev): bump @types/node from 17.0.40 to 17.0.41
- Merge pull request #45 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.27.1
build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.27.0 to 5.27.1
- build(deps-dev): bump @types/node from 17.0.40 to 17.0.41
Bumps @types/node from 17.0.40 to 17.0.41.
**0.1.14** (2022-06-06)
- publish(npm): push dep updates
- Merge pull request #40 from cainthebest/dependabot/npm_and_yarn/tsup-6.1.0
- Merge pull request #41 from cainthebest/dependabot/npm_and_yarn/typescript-4.7.3
- Merge pull request #42 from cainthebest/dependabot/npm_and_yarn/eslint-8.17.0
- Merge pull request #43 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.40
- build(deps-dev): bump @types/node from 17.0.38 to 17.0.40
Bumps @types/node from 17.0.38 to 17.0.40.
- build(deps-dev): bump typescript from 4.7.2 to 4.7.3
Bumps typescript from 4.7.2 to 4.7.3.
- fix(ci): fix the dupe ci bug
- fix(ci): try again
- chore(build)
- fix(ci)
- del(ci): broken for now
- fix(ci): make simpler
- impl(ci): add ci for branch
**0.1.13** (2022-06-02)
- publish(npm): fix and dep updates
- chore(build)
- fix(typescript): runtime implicit conversion
- Merge pull request #38 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.38
- build(deps-dev): bump @types/node from 17.0.36 to 17.0.38
Bumps @types/node from 17.0.36 to 17.0.38.
- Merge pull request #34 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.36
build(deps-dev): bump @types/node from 17.0.35 to 17.0.36
- build(deps-dev): bump @types/node from 17.0.35 to 17.0.36
Bumps @types/node from 17.0.35 to 17.0.36.
- Merge pull request #35 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.27.0
build(deps-dev): bump @typescript-eslint/parser from 5.26.0 to 5.27.0
- Merge pull request #36 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.27.0
build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.26.0 to 5.27.0
- Merge pull request #29 from cainthebest/dependabot/npm_and_yarn/eslint-8.16.0
- Merge pull request #30 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.26.0
- Merge pull request #31 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.26.0
- Merge pull request #32 from cainthebest/dependabot/npm_and_yarn/tsup-6.0.1
- Merge pull request #33 from cainthebest/dependabot/npm_and_yarn/typescript-4.7.2
- build(deps-dev): bump typescript from 4.6.4 to 4.7.2
Bumps typescript from 4.6.4 to 4.7.2.
**0.1.12** (2022-05-21)
- publish(npm): update
- Merge pull request #28 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.35
build(deps-dev): bump @types/node from 17.0.34 to 17.0.35
- build(deps-dev): bump @types/node from 17.0.34 to 17.0.35
Bumps @types/node from 17.0.34 to 17.0.35.
**0.1.11** (2022-05-18)
- publish(npm): update
- Merge pull request #25 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.25.0
- Merge pull request #26 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.25.0
**0.1.10** (2022-05-17)
- publish(npm): update
- fix(readme): change url for issue forms
- chore(build)
- impl(github forms): replace templates with forms
- impl(templates): add github template url
- chore(build)
- Impl(github): issue templates
**0.1.9** (2022-05-17)
- publish(npm): update
- chore(build)
- Merge pull request #21 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.24.0
build(deps-dev): bump @typescript-eslint/parser from 5.23.0 to 5.24.0
- Merge pull request #22 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.34
build(deps-dev): bump @types/node from 17.0.33 to 17.0.34
- Merge pull request #23 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.24.0
build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.23.0 to 5.24.0
- Merge pull request #24 from ghostdevv/master
Update Docs
- docs: remove workaround for api token
- docs: update
- docs: update
- build(deps-dev): bump @types/node from 17.0.33 to 17.0.34
Bumps @types/node from 17.0.33 to 17.0.34.
- chore(build)
- impl(endpoint): Gameserver - Game - List
- impl(endpoint): Gameserver - Game - Install
- chore(build)
- impl(endpoint): Gameserver - Full Game list
- impl(endpoints): Gameserver - Files - Upload
- impl(endpoint): Gameserver - Files - Stat
- impl(endpoint): Gameserver - Files - Size
- impl(endpoint): Gameserver - Files - Seek
- impl(endpoint): Gameserver - Files - Move / Rename
- chore(build)
- fix(endpoint): Gameserver - Files - List
- impl(endpoint): Gameserver - Files - List
- impl(endpoint): Gameserver - Files - Download
- impl(endpoint): Gameserver - Files - Delete
- impl(endpoint): Gameserver - Files - Create directory
**0.1.8** (2022-05-16)
- publish(npm): update
- chore(build)
- impl(tsup): add config
- chore(ignore): tsup config
- del(rimraf): dev dep
- impl(endpoint): Gameserver - Files - Copy
- impl(tsup): dist bundler
- impl(endpoint): Gameserver - Files - Bookmarks
- impl(endpoint): Gameserver - FTP - Change password
- impl(endpoint): Gameserver - Backup - Restore Game Server
- impl(endpoint): Gameserver - Backup - Restore Database
**0.1.7** (2022-05-16)
- publish(npm): update
- chore(build)
- impl(URLs): add Game_Lastoasis
- impl(endpoint): Game_Lastoasis - Lastoasis Useridentifier
- chore(build)
- impl(endpoint): Gameserver - App Server - Ping
- impl(endpoint): Gameserver - App Server - Command
- impl(endpoint): Gameserver - Backup - List Backups
- impl(endpoint): Gameserver - Stop
- fix(endpoint): Gameserver - Restart
- impl(endpoint): Gameserver - Restart
- doc(readme): add cjs example import
- chore(build)
**0.1.6** (2022-05-14)
- fix(semver): change format
- chore(build)
- fix(conflict): pr conflict
**0.1.5-ALPHA** (2022-05-14)
- publish(npm): update
- chore(build)
- quickfix(response): comment out unused type
- chore(build)
- quickfix(bug): error response type
**0.1.4-ALPHA** (2022-05-14)
- publish(npm): update latest
- doc(readme): update
- chore(build)
- impl(endpoint): Domain - Get all DNS records
- impl(endpoint): Domain - Get Domain Auth Code
- impl(endpoint): Domain - Extension Price
- impl(endpoint): Domain - Extend Domain
- impl(endpoint): Domain - Domain info
- imp(endpoint): Domain - Delete a redirect
- impl(endpoint): Domain - Delete a record
- fix(delete handle): change mesg type
- impl(endpoint): Domain - Delete Handle
- inc(readme): add readme to dist
- chore(build)
- fix(unused): AxiosError is defined but never used
**0.1.3-ALPHA** (2022-05-14)
- chore(build)
- publish(latest): update npm
- fix(.then): type could be error and on response
- doc(examples): add some quick examples
**0.1.2-ALPHA** (2022-05-14)
- chore(build)
- fix(node latest): says will work in docs, ofc not
**0.1.1-ALPHA** (2022-05-14)
- fix(semver): change semver format due to bug
- fix(C CI & D): update branch to master
- del(dev ci): make repo more simple
- publish(0.1.0-ALPHA.2): new version
- fix(CI): run node latest to publish to npm
Related news
### Impact

Possible ReDoS with lib input of `{{` and with many repetitions of `{{|`.

### Patches

Patched in all versions above `0.2.5`

### Workarounds

No known workarounds.

### References

- OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)
- Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS)
- Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity)
- James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf)
- Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)
- Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html)