CVE-2022-36034: nitrado.js/CHANGELOG.md at v0.2.5 · cainthebest/nitrado.js

nitrado.js is a type-safe wrapper for the Nitrado API. Possible ReDoS with library input of `{{` and with many repetitions of `{{|`. This issue has been patched in all versions above 0.2.5. There are currently no known workarounds.


**0.2.5** (2022-08-09)

  • npm(update): push fix for vulnerability
  • fix regex (#98)

Fix Polynomial regular expression used on uncontrolled data

Co-authored-by: cainthebest [email protected]

**0.2.4** (2022-08-09)

  • npm(update): push patch
  • Merge pull request #95 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.33.0

build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.32.0 to 5.33.0

  • Merge pull request #96 from cainthebest/dependabot/npm_and_yarn/types/node-18.6.5

build(deps-dev): bump @types/node from 18.6.4 to 18.6.5

  • Merge pull request #97 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.33.0

build(deps-dev): bump @typescript-eslint/parser from 5.32.0 to 5.33.0

  • fix(mistake): apply fix for merge
  • Merge pull request #94 from cainthebest/regex-guard

Regex guard

  • build(deps-dev): bump @types/node from 18.6.4 to 18.6.5

Bumps @types/node from 18.6.4 to 18.6.5.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

  • fix(regex): add path param guard
  • fix(work around): fix for CWE-480 & CWE-561
  • chore(format): fix format issue
  • Create codeql-analysis.yml

**0.2.3** (2022-08-07)

  • npm(update): new patch
  • chore(package): ensure users use node >=16
  • impl(services): support all service endpoints

Co-authored-by: DeathIsUndead [email protected]

  • chore(build)
  • chore(dependabot): remove un-needed
  • Merge pull request #92 from cainthebest/dependabot/npm_and_yarn/types/node-18.6.4

build(deps-dev): bump @types/node from 18.6.3 to 18.6.4

  • chore(discord): update invite
  • build(deps-dev): bump @types/node from 18.6.3 to 18.6.4

Bumps @types/node from 18.6.3 to 18.6.4.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

  • Merge pull request #90 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.32.0

build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.31.0 to 5.32.0

  • Merge pull request #91 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.32.0

build(deps-dev): bump @typescript-eslint/parser from 5.31.0 to 5.32.0

  • Merge pull request #89 from cainthebest/dependabot/npm_and_yarn/eslint-8.21.0

build(deps-dev): bump eslint from 8.20.0 to 8.21.0

**0.2.2** (2022-08-01)

  • npm(update): patch
  • impl(service): add some of service endpoints
  • chore(format)
  • chore(deps): update
  • fix(error): type error already exists for key
  • impl(encryption): encourage token safety

**0.2.1** (2022-07-27)

  • npm(patch): push patch for oauth support
  • build(deps-dev): bump @types/node from 18.0.6 to 18.6.1 (#84)

Bumps @types/node from 18.0.6 to 18.6.1.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-minor …

Signed-off-by: dependabot[bot] [email protected]

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Cain [email protected]

  • fix(settings): typo
  • impl(OAuth2): add endpoints
  • del(comments): remove un useful comments
  • fix(file name): rename
  • fix(file names): rename to follow trend
  • impl(tokens): add endpoints
  • build(deps-dev): bump @types/node from 18.0.4 to 18.0.6 (#80)

Bumps @types/node from 18.0.4 to 18.0.6.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Cain [email protected]

  • build(deps-dev): bump @types/node from 18.0.3 to 18.0.4 (#76)

Bumps @types/node from 18.0.3 to 18.0.4.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Cain [email protected]

**0.2.0** (2022-07-14)

  • npm(new semver minor): has breaking changes!
  • fix(issue #72): fix for issue still needs testing

Co-authored-by: WildCarlUK [email protected]

  • Restructure API types for maintainability (#37)
  • del(api files): make a clean dir
  • del(eslint config): move to package.json
  • del(prettier config): move to package.json
  • chore(scripts & config): update scripts and move config
  • chore(deps): add dev dep npm run all
  • chore(ts target): change to esnext
  • chore(workflow): change ci to use new script
  • impl(global): health check endpoint
  • impl(global): add maintenance endpoint
  • impl(global): add version endpoint
  • impl(global): export global
  • fix(urls): change structure of types
  • impl(config): add a basic config param
  • doc(maintenance): add comments
  • doc(version): add comments
  • doc(health_check): add comments
  • chore(rename import): change interface name style
  • fix(shorten): error response (still broken)
  • impl(long life tokens): add endpoints
  • impl(sub token): add endpoint
  • impl(oauth2): export type
  • impl(oauth2): export type
  • impl(registration): add endpoints
  • revert(ci): just doesn't want to work
  • Merge(local): local -> restructure
  • test(ci): test with change
  • merge(master ci): copy master ci
  • chore(build)
  • del(dist)
  • chore(ignore): add dist
  • fix(types): move types to types
  • doc(init): make basic
  • chore(build)
  • quickfix(docs)
  • chore(build)
  • doc(fix)
  • dox(fix)
  • docs(style)
  • test(doc): just playing around with styles
  • chore(build)
  • test(docs)
  • docs(update)
  • doc(style): too light
  • docs(style): make darker
  • docs(style): make darker
  • doc(fix style)
  • docs(update)
  • doc(update)
  • chore(build)
  • docs(update)
  • doc(update)
  • update(docs)
  • docs(update)
  • doc(fix)
  • docs(update)
  • docs(update)
  • docs(update)
  • chore(build)
  • docs(update)
  • docs(update)
  • docs(update)
  • docs(update)
  • docs(update)
  • impl(endpoint): service - AutoExtend
  • impl(endpoint): service - Cancel
  • impl(endpoint): service - KnowledgeBase
  • impl(endpoint): service - Logs
  • impl(endpoint): service - Notifications
  • impl(endpoint): service - SalePrice
  • impl(endpoint): service - SubDomain
  • impl(endpoint): service - Services
  • impl(endpoint): service
  • chore(build)
  • docs(update)
  • chore(build)
  • docs(test): codeblocks
  • Create CNAME
  • Update CNAME
  • Update _config.yaml
  • chore(build)
  • Update _config.yaml
  • chore(build)
  • Update _config.yaml
  • Delete CNAME
  • del(docs): moved to its own repo
  • Test alternative format (#59)
  • init
  • merge(local)
  • merge(local)
  • fix(test): remove test
  • Merge(local)
  • doc(fix): add comments to endpoints
  • chore(build)

Co-authored-by: cainthebest [email protected]

**0.1.17** (2022-07-10)

  • npm(update): deps
  • chore(gitignore): add dist
  • del(dist): remove from repo, built in workflow
  • chore(build)
  • fix(package-lock): gen new one
  • build(deps-dev): bump @types/node from 18.0.0 to 18.0.3 (#71)

Bumps @types/node from 18.0.0 to 18.0.3.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

  • Merge pull request #62 from nitradojs/dependabot/npm_and_yarn/typescript-eslint/parser-5.30.0
  • Merge pull request #63 from nitradojs/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.30.0

**0.1.16** (2022-06-24)

  • Merge pull request #61 from nitradojs/import-resolution-fix

Import resolution fix

  • npm(update): push patch with fix
  • fix(imports): change to root imports

**0.1.15** (2022-06-21)

  • npm(update): deps
  • Merge pull request #47 from cainthebest/dependabot/npm_and_yarn/tsup-6.1.2

build(deps-dev): bump tsup from 6.1.0 to 6.1.2

  • Merge pull request #55 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.29.0

build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.27.1 to 5.29.0

  • Merge pull request #57 from cainthebest/dependabot/npm_and_yarn/eslint-8.18.0

build(deps-dev): bump eslint from 8.17.0 to 8.18.0

  • Merge pull request #58 from cainthebest/dependabot/npm_and_yarn/typescript-4.7.4

build(deps-dev): bump typescript from 4.7.3 to 4.7.4

  • build(deps-dev): bump typescript from 4.7.3 to 4.7.4

Bumps typescript from 4.7.3 to 4.7.4.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

  • Merge pull request #56 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.29.0

build(deps-dev): bump @typescript-eslint/parser from 5.27.1 to 5.29.0

  • Merge pull request #53 from cainthebest/dependabot/npm_and_yarn/prettier-2.7.1

build(deps-dev): bump prettier from 2.6.2 to 2.7.1

  • Merge pull request #54 from cainthebest/dependabot/npm_and_yarn/types/node-18.0.0

build(deps-dev): bump @types/node from 17.0.41 to 18.0.0

  • build(deps-dev): bump @types/node from 17.0.41 to 18.0.0

Bumps @types/node from 17.0.41 to 18.0.0.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-major …

Signed-off-by: dependabot[bot] [email protected]

  • Merge pull request #44 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.27.1

build(deps-dev): bump @typescript-eslint/parser from 5.27.0 to 5.27.1

  • Merge pull request #46 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.41

build(deps-dev): bump @types/node from 17.0.40 to 17.0.41

  • Merge pull request #45 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.27.1

build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.27.0 to 5.27.1

  • build(deps-dev): bump @types/node from 17.0.40 to 17.0.41

Bumps @types/node from 17.0.40 to 17.0.41.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

**0.1.14** (2022-06-06)

  • publish(npm): push dep updates
  • Merge pull request #40 from cainthebest/dependabot/npm_and_yarn/tsup-6.1.0
  • Merge pull request #41 from cainthebest/dependabot/npm_and_yarn/typescript-4.7.3
  • Merge pull request #42 from cainthebest/dependabot/npm_and_yarn/eslint-8.17.0
  • Merge pull request #43 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.40
  • build(deps-dev): bump @types/node from 17.0.38 to 17.0.40

Bumps @types/node from 17.0.38 to 17.0.40.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

  • build(deps-dev): bump typescript from 4.7.2 to 4.7.3

Bumps typescript from 4.7.2 to 4.7.3.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

  • fix(ci): fix the dupe ci bug
  • fix(ci): try again
  • chore(build)
  • fix(ci)
  • del(ci): broken for now
  • fix(ci): make simpler
  • impl(ci): add ci for branch

**0.1.13** (2022-06-02)

  • publish(npm): fix and dep updates
  • chore(build)
  • fix(typescript): runtime implicit conversion
  • Merge pull request #38 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.38
  • build(deps-dev): bump @types/node from 17.0.36 to 17.0.38

Bumps @types/node from 17.0.36 to 17.0.38.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

  • Merge pull request #34 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.36

build(deps-dev): bump @types/node from 17.0.35 to 17.0.36

  • build(deps-dev): bump @types/node from 17.0.35 to 17.0.36

Bumps @types/node from 17.0.35 to 17.0.36.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

  • Merge pull request #35 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.27.0

build(deps-dev): bump @typescript-eslint/parser from 5.26.0 to 5.27.0

  • Merge pull request #36 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.27.0

build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.26.0 to 5.27.0

  • Merge pull request #29 from cainthebest/dependabot/npm_and_yarn/eslint-8.16.0
  • Merge pull request #30 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.26.0
  • Merge pull request #31 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.26.0
  • Merge pull request #32 from cainthebest/dependabot/npm_and_yarn/tsup-6.0.1
  • Merge pull request #33 from cainthebest/dependabot/npm_and_yarn/typescript-4.7.2
  • build(deps-dev): bump typescript from 4.6.4 to 4.7.2

Bumps typescript from 4.6.4 to 4.7.2.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-minor …

Signed-off-by: dependabot[bot] [email protected]

**0.1.12** (2022-05-21)

  • publish(npm): update
  • Merge pull request #28 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.35

build(deps-dev): bump @types/node from 17.0.34 to 17.0.35

  • build(deps-dev): bump @types/node from 17.0.34 to 17.0.35

Bumps @types/node from 17.0.34 to 17.0.35.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

**0.1.11** (2022-05-18)

  • publish(npm): update
  • Merge pull request #25 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.25.0
  • Merge pull request #26 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.25.0

**0.1.10** (2022-05-17)

  • publish(npm): update
  • fix(readme): change url for issue forms
  • chore(build)
  • impl(github forms): replace templates with forms
  • impl(templates): add github template url
  • chore(build)
  • Impl(github): issue templates

**0.1.9** (2022-05-17)

  • publish(npm): update
  • chore(build)
  • Merge pull request #21 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/parser-5.24.0

build(deps-dev): bump @typescript-eslint/parser from 5.23.0 to 5.24.0

  • Merge pull request #22 from cainthebest/dependabot/npm_and_yarn/types/node-17.0.34

build(deps-dev): bump @types/node from 17.0.33 to 17.0.34

  • Merge pull request #23 from cainthebest/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.24.0

build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.23.0 to 5.24.0

  • Merge pull request #24 from ghostdevv/master

Update Docs

  • docs: remove workaround for api token
  • docs: update
  • docs: update
  • build(deps-dev): bump @types/node from 17.0.33 to 17.0.34

Bumps @types/node from 17.0.33 to 17.0.34.

  • Release notes
  • Commits

updated-dependencies:

  • dependency-name: “@types/node” dependency-type: direct:development update-type: version-update:semver-patch …

Signed-off-by: dependabot[bot] [email protected]

  • chore(build)
  • impl(endpoint): Gameserver - Game - List
  • impl(endpoint): Gameserver - Game - Install
  • chore(build)
  • impl(endpoint): Gameserver - Full Game list
  • impl(endpoints): Gameserver - Files - Upload
  • impl(endpoint): Gameserver - Files - Stat
  • impl(endpoint): Gameserver - Files - Size
  • impl(endpoint): Gameserver - Files - Seek
  • impl(endpoint): Gameserver - Files - Move / Rename
  • chore(build)
  • fix(endpoint): Gameserver - Files - List
  • impl(endpoint): Gameserver - Files - List
  • impl(endpoint): Gameserver - Files - Download
  • impl(endpoint): Gameserver - Files - Delete
  • impl(endpoint): Gameserver - Files - Create directory

**0.1.8** (2022-05-16)

  • publish(npm): update
  • chore(build)
  • impl(tsup): add config
  • chore(ignore): tsup config
  • del(rimraf): dev dep
  • impl(endpoint): Gameserver - Files - Copy
  • impl(tsup): dist bundler
  • impl(endpoint): Gameserver - Files - Bookmarks
  • impl(endpoint): Gameserver - FTP - Change password
  • impl(endpoint): Gameserver - Backup - Restore Game Server
  • impl(endpoint): Gameserver - Backup - Restore Database

**0.1.7** (2022-05-16)

  • publish(npm): update
  • chore(build)
  • impl(URLs): add Game_Lastoasis
  • impl(endpoint): Game_Lastoasis - Lastoasis Useridentifier
  • chore(build)
  • impl(endpoint): Gameserver - App Server - Ping
  • impl(endpoint): Gameserver - App Server - Command
  • impl(endpoint): Gameserver - Backup - List Backups
  • impl(endpoint): Gameserver - Stop
  • fix(endpoint): Gameserver - Restart
  • impl(endpoint): Gameserver - Restart
  • doc(readme): add cjs example import
  • chore(build)

**0.1.6** (2022-05-14)

  • fix(semver): change format
  • chore(build)
  • fix(conflict): pr conflict

**0.1.5-ALPHA** (2022-05-14)

  • publish(npm): update
  • chore(build)
  • quickfix(response): comment out unused type
  • chore(build)
  • quickfix(bug): error response type

**0.1.4-ALPHA** (2022-05-14)

  • publish(npm): update latest
  • doc(readme): update
  • chore(build)
  • impl(endpoint): Domain - Get all DNS records
  • impl(endpoint): Domain - Get Domain Auth Code
  • impl(endpoint): Domain - Extension Price
  • impl(endpoint): Domain - Extend Domain
  • impl(endpoint): Domain - Domain info
  • imp(endpoint): Domain - Delete a redirect
  • impl(endpoint): Domain - Delete a record
  • fix(delete handle): change mesg type
  • impl(endpoint): Domain - Delete Handle
  • inc(readme): add readme to dist
  • chore(build)
  • fix(unused): AxiosError is defined but never used

**0.1.3-ALPHA** (2022-05-14)

  • chore(build)
  • publish(latest): update npm
  • fix(.then): type could be error and on response
  • doc(examples): add some quick examples

**0.1.2-ALPHA** (2022-05-14)

  • chore(build)
  • fix(node latest): says will work in docs, ofc not

**0.1.1-ALPHA** (2022-05-14)

  • fix(semver): change semver format due to bug
  • fix(C CI & D): update branch to master
  • del(dev ci): make repo more simple
  • publish(0.1.0-ALPHA.2): new version
  • fix(CI): run node latest to publish to npm

Related news

GHSA-vqc4-v8hc-h2jg: Polynomial regular expression used on uncontrolled data in nitrado.js

### Impact

Possible ReDoS with lib input of `{{` and with many repetitions of `{{|`.

### Patches

Patched in all versions above `0.2.5`.

### Workarounds

No known workarounds.

### References

- OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)
- Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS)
- Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity)
- James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf)
- Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)
- Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html)
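The headline and the advisory above describe the bug class but not the pattern itself, and the changelog only records that a regex was fixed and a "path param guard" added. The block below is an added illustration, not code from nitrado.js: `SLOW_TEMPLATE_RE` is a constructed quadratic-backtracking pattern that degrades on repeated `{{|` in the way the advisory describes, `hasTrailingOpenPipeLinear` answers the same question in linear time with plain string operations, `growthRatio` is a doubling-based screening check for polynomial behaviour, and `guardPathParam` is one assumed shape for a guard on values interpolated into a URL path (the rejected character set and length cap are assumptions). The attack inputs are constructed.

```javascript
// Added example (not nitrado.js code). SLOW_TEMPLATE_RE is a constructed
// pattern chosen to show polynomial backtracking on `{{|` repetitions; the
// library's real regex is not shown on the page. guardPathParam is an assumed
// shape for a "path param guard", not the project's implementation.

// Constructed O(n^2) pattern: unanchored start, greedy `[\s\S]*`, then a
// literal that must sit at the very end. On "{{|{{|...{{|x" the engine tries
// every `{{` start position and, for each one, backtracks across the whole
// remainder looking for a trailing `{{|` that never comes.
const SLOW_TEMPLATE_RE = /\{\{[\s\S]*\{\{\|$/;

// Linear-time answer to the same question the regex asks: does the string
// end with `{{|`, and is there a `{{` that starts at least two characters
// before that trailing `{{|`? No backtracking, two scans at most.
function hasTrailingOpenPipeLinear(s) {
  if (!s.endsWith('{{|')) return false;
  const first = s.indexOf('{{');
  return first !== -1 && first <= s.length - 5;
}

// Constructed attacker-shaped input in the spirit of the advisory: many `{{|`
// repetitions plus one trailing byte so the overall match can never succeed.
function attackInput(n) {
  return '{{|'.repeat(n) + 'x';
}

function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Double the input and compare wall-clock time: a ratio near 4 suggests
// quadratic growth, near 2 linear. Timing is noisy, so treat this as a
// screening check, not a proof; static analysis is the reliable tool.
function growthRatio(fn, n) {
  const small = timeMs(fn, attackInput(n));
  const large = timeMs(fn, attackInput(2 * n));
  return large / Math.max(small, 0.001);
}

// Assumed guard for a value about to be interpolated into a URL path: reject
// anything that looks like template syntax or path structure, and cap the
// length so a regex applied later has a bounded input. A single character
// class with no quantifier nesting is linear in the input.
function guardPathParam(value, maxLen = 256) {
  if (typeof value !== 'string' || value.length === 0 || value.length > maxLen) {
    return false;
  }
  return !/[{}|\/?#]/.test(value);
}

// Demo run on constructed inputs.
const n = 1000;
console.log('regex ratio (2n/n):', growthRatio((s) => SLOW_TEMPLATE_RE.test(s), n).toFixed(1));
console.log('linear ratio (2n/n):', growthRatio(hasTrailingOpenPipeLinear, n).toFixed(1));
console.log('guardPathParam("{{|{{|"):', guardPathParam('{{|{{|'));
```

The fix commit's title, "Polynomial regular expression used on uncontrolled data", is the name of CodeQL's JavaScript query for this class, and the changelog shows `codeql-analysis.yml` being added in the same pair of releases; running that query in CI is the check that catches a greedy wildcard in front of a mandatory suffix before an attacker does. The guard is a defence in depth rather than a substitute: the regex itself still has to be linear, because the advisory's trigger is the library's own input, not a parameter the caller is obliged to sanitise.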
