Headline
GHSA-vxjg-hchx-cc4g: @simonsmith/cypress-image-snapshot has fix for insecure snapshot file names
Impact
It’s possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine running the test. Example:
cy.get('h1').matchImageSnapshot('../../../ignore-relative-dirs')
The above will create an ignore-relative-dirs.png three levels up.
Patches
Fixed in 8.0.2
Workarounds
Validate all the existing uses of matchImageSnapshot to ensure correct use of the filename argument. Example:
// snapshot name will be the test title
cy.matchImageSnapshot();
// snapshot name will be the name passed in
cy.matchImageSnapshot('login');
References
https://github.com/simonsmith/cypress-image-snapshot/issues/15
Package
npm @simonsmith/cypress-image-snapshot (npm)
Affected versions
<= 8.0.1
Patched versions
8.0.2
References
- GHSA-vxjg-hchx-cc4g
- simonsmith/cypress-image-snapshot#15
- simonsmith/cypress-image-snapshot@ef49519
- https://github.com/simonsmith/cypress-image-snapshot/releases/tag/8.0.2
simonsmith published to simonsmith/cypress-image-snapshot
Jul 31, 2023
Published to the GitHub Advisory Database
Aug 1, 2023
Reviewed
Aug 1, 2023
Related news
cypress-image-snapshot shows visual regressions in Cypress with jest-image-snapshot. Prior to version 8.0.2, it's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine running the test. This issue has been patched in version 8.0.2.