[Snyk] Upgrade react-native-screens from 3.33.0 to 3.34.0 #164

Summary

8 security issue(s)
- High : 5
- Medium : 0
- Low : 3

NShiftKey

Potential command injection

Description : Attacker could use eval() method to execute arbitrary code

Countermeasure : The eval() method that could be exploited by an attacker should not be used within the script or should be used, the context should be checked for security.

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/bootstrap/dom-event-handlers.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/bootstrap/dom-event-handlers.js

Lines 45 to 47 in 3e6eb2b

var scriptClass = eval(scriptClassName);

if (!scriptClass) {

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js

Lines 153 to 155 in 3e6eb2b

    
           for (i = 0; i < names.length; i++) { 
        
               if (eval('!' + objName + '[' + getNames(i, '' + namesName + '') + ']')) { 
        
                   eval('' + objName + '[' + getNames(i, '' + namesName + '') + '] = {}');

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js

Lines 154 to 156 in 3e6eb2b

    
           if (eval('!' + objName + '[' + getNames(i, '' + namesName + '') + ']')) { 
        
               eval('' + objName + '[' + getNames(i, '' + namesName + '') + '] = {}'); 
        
           }

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js

Lines 158 to 160 in 3e6eb2b

    
           if ($.isEmptyObject(eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + ']'))) { 
        
               eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + '] = ' + xName + '.value');

Target Code : abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js [view change history] [ignore this]

abp/framework/src/Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared/wwwroot/libs/abp/aspnetcore-mvc-ui-theme-shared/jquery/jquery-extensions.js

Lines 159 to 161 in 3e6eb2b

    
           if ($.isEmptyObject(eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + ']'))) { 
        
               eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + '] = ' + xName + '.value'); 
        
           }

Information exposure

Description : If password is hardcoded in the source code, it can be leaked

Countermeasure : Do not hard-code important information in code, but encrypt and manage it in a safe place. For more information, see the link below: https://naver-security.github.io/nshiftkey-rule-guides/Password_Hardcoded_eng

Target Code : abp/npm/verdaccio-containers/publish-packages/entrypoint.sh [view change history] [ignore this]

abp/npm/verdaccio-containers/publish-packages/entrypoint.sh

Lines 13 to 15 in 3e6eb2b


	curl -XPUT -H "Content-type: application/json" -d '{ "name": "volo", "password": "123456", "email": "[email protected]" }' 'verdaccio:4873/-/user/org.couchdb.user:your_username'

Potential JS Security Warning (dangerouslySetInnerHTML)
- Description : Potentially exploitable by XSS
- Countermeasure : To prevent XSS attacks, do not use dangerouslySetInnerHTML to enable HTML tag rendering.
  - Target Code : abp/modules/cms-kit/host/Volo.CmsKit.Web.Unified/wwwroot/libs/uppy/uppy.js [view change history] [ignore this]
    https://github.com/2lambda123/abp/blob/3e6eb2bcfe11f81388a768e9ad1611497cc04f89/modules/cms-kit/host/Volo.CmsKit.Web.Unified/wwwroot/libs/uppy/uppy.js#L17118-L17120
  - Target Code : abp/modules/cms-kit/host/Volo.CmsKit.Web.Unified/wwwroot/libs/uppy/uppy.js [view change history] [ignore this]
    https://github.com/2lambda123/abp/blob/3e6eb2bcfe11f81388a768e9ad1611497cc04f89/modules/cms-kit/host/Volo.CmsKit.Web.Unified/wwwroot/libs/uppy/uppy.js#L17198-L17200

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Upgrade react-native-screens from 3.33.0 to 3.34.0 #164

[Snyk] Upgrade react-native-screens from 3.33.0 to 3.34.0 #164

Summary

Details

NShiftKey

Potential command injection

Information exposure

Potential JS Security Warning (dangerouslySetInnerHTML)

Re-running checks...

	for (i = 0; i < names.length; i++) {
	if (eval('!' + objName + '[' + getNames(i, '' + namesName + '') + ']')) {
	eval('' + objName + '[' + getNames(i, '' + namesName + '') + '] = {}');


	if ($.isEmptyObject(eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + ']'))) {
	eval('' + objName + '[' + getNames(names.length - 1, '' + namesName + '') + '] = ' + xName + '.value');


	var scriptClass = eval(scriptClassName);
	if (!scriptClass) {

[Snyk] Upgrade react-native-screens from 3.33.0 to 3.34.0 #164

fix: upgrade react-native-screens from 3.33.0 to 3.34.0

[Snyk] Upgrade react-native-screens from 3.33.0 to 3.34.0 #164

Summary

Details

NShiftKey

Potential command injection

Information exposure

Potential JS Security Warning (dangerouslySetInnerHTML)

Re-running checks...