8000
chore(deps): update dependency stateful/runme to v3.12.7 by uniget-bot · Pull Request #11044 · uniget-org/tools · GitHub
More Web Proxy on the site http://driver.im/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
golang.org/x/crypto0.33.0 (golang)
pkg:golang/golang.org/x/crypto@0.33.0
Affected range
<0.35.0
Fixed version
0.35.0
Description
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
github.com/expr-lang/expr1.16.9 (golang)
pkg:golang/github.com/expr-lang/expr@1.16.9
Allocation of Resources Without Limits or Throttling
Affected range
<1.17.0
Fixed version
1.17.0
CVSS Score
7.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Impact
If the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression. In scenarios where input size isn’t limited, a malicious or inadvertent extremely large expression can consume excessive memory as the parser builds a huge AST. This can ultimately lead to excessive memory usage and an Out-Of-Memory (OOM) crash of the process. This issue is relatively uncommon and will only manifest when there are no restrictions on the input size, i.e. the expression length is allowed to grow arbitrarily large. In typical use cases where inputs are bounded or validated, this problem would not occur.
Patches
The problem has been patched in the latest versions of the Expr library. The fix introduces compile-time limits on the number of AST nodes and memory usage during parsing, preventing any single expression from exhausting resources. Users should upgrade to Expr version 1.17.0 or later, as this release includes the new node budget and memory limit safeguards. Upgrading to v1.17.0 ensures that extremely deep or large expressions are detected and safely aborted during compilation, avoiding the OOM condition.
Workarounds
For users who cannot immediately upgrade, the recommended workaround is to impose an input size restriction before parsing. In practice, this means validating or limiting the length of expression strings that your application will accept. For example, set a maximum allowable number of characters (or nodes) for any expression and reject or truncate inputs that exceed this limit. By ensuring no unbounded-length expression is ever fed
8000
into the parser, you can prevent the parser from constructing a pathologically large AST and avoid potential memory exhaustion. In short, pre-validate and cap input size as a safeguard in the absence of the patch.
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
github.com/cli/go-gh1.2.1 (golang)
pkg:golang/github.com/cli/go-gh@1.2.1
Exposure of Sensitive Information to an Unauthorized Actor
Affected range
<2.11.1
Fixed version
Not Fixed
CVSS Score
6.5
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Description
Summary
A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.
Details
go-gh sources authentication tokens from different environment variables depending on the host involved:
GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com
GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server
Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace.
In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.
Impact
Successful exploitation could send authentication token to an unintended host.
Remediation and mitigation
Upgrade go-gh to 2.11.1
Advise extension users to regenerate authentication tokens:
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.12.6->3.12.7Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
stateful/runme (stateful/runme)
v3.12.7Compare Source
Download
macOS:
Linux
Windows
Changelog
Full changelog
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.