[SG-39076] thenify before 3.3.1 made use of unsafe calls to eval.

Review changes
Download
Patches
Plain diff

Open [SG-39076] thenify before 3.3.1 made use of unsafe calls to eval.

Overview 2
Commits 1
Pipelines 0
Changes 2

Open Warren Gifford requested to merge contractors/SG-39076 into main 2 years ago

Overview 2
Commits 1
Pipelines 0
Changes 2

Created by: gitstart-sourcegraph

Description

Versions of thenify prior to 3.3.1 made use of unsafe calls to eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to eval.

Success criteria

Update thenify to a non-vulnerable version

Implementation details

The latest possible version of thenify that can be installed is 3.3.0. The earliest fixed version is 3.3.1.

Affected versions < 3.3.1

Refs

Sourcegraph issue Gitstart ticket

Test plan

Make sure there is no CI error resulting from this change

App preview:

Web
Storybook

Check out the client app preview documentation to learn more.

Merge request reports

Activity

Filter activity

Approvals
Assignees & reviewers
Comments (from bots)
Comments (from users)
Commits & branches
Edits
Labels
Lock status
Mentions
Merge request status
Tracking

Please register or sign in to reply

0 Assignees

0 Reviewers

Request review from

Labels

None

Select labels

Manage project labels

Milestone

None

Time tracking

No estimate or time spent

0 Participants

There are currently no pipelines.

To run a merge request pipeline, the jobs in the CI/CD configuration file must be configured to run in merge request pipelines and you must have sufficient permissions in the source project.