[Snyk] Security upgrade mattermost-redux from 10.9.0 to 11.4.0#659
[Snyk] Security upgrade mattermost-redux from 10.9.0 to 11.4.0#659avasconcelos114 merged 2 commits intomasterfrom
Conversation
…bilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-MATTERMOSTREDUX-15702176
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Actually came back to see that the CI error here is in the linter, should have a fixed version pushed to this branch in a few, looks like other libs also need to be bumped together |
|
This pull request introduces code that listens for postMessage events from the parent window but does not validate the event.origin, allowing any site or iframe to send a 'SEND_POPOUT_STATE' message with an arbitrary channelId and trigger authenticated server fetches (getChannelSubscriptions), enabling hostile sites to probe or fetch data on channels the user can access. This is a high-severity cross-window messaging vulnerability and should be fixed by validating origin and restricting accepted message sources and payloads.
🟠 Cross-Window Messaging Security in
|
| Vulnerability | Cross-Window Messaging Security |
|---|---|
| Description | The application listens for messages from the parent window to synchronize state. While it successfully processes messages, it fails to validate the origin of the postMessage event. This allows any malicious website or iframe that can communicate with the application to send a 'SEND_POPOUT_STATE' message. This message can contain an arbitrary channelId, which then triggers getChannelSubscriptions to perform an authenticated fetch request to the server with that channelId. While the server likely authorizes the user's access to the channel, this vulnerability allows a malicious site to perform unauthorized data fetching or discovery by probing channels the user has access to. |
mattermost-plugin-gitlab/webapp/src/index.ts
Lines 177 to 183 in 41875b9
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
|
@DryRunSecurity fp drs_fa331cec This is a Mattermost platform API that already has origin validation built-in and proccesed in the webapp |
|
Finding fa331cec has been successfully dismissed and marked as False Positive. |
4 participants
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
webapp/package.jsonwebapp/package-lock.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-MATTERMOSTREDUX-15702176
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.