Project author: g-k

Project description:
An nsp input processor for urls
Language: Shell
Repository: git://github.com/g-k/nsp-preprocessor-url.git
Created: 2018-02-19T15:49:53Z
Project page: https://github.com/g-k/nsp-preprocessor-url

License: Mozilla Public License 2.0



NSP URL preprocessor

An NSP input processor for URLs

use cases

To check for vulnerabilities in the Node.js dependencies of projects:

  • without cloning large repos (or checking out specific branches or tags)

  • with non-standard version file names

  • with multiple package.json and other version files (e.g. if we have
    version files at https://github.com/me/myrepo/blob/master/frontend
    and https://github.com/me/myrepo/blob/master/old-frontend, run this
    twice, once with each URL)

example usage

To install:

  npm install -g nsp nsp-preprocessor-url
  /usr/local/bin/nsp -> /usr/local/lib/node_modules/nsp/bin/nsp
  + nsp-preprocessor-url@0.2.1
  + nsp@3.2.1
  updated 2 packages in 4.094s

To fetch and check the standard version file names (package.json, npm-shrinkwrap.json and package-lock.json):

  nsp check --preprocessor url --url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/2.1.1/ --verbose
  Found package.json: 200 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/2.1.1/package.json
  Error fetching url npm-shrinkwrap.json: 404 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/2.1.1/npm-shrinkwrap.json
  Error fetching url package-lock.json: 404 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/2.1.1/package-lock.json
  (+) 1 vulnerability found

  Prototype pollution attack
    Name        hoek
    CVSS        4 (Medium)
    Installed   2.16.3
    Vulnerable  <= 4.2.0 || >= 5.0.0 < 5.0.3
    Patched     > 4.2.0 < 5.0.0 || >= 5.0.3
    Path        ip-reputation-js-client@2.1.1 > request@2.75.0 > hawk@3.1.3 > hoek@2.16.3
    More Info   https://nodesecurity.io/advisories/566

For non-standard version file names, pass --pkg-url, --shrinkwrap-url or --pkg-lock-url (for package.json, npm-shrinkwrap.json and package-lock.json respectively):

  nsp check --preprocessor url --url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/ --pkg-lock-url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/weird-pkg-lock.json --verbose
  Found package.json: 200 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/package.json
  Found npm-shrinkwrap.json: 200 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/npm-shrinkwrap.json
  Error fetching url package-lock.json: 404 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/weird-pkg-lock.json
  (+) No known vulnerabilities found

Or a combination of a base --url and an override (here the package-lock override returns a 404):

  nsp check --preprocessor url --url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/ --pkg-lock-url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/weird-pkg-lock.json --verbose
  Found package.json: 200 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/package.json
  Found npm-shrinkwrap.json: 200 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/npm-shrinkwrap.json
  Error fetching url package-lock.json: 404 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/weird-pkg-lock.json
  (+) No known vulnerabilities found

Overriding npm-shrinkwrap.json (a 200 from a different tag than the base --url):

  nsp check --preprocessor url --url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/ --shrinkwrap-url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/2.1.3/npm-shrinkwrap.json --verbose 2>&1
  Found package.json: 200 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/package.json
  Found npm-shrinkwrap.json: 200 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/2.1.3/npm-shrinkwrap.json
  Error fetching url package-lock.json: 404 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/package-lock.json
  (+) 2 vulnerabilities found

  Prototype pollution attack
    Name        hoek
    CVSS        4 (Medium)
    Installed   4.2.0
    Vulnerable  <= 4.2.0 || >= 5.0.0 < 5.0.3
    Patched     > 4.2.0 < 5.0.0 || >= 5.0.3
    Path        ip-reputation-js-client@2.1.4 > joi@12.0.0 > hoek@4.2.0
    More Info   https://nodesecurity.io/advisories/566

  Prototype pollution attack
    Name        hoek
    CVSS        4 (Medium)
    Installed   4.2.0
    Vulnerable  <= 4.2.0 || >= 5.0.0 < 5.0.3
    Patched     > 4.2.0 < 5.0.0 || >= 5.0.3
    Path        ip-reputation-js-client@2.1.4 > request@2.83.0 > hawk@6.0.2 > hoek@4.2.0
    More Info   https://nodesecurity.io/advisories/566

Explicit package.json with no base/root --url:

  nsp check --preprocessor url --pkg-url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/2.1.4/package.json --verbose 2>&1
  No url provided for npm-shrinkwrap.json
  No url provided for package-lock.json
  Found package.json: 200 https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/2.1.4/package.json
  (+) No known vulnerabilities found

errors

Missing package.json:

  nsp check --preprocessor url --shrinkwrap-url https://raw.githubusercontent.com/mozilla-services/ip-reputation-js-client/master/npm-shrinkwrap.json --verbose
  No url provided for package.json
  No url provided for package-lock.json
  (+) Missing required URL for package.json (use --url or --pkg-url if the filename isn't package.json)

Missing all args:

  nsp check --preprocessor url --verbose
  No url provided for package.json
  No url provided for npm-shrinkwrap.json
  No url provided for package-lock.json
  (+) Missing url args.

Bad response from --url (406, since github.com "blob" pages serve HTML rather than the raw JSON; use raw.githubusercontent.com URLs as in the examples above):

  nsp check --preprocessor url --url https://github.com/mozilla-services/ip-reputation-js-client/blob/master/ --verbose
  Error fetching url package.json: 406 https://github.com/mozilla-services/ip-reputation-js-client/blob/master/package.json
  Error fetching url npm-shrinkwrap.json: 406 https://github.com/mozilla-services/ip-reputation-js-client/blob/master/npm-shrinkwrap.json
  Error fetching url package-lock.json: 404 https://github.com/mozilla-services/ip-reputation-js-client/blob/master/package-lock.json
  (+) Failed to fetch JSON for package.json
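The way the base --url and the per-file overrides combine in the usage section above, and the error outcomes in this section (missing args, missing package.json URL, non-200 response), modelled as an added JavaScript example. This is not the nsp-preprocessor-url project's own code: the option names url, pkgUrl, shrinkwrapUrl and pkgLockUrl are this example's camel-cased stand-ins for the CLI flags, the injected fetchJson function and the example-org/example-repo URLs are constructed so that it runs offline, and the warning about github.com "blob" URLs is an added check, not a feature of the tool.

```javascript
// Added example (not the nsp-preprocessor-url project's code): resolve which URL
// each version file is fetched from, fetch them through an injected function,
// and reproduce the README's "Found" / "Error fetching" / "No url provided"
// messages and the final error conditions.

const VERSION_FILES = [
  { name: 'package.json',        override: 'pkgUrl',        required: true },
  { name: 'npm-shrinkwrap.json', override: 'shrinkwrapUrl', required: false },
  { name: 'package-lock.json',   override: 'pkgLockUrl',    required: false },
];

// Option names are hypothetical camel-cased versions of --url, --pkg-url,
// --shrinkwrap-url and --pkg-lock-url. An explicit per-file URL wins;
// otherwise the file name is joined onto the base URL.
function resolveUrls(opts) {
  const base = opts.url ? opts.url.replace(/\/*$/, '/') : null;
  return VERSION_FILES.map((f) => ({
    ...f,
    href: opts[f.override] || (base ? base + f.name : null),
  }));
}

// Added check: github.com/<owner>/<repo>/blob/... serves an HTML page, which is
// why the README's last example gets 406s; raw.githubusercontent.com serves bytes.
function looksLikeHtmlBlobUrl(href) {
  try {
    const u = new URL(href);
    return u.hostname === 'github.com' && u.pathname.split('/')[3] === 'blob';
  } catch (e) {
    return false;
  }
}

// fetchJson(href) -> { status, body } is injected so the example needs no network.
function fetchVersionFiles(opts, fetchJson) {
  const resolved = resolveUrls(opts);
  const messages = [];
  const files = {};
  if (resolved.every((f) => f.href === null)) {
    return { messages, files, error: 'Missing url args.' };
  }
  for (const f of resolved) {
    if (f.href === null) {
      messages.push(`No url provided for ${f.name}`);
      continue;
    }
    if (looksLikeHtmlBlobUrl(f.href)) {
      messages.push(`Warning: ${f.href} is a GitHub HTML page; use a raw.githubusercontent.com URL`);
    }
    const res = fetchJson(f.href);
    if (res.status !== 200) {
      messages.push(`Error fetching url ${f.name}: ${res.status} ${f.href}`);
      continue;
    }
    messages.push(`Found ${f.name}: 200 ${f.href}`);
    files[f.name] = res.body;
  }
  // Only package.json is required; the lock files may be absent.
  const pkg = resolved.find((f) => f.required);
  let error = null;
  if (pkg.href === null) {
    error = "Missing required URL for package.json (use --url or --pkg-url if the filename isn't package.json)";
  } else if (!(pkg.name in files)) {
    error = 'Failed to fetch JSON for package.json';
  }
  return { messages, files, error };
}

// Constructed fake responses for a placeholder repository; anything else is a 404.
const RAW = 'https://raw.githubusercontent.com/example-org/example-repo/';
const FAKE_RESPONSES = {
  [RAW + 'master/package.json']: { status: 200, body: { name: 'example-repo', dependencies: { hoek: '2.16.3' } } },
  [RAW + 'master/npm-shrinkwrap.json']: { status: 200, body: { name: 'example-repo', dependencies: {} } },
  'https://github.com/example-org/example-repo/blob/master/package.json': { status: 406, body: null },
};
function fakeFetchJson(href) {
  return FAKE_RESPONSES[href] || { status: 404, body: null };
}

// The four situations from the README, run against the fake responses.
function demo() {
  const a = fetchVersionFiles({ url: RAW + 'master' }, fakeFetchJson);                       // standard names
  const b = fetchVersionFiles({ url: RAW + 'master', pkgLockUrl: RAW + 'master/weird-pkg-lock.json' }, fakeFetchJson); // override 404s
  const c = fetchVersionFiles({ shrinkwrapUrl: RAW + 'master/npm-shrinkwrap.json' }, fakeFetchJson); // no package.json URL
  const d = fetchVersionFiles({ pkgUrl: 'https://github.com/example-org/example-repo/blob/master/package.json' }, fakeFetchJson); // HTML page
  return { a, b, c, d };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, r] of Object.entries(demo())) {
    console.log(`--- ${label}\n${r.messages.join('\n')}\n(+) ${r.error || 'version files fetched'}`);
  }
}
```

The lock-file 404s are deliberately non-fatal, as in the README's runs, while a package.json that is either unresolvable or not a 200 ends the check; in practice it is that distinction that tells you whether a "No known vulnerabilities found" result was computed from a lockfile or only from the looser ranges in package.json.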