Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-24434 dicer 包所有版本有安全风险,需要方案解决 #5018

Closed
gm3000 opened this issue Sep 16, 2022 · 6 comments · Fixed by #5023
Closed

CVE-2022-24434 dicer 包所有版本有安全风险,需要方案解决 #5018

gm3000 opened this issue Sep 16, 2022 · 6 comments · Fixed by #5023

Comments

@gm3000
Copy link

gm3000 commented Sep 16, 2022

What happens?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24434
是一个最高风险的CVE,破坏者可以通过form提交搞崩node,而问题根源dicer所有版本都有这个问题。
最新的egg依然引用,导致我们采用eggjs的产品无法通过安全审查,需要解决这个严重的安全问题。

最小可复现仓库

请使用 npm init egg --type=simple bug 创建,并上传到你的 GitHub 仓库

复现步骤,错误日志以及相关配置

相关环境信息

  • 操作系统
  • Node 版本
  • Egg 版本:2.36.0
@atian25
Copy link
Member

atian25 commented Sep 16, 2022
edited
Loading

是 multipart 那个问题么?#4977

@gm3000 有没有兴趣来提下 PR?我本人最近有点私事脱不了身,周末看看能否搞搞。

我们现在已经发了 egg3.0 了,Node 最低版本要求是 14 了,所以现在没有 #4977 这个 issue 那时候的困境了,可以直接升级 egg-multipart 到最新依赖,并发一个大版本集成到 egg 里面。

@gm3000
Copy link
Author

gm3000 commented Sep 16, 2022

是 multipart 那个问题么?#4977

@gm3000 有没有兴趣来提下 PR?我本人最近有点私事脱不了身,周末看看能否搞搞。

我们现在已经发了 egg3.0 了,Node 最低版本要求是 14 了,所以现在没有 #4977 这个 issue 那时候的困境了,可以直接升级 egg-multipart 到最新依赖,并发一个大版本集成到 egg 里面。

看起来是啊,dicer最新版好像处理了这个问题,我最近也有点私事儿:P, 空了看看,我担心眼前赶不上egg 下一个release,我这儿产品过两周就发布了

@atian25
Copy link
Member

atian25 commented Sep 16, 2022

我看了下,busboy 的 api 有些变化,得改改保证兼容性

@atian25
Copy link
Member

atian25 commented Sep 16, 2022

@gm3000 我尽量吧:#4977 (comment)

@atian25
Copy link
Member

atian25 commented Sep 21, 2022

eggjs/egg-multipart#54

@atian25 atian25 mentioned this issue Sep 21, 2022
Merged
4 tasks
fengmk2 pushed a commit that referenced this issue Sep 21, 2022
@atian25
feat: update egg-multipart 2.x -> 3.x (#5023)
733d669 
closes #5018
@atian25
Copy link
Member

atian25 commented Sep 21, 2022

@gm3000 你升级看看, egg3 然后 node 14.x+

iblogc pushed a commit to iblogc/egg that referenced this issue Jan 9, 2023
@atian25 @iblogc
feat: update egg-multipart 2.x -> 3.x (eggjs#5023)
87d77e3 
closes eggjs#5018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: update egg-multipart 2.x -> 3.x eggjs/egg
2 participants
@atian25 @gm3000