osweekends / batimagen
A project about metadata from the cybersecurity guild
License: GNU General Public License v3.0
So yeah... a project with its kanban?
How to organize the meetups...
A logbook to note down what gets agreed in meetings?
Style code?
....
....
Infrastructure
Batimage-core-env
and batimagen
Backend
./lib/phoenix.js
internal module to external dependency in NPM
Frontend
New features
Testing
Documentation
Miscellaneous
Legacy Matters
The Lodash method `_.merge` exported as a module.
Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz
Path to dependency file: batimagen/package.json
Path to vulnerable library: batimagen/node_modules/lodash.merge/package.json
Dependency Hierarchy:
Found in HEAD commit: c0a367c5b1397d97c121bb83f39950920f054dca
lodash.merge before 4.6.2 is vulnerable to prototype pollution. The function merge() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2019-08-14
URL: WS-2019-0185
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1066
Release Date: 2019-08-14
Fix Resolution: 4.6.2
Step up your Open Source Security Game with WhiteSource here
Prerequisites
development
@ElenaMLopez @FranciscoValdesoiro
Code
dockerfile
with all the dependencies on an Ubuntu. @FranciscoValdesoiro @ElenaMLopez
sh
of the application. @UlisesGascon
Optional
Documentation
development
Week 12'19
(Docker + Prerequisite)
Week 14'19
(Code)
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: b2e815be74ae58d35be335bf7aabcc699c1db776
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.19
Direct dependency fix Resolution (pug): 2.0.4
Get the native type of a value.
Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz
Path to dependency file: /tmp/ws-scm/batimagen/package.json
Path to vulnerable library: /tmp/ws-scm/batimagen/node_modules/kind-of/package.json
Dependency Hierarchy:
Found in HEAD commit: 493cbe24d8ebe21f21db697094d361ce17d6718d
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Publish Date: 2019-12-30
URL: CVE-2019-20149
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 4ca62256d58578677914676b0e282fb69b9fb06a
In 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.
Publish Date: 2019-10-07
URL: WS-2019-0310
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1184
Release Date: 2019-10-07
Fix Resolution: https-proxy-agent - 2.2.3
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /batimagen/package.json
Path to vulnerable library: /tmp/git/batimagen/node_modules/@goblindb/goblindb/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 35b57dd298c3e989d269b49de4e8701f9c5b5a10
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Release Date: 2018-06-07
Fix Resolution: 4.17.5
Parse, validate, manipulate, and display dates
path: /tmp/git/batimagen/node_modules/emailjs/node_modules/moment/package.json
Library home page: https://registry.npmjs.org/moment/-/moment-2.15.2.tgz
Dependency Hierarchy:
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
Publish Date: 2018-03-04
URL: CVE-2017-18214
Base Score Metrics:
Type: Change files
Origin: moment/moment@69ed9d4
Release Date: 2017-11-29
Fix Resolution: Replace or update the following files: regex.js, moment-with-locales.js, moment.js
process children
target: _blank
"Detected Faces" section
detectionConfidence (% success)
and the xxxxxLikelihood
Originally proposed by @Kr0n0
Stegdetect:
Library for detecting steganographic content: Steganography (from the Greek στεγανος steganos, "covered" or "hidden", and γραφος graphos, "writing") is the study and application of techniques that allow hiding messages or objects inside others, called carriers, so that their existence is not perceived. Wikipedia.
As a developer I want to dockerize the app.
- https://semaphoreci.com/community/tutorials/dockerizing-a-node-js-web-application
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: e3c9fb28a65279a6f1183d5fb3c95bb64f92b509
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
Publish Date: 2019-04-30
URL: CVE-2018-20834
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2019-04-30
Fix Resolution: 2.2.2,4.4.2
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 8998924e18246d26bca1a44a8961c821ae9ca27e
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md
Release Date: 2020-09-01
Fix Resolution: node-forge - 0.10.0
In package.json there is a task which is:
"scripts": {
  "start": "node run tokens && node server.js",
  "tokens": "export GOOGLE_APPLICATION_CREDENTIALS='./SECRET_gcloud.json'"
}
In the start one, node run tokens..... has to be changed
to npm run tokens...
Define the task list and decide on the technologies to use in development.
Express?
Auth for users?
Store data?
Desktop application, or do we go with the console?
....
I'm living in a sea of doubts
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.7.8.tgz
Path to dependency file: /batimagen/package.json
Path to vulnerable library: /tmp/git/batimagen/node_modules/shelljs/package.json
Dependency Hierarchy:
Found in HEAD commit: 26e6736935fbc7d62f8a1dd88261f54b72d049c1
Shelljs 0.8.3 and before are vulnerable to Command Injection. Commands can be invoked from shell.exec(), those commands will include input from external sources, to be passed as arguments to system executables and allowing an attacker to inject arbitrary commands.
Publish Date: 2019-06-16
URL: WS-2017-3737
Hi!
We would like you to help us with a beautiful logo that represents our project. Our project analyzes the metadata of images and documents and is a tool to raise awareness worldwide about the inherent danger of metadata (data about data). For example, your photographs can include hidden information such as location.
To get an idea of how this project works, we have left you this presentation
Taking into account Honeypot mode
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
Found in HEAD commit: 002a5d2a7f8a8c7e9bf7c418545f1586e0729b0a
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.
Publish Date: 2020-07-30
URL: CVE-2020-7699
Base Score Metrics:
Type: Upgrade version
Origin: richardgirges/express-fileupload#236
Release Date: 2020-07-30
Fix Resolution: 1.1.8
Simple express file upload middleware that wraps around Busboy
Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-1.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/express-fileupload/package.json
Dependency Hierarchy:
Found in HEAD commit: 4ca62256d58578677914676b0e282fb69b9fb06a
In "richardgirges/express-fileupload", versions prior to v1.1.6-alpha.6 are vulnerable to DOS, as a result of an unparsed file name.
Publish Date: 2019-10-18
URL: WS-2019-0314
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1216
Release Date: 2019-10-18
Fix Resolution: 1.1.6-alpha.6
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /batimagen/package.json
Path to vulnerable library: /tmp/git/batimagen/node_modules/@goblindb/goblindb/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 35b57dd298c3e989d269b49de4e8701f9c5b5a10
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution: 4.17.11
As a user I want to be able to upload files with spaces and have the application work normally
Tested in prod
There are several spelling mistakes in the README file; I would like to fix them.
https://www.npmjs.com/package/changelog-version
I use it at work. A colleague developed it and it's really cool.
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /batimagen/package.json
Path to vulnerable library: /tmp/git/batimagen/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 536e0619968e6016b2dff478b60b3e774ac99c70
Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.
Publish Date: 2019-04-05
URL: WS-2019-0047
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/803
Release Date: 2019-04-05
Fix Resolution: 4.4.2
/honeypot
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz
Path to dependency file: /batimagen/package.json
Path to vulnerable library: /tmp/git/batimagen/node_modules/fstream/package.json
Dependency Hierarchy:
Found in HEAD commit: 26e6736935fbc7d62f8a1dd88261f54b72d049c1
Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.
Publish Date: 2019-05-23
URL: WS-2019-0100
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/886
Release Date: 2019-05-23
Fix Resolution: 1.0.12
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /batimagen/package.json
Path to vulnerable library: /tmp/git/batimagen/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 8ffa6931485ab67537327529dd72290783159077
A Prototype Pollution vulnerability was found in lodash through version 4.17.11.
Publish Date: 2019-07-08
URL: CVE-2019-10744
Type: Upgrade version
Origin: lodash/lodash@a01e4fa
Release Date: 2019-07-08
Fix Resolution: 4.17.12
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grpc/node_modules/mkdirp/node_modules/minimist/package.json,/node_modules/minimist/package.json
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/grpc/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: aa82ff1f68d02ea40b74454bc494aa11785f428a
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Parse, validate, manipulate, and display dates
path: /tmp/git/batimagen/node_modules/emailjs/node_modules/moment/package.json
Library home page: https://registry.npmjs.org/moment/-/moment-2.15.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 96c5623166ed27190affa49ce1f351458a85858a
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
Publish Date: 2018-03-04
URL: CVE-2017-18214
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/532
Release Date: 2017-11-27
Fix Resolution: Update to version 2.19.3
Recommended by Kr0n0
Node Jsdom Scrape Google's Reverse Image Search
"I want to programmatically find a list of URLs for similar images given an image URL. I can't find any free image search APIs so I'm trying to do this by scraping Google's Search by Image...."
Stegdetect:
Library for detecting steganographic content: Steganography (from the Greek στεγανος steganos, "covered" or "hidden", and γραφος graphos, "writing") is the study and application of techniques that allow hiding messages or objects inside others, called carriers, so that their existence is not perceived. Wikipedia.
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
Found in HEAD commit: 5445622de0cdb12895bce18c7de0dc2268316ed1
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution: 2.6.1,3.0.0-beta.9
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz
Path to dependency file: /batimagen/package.json
Path to vulnerable library: /tmp/git/batimagen/node_modules/fstream/package.json
Dependency Hierarchy:
Found in HEAD commit: 26e6736935fbc7d62f8a1dd88261f54b72d049c1
fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.
Publish Date: 2019-07-02
URL: CVE-2019-13173
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173
Release Date: 2019-07-02
Fix Resolution: 1.0.12
As a user I want to see the original image again after loading another analysis in the forensic tab.
After analyzing an image, go to the forensic tab, change the view, press the 'original' button. The image link is broken.
As a developer I want to have the environment variable TP_VIRUSTOTAL instead of VIRUSTOTAL, so that the app works
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ajv/package.json
Dependency Hierarchy:
Found in HEAD commit: b2e815be74ae58d35be335bf7aabcc699c1db776
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3
Release Date: 2020-07-15
Fix Resolution: ajv - 6.12.3