Comments (6)
Thanks @TheRealWaldo. Should be fixed in v3.1.1. Although, if I may ask, I wonder in which scenario you would use this plugin with `git: false`?
from conventional-changelog.
Primarily for CI/CD automation:
The release-it git plugin fails on a pull request workflow (it always thinks there are zero commits and dies with a fatal on a git command), but we need to run it to verify the GitHub action (and release-it) will still work.
The second case is that we have a two-step release process: first we bump the version, sometimes rebuild (depending on the project), then we test that the bump worked and didn't break anything. If it worked we merge the bump, and then officially release. With the git plugin enabled in conjunction with the bumper plugin, this results in two bumps (and some strange behavior with a different version in the changelog vs. the release vs. the files). So we disable the git plugin in the second step, and use the file-based bumper to read the version.
@webpro latest update fails security scan; looks like a bad .replace
Title: Incomplete string escaping or encoding
This does not escape backslash characters in the input.
Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.
However, directly using the string replace method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.
In the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.
Even if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.
Recommendation
Use a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.
An even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.
Otherwise, make sure to use a regular expression with the g flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.
Note, however, that this is generally not sufficient for replacing multi-character strings: the String.prototype.replace method only performs one pass over the input string, and will not replace further instances of the string that result from earlier replacements.
For example, consider the code snippet `s.replace(/\/\.\.\//g, "")`, which attempts to strip out all occurrences of `/../` from `s`. This will not work as expected: for the string `/./.././`, for example, it will remove the single occurrence of `/../` in the middle, but the remainder of the string then becomes `/../`, which is another instance of the substring we were trying to remove.
Example
For example, assume that we want to embed a user-controlled string accountNumber into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:
```javascript
function escapeQuotes(s) {
  // string pattern: only the first single quote is doubled
  return s.replace("'", "''");
}
```
As written, this sanitizer is ineffective: if the first argument to replace is a string literal (as in this case), only the first occurrence of that string is replaced.
As mentioned above, the function escapeQuotes should be replaced with a purpose-built sanitization library, such as the npm module sqlstring. Many other sanitization libraries are available from npm and other sources.
If this is not an option, escapeQuotes should be rewritten to use a regular expression with the g ("global") flag instead:
```javascript
function escapeQuotes(s) {
  // regex with the g flag: every single quote is doubled
  return s.replace(/'/g, "''");
}
```
Note that it is very important to include the global flag: s.replace(/'/, "''") without the global flag is equivalent to the first example above and only replaces the first quote.
References
OWASP Top 10: A1 Injection.
npm: sqlstring package.
Common Weakness Enumeration: CWE-116.
Common Weakness Enumeration: CWE-20.
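The three pitfalls the pasted CodeQL alert describes (first-match-only string patterns, escaping the quote but not the backslash, and single-pass replacement of multi-character patterns), each beside its fix. This is an added example, not code from the thread or from release-it; the function names are my own.

```javascript
// Added example, not code from the thread or from release-it: the
// escaping pitfalls the CodeQL alert describes, side by side.

// Pitfall 1: a STRING pattern makes String.prototype.replace touch only the
// first match, so "a'b'c" -> "a''b'c" and the second quote stays live.
function escapeQuotesFirstOnly(s) {
  return s.replace("'", "''");
}

// Fix: a regex with the g flag doubles every quote: "a'b'c" -> "a''b''c".
function escapeQuotesGlobal(s) {
  return s.replace(/'/g, "''");
}

// Pitfall 2: backslash-style escaping that handles the quote but not the
// backslash. Input \' becomes \\' : the backslash is now escaped and the
// quote is bare again (an even number of backslashes precedes it).
function escapeQuoteButNotBackslash(s) {
  return s.replace(/'/g, "\\'");
}

// Fix: escape the backslash itself, and do it FIRST so the escapes added
// afterwards are not mangled. Input \' becomes \\\' (escaped backslash,
// then escaped quote).
function escapeBackslashStyle(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Pitfall 3: multi-character patterns. replace makes ONE pass, so removing
// "/../" from "/./.././" yields "/../", a fresh instance of the pattern.
function stripDotDotOnePass(s) {
  return s.replace(/\/\.\.\//g, "");
}

// Fix: repeat until the string stops changing (a fixpoint), which here
// reduces "/./.././" to "".
function stripDotDotFixpoint(s) {
  let prev;
  do {
    prev = s;
    s = s.replace(/\/\.\.\//g, "");
  } while (s !== prev);
  return s;
}
```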
@webpro that security issue might be an upstream change; aside from some redundant escaping, I can't see an obvious problem in the recent changes.
@webpro strange behavior now, that didn't exist before:
- The changelog includes the previous version
- The GitHub release plugin updates the previous release with the current release notes, and the new release version, and does not create a new release, effectively destroying release history
Using --no-increment with --github.release is deprecated. Add --github.update in release-it v15.
🚀 Let's update release-it (currently at 0.6.1)
Changelog:
0.6.1 (2021-08-13)
0.6.0 (2021-08-07)
Features
- fail if required inputs are not set (a003cf1)
Bug Fixes
- imports (7c25850)
- properly handle error (42e50d4)
- remote branch not detected (94e47bb)
- remote branch not detected (9de163d)
- set property requiredUpstream of undefined (7f18842)
- unhandled promise rejection (45812c9)
As I think the original issue is fixed, I'm going to close this issue.