// audit-ci.jsonc
{
// $schema provides code completion hints to IDEs.
"$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
"low": true,
"allowlist": [
// OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
"GHSA-mx2q-35m2-x2rh",
// GovernorCompatibilityBravo may trim proposal calldata
"GHSA-93hq-5wgc-jc82",
// OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning
"GHSA-5h3x-9wvq-w4m2",
// OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
"GHSA-wprv-93r4-jj2p",
// OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
"GHSA-4g63-c64m-25w9",
// OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals
"GHSA-xrc4-737v-9q75",
// OpenZeppelin Contracts's ERC165Checker may revert instead of returning false
"GHSA-qh9x-gcfh-pcrw",
// OpenZeppelin Contracts vulnerable to ECDSA signature malleability
"GHSA-4h98-2769-gh6h",
// OpenZeppelin Contracts ERC165Checker unbounded gas consumption
"GHSA-7grf-83vw-6f5x",
// tough-cookie Prototype Pollution vulnerability
"GHSA-72xf-g2v4-qvf3",
// Server-Side Request Forgery in Request
"GHSA-p8p7-x288-28g6",
// OpenZeppelin: Using ERC2771Context with a custom forwarder can yield address(0)
"GHSA-g4vp-m682-qqmp",
// OpenZeppelin Contracts base64 encoding may read from potentially dirty memory
"GHSA-9vx6-7xxf-x967",
// Vulnerability in tar: node does not validate a tar archive before trying to untar it, so a malicious archive can cause a denial of service on the client.
// We use node only in development, and tar is only pulled in by web3, which we do not use client-side.
// The only way a malicious archive could reach us is through a malicious package in development.
"GHSA-f5x3-32g6-xq36",
// ws denial of service when handling a request with too many HTTP headers - we only use it in development
"GHSA-3h5v-q93c-6h6q",
// cookie accepts cookie name, path, and domain with out-of-bounds characters
"GHSA-pxg6-pf52-xh8x",
// form-data uses an unsafe random function for choosing the multipart boundary (Critical)
"GHSA-fjxv-7rqg-78g4",
// tmp allows an arbitrary temporary file / directory write via a symbolic-link `dir` parameter
"GHSA-52f5-9888-hmc6",
// web3-core-subscriptions has a Prototype Pollution vulnerability
"GHSA-hhf6-3xpg-pggx",
// js-yaml has a prototype pollution vulnerability in merge (`<<`)
"GHSA-mh29-5h37-fv8m",
// body-parser is vulnerable to denial of service when URL encoding is used
"GHSA-wqch-xfxh-vrr4"
]
}