Vulnerability in validator.js

[fagidutt]

Adding to recent requests for a new version, i wanted to guide attention to a recently discovered vulnerability in TSOAs dependency validator.js.

More context: GHSA-9965-vmph-33xx

Hopefully this can be addressed at the same time.

[github-actions]

Hello there fagidutt 👋

Thank you for opening your very first issue in this project.

We will try to get back to you as soon as we can.👀

[WoH]

Where do you see a dangerous / exploitable issue of the isURL?

[fagidutt]

Sorry if i made the impression that i can provide some sort of attack vector.
I recently had my pipeline fail because this vulnerability was listed in the dependencies of tsoa during the build.
I was able to mitigate this by changing my build parameters, but i figured i open an issue as without mitigation, this broke my pipeline.

Maybe that was unneccessary, in this case i do apologize.

For the notes: I was able to mitigate the failing pipeline by allowing moderate severity vulnerabilities in the dev build, but i'd prefer not to have to do this in production. Not doing this would fail with a non-zero code while installing dependencies.

edit: Just to clarify. When executing npm install, and a vulnerability is detected, the default behavior of npm is to fail with a non-zero status. In the context of a pipeline, this leads to the pipeline failing as the runner thinks an error occurred. This can be mitigated with the --audit-level flag set to high. But that doesn't seem to be ideal.

[zachkirsch]

@WoH Looks like this was fixed in #1809, when can we expect a new release to go out?

[cesco69]

> pnpm audit

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Validator is Vulnerable to Incomplete Filtering of One │
│                     │ or More Instances of Special Elements                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ validator                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <13.15.22                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=13.15.22                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @tsoa/runtime@6.6.0 > validator@13.12.0            │
│                     │                                                        │
│                     │ . > tsoa@6.6.0 > @tsoa/cli@6.6.0 > @tsoa/runtime@6.6.0 │
│                     │ > validator@13.12.0                                    │
│                     │                                                        │
│                     │ . > tsoa@6.6.0 > @tsoa/cli@6.6.0 > validator@13.12.0   │
│                     │                                                        │
│                     │ ... Found 4 paths, run `pnpm why validator` for more   │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-vghf-hv5q-vc2g      │
└─────────────────────┴────────────────────────────────────────────────────────┘

dependencies:
@tsoa/runtime 6.6.0
└── validator 13.12.0
tsoa 6.6.0
├─┬ @tsoa/cli 6.6.0
│ ├─┬ @tsoa/runtime 6.6.0
│ │ └── validator 13.12.0
│ └── validator 13.12.0
└─┬ @tsoa/runtime 6.6.0
  └── validator 13.12.0