GHSA-vxjg-hchx-cc4g

Source
https://github.com/advisories/GHSA-vxjg-hchx-cc4g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-vxjg-hchx-cc4g/GHSA-vxjg-hchx-cc4g.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vxjg-hchx-cc4g
Published
2023-08-01T16:59:40Z
Modified
2023-11-01T05:02:38.758635Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
@simonsmith/cypress-image-snapshot has fix for insecure snapshot file names
Details

Impact

A caller can pass a relative path containing `..` segments as the snapshot name. The name is joined onto the snapshot directory without validation, so the snapshot image is written outside the project directory, anywhere the test process can write on the machine running the test. Example:

  cy.get('h1').matchImageSnapshot('../../../ignore-relative-dirs')

The above creates ignore-relative-dirs.png three directory levels above where snapshots are normally written.

Patches

Fixed in 8.0.2

Workarounds

Until you can upgrade, audit every existing call to matchImageSnapshot and confirm the name argument is either omitted or a plain snapshot name with no `..` path segments. Example:

    // snapshot name will be the test title
    cy.matchImageSnapshot();

    // snapshot name will be the name passed in
    cy.matchImageSnapshot('login');

References

https://github.com/simonsmith/cypress-image-snapshot/issues/15

Database specific
{
    "nvd_published_at": "2023-08-04T18:15:14Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-01T16:59:40Z"
}
Affected packages

npm / @simonsmith/cypress-image-snapshot

Package

Name
@simonsmith/cypress-image-snapshot
Purl
pkg:npm/%40simonsmith/cypress-image-snapshot

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.0.2

Database specific

{
    "last_known_affected_version_range": "<= 8.0.1"
}