Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update vimeo/psalm requirement from 4.7.2 to 4.10.0 #12

Closed
wants to merge 1 commit into from
Closed

Update vimeo/psalm requirement from 4.7.2 to 4.10.0 #12

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Sep 6, 2021

Updates the requirements on vimeo/psalm to permit the latest version.

Release notes

Sourced from vimeo/psalm's releases.

Better infinite loop inference, some PHP 8.1 support and a bunch of fixes

Added

Fixes

  • (#6305, #6310) SimpleXMLIterator signatures no longer depend on runtime PHP version (@​weirdan)
  • (#6309, #6311) Some assertions generated by in_array() were causing crashes (@​weirdan)
  • (#6312) PhpToken::getAll() was renamed to PhpToken::tokenize() (@​TysonAndre)
  • (#6312) fdiv() argument names were corrected to match names used by PHP (@​TysonAndre)
  • (#6312) ReflectionClass::getAttributes(), ReflectionClassConstant::getAttributes(), ReflectionFunctionAbstract::getAttributes(), ReflectionParameter::getAttributes(), ReflectionProperty::getAtributes(), ReflectionUnionType::getTypes() and ReflectionNamedType::isBuiltin() signatures were missing (@​TysonAndre)
  • (#6318, #6320) socket_select()'s tv_sec parameter is nullable (@​Forceu)
  • (#6323) Another case of crashes due to in_array() assertions (@​boesing)
  • (#6324) str_split() and mb_str_split() return require positive-int and str_split() returns non-empty array (@​VincentLanglet)
  • (#6328) Corrected message for calls from root namespace to internal methods in a different namespace (@​bdsl)
  • (#6325, #6327) Interface aliases were not recognized (@​boesing)
  • (#4738) is_subclass_of() requires a class-string for its parent parameter (@​BenMorel)
  • (#5356, #6344) UnusedSuppression was sometimes reported in ignored folders (@​orklah)
  • (#6343, #6346) @psalm-trace was reporting keys that were unset (@​orklah)
  • (#5096, #6321) Constants accessed through object instance (e.g. $obj::CONST) were not inferred (@​orklah)
  • (#6359) OuterIterator::getInnerIterator() always return Iterator (@​drupol)
  • (#6367, #6376) Variables used in backticks (`ls $file`) were reported as unused (@​orklah)
  • (#6358, #6375) openssl_x509_parse() and openssl_x509_read() signatures were outdated (@​ThomasLandauer)
  • (#6338, #6339) array_walk() and array_walk_recursive() accept object (and will trigger RawObjectIteration when given one) (@​niconoe-, @​weirdan)
  • (#6330, #6335) Alias chains created with class_alias() (A -> B -> C) were not understood (@​boesing)
  • (#6387, #6390) Type params can now be extracted from Generator argument passed to Iterator parameter (@​orklah)
  • (#6388, #6391) empty() could not be forbidden via forbiddenFunctions (@​ro0NL)
  • (#6333, #6317) in_array() did not produce correct assertions with non-literal types (@​TysonAndre)
  • (#6384, #6420) Variables reassigned in both branches of ternary operator were not correctly inferred (@​orklah)

Docs

Commits
  • 916b098 Merge pull request #6421 from weirdan/ftp-resource-to-objects
  • 08155dc Added FTP\Connection class
  • 36dfeed Converted ftp functions to use link object instead of a resource
  • 5dfd157 Merge pull request #6420 from orklah/ternary-override-type
  • b710aab Merge pull request #6419 from TysonAndre/in_array-fix
  • 3a3fde3 Merge pull request #6392 from orklah/control-action-test
  • de4b344 Merge pull request #6400 from craigfrancis/taint-limits
  • e2b5948 fix test
  • 0825f22 allow ternary to override previous type when reassigning
  • 2e9a3cb Merge pull request #6409 from weirdan/document-callmaps
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Update vimeo/psalm requirement from 4.7.2 to 4.10.0
6eabc0c 
Updates the requirements on [vimeo/psalm](https://github.com/vimeo/psalm) to permit the latest version.
- [Release notes](https://github.com/vimeo/psalm/releases)
- [Commits](vimeo/psalm@4.7.2...4.10.0)

---
updated-dependencies:
- dependency-name: vimeo/psalm
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 6, 2021
@dependabot dependabot bot mentioned this pull request Sep 6, 2021
Closed
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Oct 25, 2021

Superseded by #18.

@dependabot dependabot bot closed this Oct 25, 2021
@dependabot dependabot bot deleted the dependabot/composer/vimeo/psalm-4.10.0 branch October 25, 2021 10:41
lchrusciel pushed a commit that referenced this pull request Mar 14, 2022
@Zales0123
bug #12 [Security] XSS - SVG file upload vulnerability fixed (Rafikooo)
6ccc2d6 
This PR was merged into the 1.9 branch.

Discussion
----------

| Q               | A
| --------------- | -----
| Branch?         | 1.9 <!-- see the comment below -->
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no <!-- don't forget to update the UPGRADE-*.md file -->
| Related tickets | GHSA-4qrp-27r3-66fj
| License         | MIT

There is a possibility to upload an SVG file containing XSS code in the admin panel. In order to perform an XSS attack, the file itself has to be open in a new card (or loaded outside of the IMG tag). The problem applies both to the files opened on the admin panel and shop pages.

<!--
 - Bug fixes must be submitted against the 1.10 or 1.11 branch(the lowest possible)
 - Features and deprecations must be submitted against the master branch
 - Make sure that the correct base branch is set

 To be sure you are not breaking any Backward Compatibilities, check the documentation:
 https://docs.sylius.com/en/latest/book/organization/backward-compatibility-promise.html
-->


Commits
-------

46ed54b [Security] XSS - SVG file upload vulnerability fixed
lchrusciel pushed a commit that referenced this pull request Mar 15, 2022
@Zales0123
bug Sylius#13765 [Security] Fixes for SVG XSS, wrong cache for logged…
3da169e 
… in users and clickjacking (ernestWarwas, lchrusciel, GSadee, Zales0123, Rafikooo)

This PR was merged into the 1.9 branch.

Discussion
----------

| Q               | A
| --------------- | -----
| Branch?         | 1.9
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | 
| License         | MIT

This PR aims to solve 3 issues:
1. Possibility to inject SVGs with scripts (https://rietta.com/blog/svg-xss-injection-attacks/)
2. Possibility to check admin pages with back button after logging out due to wrong cache'ing configuration
3. Clickjacking while rendering Sylius in iframe (https://portswigger.net/web-security/clickjacking)

<!--
 - Bug fixes must be submitted against the 1.10 or 1.11 branch(the lowest possible)
 - Features and deprecations must be submitted against the master branch
 - Make sure that the correct base branch is set

 To be sure you are not breaking any Backward Compatibilities, check the documentation:
 https://docs.sylius.com/en/latest/book/organization/backward-compatibility-promise.html
-->


Commits
-------

0886078 listener added to finish response with X-Frame-Options sameorigin header
c236431 suggested review changes
67de9e8 bug #14 [Security] Clickjacking vulnerability fixed (ernestWarwas)
4b6a77a [UI] Force no-store cache directives for admin and customer account section
691b700 [Maintenace] Test existence of new cache headers
08d0f5a Remove type declarations for properties due to supporting PHP 7.3
94366fd Minor fixes for specs and unit tests of cache control subscribers
5dee3dc [Behat] Add scenarios for securing access to account and dashboard after logging out
d4bf36c [Behat] Extract browser element and context
afa04e3 Replace str_contains with strpos method to support PHP 7
b00eb51 [PHPUnit] Move subscribers tests to main directory
253f66b bug #11 [Security] Set cache control directives to fix security leak after logging out and using back button (lchrusciel, GSadee)
46ed54b [Security] XSS - SVG file upload vulnerability fixed
6ccc2d6 bug #12 [Security] XSS - SVG file upload vulnerability fixed (Rafikooo)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants