SECURITY.md

Security policy

Updates

Always use the latest version of @stassi/leaf via the npm update command (documentation) to ensure the latest security updates are received.

Reporting

If you discover a potential vulnerability in the @stassi/leaf codebase, please follow these steps:

1. Do not publicly disclose any potential vulnerability. Public disclosure increases the risk of a malicious exploit before a remedy is available.

2. Contact [email protected] directly via email. Please provide detailed information about the potential vulnerability, including steps to reproduce and any relevant code snippets or logs. Additional information or clarification may be requested.

Maintenance

Automated security scans are integrated into the continuous delivery (CD) pipeline.

Advisories

View all security advisories for @stassi/leaf.

Dependencies

Dependabot, Snyk, and the npm audit command (documentation) mitigate upstream security risks by analyzing upstream dependencies. Potential vulnerabilities in third-party libraries like Leaflet are patched during the build process.

Sanitization

All dynamic HTML content is sanitized using DOMPurify to prevent cross-site scripting (XSS) attacks.

Static analysis

CodeQL (Semmle) and ESLint use static analysis to detect potential vulnerabilities early.

Disclosures

The following potential vulnerabilities were resolved after detection.

DOM clobbering gadget in rollup bundled scripts leading to XSS

• Detected by: Dependabot
• Vulnerable package: rollup
• Detection time: 2024-09-24 19:48
• Resolution time: 2024-09-25 04:41
• Resolution version (@stassi/leaf): v0.0.30
• CVSS (severity): 8.3 (high)
• Advisory: GHSA-gcx4-mw62-g8wm
• CVE: CVE-2024-47068
• CWEs:
  • CWE-79: Cross-site scripting (XSS)
  • CWE-116: Improper encoding or escaping of output

Regular expression denial of service (ReDoS) in path-to-regexp

• Detected by: Dependabot & Snyk
• Vulnerable package: path-to-regexp (via serve)
• Detection times:
  • Dependabot: 2024-09-24 19:48
  • Snyk: 2024-09-23 19:08
• Resolution time: 2024-09-25 05:05
• Resolution version (@stassi/leaf): v0.0.31
• CVSS (severity):
  • Dependabot: 7.7 (high)
  • Snyk: 6.9 (medium)
• Advisories:
  • Dependabot: GHSA-9wv6-86v2-598j
  • Snyk: SNYK-JS-PATHTOREGEXP-7925106
• CVE: CVE-2024-45296
• CWE: CWE-1333 (Inefficient regular expression complexity)

Regular expression denial of service (ReDoS) in cross-spawn

• Detected by: Snyk
• Vulnerable package: cross-spawn (via serve)
• Detection time: 2024-11-07 08:43
• Resolution time: 2024-11-12 01:13
• Resolution version (@stassi/leaf): v0.0.78
• CVSS (severity): 8.7 (high)
• Advisory: SNYK-JS-CROSSSPAWN-8303230
• CVE: CVE-2024-21538
• CWE: CWE-1333 (Inefficient regular expression complexity)

Unsafe HTML constructed from leaflet library input

• Detected by: CodeQL
• Vulnerable package: leaflet
• Detection time: 2024-09-24 16:03
• Resolution time: 2024-10-04 03:17
• Resolution versions (@stassi/leaf):
  • v0.0.34
  • v0.0.37
• CVSS (severity): 6.1 (medium)
• Advisory: CodeQL js/html-constructed-from-input
• CWEs:
  • CWE-79: Cross-site scripting (XSS)
  • CWE-116: Improper encoding or escaping of output