Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency codecov to v3.7.1 [security] #42

Merged
merged 1 commit into from
Oct 13, 2023
Merged

chore(deps): update dependency codecov to v3.7.1 [security] #42

merged 1 commit into from
Oct 13, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 22, 2020
edited

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
codecov 3.1.0 -> 3.7.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-7597

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596.

CVE-2020-15123

Impact

The upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

A similar CVE was issued: CVE-2020-7597, but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer.

We have written a CodeQL query, which automatically detects this vulnerability. You can see the results of the query on the codecov-node project here.

Patches

This has been patched in version 3.7.1

Workarounds

None, however, the attack surface is low in this case. Particularly in the standard use of codecov, where the module is used directly in a build pipeline, not built against as a library in another application that may supply malicious input and perform command injection.

References

For more information

If you have any questions or comments about this advisory:

CVE-2020-7596

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.

Release Notes

codecov/codecov-node (codecov)

v3.7.1

Compare Source

  • Move to execFileSync and security fixes

v3.7.0

Compare Source

  • Remove the X-Amz-Acl: public-read header

v3.6.5

Compare Source

v3.6.4

Compare Source

  • Fix Cirrus CI

v3.6.3

Compare Source

  • Fix for AWS Codebuild & package updates

v3.6.2

Compare Source

  • Command line args sanitized fix

v3.6.1

Compare Source

  • Fix for Semaphore

v3.6.0

Compare Source

  • Added AWS CodeBuild and Semaphore2

v3.5.0

Compare Source

  • Added TeamCity support

v3.4.0

Compare Source

  • Added Heroku CI support

v3.3.0

Compare Source

  • Added pipe with --pipe, -l

v3.2.0

Compare Source

  • Added azure pipelines
    .

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from b34d317 to 61d03c7 Compare May 2, 2020 21:58
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch 3 times, most recently from 3b16cd4 to 23372c8 Compare June 25, 2020 04:12
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 23372c8 to edaefc4 Compare July 3, 2020 00:32
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from edaefc4 to 92e83ac Compare July 17, 2020 16:30
@renovate renovate bot changed the title chore(deps): update dependency codecov to v3.6.5 [security] chore(deps): update dependency codecov to v3.7.1 [security] Jul 20, 2020
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 92e83ac to 14415ee Compare July 22, 2020 02:28
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 14415ee to e0ae9ce Compare October 25, 2020 23:57
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from e0ae9ce to 301c3f5 Compare November 28, 2020 08:56
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 301c3f5 to 97da7e0 Compare December 10, 2020 15:56
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 97da7e0 to 67ce496 Compare January 10, 2021 20:55
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch 3 times, most recently from 62a9a8f to 2d47651 Compare May 1, 2021 23:42
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 2d47651 to 59687c7 Compare May 3, 2021 19:21
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 59687c7 to 69f937e Compare March 7, 2022 11:59
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 69f937e to 08d5885 Compare March 26, 2022 15:08
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 08d5885 to dafa51e Compare April 24, 2022 19:50
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from dafa51e to 1d10c9c Compare June 18, 2022 19:28
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 1d10c9c to 0d6c984 Compare November 20, 2022 08:42
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 0d6c984 to 144490f Compare March 18, 2023 18:01
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 144490f to 4e707f1 Compare May 28, 2023 12:15
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 4e707f1 to b5b84c1 Compare July 6, 2023 12:11
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from b5b84c1 to 467ba3b Compare August 9, 2023 14:34
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch 2 times, most recently from ba5bf21 to 7c9e00c Compare August 27, 2023 10:46
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch 2 times, most recently from 3594d1a to a785215 Compare October 12, 2023 06:04
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from a785215 to 3d7ec64 Compare October 13, 2023 04:56
@renovate
chore(deps): update dependency codecov to v3.7.1 [security]
4f7ba72 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-codecov-vulnerability branch from 3d7ec64 to 4f7ba72 Compare October 13, 2023 04:57
@stevemao stevemao merged commit d232fc2 into master Oct 13, 2023
0 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@stevemao