crossbrowsertesting / cbt-tunnel-nodejs


Node.js module for Local Connections to crossbrowsertesting.com

License: MIT License

JavaScript 100.00%
screenshot cbt-tunnels crossbrowsertesting browser-testing browser-tests cross-browser selenium

cbt-tunnel-nodejs's Introduction

Local Connection with NodeJs

Creates a local connection (tunnel) to CrossBrowserTesting.com which allows you to test sites behind your firewall or to access web pages that are saved locally on your machine.

In just a few seconds, you can establish a connection which allows you to do live testing, screenshots, or run Selenium scripts against any of the internal sites you have access to.

This command line version uses WSS (secure websockets over https, port 443) to create the local connection. It can be scripted, so it is useful if you want to initiate a local connection programmatically before running automated javascript, screenshots, or selenium tests.

Install:
npm install -g cbt_tunnels
Scripted usage:
var cbt = require('cbt_tunnels');

There are three options provided for you to do this:

Internal websites:
This directs requests from CBT browsers to your computer to test sites behind your firewall
that would otherwise be inaccessible.

Basic usage: 
    Command line: 'cbt_tunnels --username USERNAME --authkey AUTHKEY'
    Scripted:   'cbt.start({"username":"USERNAME","authkey":"AUTHKEY"},function(err){ if(!err) do stuff })'
Local HTML Files:
This allows you to host static files on your computer that are not currently hosted on a server, 
as well as routing through your computer to access local or privileged sites.

Basic usage: 
    Command line: 'cbt_tunnels --username USERNAME --authkey AUTHKEY --dir PATHTODIRECTORY (optional: --port OPENPORT)'
    Scripted:   'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","dir":"PATHTODIRECTORY", (optional: "port":"PORT") },function(err){ if(!err) do stuff })'
Proxy Server:
The tunnel still routes through your computer to download site data, but it further directs that 
connection through a proxy of your choosing. By default the CBT tunnel uses your local machine
to act as an HTTP proxy for web traffic from our remote browsers. Sometimes it is desirable
to use a remote proxy rather than your local machine. For example, if you wanted it to
appear as though your traffic were coming from the United Kingdom, proxying through a server
there would allow for that.

Basic usage: 
    Command line: 'cbt_tunnels --username USERNAME --authkey AUTHKEY --proxyIp PROXYIP --proxyPort PROXYPORT'
    Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","proxyIp":"PROXYIP","proxyPort":"PROXYPORT"},function(err){ if(!err) do stuff })'

Usage with basic authentication:
    Command line: 'cbt_tunnels --username USERNAME --authkey AUTHKEY --proxyIp PROXYIP --proxyPort PROXYPORT --proxyUser PROXYUSER --proxyPass PROXYPASS'
    Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","proxyIp":"PROXYIP","proxyPort":"PROXYPORT","proxyUser":"PROXYUSER","proxyPass":"PROXYPASS"},function(err){ if(!err) do stuff })'
PAC File:
In lieu of specifying a single proxy server, you may provide a proxy auto-config (PAC) file. 
Each request made through your local machine will follow the routing directives listed in 
the PAC. If the HTTP_PROXY or HTTPS_PROXY options listed below are employed, they will take
precedence in routing the connection from your local machine to CrossBrowserTesting. It does
not make sense to use the above Proxy Server option alongside the PAC file option, but in the 
case that you do, the Proxy Server option will take precedence. You may specify a path to a 
file or a URL.

Basic usage: 
    Command line: 'cbt_tunnels --username USERNAME --authkey AUTHKEY --pac URL/PATHTOFILE'
    Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","pac":"URL/PATHTOFILE"},function(err){ if(!err) do stuff })'
Note:
All flags may also be set as environment variables whose names begin with CBT_TUNNELS.
For example, instead of passing --username, you may set the environment variable
CBT_TUNNELS_USERNAME to the desired username.
Further Options:
Tunnel name:
    There are some cases where multiple tunnels might be necessary, such as when working with multiple 
    development environments. In this case, we provide the option to name tunnels so that they may be 
    specifically selected for use in various tests: in the advanced settings in the UI, or by specifying
    the property "tunnel_name" in the JSON sent to the API.

    Command line: '--tunnelname TUNNELNAME'
    Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","tunnelname":"TUNNELNAME"},function(err){ if(!err) do stuff })'

HTTP_PROXY:
    Some corporations use an HTTP proxy for all outbound web traffic. The CBT tunnel communicates via wss
    over port 443 to the CrossBrowserTesting.com server to initiate a local connection. By default, it will
    try to connect directly to CrossBrowserTesting. If you have an HTTP proxy that it must route through,
    use this option to do so. It works by temporarily setting the HTTP_PROXY environment variable, so it may
    be redundant in cases where that variable is already set.

    Basic usage:
        Command line: '--httpProxy HTTPPROXY'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","httpProxy":"HTTPPROXY"},function(err){ if(!err) do stuff })'

    Usage with basic authentication:
        Command line: '--httpProxy PROXYUSER:PROXYPASS@HTTPPROXY'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","httpProxy":"PROXYUSER:PROXYPASS@HTTPPROXY"},function(err){ if(!err) do stuff })'

HTTPS_PROXY:
    Has the same functionality as HTTP_PROXY but sets the HTTPS_PROXY environment variable instead.

    Basic usage:
        Command line: '--httpsProxy HTTPSPROXY'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","httpsProxy":"HTTPSPROXY"},function(err){ if(!err) do stuff })'

    Usage with basic authentication:
        Command line: '--httpsProxy PROXYUSER:PROXYPASS@HTTPSPROXY'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","httpsProxy":"PROXYUSER:PROXYPASS@HTTPSPROXY"},function(err){ if(!err) do stuff })'

Bypass:
    Specify whether publicly resolvable URLs should be resolved directly ('true') or pass through
    the tunnel ('false', the default).

    Basic Usage:
        Command line: '--bypass true' or '--bypass false'
        Scripted: 'cbt.start({"username":"USERNAME", "authkey":"AUTHKEY", "bypass": "false"}, function(err){if (!err) do stuff })'

Kill file:
    The kill file option allows you to specify the name of a 'kill file' which, if placed in the current
    directory, will cause the program to shut down gracefully.

    Basic usage: 
        Command line: '--kill KILLFILENAME'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","kill":"KILLFILENAME"},function(err){ if(!err) do stuff })'

Ready file:
    When the tunnel is up-and-running, an empty file will be placed in the path specified by the user.

    Basic usage:
        Command line: '--ready READYFILENAME'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","ready":"READYFILENAME"},function(err){ if(!err) do stuff })'

Verbose mode:
    Specifying this flag enables verbose mode; you'll see most of the traffic handling.

    Basic usage:
        Command line: '--verbose'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","verbose":true},function(err){ if(!err) do stuff })'

Quiet mode:
    Specifying this flag disables most output.

    Basic usage:
        Command line: '--quiet'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","quiet":true},function(err){ if(!err) do stuff })'

Stop function:
    This function takes no parameters and kills the tunnel gracefully.

    Basic usage:
        Scripted: 'cbt.stop()'

Status function:
    This function takes no parameters and returns the status of the tunnel as a boolean
    (this is of limited use).

    Basic usage:
        Scripted: 'cbt.status()'

AcceptAllCerts:
    Set up the tunnel to work with sites with invalid (self-signed, expired) certificates.
    Useful for testing sites that produce certificate errors in a browser.

    Basic usage:
        Command line: '--acceptAllCerts'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","acceptAllCerts":true},function(err){ if(!err) do stuff })'

RejectUnauthorized:
    Enable or disable SSL certificate checking in Node itself. Useful if a self-signed certificate
    is in the chain (e.g., on a proxy), but only works in narrow cases.

    Basic usage:
        Command line: '--rejectUnauthorized false'
        Scripted: 'cbt.start({"username":"USERNAME","authkey":"AUTHKEY","rejectUnauthorized":"false"},function(err){ if(!err) do stuff })'
Building Binary From Source:
Binaries may be found at https://github.com/crossbrowsertesting/cbt-tunnel-nodejs/releases 
and are compiled using pkg. 

You may compile from source as follows:

Requirements:
node.js/npm
pkg

- npm install -g pkg
- git clone https://github.com/crossbrowsertesting/cbt-tunnel-nodejs.git
- navigate to cloned directory
- type 'pkg ./cmd_start.js --targets TARGETSTRING --output OUTPUTBINARYPATH'

(for target string information see: https://github.com/zeit/pkg)

cbt-tunnel-nodejs's People

Contributors

chasecook412, jreese802, kyleconnelly, lkende, martinloewinger, mend-for-github-com[bot], nickbouldien, smelchior, sydneybrokeit, tonetheman

cbt-tunnel-nodejs's Issues

Add quiet mode.

Hello!
Showing traffic handling could be useless while using cbt_tunnels through nodejs. Furthermore, the graphics which are drawn in stdout break the output of the application which uses cbt_tunnels.

CVE-2021-23406 (High) detected in degenerator-1.0.4.tgz

CVE-2021-23406 - High Severity Vulnerability

Vulnerable Library - degenerator-1.0.4.tgz

Turns sync functions into async generator functions

Library home page: https://registry.npmjs.org/degenerator/-/degenerator-1.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/degenerator/package.json

Dependency Hierarchy:

  • pac-resolver-3.0.1.tgz (Root Library)
    • degenerator-1.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.

Publish Date: 2021-08-24

URL: CVE-2021-23406

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9j49-mfvp-vmhm

Release Date: 2021-08-24

Fix Resolution: pac-resolver - 5.0.0, degenerator - 3.0.1

cbt.stop() does not close the tunnel

I'm using protractor.

In beforeLaunch I call cbt.start() and I see the tunnel active in the UI
In afterLaunch I call cbt.stop(), but the UI reports the tunnel is still open, and the API also tells me the tunnel is still active. What am I doing wrong?

Here is a snippet:

const cbt = require('cbt_tunnels');
// Credentials are read from the environment; `config` is the Protractor configuration object.
const { CBT_USERNAME, CBT_AUTHKEY } = process.env;

config.beforeLaunch = function () {
  console.log('Before Launch');
  return new Promise((resolve, reject) => {
    cbt.stop((msg) => {});
    cbt.start({'username': CBT_USERNAME, 'authkey': CBT_AUTHKEY}, (err) => {
      if (!err) {
        return resolve();
      }
      console.error('Error:', err);
      return reject(err);
    });
  });
};

config.afterLaunch = function () {
  console.log('After Launch');
  cbt.stop((msg) => {
    console.log('Stop:', msg);
  });
};

The callback of the stop is never called.

calling cbt_tunnels.quit() programmatically kills program

To reproduce, paste this in the REPL:

const cbt = require('cbt_tunnels');

const creds = { username: 'username', authkey: 'authkey' };

cbt.start( creds, (err) => {
    cbt.stop();
    setTimeout( () => { console.log('this should appear after two seconds') }, 2000 );
})

The REPL quits immediately after the tunnel is closed, and the log statement never prints.

CVE-2020-7774 (High) detected in y18n-4.0.0.tgz

CVE-2020-7774 - High Severity Vulnerability

Vulnerable Library - y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

  • yargs-12.0.1.tgz (Root Library)
    • y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 8688aa10b33fec25b1e087f0926e222b990130a4

Found in base branch: master

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 4.0.1

Direct dependency fix Resolution (yargs): 12.0.2


CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Library - minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

  • log4js-3.0.3.tgz (Root Library)
    • streamroller-0.7.0.tgz
      • mkdirp-0.5.1.tgz
        • minimist-0.0.8.tgz (Vulnerable Library)

Found in HEAD commit: 8688aa10b33fec25b1e087f0926e222b990130a4

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (log4js): 3.0.4


WS-2019-0307 (Medium) detected in mem-1.1.0.tgz

WS-2019-0307 - Medium Severity Vulnerability

Vulnerable Library - mem-1.1.0.tgz

Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input

Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/mem/package.json

Dependency Hierarchy:

  • yargs-12.0.1.tgz (Root Library)
    • os-locale-2.1.0.tgz
      • mem-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 8688aa10b33fec25b1e087f0926e222b990130a4

Found in base branch: master

Vulnerability Details

In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure to remove old values from the cache.

Publish Date: 2018-08-27

URL: WS-2019-0307

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1084

Release Date: 2018-08-27

Fix Resolution (mem): 4.0.0

Direct dependency fix Resolution (yargs): 12.0.2


latest release without file extension

Hi,

I see the release page doesn't have file extension for Mac and Linux:
[screenshot]

It is not clear what type of files they are (for Mac or Linux).

In comparison, the previous release page looks like this:
[screenshot]

I think it's much clearer having the file extension (.zip for Mac and Linux).

Is the removal of extension intentional, and if so, please kindly provide some clarification and instruction as to how these files should be handled.

Thanks.

Is this package still maintained?

Hey 👋

I'm reaching out to inquire about the current maintenance status of this package, particularly in relation to CrossBrowserTesting compatibility. There are a number of significant vulnerability reports that have not been addressed publicly, which raises concerns about the package's reliability. It would be beneficial for the user community if there was transparent communication regarding your future plans. Will there be an effort to address these vulnerabilities, or is there an intention to deprecate the package? Clear guidance on this matter would be greatly appreciated.

Thanks a lot.

CVE-2021-29418 (Medium) detected in netmask-1.0.6.tgz

CVE-2021-29418 - Medium Severity Vulnerability

Vulnerable Library - netmask-1.0.6.tgz

Parse and lookup IP network blocks

Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/netmask/package.json

Dependency Hierarchy:

  • pac-resolver-3.0.1.tgz (Root Library)
    • netmask-1.0.6.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.

Publish Date: 2021-03-30

URL: CVE-2021-29418

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://vuln.ryotak.me/advisories/6.txt

Release Date: 2021-03-30

Fix Resolution (netmask): 2.0.1

Direct dependency fix Resolution (@crossbrowsertesting/pac-resolver): 3.0.2


Starting a tunnel defaults to setting --bypass false

When starting a tunnel without setting '--bypass false', the default behaviour according to the tunnel info on Crossbrowsertesting is that Bypass = false.

This contradicts the documentation that indicates that the default behaviour should be Bypass = true.

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • request-2.87.0.tgz (Root Library)
    • http-signature-1.2.0.tgz
      • jsprim-1.4.1.tgz
        • json-schema-0.2.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (request): 2.88.0


CVE-2020-15366 (Medium) detected in ajv-5.5.2.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Library - ajv-5.5.2.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-5.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ajv/package.json

Dependency Hierarchy:

  • request-2.87.0.tgz (Root Library)
    • har-validator-5.0.3.tgz
      • ajv-5.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 8688aa10b33fec25b1e087f0926e222b990130a4

Found in base branch: master

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (request): 2.88.0


CVE-2020-8203 (High) detected in lodash-4.17.15.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 8688aa10b33fec25b1e087f0926e222b990130a4

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: 4.17.19


0.9.2. Failed to start a new tunnel with bypass option.

When I try to start a new tunnel with the bypass option (either boolean or string) I get the error

cmdArgs.bypass.toLowerCase is not a function

That happens because the option is coerced to boolean at /cbt_tunnels/tunnel_start.js: 178

How about covering parameters validation with unit tests? AFAIR, it's not the first time when params validation got broken after release.

I could help with implementation. Just let me know.

CVE-2020-28500 (Medium) detected in lodash-4.17.15.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: 4.17.21


'@crossbrowsertesting/pac-resolver@3.0.1' is not in the npm registry

Since this morning when I try to run the tunnel I get this error message.

npm ERR! 404 Not Found - GET https://registry.npmjs.org/@crossbrowsertesting/pac-resolver/-/pac-resolver-3.0.1.tgz
npm ERR! 404
npm ERR! 404  '@crossbrowsertesting/pac-resolver@3.0.1' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'cbt_tunnels'

cbt_tunnel or cbt_tunnels?

Hi there,

I noticed that the latest release (v1.2.2) the assets are named differently than previous releases.

In v1.2.2 I see:
[screenshot]

There are cbt_tunnel and cbt_tunnels assets.

But in previous releases:
[screenshot]

Only cbt_tunnels here.

Can I ask for some consistency with the names here?

Thanks!

unable to install using NPM due to access issue with pac-resolver dependency

I am trying to install cbt_tunnels but I get this error: fatal: "unable to access 'https://github.com/rosesandhello/node-pac-resolver.git/' . I was wondering if there was any reason to use that repo which seems like it is not published in NPM registry (hence the use of github repo) instead of something already in NPM like https://github.com/TooTallNate/node-pac-resolver?
I cannot get my machine to install cbt_tunnels because of this issue. Please advise!

TypeError: require(...).env is not a function

We at WebdriverIO just had issues with our build because of a problem with this package trying to import yargs:

    argv = require('yargs').env('CBT_TUNNELS').argv,

failing with: TypeError: require(...).env is not a function. This got probably introduced in one of the recent updates.

npm publish

Very helpful repo. I try to create a docker container out of this, could you plz publish the latest master to npm? :-) (nevermind, had the wrong one)

Nightwatch reading tunnel authkey

What's the correct setting for nightwatch to read desiredCapabilities and use the CBT authkey used to start the tunnel?

e.g.

cbt_tunnels --username USERNAME --authkey AUTHKEY

and in nightwatch.json -- something like this?

settings.test_settings.default
    .desiredCapabilities['crossbrowsertesting.key'] = ( // maybe `authkey` ?
      process.env.AUTHKEY
    );

CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Library - ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • yargs-12.0.1.tgz (Root Library)
    • cliui-4.1.0.tgz
      • strip-ansi-4.0.0.tgz
        • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 3.0.1

Direct dependency fix Resolution (yargs): 12.0.2


CVE-2021-28918 (High) detected in netmask-1.0.6.tgz

CVE-2021-28918 - High Severity Vulnerability

Vulnerable Library - netmask-1.0.6.tgz

Parse and lookup IP network blocks

Library home page: https://registry.npmjs.org/netmask/-/netmask-1.0.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/netmask/package.json

Dependency Hierarchy:

  • pac-resolver-3.0.1.tgz (Root Library)
    • netmask-1.0.6.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.

Publish Date: 2021-04-01

URL: CVE-2021-28918

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-pch5-whg9-qr2r

Release Date: 2021-04-01

Fix Resolution (netmask): 2.0.1

Direct dependency fix Resolution (@crossbrowsertesting/pac-resolver): 3.0.2


Allow to specify port for --httpProxy and --httpsProxy command options

Hi,

I'm trying to establish a connection to use crossbrowsertesting locally with the following command:

.\cbt_tunnels.exe --username USERNAME --authkey AUTHKEY --httpsProxy proxy.host:8080 --httpProxy proxy.host:8080 --acceptAllCerts

The output (with error) I get is:

[2019-04-24T14:31:55.270] [INFO] default - HTTP proxy set to proxy.host:8080
[2019-04-24T14:31:55.275] [INFO] default - HTTPS proxy set to proxy.host:8080
[2019-04-24T14:31:57.578] [ERROR] default - Authentication error! Please check your credentials and try again.
[2019-04-24T14:31:57.580] [ERROR] default - { Error: tunneling socket could not be established, cause=getaddrinfo ENOTFOUND 8080 8080:80
    at ClientRequest.onError (C:\snapshot\warner.johnson\Documents\CBT\cbt-tunnel-nodejs\node_modules\tunnel-agent\index.js:177:17)
    at Object.onceWrapper (events.js:273:13)
    at ClientRequest.emit (events.js:182:13)
    at Socket.socketErrorListener (_http_client.js:382:9)
    at Socket.emit (events.js:182:13)
    at emitErrorNT (internal/streams/destroy.js:82:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:50:3)
    at process._tickCallback (internal/process/next_tick.js:63:19) code: 'ECONNRESET' }

It would be nice to be able to specify an alternative port for the proxy.

CVE-2021-23337 (High) detected in lodash-4.17.15.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-02-15

Fix Resolution: 4.17.21

CVE-2020-7608 (Medium) detected in yargs-parser-10.1.0.tgz

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-10.1.0.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-10.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • yargs-12.0.1.tgz (Root Library)
    • yargs-parser-10.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 8688aa10b33fec25b1e087f0926e222b990130a4

Found in base branch: master

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-16

Fix Resolution (yargs-parser): 13.1.2

Direct dependency fix Resolution (yargs): 13.0.0-candidate.0
