
SECURITY: FIX unintended Email protocol resolution#3759

Merged
cortinico merged 1 commit into
react:mainfrom
Pranav-yadav:Pranav-yadav/security-fix-email-protocol-resolution
Jun 13, 2023

Conversation

@Pranav-yadav

@Pranav-yadav Pranav-yadav commented Jun 13, 2023

Contributor

Summary

Fixes #3758

Wherever we've specified the package versions explicitly and haven't enclosed them in an inline code block (`) or a multiline code block (```), they are resolved as an email protocol (address), which is unintended and is a primary security concern.

This diff updates such occurrences to enclose them in inline code blocks and of course some code formatting touchups 😇

Changelog:

[SECURITY]: FIX unintended Email protocol resolution

Changes

Before / After (screenshots of the rendered page)

P.S.: Came across this when working on #3732
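The problem described above, bare `package@version` tokens in Markdown prose being turned into `mailto:` links by the renderer, is easy to regress on. The following is an added example, not code from this PR or from the react-native-website repository: a small lint in JavaScript that walks a Markdown document, skips fenced blocks and inline code spans, reports every bare version spec that a GFM-style renderer would autolink as an email address, and optionally rewrites it into inline code (the fix this PR applies by hand). It assumes the renderer follows GFM's extended email autolink rule, which the `VERSION_SPEC` regex only approximates, and the sample document is constructed for the demonstration.

```javascript
// Added example (not part of the PR or the repo): lint Markdown for bare
// "package@version" tokens that a GFM-style renderer autolinks as mailto:.

// Approximation of GFM's "extended email autolink" rule (assumption: the site
// renderer follows GFM): a local part of [A-Za-z0-9._+-], an "@", then
// dot-separated labels of [A-Za-z0-9_-] with at least one dot. An optional
// npm scope prefix ("@scope/") is captured so the whole package spec gets wrapped.
const VERSION_SPEC =
  /(?<![A-Za-z0-9._+-])(@[A-Za-z0-9._-]+\/)?([A-Za-z0-9._+-]+@[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+)/g;

// Split one line into segments that are inside or outside inline code spans.
function splitCodeSpans(line) {
  const parts = [];
  let i = 0;
  while (i < line.length) {
    const open = line.indexOf('`', i);
    if (open === -1) break;
    let n = 0;
    while (line[open + n] === '`') n++;                 // length of the opening run
    const close = line.indexOf('`'.repeat(n), open + n);
    if (close === -1) break;                             // unclosed span: rest is prose
    if (open > i) parts.push({ code: false, text: line.slice(i, open) });
    parts.push({ code: true, text: line.slice(open, close + n) });
    i = close + n;
  }
  if (i < line.length) parts.push({ code: false, text: line.slice(i) });
  return parts;
}

// Walk the document, skipping fenced blocks and code spans, and hand every
// prose segment to `visit`, which returns the (possibly rewritten) segment.
function walkProse(markdown, visit) {
  let inFence = false;
  return markdown.split('\n').map((line, idx) => {
    if (/^\s*(```|~~~)/.test(line)) { inFence = !inFence; return line; }
    if (inFence) return line;
    return splitCodeSpans(line)
      .map(seg => (seg.code ? seg.text : visit(seg.text, idx + 1)))
      .join('');
  }).join('\n');
}

// GFM does not autolink an address whose last character is "-" or "_".
function isAutolinked(spec) { return !/[-_]$/.test(spec); }

// Report {line, token} for every bare spec that would render as a mailto: link.
function findBareVersionSpecs(markdown) {
  const findings = [];
  walkProse(markdown, (text, line) => {
    for (const m of text.matchAll(VERSION_SPEC)) {
      if (isAutolinked(m[2])) findings.push({ line, token: m[0] });
    }
    return text;
  });
  return findings;
}

// Rewrite bare specs into inline code so the renderer treats them as literal text.
function wrapBareVersionSpecs(markdown) {
  return walkProse(markdown, text =>
    text.replace(VERSION_SPEC, (whole, _scope, spec) =>
      (isAutolinked(spec) ? '`' + whole + '`' : whole)));
}

// Constructed sample document (not taken from the react-native-website repo).
const SAMPLE = [
  '## Upgrading',
  'Run yarn add react-native@0.71.0 and then rebuild.',
  'Or use `react-native@0.71.0` (already safe).',
  '```sh',
  'npm install react-native@0.72.0',
  '```',
  'Also bump @react-native-community/cli@11.3.0 in package.json.',
].join('\n');

for (const f of findBareVersionSpecs(SAMPLE)) {
  console.log(`line ${f.line}: "${f.token}" would render as a mailto: link`);
}
console.log(wrapBareVersionSpecs(SAMPLE));
```

Run under Node, the lint flags line 2 and line 7 of the sample and leaves the fenced `npm install` line and the already-backticked span alone; running the fixer's output back through the lint yields no findings, which is the check a docs CI job would gate on.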

@netlify

netlify Bot commented Jun 13, 2023


Deploy Preview for react-native ready!

Name Link
🔨 Latest commit 5db19b8
🔍 Latest deploy log https://app.netlify.com/sites/react-native/deploys/6487fe2defa72800084c526a
😎 Deploy Preview https://deploy-preview-3759--react-native.netlify.app

@Pranav-yadav

Pranav-yadav commented Jun 13, 2023

Contributor Author

@cortinico We must backport this change as it's a security concern 🚨.
Lmk, so I can proceed with backporting this (to almost all versions)? 👍

@Simek

Simek commented Jun 13, 2023

Collaborator

It's not a high security risk, but since the changes are quite simple, it would be nice if you can backport them. 🙂

@Pranav-yadav

Contributor Author

It may not be a high-security issue, but a similar email protocol resolution and domain resolution for .zip files hosted on GitHub[dot]com have been (and are being) exploited recently.

Since it's only email resolution, and these instances don't make up valid email addresses, they are of "low" security concern. 👍

P.S.: If it was a "high" security concern (vulnerability) I would've reported it privately :)

--

Sure 🙂.

@cortinico cortinico left a comment

Contributor


Thanks for reporting this @Pranav-yadav
and yes let's backport it

@cortinico cortinico merged commit 90e0d84 into react:main Jun 13, 2023
@Pranav-yadav

Contributor Author

Welcome!
Sure, will open a PR(s) whenever I get some time. 👍

@Pranav-yadav Pranav-yadav deleted the Pranav-yadav/security-fix-email-protocol-resolution branch June 13, 2023 17:07

Development

Successfully merging this pull request may close these issues.

SECURITY: Unintended Email protocol resolution for package versions

4 participants