Open
Description
Hi Team,
I did a security scan on the Spectral codebase in the develop branch and the following vulnerabilities were identified. Could you please have a look and let me know if they are already accepted or can be fixed?
Security Scanning:
- Improper neutralization of data within XPath expressions (XPath Injection) - https://cwe.mitre.org/data/definitions/643.html in oasExample.ts
- Uncontrolled resource consumption - https://cwe.mitre.org/data/definitions/400.html - /packages/rulesets/src/arazzo/functions/arazzoCriterionValidation.ts:42
- Improper neutralization of directives in dynamically evaluated code ('Eval Injection') - https://cwe.mitre.org/data/definitions/95.html - packages/ruleset-bundler/src/loader/browser.ts:19
- Improper neutralization of directives in dynamically evaluated code ('Eval Injection') - https://cwe.mitre.org/data/definitions/95.html - packages/ruleset-bundler/src/tests/index.test.ts:89
Dependency Scan:
- ip SSRF improper categorization in isPublic - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29415 - Vulnerable Package: ip:2.0.1
- ws affected by a DoS when handling a request with many HTTP headers - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37890 - Vulnerable Package: ws:8.11.0
- path-to-regexp outputs backtracking regular expressions - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45296 - Vulnerable Package: path-to-regexp:2.4.0
- Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46175 - Vulnerable Package: json5:2.2.1
- Regular Expression Denial of Service (ReDoS) in cross-spawn - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21538 - Vulnerable Package: cross-spawn:7.0.3
- tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12905 - Vulnerable Package: tar-fs:2.1.1
Thanks in advance!
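A first triage step for a dependency-scan report like the one above is to confirm which of the flagged package versions are actually present in the repository's lockfile, where in the tree they sit (direct or nested), and whether they are dev-only. The script below is an added example, not code from the Spectral project or from the reporter: it matches the package/version pairs listed in the report against a constructed package-lock.json (v2/v3 `packages` layout) and reports each hit with its install path and dev flag. It matches the exact version the scanner flagged rather than the advisory's full affected range, so a hit means "the reported version is in the tree", not "no other version is affected".

```typescript
// Added example: triage a dependency-scan report against a package-lock.json.
// Not part of the Spectral project; the lockfile below is constructed sample data.

// Minimal shape of the "packages" map in lockfile v2/v3.
type LockPackage = { version: string; dev?: boolean };
type LockfileV2 = { lockfileVersion: number; packages: Record<string, LockPackage> };

export interface Finding { pkg: string; version: string; cve: string }
export interface Match { cve: string; path: string; version: string; dev: boolean }

// The package/version pairs from the report above.
export const REPORTED_FINDINGS: Finding[] = [
  { pkg: "ip", version: "2.0.1", cve: "CVE-2024-29415" },
  { pkg: "ws", version: "8.11.0", cve: "CVE-2024-37890" },
  { pkg: "path-to-regexp", version: "2.4.0", cve: "CVE-2024-45296" },
  { pkg: "json5", version: "2.2.1", cve: "CVE-2022-46175" },
  { pkg: "cross-spawn", version: "7.0.3", cve: "CVE-2024-21538" },
  { pkg: "tar-fs", version: "2.1.1", cve: "CVE-2024-12905" },
];

// Lockfile keys look like "node_modules/foo" or "node_modules/a/node_modules/@scope/foo";
// the package name is everything after the last "node_modules/".
export function packageName(lockPath: string): string {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Return every installed package whose name and exact version match a reported finding.
export function triage(lock: LockfileV2, findings: Finding[]): Match[] {
  const matches: Match[] = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const name = packageName(lockPath);
    for (const f of findings) {
      if (f.pkg === name && f.version === entry.version) {
        matches.push({ cve: f.cve, path: lockPath, version: entry.version, dev: entry.dev === true });
      }
    }
  }
  return matches;
}

// Human-readable lines; dev-only hits are called out because they do not ship to consumers.
export function summarize(matches: Match[]): string[] {
  return matches.map((m) =>
    `${m.cve}: ${packageName(m.path)}@${m.version} at ${m.path}` +
    (m.dev ? " (dev dependency only)" : " (production dependency)"),
  );
}

// Constructed sample lockfile (hypothetical contents, not Spectral's actual lockfile).
export const SAMPLE_LOCK: LockfileV2 = {
  lockfileVersion: 3,
  packages: {
    "": { version: "1.0.0" },
    "node_modules/ws": { version: "8.11.0", dev: true },          // flagged version, dev only
    "node_modules/json5": { version: "2.2.3" },                   // not the flagged version
    "node_modules/some-tool/node_modules/ip": { version: "2.0.1" }, // flagged version, nested
    "node_modules/cross-spawn": { version: "7.0.6" },             // not the flagged version
  },
};

// Usage: to run against a real lockfile, replace SAMPLE_LOCK with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
for (const line of summarize(triage(SAMPLE_LOCK, REPORTED_FINDINGS))) {
  console.log(line);
}
```

Hits on a nested path (as with `ip` in the sample) usually mean the vulnerable version is pulled in by a transitive dependency, so the fix is an `overrides`/resolution entry or an upstream bump rather than a change to the project's own package.json.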