The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/webpack-dev-server/node_modules/ws/package.json,HaloCollectibles/halo-collectibles/node_modules/jest-environment-jsdom-fourteen/node_modules/ws/package.json
Dependency Hierarchy:
react-scripts-3.4.1.tgz (Root Library)
jest-environment-jsdom-fourteen-1.0.1.tgz
jsdom-14.1.0.tgz
❌ ws-6.2.1.tgz (Vulnerable Library)
ws-5.2.2.tgz
Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (websockets/ws@00c425e). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Currently the README is an artifact of the initial site that was configured to be a set of markdown files, but was later abandoned in favor of a react application
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication
Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Some achievements are not categorized into any specific game. Those should be moved into a new page for tracking.
This could optionally be the home page, but I feel that may be less obvious to users where those achievements are kept. Most likely should be a new nav item, preferably as the first item after the Logo/Brand
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Path to dependency file: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/hapi/html/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/multiplex/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/echo/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express-3.x/index.html,HaloCollectibles/halo-collectibles/node_modules/sockjs/examples/express/index.html
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
A flaw was found in merge-deep before 3.0.3. A prototype pollution issue of Object.prototype via a constructor payload may lead to denial of service and other consequences.
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
I'm interested in tracking other Halo games in the same way that you've done here. Is there any easy way to adjust the code to have it include other game ids?
We want the users to be able to see where to locate the skulls in the game. This gives an opportunity to learn several cool things, but the steps will be roughly as follows
Create a Collectibles component that lists a series of collectibles, their locations, and provides a link to a video/picture of where and how to get the skull
Create another file, perhaps collectibles.json, to track the Halo: CE skull locations. This one is a lot simpler since there are only ~10 skulls, so it'll be much less tedious and we can forgo the categories altogether
I'll give you all the flexibility you want here, you're welcome to design the layout and JSON however you think is best, and if you have any questions or want less creative freedom feel free to send me a message or leave a comment here.
Couple other notes:
Don't forget to make a new branch before you start work. You can use the Rob branch again, but it's generally better to name your branches something descriptive so others know what the purpose of the branch is
If you make a separate page, you'll need to add that page to the routes
We could potentially add a feature that allows users to hide skulls they've already found, based on which achievements they've already unlocked. This would give you some experience with updating state, React Hooks, and React Context (since I stored the user's achievements in the context)
Think about making the Collectibles component reusable. We should be able to use it for Skulls, Terminals, Datapads, and whatever else is added to the games that could be considered collectibles. Reusability of components is a key feature of React
Ask questions: Thomas and I are always happy to help, so if you have anything you're uncertain of just text or talk to one of us
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('proto'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
The ODST Achievements are currently the achievements for the base game of ODST (as if you bought it ala carte on Xbox 360), but instead needs to be the Halo: Master Chief Collection achievements.
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you.
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.
Some achievements, particularly those that are difficult or involve East Eggs, may benefit from having a link to YouTube or TrueAchievements/XboxAchievements to help the user quickly find a guide to obtaining the achievement.
Several links have already been added for Halo: CE JSON as an example of the expected format. The AchievementCard would then need to have a link added if the achievement has a link
Path to dependency file: HaloCollectibles/halo-collectibles/package.json
Path to vulnerable library: HaloCollectibles/halo-collectibles/node_modules/fast-glob/node_modules/glob-parent/package.json,HaloCollectibles/halo-collectibles/node_modules/watchpack-chokidar2/node_modules/glob-parent/package.json,HaloCollectibles/halo-collectibles/node_modules/webpack-dev-server/node_modules/glob-parent/package.json
Dependency Hierarchy:
react-scripts-3.4.1.tgz (Root Library)
webpack-dev-server-3.10.3.tgz
chokidar-2.1.8.tgz
❌ glob-parent-3.1.0.tgz (Vulnerable Library)
glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.