Home / Companies / Snyk / Blog / May 2016

May 2016 Summaries

3 posts from Snyk

Filter
Month: Year:
Post Summaries Back to Blog
The marked package is a popular Markdown parser that can be used to render user input into rich text, but it has an XSS vulnerability due to its support for inline HTML and tags. This allows attackers to inject malicious scripts through links or other means. The vulnerability can be mitigated by enabling the sanitize option in the package's settings, which removes dangerous input and encodes or removes it. However, even with sanitization, there are still potential vulnerabilities, such as the use of HTML entities that browsers do not enforce, allowing attackers to evade detection. A patch is available through Snyk's Wizard, but users can also consider using alternative Markdown packages until a new version of marked is released. The vulnerability was first reported in 2015, but only recently gained attention due to its potential impact on user security.
May 15, 2016 1,081 words in the original blog post.
This blog post discusses building a serverless web application in AWS using the Serverless framework. The application is built on top of AWS Lambda functions, API Gateway, DynamoDB, and IAM roles. The project uses a hybrid approach to code organization, dividing the code into microservices that share similar functionality. The use of Serverless addresses several pain points, including sharing code between functions, handling environmental variables, and making API Gateway communicate with Lambda functions. The project structure is well-organized, with separate folders for each function and resources. The blog post also covers the deployment workflow, testing, and final thoughts on using Serverless for building serverless applications. Additionally, it highlights the importance of learning and experimenting to get the most out of AWS Lambda and its features.
May 09, 2016 3,036 words in the original blog post.
Mitigating ImageMagick vulnerabilities in Node.js ` ImageMagick, a widely used library for image manipulation, has been disclosed multiple severe and easily exploitable vulnerabilities. These vulnerabilities allow attackers to execute commands on servers, expose server files, and more. To protect against these vulnerabilities, a new npm package called imagemagick-safe has been released, which disables the vulnerable features by editing ImageMagick's policy.xml configuration file. This package is recommended until new ImageMagick binaries are released, and users can also use it via the gm package. The vulnerabilities are related to processing specific image file types and keywords, such as MVG, URL, and HTTPS, and can be mitigated by disabling support for these formats and keywords.
May 06, 2016 623 words in the original blog post.