Friday, March 31, 2017

hello! welcome back to war! Title: Downloads Resources over HTTP Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time. Source: nodesecurity Severity: high

imageoptim is a Node.js wrapper for some images compression algorithms.
imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.


This plugin gzips your static resources.

It then sets the Transfer-Encoding header on the resources when rendering them.

Builds on the "Resources" framework plugin 

Todos:

* Add "excludes" URIs via Config to prevent certain types and URIs being handled in this way - 
  e.g. by default should exclude all image and pre-zipped formats but also allow excluding whole URIs and types.
  Allow closure to determine it at runtime. e.g.:

  zipped.resources.excludes = [
     '*.gif',
     '*.jpg',
     '*.jpeg',
     '*.png',
   '*.pdf',
   '*.zip',
   '*.gz',
   '*.dmg',
   { uri ->
      return !uri.startsWith('user-content')
   }
  ]

* Add a "minimum size" threshold under which it will not bother gzipping.
  Default to sane value circa 300bytes. Files smaller than this come out
  bigger as zips.

No comments:

Man in the Rain