chore: body-parser vulnerable to denial of service when url encoding is enabled#15243
charlesBochet merged 1 commit into main from
Conversation
Greptile Overview
Greptile Summary
This PR addresses a security vulnerability by upgrading the body-parser dependency from version ^1.20.2 to ^1.20.3 in the serverless layer 1 package configuration. The vulnerability (Dependabot Alert 125) allows denial of service attacks when URL encoding is enabled in body-parser. This is a patch-level security update that maintains backward compatibility while closing the security gap. The change affects only the serverless driver layer's dependencies, specifically where body-parser is used for parsing incoming HTTP request bodies in the Twenty framework's serverless functions infrastructure.
Changed Files
| Filename | Score | Overview |
|---|---|---|
| packages/twenty-server/src/engine/core-modules/serverless/drivers/layers/1/package.json | 5/5 | Updated body-parser dependency from ^1.20.2 to ^1.20.3 to patch DoS vulnerability |
Confidence score: 5/5
- This PR is safe to merge with minimal risk as it only updates a single dependency to patch a known security vulnerability
- Score reflects that this is a standard security patch with no breaking changes, isolated to a single package.json file, and the patch version bump indicates backward compatibility
- No files require special attention; this is a straightforward dependency update with no code changes required
Sequence Diagram

```mermaid
sequenceDiagram
    participant Dependabot
    participant Developer
    participant Package Manager
    participant Dependencies
    Dependabot->>Developer: "Alert 125: body-parser vulnerable to DoS"
    Developer->>Package Manager: "Update body-parser in package.json"
    Package Manager->>Dependencies: "Resolve body-parser ^1.20.3"
    Dependencies->>Package Manager: "Return updated dependencies"
    Package Manager->>Dependencies: "Update qs to 6.13.0"
    Package Manager->>Dependencies: "Add security-related dependencies"
    Note over Package Manager,Dependencies: async-function, call-bind-apply-helpers,<br/>dunder-proto, es-define-property,<br/>es-object-atoms, generator-function,<br/>get-proto, gopd, has-symbols,<br/>math-intrinsics, side-channel-*
    Dependencies->>Package Manager: "Resolve dependency tree"
    Package Manager->>Developer: "Update yarn.lock with secure versions"
    Developer->>Package Manager: "Commit security fix"
```
1 file reviewed, no comments
| "axios": "^1.7.5", | ||
| "bcrypt": "^5.1.1", | ||
| "body-parser": "^1.20.2", | ||
| "body-parser": "^1.20.3", |
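Review bot: the caret range ^1.20.2 already admits 1.20.3, so this one-line bump does not by itself change what gets installed; the effective fix is whatever yarn.lock now resolves for body-parser (and for its qs dependency, which the summary above says moves to 6.13.0), so confirm the lockfile entry reads 1.20.3 or later in the same PR. The comment below also points out that the migration command in 1-8-fill-null-serverless-function-layer-id.command.ts carries a hardcoded copy of this package.json and yarn.lock still at ^1.20.2; those constants need the same bump, otherwise new or upgrading workspaces are seeded with the vulnerable version.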
Bug: A database migration command contains a hardcoded reference to the old, vulnerable version of body-parser, which negates the security update for new or migrated workspaces.
(Severity: Critical 0.80 | Confidence: 1.00)
🔍 Detailed Analysis
The PR updates body-parser to version ^1.20.3 but fails to update hardcoded references to the previous version, ^1.20.2, within a database migration command. The getOrInsertCommonLayer() method in 1-8-fill-null-serverless-function-layer-id.command.ts uses constants COMMON_SERVERLESS_FUNCTION_LAYER_PACKAGE_JSON and COMMON_SERVERLESS_FUNCTION_LAYER_YARN_LOCK which still contain the old version. When this migration runs for new or upgrading workspaces, it will insert the vulnerable dependency into the database, negating the security fix for those instances.
💡 Suggested Fix
Update the COMMON_SERVERLESS_FUNCTION_LAYER_PACKAGE_JSON constant in packages/twenty-server/src/database/commands/upgrade-version-command/1-8/1-8-fill-null-serverless-function-layer-id.command.ts to use 'body-parser': '^1.20.3'. Then, regenerate the COMMON_SERVERLESS_FUNCTION_LAYER_YARN_LOCK constant to reflect this change and its dependencies.
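A drift check for the situation described in this comment, added here as an example and not code from the twenty repository: it compares the dependency ranges declared in the layer's package.json with those in a hardcoded copy, and reads the version a yarn.lock (classic or Berry format) actually pins for body-parser. The file contents, constant names and function names are constructed for the example.

```typescript
// Added example: detect a hardcoded copy of package.json / yarn.lock that lags
// behind the real files. All inputs below are constructed, not taken from the repo.
type Deps = Record<string, string>;

// Extract the "dependencies" map from a package.json document.
function readDeps(packageJsonText: string): Deps {
  const parsed = JSON.parse(packageJsonText) as { dependencies?: Deps };
  return parsed.dependencies ?? {};
}

// Return the version a yarn.lock pins for `pkg`, or null if there is no entry.
// Handles classic headers (`body-parser@^1.20.3:` / `version "1.20.3"`) and
// Berry headers (`"body-parser@npm:^1.20.3":` / `version: 1.20.3`).
function lockedVersion(lockText: string, pkg: string): string | null {
  const lines = lockText.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const header = lines[i].trim();
    const isEntry = header.endsWith(":") && header.replace(/^"/, "").startsWith(pkg + "@");
    if (!isEntry) continue;
    // Entry body lines are indented; stop at the first non-indented line.
    for (let j = i + 1; j < lines.length && lines[j].startsWith(" "); j++) {
      const m = lines[j].trim().match(/^version:?\s+"?([\d.]+)"?$/);
      if (m) return m[1];
    }
  }
  return null;
}

// Compare dotted numeric versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// List dependencies whose declared range differs between the two package.json copies,
// and report whether the lockfile resolves `pkg` to at least the version that fixes the bug.
function auditLayer(layerPkg: string, migrationPkg: string, lock: string, pkg: string, fixedIn: string) {
  const a = readDeps(layerPkg), b = readDeps(migrationPkg);
  const drift = Object.keys({ ...a, ...b }).filter((k) => a[k] !== b[k]);
  const locked = lockedVersion(lock, pkg);
  const lockOk = locked !== null && compareVersions(locked, fixedIn) >= 0;
  return { drift, locked, lockOk };
}

// Constructed sample state: the layer file is patched, the hardcoded copies are not.
const LAYER_PACKAGE_JSON = JSON.stringify({ dependencies: { axios: "^1.7.5", "body-parser": "^1.20.3" } });
const MIGRATION_PACKAGE_JSON = JSON.stringify({ dependencies: { axios: "^1.7.5", "body-parser": "^1.20.2" } });
const MIGRATION_YARN_LOCK = ['"body-parser@npm:^1.20.2":', "  version: 1.20.2", '  resolution: "body-parser@npm:1.20.2"', ""].join("\n");
```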
🚀 Preview Environment Ready! Your preview environment is available at: http://bore.pub:5375 This environment will automatically shut down when the PR is closed or after 5 hours.
Fixes Dependabot Alert 125 - body-parser vulnerable to denial of service when url encoding is enabled.