Skip to main content

Test Results

hardeep/kotlin-redux-observable

Snyk’s security scan found the following vulnerabilities.
Ready to fix your vulnerabilities? Automatically find, fix, and monitor vulnerabilities for free with Snyk.

Vulnerabilities

 2 via 6 paths

Dependencies

 8

Source

 GitHub

Commit

 c1c0121e

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

medium severity

Improper Locking

  • Vulnerable module: org.jetbrains.kotlin:kotlin-stdlib
  • Introduced through: io.reactivex.rxjava2:rxkotlin@2.2.0 and org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.2.10

Detailed paths

  • Introduced through: hardeep/kotlin-redux-observable@hardeep/kotlin-redux-observable#c1c0121ef440a2531f404f52810066afbe65e4fb io.reactivex.rxjava2:rxkotlin@2.2.0 org.jetbrains.kotlin:kotlin-stdlib@1.2.10
  • Introduced through: hardeep/kotlin-redux-observable@hardeep/kotlin-redux-observable#c1c0121ef440a2531f404f52810066afbe65e4fb org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.2.10 org.jetbrains.kotlin:kotlin-stdlib@1.2.10
    Remediation: Upgrade to org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.6.0.
  • Introduced through: hardeep/kotlin-redux-observable@hardeep/kotlin-redux-observable#c1c0121ef440a2531f404f52810066afbe65e4fb org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.2.10 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.2.10 org.jetbrains.kotlin:kotlin-stdlib@1.2.10
    Remediation: Upgrade to org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.6.0.

Overview

org.jetbrains.kotlin:kotlin-stdlib is a Kotlin Standard Library for JVM.

Affected versions of this package are vulnerable to Improper Locking due to inability to lock dependencies for Multiplatform Gradle Projects.

Remediation

Upgrade org.jetbrains.kotlin:kotlin-stdlib to version 1.6.0 or higher.

References

Improper Locking vulnerability report

low severity

Information Exposure

  • Vulnerable module: org.jetbrains.kotlin:kotlin-stdlib
  • Introduced through: io.reactivex.rxjava2:rxkotlin@2.2.0 and org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.2.10

Detailed paths

  • Introduced through: hardeep/kotlin-redux-observable@hardeep/kotlin-redux-observable#c1c0121ef440a2531f404f52810066afbe65e4fb io.reactivex.rxjava2:rxkotlin@2.2.0 org.jetbrains.kotlin:kotlin-stdlib@1.2.10
  • Introduced through: hardeep/kotlin-redux-observable@hardeep/kotlin-redux-observable#c1c0121ef440a2531f404f52810066afbe65e4fb org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.2.10 org.jetbrains.kotlin:kotlin-stdlib@1.2.10
    Remediation: Upgrade to org.jetbrains.kotlin:kotlin-stdlib-jdk8@2.1.0.
  • Introduced through: hardeep/kotlin-redux-observable@hardeep/kotlin-redux-observable#c1c0121ef440a2531f404f52810066afbe65e4fb org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.2.10 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.2.10 org.jetbrains.kotlin:kotlin-stdlib@1.2.10
    Remediation: Upgrade to org.jetbrains.kotlin:kotlin-stdlib-jdk8@2.1.0.

Overview

org.jetbrains.kotlin:kotlin-stdlib is a Kotlin Standard Library for JVM.

Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using createTempDir or createTempFile and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system.

Note: As of version 1.4.21, the vulnerable functions have been marked as deprecated. Due to still being usable, this advisory is kept as "unfixed".

PoC by JLLeitschuh

package org.jlleitschuh.sandbox

import org.junit.jupiter.api.Test
import java.io.BufferedReader
import java.io.File
import java.io.IOException
import java.io.InputStreamReader
import java.nio.file.Files

class KotlinTempDirectoryPermissionCheck {
    @Test
    fun `kotlin check default directory permissions`() {
        val dir = createTempDir()
        runLS(dir.parentFile, dir) // Prints drwxr-xr-x
    }

    @Test
    fun `Files check default directory permissions`() {
        val dir = Files.createTempDirectory("random-directory")
        runLS(dir.toFile().parentFile, dir.toFile()) // Prints drwx------
    }

    @Test
    fun `kotlin check default file permissions`() {
        val file = createTempFile()
        runLS(file.parentFile, file) // Prints -rw-r--r--
    }

    @Test
    fun `Files check default file permissions`() {
        val file = Files.createTempFile("random-file", ".txt")
        runLS(file.toFile().parentFile, file.toFile()) // Prints -rw-------
    }

    private fun runLS(file: File, lookingFor: File) {
        val processBuilder = ProcessBuilder()
        processBuilder.command("ls", "-l", file.absolutePath)
        try {
            val process = processBuilder.start()
            val output = StringBuilder()
            val reader = BufferedReader(
                InputStreamReader(process.inputStream)
            )
            reader.lines().forEach { line ->
                if (line.contains("total")) {
                    output.append(line).append('\n')
                }
                if (line.contains(lookingFor.name)) {
                    output.append(line).append('\n')
                }
            }
            val exitVal = process.waitFor()
            if (exitVal == 0) {
                println("Success!")
                println(output)
            } else {
                //abnormal...
            }
        } catch (e: IOException) {
            e.printStackTrace()
        } catch (e: InterruptedException) {
            e.printStackTrace()
        }
    }
}

Remediation

Upgrade org.jetbrains.kotlin:kotlin-stdlib to version 2.1.0 or higher.

References

Information Exposure vulnerability report