[Snyk] Security upgrade formidable from 1.2.6 to 3.2.4

[hekike]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	776/1000 Why? Recently disclosed, Has a fix available, CVSS 9.8	Arbitrary File Upload SNYK-JS-FORMIDABLE-2838956	Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: formidable

The new version differs by 250 commits.

• 143e473 chore: prepare release
• 2f553b4 docs: use slugify in the example
• 9969c25 refactor: code style
• 5103d09 feat: stop extension from being '.'
• 67c6a3f feat: allow numbers in file extensions
• 78de849 feat: stop at first invalid char
• 5fdb2d0 fix: replace regex with reliable filtering
• d2bd18d tests: add a test case that proves that the regex was always bad
• 703bec4 tests: add comment
• 15afa8a docs: add comment
• d3a05e9 add failing test case
• 971e3a7 chore: publish
• 92df3c8 fix: IncomingForm end event emitted twice (Add documentation for new formatter interface #851 #852)
• 21efa7d chore(deps): bump istanbul-reports from 3.0.2 to 3.1.4 (Restify errors #844)
• 8009584 chore(kodiak): always update PRs
• d6c17f1 chore: fix dependabot error
• 7ea655e chore: do not add reviewers to dep update prs ('after' event does not always fire before res.send() is complete. was (Response.send should handle formatter errors) #845)
• 635b4f8 chore: add Dependabot settings (require('restify') slow: takes about 800 ms #837)
• a93060c chore: fix kodiak config (style(examples): Unused deps, JSCS violations, gitignore #838)
• 7fbf974 chore: add KodiakHQ service (jsdoc comments #836)
• 786f2e1 chore(deps): bump ansi-regex from 4.1.0 to 4.1.1 (Wavewash patch 1 #835)
• 4718b78 chore(security): meta, add CodeQL action (dtrace-provider version bump #832)
• db22330 chore: remove auto-comment bot (Add iojs to travis config for builds #833)
• ab698ff chore(meta): remove LabelSponsors Action (Consider hiding or removing server.rm() #834)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[kolbma]

Do you check your pull requests, before opening?!

formidable 3.2.4 is an ESM module and for this it won't work without changing code in restify plugins.

And the more important is... is there a need for updating because of this snyk report, which doesn't seem to say much, and the CVE also. Air of importance.
This comes from an anonymous guy who thinks it would be a problem if there are filenames with html-tags.
Well the problem is if you as developer put these filenames unchecked on a website, but not if you send these files e.g. per mail.
So can you trust the filename of an uploaded file per webform, of course not. Like you can't trust any data put in any form field.

There is a need for updating formidable, because version 1 isn't supported any longer.
But as started, this needs more than updating a version number.

[kolbma]

Btw. version 1.2.6 filters the extension with .[a-z0-9]* and cuts off anything behind.
So this problem starts with v2 and the "fix" in v3.2.4 is far more dangerous. Uploads of .txt files with "right" filenames would be saved as .bat or .exe files and if you provide these files to your users of the web apps they might get executed, although you have blocked these extension by a filter. But the "magic" rename happens after the custom filter checks.