#community-help

Confusion Over Vulnerability of Typesense in Safety DB

TLDR Mehdi was confused about a vulnerability annotation on Typesense in Safety DB. Kishore Nallan clarified it was a false positive, suspecting a new feature of Typesense as the cause. Stefan supported the false positive claim.

31mo

Join the chat

Jul 07, 2021 (31 months ago)

Photo of md5-a3ecae8c75dfccecfa4e0116c9241a34

Mehdi

12:30 PM

https://pyupio.github.io/safety-db/ has marked Typesense version <0.13.0 as vulnerable, yet the latest version is 0.12.0. Does that make sense? :thinking_face:

Photo of md5-4e872368b2b2668460205b409e95c2ea

Kishore Nallan

12:32 PM

Do they say why it's insecure?

Jul 08, 2021 (31 months ago)

Photo of md5-d6c265b4792dbf0a1d6ae378f39d8736

Stefan

06:54 AM

    "typesense": [
        {
            "advisory": "Typesense 0.13.0 allows one to generate API keys with fine-grained access control restrictions for better security.",
            "cve": null,
            "id": "pyup.io-38798",
            "specs": [
                "<0.13.0"
            ],
            "v": "<0.13.0"
        }
    ],

https://raw.githubusercontent.com/pyupio/safety-db/4165745b90dde30ae53e40bd718fa13eb0cd5342/data/insecure_full.json

looks like a false positive?

06:55

Stefan

06:55 AM

"Most of the entries are found by filtering CVEs and changelogs for certain keywords and then manually reviewing them."

06:55

Stefan

06:55 AM

def. a false positive

Kishore Nallan

06:55 AM

I think it is talking about Typesense server version 0.13 where I think we introduced API key permissions.

06:56

Kishore Nallan

06:56 AM

Yup! https://github.com/typesense/typesense/releases/tag/v0.13.0

06:58

Kishore Nallan

06:58 AM

Thanks for pulling that up Stefan

Typesense

Lightning-fast, open source search engine for everyone | Knowledge Base powered by Struct.AI

Indexed 3015 threads (79% resolved)

Join Our Community

Similar Threads

Typesense Bug Fix with `canceled_at` Field and Upgrade Concerns

Mateo reported an issue regarding the treatment of an optional field by Typesense which was confirmed a bug by Jason. After trying an upgrade, an error arose. Jason explained the bug was due to a recent change and proceeded to downgrade their version. Future upgrade protocols were discussed.

10mo

Announcement: General Availability of Typesense v0.25.0

Jason announces release of Typesense v0.25.0, listing new features. Users express excitement and ask pertinent questions. Gorkem, Manuel, and Daniel commend the team for the new functionalities. Manish and Tugay share their positive experiences with Typesense. Jason and Kishore Nallan answer questions and thank users for their feedback.

170

3mo

Typesense Feature Developments Discussed

Daniel asked about the release schedule of Typesense and the upcoming features. Kishore Nallan elaborated on the release process and confirmed the new features. They also discussed ID handling and search highlighting features. They tested one of the features successfully.

31mo

Fixing Corrupted Documents and Upgrading Typesense Cloud Version

gab had issues with corrupted documents in Typesense Cloud. Jason suggested upgrading to version 0.24.1.rc, which resolved the issue. They also discussed CORS domain management.

9mo

Issues with Generating Scope API Keys in Python

Danny had issues generating a valid scope API key in a Python GraphQL server. Jason suggested encoding changes and confirmed that the key length varies. Issue unresolved with Python, although JS library worked.

19mo