
GHSA-8g98-m4j9-qww5

Taylored webhook validation vulnerabilities

Published: Jun 18, 2025
Updated: Jun 18, 2025
Affected: 1 pkg
Patched: 1 / 1
Exploits: None indexed

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

taylored (npm): 4 downloads / week

Description

Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5

Summary

A series of moderate to high-severity security vulnerabilities have been identified specifically in version 7.0.7 of `taylored`. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this version. They could allow a malicious actor to read arbitrary files from the server, download paid patches without completing a valid purchase, and weaken the protection of encrypted patches.

All users who have installed or generated a `taysell-server` using version 7.0.7 of `taylored` are strongly advised to immediately upgrade to version 7.0.8 (or later) and follow the required mitigation steps outlined below. Versions prior to 7.0.7 did not include the Taysell functionality and are therefore not affected by these specific issues.

Vulnerabilities Patched in v7.0.8

Version 7.0.8 addresses the following issues found in the v7.0.7 template:

  1. Path Traversal in Patch Download: The patch download endpoint did not properly sanitize the user-provided `patchId`. An attacker could have crafted a request with path traversal sequences (e.g., `../../etc/passwd`) to read arbitrary files from the server's filesystem. The `patchId` is now sanitized to ensure only files within the intended patches directory can be accessed.
  2. Missing PayPal Webhook Validation: The server endpoint did not cryptographically verify incoming payment notifications, allowing an attacker to spoof a purchase and gain unauthorized access to patches.
  3. Purchase Token Replay Vulnerability: A legitimate purchase token could be reused indefinitely. The system now correctly invalidates tokens after their first use.
  4. Insufficient PBKDF2 Iterations: The key derivation function used an insufficient number of iterations, making encrypted patches more susceptible to brute-force attacks. This has been strengthened.

Required Actions

To fix these vulnerabilities, users of version 7.0.7 must upgrade the `taylored` tool and regenerate their `taysell-server` instance.

Please follow these steps carefully:

  1. Upgrade to the Secure Version of `taylored`: Open your terminal and run the following command to install the latest version:

```bash
npm install -g taylored@latest
```

    Verify that you have version 7.0.8 or later.

  2. Remove the Vulnerable Backend: Navigate to the project directory where you previously generated the backend with v7.0.7 and completely delete the old `taysell-server` directory.

```bash
# Back up any customizations if necessary
rm -rf taysell-server
```

  3. Generate the New, Secure Backend: From the same directory, run the `setup-backend` command again using the upgraded `taylored` tool. This will create a new `taysell-server` directory with the patched, secure code.

```bash
taylored setup-backend
```

    Follow the prompts and enter your PayPal credentials and server configuration. Using a new, strong, and unique `PATCH_ENCRYPTION_KEY` is highly recommended.

  4. Recreate and Re-upload Commercial Patches: Due to the cryptography improvements, patches created with version 7.0.7 are not compatible with the new, secure backend. You must recreate them:

    • For each of your commercial patches, run the `taylored create-taysell` command again.
    • Upload the new encrypted files (e.g., `patch-name.taylored.encrypted`) to the `patches/` directory of your new `taysell-server`.
  5. Launch the New Server: Start your new backend using Docker Compose:

```bash
cd taysell-server
docker-compose up --build -d
```

For questions or support, please refer to the official documentation or open an issue on our GitHub repository.

Thank you for your attention to this important update.

Affected Packages

1 total, 1 fixed

Ecosystem | Package  | Vulnerable range  | Fix
npm       | taylored | 7.0.5 && < 7.0.8  | 7.0.8

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for taylored. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update taylored to 7.0.8 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8g98-m4j9-qww5 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-8g98-m4j9-qww5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-8g98-m4j9-qww5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
