Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerable dependencies #2764

Open
oskarwilliams opened this issue May 10, 2024 · 4 comments
Open

Vulnerable dependencies #2764

oskarwilliams opened this issue May 10, 2024 · 4 comments

Comments

@oskarwilliams
Copy link
Contributor

oskarwilliams commented May 10, 2024

Description

The balena-cli when installed via npm currently includes 39 vulnerabilities, including 2 critical, which are non patchable. Some of these include using a sub dependency that was last published 10 years ago (optimist). Could some of these vulnerabilities be assessed and looked at?

Expected Behavior

In the ideal world, 0 vulnerabilities when the package is installed with NPM

Actual Behavior

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical) and many deprecated packages

Steps to Reproduce the Problem

  1. npm init with just defaults
  2. npm install balena-cli
  3. The below output
❯ npm install balena-cli
npm WARN skipping integrity check for git dependency ssh://[email protected]/balena-io-modules/unbzip2-stream.git 
npm WARN skipping integrity check for git dependency ssh://[email protected]/resin-io-modules/multicast-dns.git 
npm WARN skipping integrity check for git dependency ssh://[email protected]/balena-io-modules/bonjour.git 
npm WARN deprecated @types/[email protected]: This is a stub types definition. nock provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/[email protected]: This is a stub types definition. is-root provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/[email protected]: This is a stub types definition. cli-truncate provides its own type definitions, so you do not need this installed.
npm WARN deprecated [email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated [email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: Please upgrade to v7.0.2+ of superagent.  We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing.  See the releases tab for more information at <https://github.com/visionmedia/superagent/releases>.
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 2139 packages, and audited 2140 packages in 15s

104 packages are looking for funding
  run `npm fund` for details

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
  1. Output of npm audit is
# npm audit report

bl  <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/ghauth/node_modules/bl
  ghauth  <=3.2.1
  Depends on vulnerable versions of bl
  node_modules/balena-cli/node_modules/ghauth

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/express

follow-redirects  <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/follow-redirects

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/balena-cli/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/balena-cli/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/balena-cli/node_modules/update-notifier

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/jsonwebtoken

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer

lodash.template  *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/lodash.template
  @oclif/plugin-warn-if-update-available  1.7.0 || 2.0.0 || 2.1.0 - 3.0.16
  Depends on vulnerable versions of lodash.template
  node_modules/balena-cli/node_modules/@oclif/plugin-warn-if-update-available

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/minimatch
  mocha  5.1.0 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of nanoid
  node_modules/balena-cli/node_modules/mocha

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/balena-cli/node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/balena-cli/node_modules/optimist
    dbus-native  *
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of put
    Depends on vulnerable versions of xml2js
    node_modules/balena-cli/node_modules/dbus-native
      resin-discoverable-services  >=2.0.0
      Depends on vulnerable versions of dbus-native
      node_modules/balena-cli/node_modules/resin-discoverable-services
        balena-cli  *
        Depends on vulnerable versions of @balena/compose
        Depends on vulnerable versions of balena-preload
        Depends on vulnerable versions of request
        Depends on vulnerable versions of resin-discoverable-services
        Depends on vulnerable versions of update-notifier
        node_modules/balena-cli

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/nanoid

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/balena-cli/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/balena-cli/node_modules/svgo
      inline-source  6.1.0 - 7.2.0
      Depends on vulnerable versions of svgo
      node_modules/balena-cli/node_modules/inline-source
        inline-source-cli  >=2.0.0
        Depends on vulnerable versions of inline-source
        node_modules/balena-cli/node_modules/inline-source-cli

put  *
Sensitive Data Exposure in put - https://github.com/advisories/GHSA-v6gv-fg46-h89j
No fix available
node_modules/balena-cli/node_modules/put

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/balena-cli/node_modules/request
  @balena/compose  *
  Depends on vulnerable versions of pinejs-client-request
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/@balena/compose
  balena-preload  >=10.3.2-233-sh-truncate-exc-feff27b0a0cd5e8ce93564e8a8a25727bd7acffa
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise
  node_modules/balena-cli/node_modules/balena-preload
  pinejs-client-request  *
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/pinejs-client-request
  publish-release  *
  Depends on vulnerable versions of ghauth
  Depends on vulnerable versions of inquirer
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/publish-release
  request-promise  >=0.0.2
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-core
  Depends on vulnerable versions of tough-cookie
  node_modules/balena-cli/node_modules/request-promise
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/balena-cli/node_modules/request-promise-core

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/balena-cli/node_modules/tough-cookie

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/balena-cli/node_modules/meow

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/balena-cli/node_modules/dbus-native/node_modules/xml2js

39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
@oskarwilliams
Copy link
Contributor Author

This issue is exacerbated by the fact that the use of npm-shrinkwrap prevents any consumer of the package from overriding the vulnerable dependencies themselves.

@aethernet
Copy link
Contributor

Hello,

Those vulnerabilities are not exploitable in the context of the CLI.
We do have plans to upgrade those dependencies but it's not a priority atm.

If you have any reasons to believe that it's exploitable, please contact us privately using [email protected].

@otaviojacobi
Copy link
Contributor

Hello @oskarwilliams even though the dependencies above were not exploitable on the CLI, I agree that there are improvements to be done. After a very long chain of dependencies fixes and bumps (see #2771, #2790, #2791, #2797, #2796, #2799) and finally #2800 the latest version of the CLI when installed yields 11 moderate severity vulnerabilities down from 39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)

I know this is still not great, but the remaining 11 vulnerabilities will probably take a bit longer to be replaced (or at least the 10 that depend on request module) - The reason for that is first, request is used to communicate with our builders and replacing it with other http client (either got or fetch) is not as trivial as expected as not all the clients have all the same features, and got which is the more complete one would require also moving the entire project to ESM. Moving the project to ESM requires us moving to @oclif/core v4 which has several breaking changes on the ux module that we need to replace (see oclif/core#1059)

I am keeping this issue open until we (or someone on the community, as PRs are welcomed) gets to trackle these.

@oskarwilliams
Copy link
Contributor Author

Thank you for working your way through these vulnerabilities! I understand the issues you would have going through them so thank for the perseverance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants