Decompress security warning means gatsby-plugin-sharp and gatsby-source-contentful fail audit #21791

Closed
galvogalvo opened this issue Feb 27, 2020 · 22 comments · Fixed by #22797
Labels
type: bug (An issue or pull request relating to a bug in Gatsby)
type: upstream (Issues outside of Gatsby's control, caused by dependencies)

Comments

@galvogalvo

There is an NPM high severity warning for kevva/decompress which means yarn audit fails when using gatsby-plugin-sharp and gatsby-source-contentful plugins.

See: https://www.npmjs.com/advisories/1217
Issue here: kevva/decompress#71

@galvogalvo galvogalvo added the type: bug An issue or pull request relating to a bug in Gatsby label Feb 27, 2020
@pieh pieh added the type: upstream Issues outside of Gatsby's control, caused by dependencies label Feb 27, 2020
@pieh
Contributor

pieh commented Feb 27, 2020

Thanks for the notice!

Unfortunately there is not much we can do in Gatsby directly to address it yet, as decompress is a dependency-of-a-dependency type of scenario:

gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-build#decompress
gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-build#download#decompress
gatsby-plugin-sharp#imagemin-mozjpeg#mozjpeg#bin-wrapper#download#decompress

There is an open pull request in the decompress repository to address the vulnerability: kevva/decompress#73

So please watch that pull request; once this is handled there and published, it will be a matter of updating this package in your lock files, as the bin-build package already allows a version range in its dependencies: ("decompress": "^4.0.0" - via https://unpkg.com/browse/[email protected]/package.json)
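To see every chain that pulls a package in, the way the three `gatsby-plugin-sharp#...#decompress` chains are listed above, one can walk the tree that `npm ls --json` prints (nested `dependencies` objects, each carrying a `version`). The block below is an added example written for this page, not Gatsby or npm code; the tree in it is constructed to mirror the chains above, the version numbers are made up, and in real use the tree would come from `JSON.parse` of the `npm ls --json` output.

```javascript
// Added example: find every path to a transitive dependency in an
// `npm ls --json`-shaped tree, printed in the `a > b > c` form npm audit uses.
// The tree is constructed to mirror the three chains in the comment above;
// the version strings are made up and not real `npm ls` output.
const sampleTree = {
  name: 'my-gatsby-site',
  version: '1.0.0',
  dependencies: {
    'gatsby-plugin-sharp': {
      version: '2.4.0',
      dependencies: {
        'imagemin-mozjpeg': {
          version: '8.0.0',
          dependencies: {
            mozjpeg: {
              version: '6.0.1',
              dependencies: {
                'bin-build': {
                  version: '3.1.0',
                  dependencies: {
                    decompress: { version: '4.2.0' },
                    download: {
                      version: '6.2.5',
                      dependencies: { decompress: { version: '4.2.0' } },
                    },
                  },
                },
                'bin-wrapper': {
                  version: '4.1.0',
                  dependencies: {
                    download: {
                      version: '7.1.0',
                      dependencies: { decompress: { version: '4.2.0' } },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

/**
 * Depth-first walk of an npm-ls-style tree. Returns one record per distinct
 * path that ends at `target`: the path (root package excluded, joined with
 * " > ") and the version resolved at that position.
 */
function findDependencyPaths(tree, target) {
  const hits = [];
  const walk = (node, trail) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = [...trail, name];
      if (name === target) {
        hits.push({ path: next.join(' > '), version: child.version });
      }
      // Deduped nodes in npm ls output carry no `dependencies` key; the
      // `|| {}` above makes the recursion a no-op for them.
      walk(child, next);
    }
  };
  walk(tree, []);
  return hits;
}

/**
 * The packages that depend on `target` directly. These are the ones whose
 * declared range has to admit the fixed version (cf. bin-build's "^4.0.0"
 * range mentioned above) before a lock-file update can pick it up.
 */
function directDependents(tree, target) {
  const parents = new Set();
  for (const hit of findDependencyPaths(tree, target)) {
    const parts = hit.path.split(' > ');
    if (parts.length >= 2) parents.add(parts[parts.length - 2]);
  }
  return [...parents].sort();
}

for (const hit of findDependencyPaths(sampleTree, 'decompress')) {
  console.log(`${hit.path} (${hit.version})`);
}
console.log('direct dependents:', directDependents(sampleTree, 'decompress').join(', '));
```

With a real tree the same two functions answer the two questions this thread keeps circling: which top-level plugins drag the package in, and which intermediate packages would have to be bumped, forked or re-added for a fix to propagate.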

@jimmyandrade

Also encountering this issue:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg > bin-build │
│               │ > decompress                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-build > decompress                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin > bin-build  │
│               │ > decompress                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg > bin-build │
│               │ > download > decompress                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-build > download > decompress                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin > bin-build  │
│               │ > download > decompress                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-mozjpeg > mozjpeg >           │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-pngquant > pngquant-bin >     │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > imagemin-webp > cwebp-bin >            │
│               │ bin-wrapper > download > decompress                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Write                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decompress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ netlify-cli                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ netlify-cli > gh-release-fetch > download > decompress       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1217                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@ghost

ghost commented Mar 1, 2020

Yeah, I'm receiving the Arbitrary File Write vulnerability in my npm audit as well. Is there a patch scheduled for that separately, or is it related to the path traversal mentioned earlier in this bug thread?

@sr1ch1

sr1ch1 commented Mar 1, 2020

The path traversal fix is for the decompress-tar package, which is used by decompress and is the cause of this issue. After fixing decompress-tar, the decompress package should be updated to use the fixed decompress-tar package. That would solve the issue.
I do not know when a patch will be scheduled. I made the PR to speed things up.

beatthat added a commit to mentorpal/mentor-client that referenced this issue Mar 3, 2020
* switch client to yarn
* fixes peer dependencies in client
* temp disable yarn audit until
gatsbyjs/gatsby#21791
@joshcummingsdesign

@pieh That project looks abandoned. Is there another package that can be used in its place? Also, is gatsby-plugin-sharp a devDependency since it's only used in the build, or should I be worried about my production site having this vulnerability?

@jordanlesich

@vladar Sorry, this is mostly for my own understanding, but how is this related to the error that I had? I hadn't installed either of these plugins.

@pieh
Contributor

pieh commented Mar 6, 2020

@pieh That project looks abandoned. Is there another package that can be used in its place?

Possibly. All of those affected deps of deps are for minimizing images.

Also, is gatsby-plugin-sharp a devDependency since it's only used in the build, or should I be worried about my production site having this vulnerability?

gatsby-plugin-sharp is not included in the result bundles, but the images it produces are.

The decompress there is used to decompress image processing archives, etc., and later on compile them to binaries. It doesn't accept an arbitrary payload, only what the imagemin-x packages have hardcoded as needed to build. In other words, the decompress vulnerability doesn't impact it (if those imagemin-x packages accepted arbitrary input for binaries, then it could be affected).

Btw. Those audit advisories provide a lot of worry, but you do have to inspect them and the affected packages to see if you are really affected or not. And there is a lot of nuance in those matters that those advisories do not explain.
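The advisory class discussed in this thread (arbitrary file write via path traversal in archive extraction) comes down to one missing check: an entry name from the archive must be confined to the destination directory before anything is written. The block below is an added example of that check, written for this page; it is not decompress's own fix and not Gatsby code. The entry list is constructed, the `mozjpeg-src/` directory name is made up, and `planExtraction` only decides what would be written rather than touching the filesystem.

```javascript
// Added example: destination-containment check for archive entries.
// Illustrative code for this thread, not decompress's patch; sample entries
// below are constructed.

// True for "/abs", "\\abs" and Windows drive paths such as "C:\\x".
function isAbsoluteEntry(p) {
  return /^([\\/]|[A-Za-z]:)/.test(p);
}

/**
 * Normalise an archive entry name into a relative, forward-slash path that
 * stays inside the destination, or return null when it cannot:
 *   - absolute names are rejected
 *   - "." and empty segments are dropped; ".." pops the previous segment and
 *     is rejected when nothing is left to pop (the traversal case)
 *   - a name that normalises to nothing ("", "./") is rejected
 */
function safeEntryPath(entryName) {
  if (typeof entryName !== 'string' || entryName === '' || isAbsoluteEntry(entryName)) {
    return null;
  }
  const out = [];
  for (const seg of entryName.split(/[\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // would climb out of the destination
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out.length > 0 ? out.join('/') : null;
}

/**
 * Decide, entry by entry, what may be written under `destDir`. Symlink entries
 * get the same check applied to their target, resolved relative to the link's
 * own directory, since a link pointing outside the destination is the other
 * common way out. Returns accepted writes and rejected entries with a reason.
 */
function planExtraction(entries, destDir) {
  const accepted = [];
  const rejected = [];
  for (const entry of entries) {
    const rel = safeEntryPath(entry.name);
    if (rel === null) {
      rejected.push({ name: entry.name, reason: 'entry path escapes destination' });
      continue;
    }
    if (entry.type === 'symlink') {
      const dir = rel.includes('/') ? rel.slice(0, rel.lastIndexOf('/') + 1) : '';
      if (isAbsoluteEntry(entry.linkTarget) || safeEntryPath(dir + entry.linkTarget) === null) {
        rejected.push({ name: entry.name, reason: 'symlink target escapes destination' });
        continue;
      }
    }
    accepted.push({ name: entry.name, dest: `${destDir}/${rel}` });
  }
  return { accepted, rejected };
}

// Constructed entries: three benign, three that must never be written.
const sampleEntries = [
  { name: 'mozjpeg-src/README', type: 'file' },
  { name: 'mozjpeg-src/./configure', type: 'file' },
  { name: 'mozjpeg-src/docs/../Makefile', type: 'file' },
  { name: '../../../escaped-file', type: 'file' },
  { name: '/etc/cron.d/escaped-job', type: 'file' },
  { name: 'mozjpeg-src/link', type: 'symlink', linkTarget: '../../../../etc/passwd' },
];

const samplePlan = planExtraction(sampleEntries, '/tmp/build');
for (const a of samplePlan.accepted) console.log(`write   ${a.dest}`);
for (const r of samplePlan.rejected) console.log(`reject  ${r.name}: ${r.reason}`);
```

Two caveats a reviewer would add: an extractor that writes through a symlink created by an earlier entry is still exposed even with this check, so the write path should also be verified not to pass through an existing symlink, and hard-link entries need the same target check as symlinks. The point pieh makes above still stands: whether any of this matters for a given project depends on whether untrusted archives can reach the extractor at all.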

@mikhail-shishov

So what should we do as Gatsby users? I'm kinda worried about this vulnerability.

@jordanlesich

I was able to work around this by installing WSL (Windows Subsystem for Linux) and Ubuntu on a freshly formatted hard drive (I'm not sure if this was necessary; it might work by just removing existing node modules). I then installed nvm via cURL. I'm guessing that by installing npm through Linux I was able to avoid the problems with decompress.

TBH, I don't really know why this worked for me, but I am now running gatsby-source-filesystem without receiving the security warnings. It also doesn't crash my project when I run gatsby develop, which is a big plus. I'll post back if anything changes.

@olegchursin

It is really hard to sell Gatsby to the rest of the dev team with these npm audit warnings.

@danielmgzzg

danielmgzzg commented Mar 12, 2020

This error is now happening in all our Gatsby projects. Has anyone found a workaround yet?

@pieh
Contributor

pieh commented Mar 12, 2020

We are waiting a few more days for a response from the decompress maintainers, and if there isn't any, we will likely fork the imagemin-x packages and replace the usage of decompress there.

@jimmyandrade

jimmyandrade commented Mar 12, 2020

@pieh thanks for the answer. An issue reporting this was created by @medikoo two weeks ago in kevva/download#189 and another by @simotae14 in kevva/decompress#76, and we've had no response from maintainers so far.

The last commit on the decompress repo was on Aug 22, 2017 (kevva/decompress@74a462a) and, unless they choose to open repo access to more people, my bet is that we will not have any news.

So, how much longer do you think we could wait for an answer before replacing the usage of decompress?

@danielmgzzg

danielmgzzg commented Mar 12, 2020

Kind petition to replace usage of decompress. Who's with me?

@jimmyandrade

There is a joint effort by the community to address this vulnerability directly in decompress (see kevva/decompress#73) and related repositories. I believe they are waiting for a timely response from the maintainers to make the decision to fork the project 😄

@bybyers

bybyers commented Mar 26, 2020

Want to see if there are any updates on this?

@jimmyandrade

@byebyers I was taking a look at kevva/decompress#73 and noticed that the repo maintainer has not yet responded on the pull request 😢

@bybyers

bybyers commented Mar 28, 2020

Thank you for checking 😄

@mrpickles3rd

mrpickles3rd commented Mar 31, 2020

I have just gone through all the forks and one is getting updated with security patches: Atomic-Reactor/decompress. It may be worth having a quick look.

@preshetin

preshetin commented Apr 2, 2020

The latest version of decompress should resolve this issue. The NPM advisory has been updated as well: https://www.npmjs.com/advisories/1217

I'll try to create the PR (it will be my first one here)

@preshetin

I think now, however, that this dependency would be updated automatically. So no need to make it manually.

@pieh
Contributor

pieh commented Apr 4, 2020

I think now, however, that this dependency would be updated automatically. So no need to make it manually

Lock files might pin the decompress version, so you might need to update those in your projects:

  • npm:
    You can use npm audit fix, which should take care of it automatically. Alternatively you can run npm audit again, and it should provide you with commands like npm update decompress --depth 8 (but the depth might vary depending on your setup, i.e. whether you use gatsby-plugin-sharp directly or use plugins/themes that use it under the hood).
  • yarn:
    yarn doesn't really have a nice option to bump indirect/transitive dependencies (How to upgrade indirect dependencies? yarnpkg/yarn#4986), but you can do something like yarn remove gatsby-plugin-sharp && yarn add gatsby-plugin-sharp (again, you might need to remove and re-add more packages if those depend on gatsby-plugin-sharp). You might also try just deleting yarn.lock and running yarn install to regenerate it (just keep in mind it will unpin any other unrelated deps and might cause weird problems, so if you do this, make sure you do some manual QA that everything works as expected on your site if you don't have automated testing).

I will be updating starters that we maintain today, so gatsby new (when using one of those) will just start with this taken care of.
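Since a lock file can keep resolving a package to a pre-fix version long after the fix is published, it is worth checking what yarn.lock actually resolves before and after the re-add/regenerate steps above. The block below is an added example written for this page (not Gatsby's or yarn's code) that parses the yarn v1 lock format and reports every entry for a package that resolves below a given version. The lock file text in it is constructed, its versions and hashes are made up, and the fixed version is a placeholder: take the real one from the advisory, not from this block.

```javascript
// Added example: report what a yarn.lock (v1 format) resolves a package to,
// and flag entries below a required version. The lock file below is
// constructed for this demo; its versions and hashes are not real.
const sampleYarnLock = [
  '# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.',
  '# yarn lockfile v1',
  '',
  '',
  '"@scope/example@^1.0.0":',
  '  version "1.0.3"',
  '  resolved "https://registry.yarnpkg.com/@scope/example/-/example-1.0.3.tgz#CONSTRUCTED"',
  '',
  'decompress-tar@^4.0.0:',
  '  version "4.1.1"',
  '  resolved "https://registry.yarnpkg.com/decompress-tar/-/decompress-tar-4.1.1.tgz#CONSTRUCTED"',
  '',
  'decompress@^4.0.0, decompress@^4.2.0:',
  '  version "4.2.0"',
  '  resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.0.tgz#CONSTRUCTED"',
  '  dependencies:',
  '    decompress-tar "^4.0.0"',
  '',
].join('\n');

/**
 * Parse the yarn v1 lock format: an unindented header line lists one or more
 * comma-separated "name@range" specs (quoted when they contain special
 * characters such as a scope), followed by indented fields. Only the header
 * and the `version` field are needed here.
 */
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      // lastIndexOf handles scoped names: "@scope/pkg@^1.0.0" -> "@scope/pkg"
      const at = specs[0].lastIndexOf('@');
      current = { name: at > 0 ? specs[0].slice(0, at) : specs[0], specs, version: null };
      entries.push(current);
      continue;
    }
    const m = /^ {2}version "([^"]+)"$/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

/**
 * Dotted numeric comparison (-1, 0, 1). Pre-release suffixes are ignored on
 * the assumption that the lock file resolves to plain releases.
 */
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

/** Entries for `pkg` whose resolved version is older than `fixedVersion`. */
function pinnedBelow(lockText, pkg, fixedVersion) {
  return parseYarnLock(lockText)
    .filter(e => e.name === pkg && e.version !== null && compareVersions(e.version, fixedVersion) < 0)
    .map(e => ({ specs: e.specs, version: e.version }));
}

// Placeholder only: the fixed version is not taken from this thread.
const FIXED_VERSION_PLACEHOLDER = '9.9.9';
for (const hit of pinnedBelow(sampleYarnLock, 'decompress', FIXED_VERSION_PLACEHOLDER)) {
  console.log(`decompress still resolves to ${hit.version} for: ${hit.specs.join(', ')}`);
}
```

Run against the project's real yarn.lock (read the file in place of `sampleYarnLock`) after the remove/re-add step to confirm that every `decompress@...` spec now resolves to a fixed version; the `specs` list also shows which ranges the dependents declare, which is what decides whether a plain lock-file refresh can pick the fix up at all.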
