Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Project Dependencies] Vulnerability in the unset-value dependency #382

Open
1 task done
priyaramu opened this issue Apr 21, 2022 · 5 comments
Open
1 task done

[Project Dependencies] Vulnerability in the unset-value dependency #382

priyaramu opened this issue Apr 21, 2022 · 5 comments
Labels
state: triaged This issue has been triaged type: bug Something isn't working

Comments

@priyaramu
Copy link

Is There An Existing Issue

What Are You Seeing

There is a high vulnerability reported by prisma while using newmna-reporter-htmlextra. The vulnerability is in unset-value 1.0.0 package which is a transitive dependency of @budibase/handlebars-helpers in newman-reporter-htmlextra. This is fixed in the unset-value 2.0.1 version.

Impacted versions: <2.0.1
Discovered: less than an hour ago
Published: 59 days ago
unset-value package versions before 2.0.1 are vulnerable to Prototype Pollution. unset() function in index.js files allows for access to object prototype properties. An attacker can exploit this to override the behavior of object prototypes, resulting in a possible Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected behavior.

Steps To Reproduce The Issue

Run a prisma scan against a docker image which contains newman-reporter-htmlextra package (latest version)

Full Newman Command Or Node Script

newman run postman_collection.json -e env.environment.json \
      -r cli,htmlextra --reporter-htmlextra-export ./smoke-test-report.html

HTMLEXTRA Version

1.22.8

Newman Version

5.3.2

Additional Context

No response
@priyaramu priyaramu added state: needs-triage This issue needs to be triaged type: bug Something isn't working labels Apr 21, 2022
@DannyDainton
Copy link
Owner

I don't know what primsa is @priyaramu - can you provide more context here.

@DannyDainton DannyDainton added state: triaged This issue has been triaged and removed state: needs-triage This issue needs to be triaged labels May 2, 2022
@w4dd325
Copy link
Contributor

w4dd325 commented Jun 15, 2022

It sounds like it is this reported vulnerability with the NPM 'unset-value' package;
https://snyk.io/vuln/npm:unset-value#:~:text=Direct%20Vulnerabilities,and%20provides%20fixes%20for%20free.

The full paper is here;
https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

From the bits I have read, it appears a few of the dependencies used (eg; lodash/handlebars) would be vulnerable. The fix would be to ensure all dependencies are updated to the latest releases. (Which from a quick glance, they are).

@priyaramu
Copy link
Author

I don't know what primsa is @priyaramu - can you provide more context here.

@DannyDainton Prisma tool is used to scan docker images and find the vulnerabilities if any -> https://prisma.pan.dev/docs/cloud/
https://prisma.pan.dev/docs/cloud/cwpp/twistcli_gs#scan-container-images-with-twistcli

@ackris
Copy link

ackris commented Jan 23, 2024

@DannyDainton - this is still coming even after upgrading newman-reporter-htmlextra to 1.23.0. Is there any resolution to this?

unset-value is one of the transitive dependencies of newman-reporter-htmlextra.

=> Found "unset-value@1.0.0"
info Reasons this module exists
   - "=> Found "unset-value@1.0.0"
info Reasons this module exists
   - "newman-reporter-htmlextra#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base" depends on it       
   - Hoisted from "newman-reporter-htmlextra#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base#unset-value"
info Disk size without dependencies: "68KB"
info Disk size with unique dependencies: "132KB"
info Disk size with transitive dependencies: "236KB"
info Number of shared dependencies: 6
Done in 1.92s.#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base" depends on it       
   - Hoisted from "newman-reporter-htmlextra#@budibase#handlebars-helpers#micromatch#snapdragon#base#cache-base#unset-value"
info Disk size without dependencies: "68KB"
info Disk size with unique dependencies: "132KB"
info Disk size with transitive dependencies: "236KB"
info Number of shared dependencies: 6
Done in 1.92s.

the above is the output yarn why unset-value.

Please let us know if a fix is planned for this. This is becoming a blocker of sorts in our organization.

@DannyDainton
Copy link
Owner

It's not something I'm working on, this project is not my day job and unfortunately those things will always take priority.

If this is some that you can fix or you want to contribute to the project - PRs are very welcome.

This goes without saying but your organisation has chosen to use a 3rd party tool that they basically have no control over, there is never any guarantees that it will continue to work forever...that's the nature of software.

@DannyDainton DannyDainton changed the title Vulnerability in unset-value dependency [Project Dependencies] Vulnerability in the unset-value dependency Feb 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
state: triaged This issue has been triaged type: bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@DannyDainton @ackris @priyaramu @w4dd325