[$250] Fix security vulnerabilities in Expensify App #48327

Closed
hurali97 opened this issue Aug 30, 2024 · 19 comments
Assignees
Labels
Awaiting Payment Auto-added when associated PR is deployed to production Bug Something is broken. Auto assigns a BugZero manager. Daily KSv2 External Added to denote the issue can be worked on by a contributor

Comments

@hurali97
Contributor

hurali97 commented Aug 30, 2024

Problem

Currently in Expensify App we have around 34 vulnerabilities in our dependencies of Critical, High and Moderate priorities. Even though our App works fine, there's always a chance of some exploit in the future. Since Expensify is a FinTech App, the security vulnerabilities should be avoided and mitigated as much as possible.

Some examples of the vulnerabilities found via npm audit are:

[Screenshot: npm audit output, 2024-08-30]

Solution

The links for the vulnerabilities also suggest the version that we can bump for that dependency in order to fix the vulnerability. Since most of the vulnerabilities are originating from transitive dependencies, we can use the overrides property in package.json to use that pinned version for the specific dependency. For example, consider the ws transitive dependency, which can be bumped to 8.17.1 in order to fix the vulnerability. Below is how we can achieve this:

"devDependencies": {
  ....
},
"overrides": {
  "ws": "8.17.1"
}

Once we add the patched versions of the security vulnerabilities in overrides property, we need to do a QA to make sure there are no regressions introduced by the patched versions.


Apart from this, upgrading to newer versions can sometimes be useful as they come with bug fixes and performance improvements. For example, react-pdf comes with lots of improvements like optimized CPU and memory usage, see here. There's one edge case that I am not aware of and would like to discuss:

  • We now don't have pdfjs-dist/legacy/build; instead we have pdfjs-dist/build, as react-pdf has dropped support for older browsers. In react-fast-pdf, which is maintained by Expensify here, and in Expensify App, we have references to pdfjs-dist/legacy/build, which we can just change to pdfjs-dist/build. After this change, on my testing, I was able to send and view the PDF correctly, so everything looks correct, but a QA in this area might come in handy.

Edit: react-pdf update is already being tracked here. We have to make sure to verify updates to react-fast-pdf.

Edit: I missed it the first time but we do have pdfjs-dist/legacy/build but we have .mjs instead of .js, so we still have to update react-fast-pdf to include the .mjs extension.

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~021843732810666984794
  • Upwork Job ID: 1843732810666984794
  • Last Price Increase: 2024-10-08
Issue Owner
Current Issue Owner: @
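As an added example (not code from the Expensify issue or repo), the script below turns the `fixAvailable` data from `npm audit --json` into the kind of `overrides` map described above, restricted to transitive dependencies, and then checks a `package-lock.json` "packages" tree to confirm every copy of each overridden package (including nested ones) really resolved to the pin. The audit report and lockfile are constructed samples in the npm v7+ JSON shape; `sample-lib`, `direct-dep`, `no-fix-dep` and `some-parent` are made-up package names, and the check assumes overrides are exact version pins as in the `ws` example.

```javascript
// Constructed sample of `npm audit --json` output (npm v7+ shape). Only the
// "ws" -> 8.17.1 entry mirrors the issue; the other packages are made up.
const auditReport = {
  vulnerabilities: {
    ws: { name: 'ws', severity: 'high', isDirect: false,
          fixAvailable: { name: 'ws', version: '8.17.1', isSemVerMajor: false } },
    'sample-lib': { name: 'sample-lib', severity: 'moderate', isDirect: false,
          fixAvailable: { name: 'sample-lib', version: '2.0.3', isSemVerMajor: false } },
    // A direct dependency is bumped in dependencies/devDependencies, not overrides.
    'direct-dep': { name: 'direct-dep', severity: 'critical', isDirect: true, fixAvailable: true },
    // Advisory without a published fix: nothing to pin.
    'no-fix-dep': { name: 'no-fix-dep', severity: 'low', isDirect: false, fixAvailable: false },
  },
};

// Build the package.json "overrides" map from transitive advisories that carry
// a concrete fix version and meet the severity threshold. Packages that cannot
// be handled by an override (direct deps, no fix available) are returned in
// `skipped` so they get reviewed by hand instead of silently dropped.
function buildOverrides(report, minSeverity = 'moderate') {
  const rank = { low: 0, moderate: 1, high: 2, critical: 3 };
  const overrides = {};
  const skipped = [];
  for (const [pkg, v] of Object.entries(report.vulnerabilities)) {
    if (rank[v.severity] < rank[minSeverity]) continue;
    if (v.isDirect || typeof v.fixAvailable !== 'object') { skipped.push(pkg); continue; }
    overrides[v.fixAvailable.name] = v.fixAvailable.version;
  }
  return { overrides, skipped };
}

// Verify the lockfile: an override only closes the hole if *every* installed
// copy of the package (top-level and nested under other packages) resolved to
// the pinned version. Returns a list of problems; empty means all good.
function checkLock(lock, overrides) {
  const problems = [];
  for (const [name, want] of Object.entries(overrides)) {
    const copies = Object.entries(lock.packages)
      .filter(([p]) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`));
    if (copies.length === 0) problems.push(`${name}: not in lockfile`);
    for (const [p, e] of copies) if (e.version !== want) problems.push(`${p}: ${e.version} != ${want}`);
  }
  return problems;
}

// Constructed package-lock.json fragment: a nested copy of ws was left behind.
const sampleLock = { packages: {
  'node_modules/ws': { version: '8.17.1' },
  'node_modules/some-parent/node_modules/ws': { version: '7.5.9' },
  'node_modules/sample-lib': { version: '2.0.3' },
} };
```

Running `checkLock(sampleLock, buildOverrides(auditReport).overrides)` on the sample flags the stale nested `ws` copy, which is exactly the case a plain `npm audit` summary can hide after an override is added.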
@CyberAndrii
Contributor

react-pdf upgrade is being tracked in #48124

@hurali97
Contributor Author

hurali97 commented Sep 2, 2024

react-pdf upgrade is being tracked in #48124

@CyberAndrii wow, nice. So does it mean when your PR to react-pdf is merged, you'll be bumping it in Expensify App? Because if that happens we will have to take care of react-fast-pdf as well.

@CyberAndrii
Contributor

Yes I guess. Thanks for pointing this out

@melvin-bot melvin-bot bot added the Monthly KSv2 label Sep 2, 2024
@melvin-bot melvin-bot bot added Reviewing Has a PR in review Weekly KSv2 and removed Monthly KSv2 labels Sep 6, 2024

melvin-bot bot commented Sep 10, 2024

Triggered auto assignment to @grgia, see https://stackoverflow.com/c/expensify/questions/7972 for more details.

@szymonrybczak
Contributor

Hey I’m Szymon from Callstack - can take this over from Hur!


melvin-bot bot commented Sep 17, 2024

📣 @szymonrybczak! 📣
Hey, it seems we don’t have your contributor details yet! You'll only have to do this once, and this is how we'll hire you on Upwork.
Please follow these steps:

  1. Make sure you've read and understood the contributing guidelines.
  2. Get the email address used to login to your Expensify account. If you don't already have an Expensify account, create one here. If you have multiple accounts (e.g. one for testing), please use your main account email.
  3. Get the link to your Upwork profile. It's necessary because we only pay via Upwork. You can access it by logging in, and then clicking on your name. It'll look like this. If you don't already have an account, sign up for one here.
  4. Copy the format below and paste it in a comment on this issue. Replace the placeholder text with your actual details.
    [Screenshot: example contributor details comment, 2022-11-16]
    Format:
Contributor details
Your Expensify account email: <REPLACE EMAIL HERE>
Upwork Profile Link: <REPLACE LINK HERE>

@hungvu193
Contributor

Hey I’m Szymon from Callstack - can take this over from Hur!

Ty. Can you update the PR with latest main?

@szymonrybczak
Contributor

@hungvu193

@szymonrybczak
Contributor

#48532 was merged, and currently, there are no security vulnerabilities on main! 🎉

❯ npm audit
found 0 vulnerabilities

@hungvu193
Contributor

@grgia PR went to prod 2 weeks ago, can you add a BZ to handle payment here? Ty

@mallenexpensify mallenexpensify added Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. and removed Reviewing Has a PR in review labels Oct 8, 2024

melvin-bot bot commented Oct 8, 2024

Triggered auto assignment to @zanyrenney (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details. Please add this bug to a GH project, as outlined in the SO.

@melvin-bot melvin-bot bot removed the Weekly KSv2 label Oct 8, 2024
@mallenexpensify mallenexpensify added the External Added to denote the issue can be worked on by a contributor label Oct 8, 2024
@melvin-bot melvin-bot bot changed the title Fix security vulnerabilities in Expensify App [$250] Fix security vulnerabilities in Expensify App Oct 8, 2024

melvin-bot bot commented Oct 8, 2024

Job added to Upwork: https://www.upwork.com/jobs/~021843732810666984794

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Oct 8, 2024
@mallenexpensify mallenexpensify added Awaiting Payment Auto-added when associated PR is deployed to production and removed Help Wanted Apply this label when an issue is open to proposals by contributors labels Oct 8, 2024

melvin-bot bot commented Oct 8, 2024

Current assignee @hungvu193 is eligible for the External assigner, not assigning anyone new.

@mallenexpensify
Contributor

Contributor+: @hungvu193 due $250 via NewDot.

Do we need/want any regression tests here? My gut says no but I'm new to the issue so erring on the safe side by asking.

@hungvu193
Contributor

Do we need/want any regression tests here? My gut says no but I'm new to the issue so erring on the safe side by asking.

Yes, I don't think we need a regression test here, as we only see the security vulnerabilities through the command line.

@zanyrenney
Contributor

I agree we don't need a regression test here.

@zanyrenney
Contributor

Payment summary

$250 owed to @hungvu193 for this work. @hungvu193 is paid via ND requests so closing this issue and they can request payment via ND.

Thanks!

@mallenexpensify
Contributor

@zanyrenney for auditing purposes, so we know who's paid/due payment and where they're paid, can you plz use the format from the payment SO? Thx.

Contributor: @username paid $250 via Upwork
Contributor+: @username due $250 via NewDot

@garrettmknight
Contributor

$250 approved for @hungvu193
