Vulnerability in chownr introduced through tar #201

Closed
imtbl opened this issue Nov 18, 2018 · 2 comments
Comments


imtbl commented Nov 18, 2018

chownr has a TOCTOU vulnerability that apparently can't be fixed without an addition to Node.js itself.

It's introduced to better-sqlite3 through tar.

As far as I can see it, tar is only used here to extract sqlite3 itself that's bundled here.

Do you see any way to get rid of tar and therefore the vulnerability (maybe not bundling it into a tarball but a different format – if there is any that can be used in Node.js without requiring a different library that depends on chownr, that is)?

Edit: To clarify, I realize the vulnerability probably couldn't be exploited in this use case anyway, but if there was an easy way to get rid of it, I would prefer that. If only so that projects depending on better-sqlite3 don't have the vulnerability showing up on Snyk or other platforms and don't have to manually ignore them for builds to succeed.


JoshuaWise commented Nov 19, 2018

I can't think of an easy alternative at the moment, but I'll look into this.

For others reading this, note that there's no real vulnerability since the tar package is only used for installation purposes.


imtbl commented Jan 19, 2019

Quick heads up: Snyk no longer considers this a vulnerability of chownr, likely due to this explanation.

Therefore, it also no longer shows up as a vulnerability when using better-sqlite3.

Closing this issue.

@imtbl imtbl closed this as completed Jan 19, 2019