Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sails@1.5.8 captains-log dependency introduces ReDoS Vulnerability #7315

Open
kconut opened this issue Dec 18, 2023 · 5 comments
Open

sails@1.5.8 captains-log dependency introduces ReDoS Vulnerability #7315

kconut opened this issue Dec 18, 2023 · 5 comments
Labels

Comments

@kconut
Copy link

kconut commented Dec 18, 2023

Node version: 16
Sails version (sails): 1.5.8


We're encountering the following security finding for our sails application:

Issues with no direct upgrade or patch:
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@2.1.1
    introduced by sails@1.5.8 > captains-log@2.0.4 > chalk@1.1.3 > has-ansi@2.0.0 > ansi-regex@2.1.1 and 3 other path(s)
  This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1

Is there any plan to update the chalk version for captains-log?

@sailsbot
Copy link

@kconut Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

  • look for a workaround. (Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)
  • tell us why this issue is important to you and your team. What are you trying to accomplish? (Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)
  • make sure you've provided clear instructions on how to reproduce the bug from a clean install.
  • double-check that you've provided all of the requested version and dependency information. (Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)
  • read the code of conduct.
  • if appropriate, ask your business to sponsor your issue. (Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)
  • let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. (Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

@DominusKelvin
Copy link
Contributor

Hey @kconut thanks for reporting, we will have a look into resolving this. :)

@eashaw
Copy link
Member

eashaw commented Dec 21, 2023

Hi @kconut, for some reason, this vulnerability is not showing up in npm audit reports. Would you happen to have any idea why that is? Where did your security finding come from?

@kconut
Copy link
Author

kconut commented Dec 22, 2023

Hi @kconut, for some reason, this vulnerability is not showing up in npm audit reports. Would you happen to have any idea why that is? Where did your security finding come from?

Hi @eashaw, thank you for looking into this!

We have Snyk integrated into our pipeline for static code analysis and dependency scanning, and the vulnerability on ansi-regex only started showing up in our scans roughly 3 weeks ago.

Additional information from the generated report file:

Regular Expression Denial of Service (ReDoS)
Package Manager: npm
Vulnerable module: ansi-regex
Introduced through: sails@1.5.8 and others

Detailed paths
Introduced through: sails@1.5.8 › captains-log@2.0.4 › chalk@1.1.3 › has-ansi@2.0.0 › ansi-regex@2.1.1
Introduced through: sails@1.5.8 › sails-generate@2.0.8 › chalk@1.1.3 › has-ansi@2.0.0 › ansi-regex@2.1.1
Introduced through: sails@1.5.8 › whelk@6.0.1 › chalk@1.1.3 › has-ansi@2.0.0 › ansi-regex@2.1.1
Introduced through: sails@1.5.8 › sails-generate@2.0.8 › reportback@2.0.2 › captains-log@2.0.4 › chalk@1.1.3 › has-ansi@2.0.0 › ansi-regex@2.1.1

Remediation
Upgrade ansi-regex to version 3.0.1, 4.1.1, 5.0.1, 6.0.1 or higher.

Also providing here the attached references regarding the finding:
GitHub Commit
GitHub Commit
GitHub Commit
GitHub PR

@mikermcneil
Copy link
Member

@kconut Publishing patches now!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

5 participants