List security issues

[dougwilson]

From #220 (comment) we should come up with some method to responsibly list express versions and security issues somewhere. I don't know a lot about how security disclosures are done, so need input from an expert.

[dougwilson]

Per @elliotf my input is not required in this repo.

[dougwilson]

I'll reopen this, as I made my point :)

[hacksparrow]

👍 we really need this.

[crandmck]

I'd like to begin addressing this. Ideally, we could summarize known security issues (and fixes, if applicable) to each version: 2.x, 3.x, and 4.x. This could potentially be a time-sink, so I'd like to just make a start and clearly state that it's a partial/working list as a starting point.

[hacksparrow]

One "vulnerability" which was intrinsic to Express is express.bodyParser in 3.x. Everything else I can think of is either a Node vulnerability or standard web development vulnerability - XSS, CSRF etc.

@dougwilson, any suggestions?

[dougwilson]

I don't think we should list vulnerabilities introduced by bad usage patterns or we'll be here forever. bodyParser is an example of this, just like csurf, et. al.

I was originally talking about intrinsic vulnerabilities that has no way to work-around except to upgrade code because the code itself is just broken.

[hacksparrow]

OK, pointers on where to look for intrinsic vulnerabilities? History.md mentions only "Rosetta Flash JSONP abuse".

[dougwilson]

It mentions that we were not vulnerable to it :) I never listed vulnerability fixed in history, as it would bring attention to them. No list exists anywhere, which was the point of this issue; someone needs to research through every commit and all dependency commits to determine where security issues were fixed.

[hacksparrow]

Harrrr, that's gonna be one heck of a task. Wouldn't listing the vulnerabilities here defeat the practice of not listing them in history?

[dougwilson]

Apparently people want them listed for whatever reason, as "use the latest version" is not a good enough reason to upgrade or whatever. There was no security policy before, and since I know how people never upgrade and people have web servers running on express, my policy before was to not bring attention to things until there was something in the wild.

[hacksparrow]

OK, makes sense.

[hacksparrow]

Ok, so here is the first attempt at it. If it looks good, please close the issue. We can keep adding stuff to it as we progress.

[dougwilson]

Cool, though the following need to be removed: 4.7.0, 4.6.0, 3.15.0, 3.14.0, 3.11.0 as none of those are security-related. I'm not sure what the 3.3.0 change is, though.

[dougwilson]

We should probably also word them so people can understand what exactly the issue is, which would make this page neater :) For example:

• 4.8.4
  • Node.js 0.10 can leak fds in certain situations that affect express.static and res.sendfile. Malicious requests can cause fds to leak and eventually leak to EMFILE errors and server unresponsiveness.

[dougwilson]

And we can even link to nodejs/node-v0.x-archive#8178 in the 4.8.4 note.

[rlidwka]

CVE database lists all vulnerable versions, not a version where it was fixed. Maybe it'll make sense to do the same.

[rlidwka]

Also, there are guys who specialize on this sort of thing in node: https://nodesecurity.io/

I have no idea who they are, but it might make sense to offload all this work there, and just link to https://nodesecurity.io/advisories/module/express from readme.

[dougwilson]

@rlidwka I've spoken with them before, and we can list thing there, but we have to tell them what to list.

[hacksparrow]

Thanks for the suggestions, guys. I have removed 4.7.0, 4.6.0, 3.15.0, 3.14.0, 3.11.0.

3.3.0 fixed this - http://blog.nibblesec.org/2014/05/nodejs-connect-csrf-bypass-abusing.html.

Agreed, the list could be a little less cryptic. I will be working on it.

[dougwilson]

Ah. So the 3.3.0 http://blog.nibblesec.org/2014/05/nodejs-connect-csrf-bypass-abusing.html is not fixed in any version--the issue is just people using it wrong. Even then, that article was published before anything was "fixed" in May 2014, but express 3.3.0 came out June 2013. The csrf -> express 3.3.0 correlation definitely seems off just from the timeline.

[hacksparrow]

Errr, I mixed things up. Actually, it fixed senchalabs/connect#831 with senchalabs/connect@126187c.

[dougwilson]

Ah, that makes sense, then 👍

[crandmck]

IMHO, for now we should have our own list of know issues, since https://nodesecurity.io/advisories/module/express is empty.
When they put something there, we can link there or even (possibly) just delegate to that site.

[crandmck]

Hage has updated http://expressjs.com/advanced/security-updates.html and I think it's a reasonable start. If there are additional specific security-related items, then we can open issues for them.

[rlidwka]

Maybe it's worth to explicitly specify a module where the bug has occured? Maybe people want to update that dependency without updating express. Also, link to a github issue. It's just a suggestion to make a patch easier to find.