Security Issues in dicer package

[Uzlopak]

Hi,

we forked busboy and fixed two critical bugs in the package, which could cause the node-process to crash or to hang. Those bugs originated in the dicer package, which we integrated in our busboy fork and, as I already mentioned, fixed. Is there any interest in a separate @fastify/dicer package, were we only ship the bugfixed dicer package?

for tracking reasons:
fastify/busboy#68

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[lahirumaramba]

Hi @Uzlopak Thank you for reaching out. Apologies for not responding to this earlier. Do you know if fastify is still interested in shipping a bug fixed dicer package?

[harshagarwal00]

@lahirumaramba :
I am also getting stuck because of snyk issues with dicer..
If we can migrate to fastify/busboy or fastify/dicer will be great!!

fastify/busboy team is v open to create a fastify/dicer if we need it...
Reference: kibertoad comment in mscdex/dicer#22

busboys fix: fastify/fastify-multipart#297

[samarpanB]

We are also facing the same issue. We are blocked for deployment on production environment because of npm audit failing and snyk also failing. Reason is this issue only. How soon can we fix it ?

[Uzlopak]

We did not plan to create a separate fork of dicer. But I could export dicer class from our busboy-fork.

[lahirumaramba]

@Uzlopak thank you! I think that would be the fastest way to address this issue. Do you know what your current release schedule is? I am also looking into replacing dicer with busboy, though I am not sure if that would be an overkill for the current use case we have in the admin sdk.

[Uzlopak]

@kibertoad
Can we tomorrow do this?

[kibertoad]

@Uzlopak sure, I don't see why not.

[samschurter]

We are running into this security warning on several of our repos. Thanks for working on this!

[rafaelmaeuer]

any news on this?

[Uzlopak]

Exports dicer from fastify busboy

fastify/busboy#90

As busboy is already default import, it would be necessary to use the named export Dicer

[harshagarwal00]

brilliant! :D

[samschurter]

@lahirumaramba Now that there is a fixed fork of Dicer available, do you need someone to open a PR with a fix here or are you planning on doing that?

[Uzlopak]

@kibertoad
Can you please make a release?

[kibertoad]

will do tomorrow

[lahirumaramba]

Thank you @Uzlopak , @kibertoad !
Once the new release is out we will update the dependencies and release firebase-admin with the fix.

[kibertoad]

@lahirumaramba @fastify/busboy 1.1.0 with exported fixed Dicer is out

[lahirumaramba]

Many thanks to @Uzlopak and @kibertoad ! This should be fixed in firebase-admin v10.3.0. Thank you for your patience, everyone!