Security Vulnerability with adal-node dependency in botframework-connector #4188

Closed
Mitko-Kerezov opened this issue Apr 14, 2022 · 3 comments · Fixed by #4194 or #4213
Labels
Bot Services Required for internal Azure reporting. Do not delete. Do not change color. bug Indicates an unexpected problem or an unintended behavior. customer-replied-to Indicates that the team has replied to the issue reported by the customer. Do not delete. customer-reported Issue is created by anyone that is not a collaborator in the repository. ExemptFromDailyDRIReport Use this label to exclude the issue from the DRI report. needs-triage The issue has just been created and it has not been reviewed by the team. P0 Must Fix. Release-blocker
Comments


Mitko-Kerezov commented Apr 14, 2022

Versions

What package version of the SDK are you using.
botbuilder@4.15.0
botframework-connector@4.15.0
What nodejs version are you using
v14.19.1
What browser version are you using
N/A
What os are you using
Linux

Describe the bug

botframework-connector requires adal-node@0.2.3. adal-node@0.2.3 requires the async library version 2. All versions of async < 3.2.2 are vulnerable to prototype pollution.

Potential Fix

Unaware if adal-node is even maintained - maybe it could be replaced with something like @azure/msal-node? See #2782
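The report above is about a transitive dependency, so the practical check is whether any installed copy of `async` in the lockfile is older than the fixed version. The script below is an added example, not code from the Bot Framework SDK or from this issue: it reads a lockfileVersion 2 `package-lock.json` (here a constructed sample mirroring the botbuilder > botframework-connector > adal-node > async chain), flags every copy of `async` below the `3.2.2` threshold stated in the report, and prints the dependency path that pulls it in, so a hoisted patched copy does not hide a nested vulnerable one.

```javascript
// Added example (not from the Bot Framework SDK): scan a package-lock.json
// (lockfileVersion 2 "packages" map) for copies of `async` older than a
// fixed version, and report the dependency path that pulls each one in.
// The lockfile below is constructed for illustration; only its shape matters.
const SAMPLE_LOCK = JSON.stringify({
  name: 'my-bot', lockfileVersion: 2,
  packages: {
    '': { dependencies: { botbuilder: '^4.15.0' } },
    'node_modules/botbuilder': { version: '4.15.0', dependencies: { 'botframework-connector': '4.15.0' } },
    'node_modules/botframework-connector': { version: '4.15.0', dependencies: { 'adal-node': '0.2.3' } },
    'node_modules/adal-node': { version: '0.2.3', dependencies: { async: '^2.6.3' } },
    'node_modules/adal-node/node_modules/async': { version: '2.6.3' }, // nested copy, below threshold
    'node_modules/async': { version: '3.2.3' },                         // hoisted copy, patched
  },
});

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Turn a lockfile key such as "node_modules/a/node_modules/b" into "a > b".
function dependencyPath(key) {
  return key.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, '')).join(' > ');
}

// Return every installed copy of `pkg` whose version is below `fixedIn`.
// The "/pkg" suffix match keeps e.g. "node_modules/my-async" from matching.
function findVulnerableCopies(lockJson, pkg = 'async', fixedIn = '3.2.2') {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key.endsWith('node_modules/' + pkg)) continue;
    if (compareVersions(entry.version, fixedIn) < 0) {
      hits.push({ path: dependencyPath(key), version: entry.version });
    }
  }
  return hits;
}

for (const hit of findVulnerableCopies(SAMPLE_LOCK)) {
  console.log(`vulnerable copy: ${hit.path}@${hit.version} (< 3.2.2)`);
}
```

On a real project, replace `SAMPLE_LOCK` with `fs.readFileSync('package-lock.json', 'utf8')`; lockfileVersion 1 files use a nested `dependencies` tree instead of the flat `packages` map and would need a different walk.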

@Mitko-Kerezov Mitko-Kerezov added bug Indicates an unexpected problem or an unintended behavior. needs-triage The issue has just been created and it has not been reviewed by the team. labels Apr 14, 2022
@stevkan stevkan added customer-reported Issue is created by anyone that is not a collaborator in the repository. Bot Services Required for internal Azure reporting. Do not delete. Do not change color. labels Apr 14, 2022
@tracyboehrer tracyboehrer added this to the R16.1 milestone Apr 14, 2022
@tracyboehrer tracyboehrer added the P0 Must Fix. Release-blocker label Apr 14, 2022
tracyboehrer (Member) commented:

@Mitko-Kerezov Thanks! This also showed up in our security checks. We will need to schedule this for a patch release after 4.16.0 which is about to come out. The fix is to migrate to MSAL since adal-node is deprecated. This will be a larger change, but we'll prioritize it.

@tracyboehrer tracyboehrer added customer-replied-to Indicates that the team has replied to the issue reported by the customer. Do not delete. ExemptFromDailyDRIReport Use this label to exclude the issue from the DRI report. labels Apr 14, 2022
tracyboehrer (Member) commented:

@JuanAr @ceciliaavila Can we research this, in light of the comments in #2782 about incompatibility of MSAL with older versions of TypeScript?

sw-joelmut (Collaborator) commented:

> @JuanAr @ceciliaavila Can we research this, in light of the comments in #2782 about incompatibility of MSAL with older versions of TypeScript.

Hi @tracyboehrer, we've been reviewing and testing this specific case, and we consider that the PR #4194 provided by @BruceHaley will address this security vulnerability as a temporary solution before migrating adal-node to @azure/msal-node.
