
dependency CVE-2021-32708 in league/flysystem #27768

Closed
markuman opened this issue Jul 2, 2021 · 9 comments
Labels: 1. to develop (Accepted and waiting to be taken care of), bug, security

Comments

markuman commented Jul 2, 2021

usr/src/nextcloud/3rdparty/composer.lock
========================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| league/flysystem | CVE-2021-32708   | HIGH     | 1.1.3             | 2.1.1, 1.1.4  | Time-of-check Time-of-use (TOCTOU)    |
|                  |                  |          |                   |               | Race Condition in league/flysystem    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-32708 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+


You should consider including trivy in your pipeline for PHP/JS dependency scanning.

trivy fs --ignore-unfixed .

@markuman markuman added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jul 2, 2021
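The scan above is a lockfile check: trivy reads composer.lock, looks up each package and version in its advisory database, and reports entries below the fixed version. The following is an added example, not Nextcloud's code and not trivy's, that reproduces that check offline for the one finding in this issue. The composer.lock content is constructed for the demo; the vulnerable ranges are derived from the fixed versions in the scan output (1.1.4 and 2.1.1), and the lower bounds 1.0.0 and 2.0.0 are assumptions, so in real use the ranges should come from an advisory feed rather than be hand-written.

```python
"""Offline check of a composer.lock for a known-vulnerable league/flysystem.

Added example (not Nextcloud's or trivy's code). It reproduces the kind of
version-range check a scanner performs for CVE-2021-32708 without network
access. The lockfile below is constructed; the ranges are derived from the
fixed versions 1.1.4 / 2.1.1, with assumed lower bounds of 1.0.0 / 2.0.0.
"""
import json
import re

# Constructed sample lockfile (abbreviated composer.lock shape).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "league/flysystem", "version": "1.1.3"},
        {"name": "psr/log", "version": "1.1.4"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.6"},
    ],
})

# (package, [(lower_inclusive, upper_exclusive), ...], advisory id)
# Lower bounds are assumptions for the demo; upper bounds are the fixed versions.
ADVISORIES = [
    ("league/flysystem", [("1.0.0", "1.1.4"), ("2.0.0", "2.1.1")], "CVE-2021-32708"),
]


def parse_version(v: str) -> tuple:
    """Turn 'v1.1.3', '1.1.3' or '2.1.1-beta1' into a comparable tuple.

    A pre-release suffix sorts below the corresponding final release, so
    2.1.1-beta1 is still treated as older than (and not fixed by) 2.1.1.
    Non-numeric versions such as 'dev-master' raise ValueError.
    """
    v = v.lstrip("vV")
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x or 0) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    return nums + ((0 if not suffix else -1), suffix)


def in_range(version: str, lo: str, hi: str) -> bool:
    """True if lo <= version < hi (upper bound is the fixed release)."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def scan_composer_lock(text: str, advisories=ADVISORIES) -> dict:
    """Scan a composer.lock document (JSON text) against the advisory list.

    Returns {"vulnerable": [(name, installed, advisory_id)],
             "unparseable": [(name, installed)]} where the second list holds
    packages whose version could not be compared and need a manual look.
    """
    lock = json.loads(text)
    installed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            installed[pkg["name"]] = pkg["version"]

    result = {"vulnerable": [], "unparseable": []}
    for name, ranges, adv_id in advisories:
        if name not in installed:
            continue
        ver = installed[name]
        try:
            hit = any(in_range(ver, lo, hi) for lo, hi in ranges)
        except ValueError:
            # e.g. a dev-branch version: cannot decide, so flag it for review
            result["unparseable"].append((name, ver))
            continue
        if hit:
            result["vulnerable"].append((name, ver, adv_id))
    return result


if __name__ == "__main__":
    report = scan_composer_lock(SAMPLE_COMPOSER_LOCK)
    for name, ver, adv in report["vulnerable"]:
        print(f"{name} {ver}: {adv}")
    for name, ver in report["unparseable"]:
        print(f"{name} {ver}: version not comparable, check manually")
```

Run it against a real lockfile with `scan_composer_lock(open("3rdparty/composer.lock").read())`. The point of the exclusive upper bound is that the fixed release itself is clean, which is why 1.1.4 in the sample is not reported even though it is numerically close; dev-branch versions are surfaced separately rather than silently passed.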
kesselb (Contributor) commented Jul 2, 2021

cc @nextcloud/security 👋

nickvergessen (Member):
nextcloud/3rdparty#697

LukasReschke (Member) commented Jul 5, 2021

@icewind1991 I do not see this dependency being used anywhere in the Nextcloud code base. Can we remove it?

PHPStorm shows only usages in our consumer file itself https://github.com/nextcloud/server/blob/master/lib/private/Files/Storage/Flysystem.php:

[Screenshot, 2021-07-05: PHPStorm "usages" view for the Flysystem dependency]

Sourcegraph shows no usages in the org:

See https://sourcegraph.com/search?q=context:global+repo:github.com/nextcloud/+Flysystem&patternType=literal&case=yes

@LukasReschke LukasReschke added 1. to develop Accepted and waiting to be taken care of security and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jul 5, 2021
LukasReschke (Member):
@icewind1991 Ping

LukasReschke added a commit that referenced this issue Jul 12, 2021
This seems unused as per #27768
and may allow us to get rid of one more dependency.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
markuman (Author):
It is still present in 21.0.4 and also in 22.1.0

stp-bsh commented Oct 16, 2021

It is present in 22.2.0 as well.

jqiuyin commented May 23, 2022

Some applications will use it, like this: hevelius/files_external_onedrive#66
Is there a better solution?
@LukasReschke

markuman (Author):

> Some applications will use it, like this: hevelius/files_external_onedrive#66 Is there a better solution? @LukasReschke

The external app must ship the dependency itself, IMO.

nickvergessen (Member):
Yes, as per above the app should ship the dependency itself.

Since the package is removed on our end, I will also close this issue, as the update is not needed anymore.
