
"Regular Expression Denial of Service" security issues on dependencies #4266

Closed
c3s4r opened this issue Oct 19, 2017 · 4 comments
Comments

c3s4r commented Oct 19, 2017

Issue Description

Running nsp check using parse-server 2.6.3 launches "Regular Expression Denial of Service" security warnings.

Steps to reproduce

Create a new express application with the parse-server dependency
Add nsp dependency
Run nsp check

Expected Results

Not to show any security warning.

Actual Outcome

The following warnings are displayed:

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > mime@1.4.0
https://nodesecurity.io/advisories/535

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > express@4.15.3 > send@0.15.3 > mime@1.3.4
https://nodesecurity.io/advisories/535

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > express@4.15.3 > fresh@0.5.0
https://nodesecurity.io/advisories/526

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > express@4.15.3 > debug@2.6.7
https://nodesecurity.io/advisories/534

Regular Expression Denial of Service
@0.0.1 > parse-server@2.6.3 > parse-server-simple-mailgun-adapter@1.0.0 > mailgun-js@0.7.15 > debug@2.2.0
https://nodesecurity.io/advisories/534

Environment Setup

  • Server

    • parse-server version: 2.6.3
    • Operating System: MacOSX 10.12.6
    • Hardware: MacBookPro 2013
    • Localhost or remote server? Local
  • Database

    • MongoDB version: 3.4
    • Storage engine: WiredTiger
    • Hardware: MacBookPro 2013
    • Localhost or remote server? Localhost

Logs/Trace

See above in the actual outcome.

c3s4r changed the title from "Regular Expression Denial of Service" security issue on dependencies to "Regular Expression Denial of Service" security issues on dependencies on Oct 19, 2017
@montymxb (Contributor) commented

@c3s4r am I correct in saying that it looks like all the potential issues you've found are in dependent projects, rather than parse-server itself?

c3s4r commented Oct 20, 2017

@montymxb yes, that's right. Anyway, since parse-server uses those modules, it will probably "inherit" the security issues. The fix should be simple: we just need to upgrade the modules to their patched versions, which are:

  • mime >= 2.0.3
  • express >= 4.15.5

The mailgun-js dependency used in the parse-server-simple-mailgun-adapter package also has to be fixed, but it can't be upgraded because there isn't a published version with the fix yet (it's fixed in their GitHub repo, though, so I guess they should publish it soon).

I would also recommend adding the nsp module (or similar) and adding nsp check to the posttest or pretest script, to automatically verify that the dependencies used by the project don't have vulnerabilities.
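
The point made in the two comments above, that an application "inherits" a ReDoS advisory through whichever dependency chain pulls in the affected version, is what an audit tool like nsp is computing when it prints chains such as `@0.0.1 > parse-server@2.6.3 > mime@1.4.0`. The block below is an added example written for this page; it is not code from parse-server, nsp or the commenters. It walks a resolved dependency tree in the shape `npm ls --json` produces and reports every path that ends in a package below its first patched version. The tree is constructed here to mirror the five chains in the nsp output above, and the advisory table uses only the two patched versions the comment gives (mime 2.0.3 and express 4.15.5); the fresh and debug advisories are assumed to be reached through the express upgrade rather than listed separately. The `compareVersions`, `findVulnerable` and `auditExitCode` names are this example's own.

```javascript
// Added example: dependency-chain audit for "first patched version" advisories.
// Not code from parse-server, nsp or this issue's participants.

// Minimal semver comparison for resolved versions ("1.4.0", "2.0.3-beta.1").
// Returns <0, 0 or >0. A prerelease sorts below the release with the same triple.
function compareVersions(a, b) {
  const [aMain, aPre] = a.split('-');
  const [bMain, bPre] = b.split('-');
  const ax = aMain.split('.').map(Number);
  const bx = bMain.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (ax[i] || 0) - (bx[i] || 0);
    if (d !== 0) return d;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Advisory table: package name and the first version that carries the fix.
// Only the two figures quoted in the comment above are used here.
const ADVISORIES = [
  { name: 'mime', fixedIn: '2.0.3', url: 'https://nodesecurity.io/advisories/535' },
  { name: 'express', fixedIn: '4.15.5', url: null }, // no separate advisory quoted on the page
];

// Depth-first walk. `chain` carries the "name@version" labels from the root down,
// so each finding records the full path through which the bad version arrives.
function findVulnerable(node, advisories, chain = [], out = []) {
  const label = `${node.name || ''}@${node.version}`;
  const here = chain.concat(label);
  for (const adv of advisories) {
    if (node.name === adv.name && compareVersions(node.version, adv.fixedIn) < 0) {
      out.push({ path: here.join(' > '), name: adv.name, version: node.version,
                 fixedIn: adv.fixedIn, url: adv.url });
    }
  }
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    findVulnerable({ name, ...child }, advisories, here, out);
  }
  return out;
}

// Constructed tree mirroring the chains in the nsp output above. The root has no
// name, which is why nsp printed the application as "@0.0.1".
const TREE = {
  name: '', version: '0.0.1',
  dependencies: {
    'parse-server': {
      version: '2.6.3',
      dependencies: {
        mime: { version: '1.4.0' },
        express: {
          version: '4.15.3',
          dependencies: {
            send: { version: '0.15.3', dependencies: { mime: { version: '1.3.4' } } },
            fresh: { version: '0.5.0' },
            debug: { version: '2.6.7' },
          },
        },
        'parse-server-simple-mailgun-adapter': {
          version: '1.0.0',
          dependencies: {
            'mailgun-js': { version: '0.7.15', dependencies: { debug: { version: '2.2.0' } } },
          },
        },
      },
    },
  },
};

// Prints each finding in an nsp-like layout and returns the exit code a pretest
// or posttest script would hand to process.exit(): 1 if anything is flagged.
function auditExitCode(tree, advisories = ADVISORIES) {
  const findings = findVulnerable(tree, advisories);
  for (const f of findings) {
    console.log(`${f.name}@${f.version} is below patched ${f.fixedIn}: ${f.path}`);
    if (f.url) console.log(`  ${f.url}`);
  }
  return findings.length ? 1 : 0;
}

auditExitCode(TREE); // stand-alone run: lists the three chains below the patched versions
```

Against the constructed tree this flags `mime@1.4.0` directly under parse-server, `express@4.15.3`, and the nested `mime@1.3.4` under `send`; the mailgun-js chain is not flagged because, as the comment notes, no patched mailgun-js had been published. Wired into `"pretest": "node audit.js"` (or, as suggested above, `"pretest": "nsp check"`), a non-zero return fails the test run before any test executes, which is the cheap CI gate the comment is asking for.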

flovilmart added a commit that referenced this issue Oct 21, 2017
@montymxb (Contributor) commented

@c3s4r thanks for the recommendation! We're looking into adding this (or an equivalent like snyk) into the flow as part of our CI. This will stay open until we've settled on a solution.

@montymxb (Contributor) commented

Closing as #4285 has been merged in to resolve this. Thanks again!

3 participants