Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

potential security vulnerability via an outdated version of static-module@1.5.0 > static-eval@0.2.4 #19

Open
alhugot opened this issue Feb 20, 2018 · 15 comments · May be fixed by #21
Open

Comments

@alhugot
Copy link

alhugot commented Feb 20, 2018

Hi,
this is perhaps not the place to report it, please feel free to close the issue, but the version of static-module specified in the package.json is affected by this security vulnerability:
https://nodesecurity.io/advisories/548
cwise@1.0.10 > static-module@1.5.0 > static-eval@0.2.4

I have tried to update static-module to version ^2.0.0 which fixes the issue:
browserify/static-module#34

...but the tests are failing. I do no know this code enough to fix it, any help is welcome.

This is part of making plotly.js pass security tests:
plotly/plotly.js#2386

Would also be good to have a security badge with:
snyk: https://github.com/snyk/snyk#badge
or
nsp: see https://github.com/dwyl/repo-badges
Thx
Alex

@etpinard
Copy link
Contributor

Unfortunately, bumping static-module to the unvulnerable 2.x series won't be trivial.

Changes from PRs browserify/static-eval#18 and browserify/static-module#38 appear to be incompatible with cwise.

From my findings, static-module fails (i.e. does not transform cwise({args: [], body: () => {}}) expressions) whenever body() mutates one if its input arguments.

For example, with

// cmd.js
var fs = require('fs')
var sm = require('./lib/cwise-transform')()

process.stdin.pipe(sm).pipe(process.stdout)
// works.js
var cwise = require('cwise')
var f = cwise({
  args: ["array"],
  body: function() {
      return 'yo'
  },
})
// fails.js
var cwise = require('cwise')
var f = cwise({
  args: ["array"],
  body: function(a) {
      ++a
  },
})

then, node cmd.js < works.js works just fine (but doesn't do anything 😏 ), and node cmd.js < fails.js outputs:


var f = cwise({
  args: ["array"],
  body: function(a) {
      ++a
  }
})

that is, it correctly removes the require statement, but ignores the cwise call.

@alhugot
Copy link
Author

alhugot commented Feb 22, 2018

Thanks for looking at it. I tried to update the dependency but the tests are failing (I am on windows and not familiar with these libs).
But I am able to run the examples which are in the example dir.

@michal-rad
Copy link

+1

@etpinard
Copy link
Contributor

etpinard commented Mar 5, 2018

@alhugot I believe your patch in https://github.com/alhugot/cwise/commit/39b4ad8a1c67d94903bdc139e59bc764e59bad6f defeats the purpose of browserify suite where cwise is used as a transform.

To double-check, would you mind comparing the output of browserify -t cwise test/fill.js using old and new static-module versions?

@alhugot
Copy link
Author

alhugot commented Mar 5, 2018

@etpinard I am sorry I don't know much about browserify. Do you mean changing
var cwise = require("cwise") to var cwise = require("../cwise") in the unit test?

@alhugot
Copy link
Author

alhugot commented Mar 5, 2018

ok I see, I have look at https://github.com/scijs/ndarray-fill module which use cwise and indeed the transform is wrong, as in your example. Sorry a bit slow on this one.

@etpinard
Copy link
Contributor

etpinard commented Mar 5, 2018

. Sorry a bit slow on this one.

No worries. Thanks for the help!

@dutscher
Copy link

dutscher commented Mar 9, 2018

+1

@hakandilek
Copy link

@etpinard browserify -t cwise test/fill.js outputs are the same with static-module@2.2.5

@etpinard
Copy link
Contributor

@hakandilek thanks for the headsup, but npm test fails for me with static-module@2.2.5.

@hakandilek
Copy link

hakandilek commented May 30, 2018 via email

@etpinard
Copy link
Contributor

Check out my linked pull request.

Ha. Sorry I missed that. Thanks for the PR.

@srinivasrk
Copy link

any update on this issue ?

@elf-mouse
Copy link

potential security vulnerability +1

@k-sai-kiranmayee
Copy link

Hello! Is there any update on this one...Is this #21 successfully merged?

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants