Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(protect): only patch when version on disk satisfies vuln #652

Merged
merged 7 commits into from
Jul 10, 2019
Merged

fix(protect): only patch when version on disk satisfies vuln #652

merged 7 commits into from
Jul 10, 2019

Conversation

lirantal
Copy link
Member

@lirantal lirantal commented Jul 10, 2019
edited by adrukh
Loading

  • Ready for review
  • Follows CONTRIBUTING rules
  • Reviewed by Snyk internal team

What does this PR do?

Updates the logic for checking whether to apply patch A on dep B to fix vuln C.

Prior to this change, our logic would sometime lead to a misdetection of the following kind:
Patch A is applicable to pkg@1.0.0
Dep B is located in node_modules as pkg@2.0.0
Vuln C was detected on pkg@1.0.0, which was then resolved on the disk as dep B.

This would cause a clash and fail when applying the patch due to version incompatibility.

The fix is a stop-gap measure that validates the version of the dep located in node_modules prior to applying a patch.

@lirantal lirantal requested review from adrukh, lili2311 and miiila July 10, 2019 17:36
@lirantal lirantal self-assigned this Jul 10, 2019
adrukh
adrukh reviewed Jul 10, 2019
View reviewed changes
src/lib/protect/apply-patch.js Outdated
try {
const packageJson = fs.readFileSync(path.resolve(relative, 'package.json'));
const pkg = JSON.parse(packageJson);
pkg = JSON.parse(packageJson);
debug('package at patch target location: %s@%s', pkg.name, pkg.version);
} catch (err) {
debug('Failed loading package.json of package about to be patched', err);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's return here too, if the package.json is not ok, maybe we cannot trust the dependency data?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, if we don't return, pkg.version on line 32 will 💥 because pkg is undefined.

adrukh
adrukh reviewed Jul 10, 2019
View reviewed changes
src/lib/protect/apply-patch.js Outdated
debug('package at patch target location: %s@%s', pkg.name, pkg.version);
} catch (err) {
debug('Failed loading package.json of package about to be patched', err);
}

const versionOfPackageToPatch = pkg.version;

const vulnerableVersions = vuln.semver.vulnerable;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What matters here is not the vuln's affected semver range (vuln.semver.vulnerable), but the dep version on which the vuln was detected (vuln.version) - please change

miiila
miiila approved these changes Jul 10, 2019
View reviewed changes
src/lib/protect/apply-patch.js Outdated
}

const versionOfPackageToPatch = pkg.version;
const patchableVersionsRange = vuln.patches.version;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does the patchableVersionRange look like? I remember some issues with strings, I had to run something like semver.coalesce or something like that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pointing this out! Indeed we will not assume the version ranges are pure semver notation, and will use semver.coerce.

@adrukh adrukh merged commit 1b3745a into master Jul 10, 2019
@adrukh adrukh deleted the lirantal-fix-patch-strategy branch July 10, 2019 19:33
@snyksec
Copy link

snyksec commented Jul 10, 2019

🎉 This PR is included in version 1.192.6 🎉

The release is available on:

Your semantic-release bot 📦🚀

@snyk-bot snyk-bot mentioned this pull request Mar 31, 2023
Closed
This was referenced Apr 20, 2023
Open
Open
@romathur romathur mentioned this pull request Dec 6, 2023
Open
@allRounderWiser allRounderWiser mentioned this pull request Dec 6, 2023
Open
@RyanPHigh RyanPHigh mentioned this pull request Dec 6, 2023
Open
This was referenced Dec 6, 2023
Open
Open
This was referenced Dec 7, 2023
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adrukh adrukh adrukh approved these changes

@miiila miiila miiila approved these changes

@lili2311 lili2311 Awaiting requested review from lili2311

Assignees

@lirantal lirantal

Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lirantal @snyksec @adrukh @miiila