Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm audit reveals vulnerabilities #686

Closed
garbados opened this issue Sep 4, 2019 · 5 comments
Closed

npm audit reveals vulnerabilities #686

garbados opened this issue Sep 4, 2019 · 5 comments
Labels
bug

Comments

@garbados
Copy link

garbados commented Sep 4, 2019

Installing ssb-server in a project, npm makes a lot of noise:

$ npm i ssb-server
...
+ ssb-server@15.1.0
added 1097 packages from 772 contributors and audited 9992 packages in 10.028s
found 81 vulnerabilities (5 low, 1 moderate, 75 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit fix only fixes some of these vulnerabilities. I invite you to take a look at the npm audit output yourself -- it's significant, and doesn't gist well.
@christianbundy
Copy link
Contributor

Hey @garbados! 👋

Thanks for opening this issue. Running npm audit fix seems to resolve most of the potential problems for me, but I'm still seeing these:

click to expand 
───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ bl                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.9.5 <1.0.0 || >=1.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ssb-invite                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ssb-invite > level-sublevel > levelup > bl                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/596                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mdmanifest                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mdmanifest > remark > chokidar > anymatch > micromatch >     │
│               │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ssb-db                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ssb-db > mdmanifest > remark > chokidar > anymatch >         │
│               │ micromatch > braces                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ssb-gossip                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ssb-gossip > mdmanifest > remark > chokidar > anymatch >     │
│               │ micromatch > braces                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ssb-invite                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ssb-invite > mdmanifest > remark > chokidar > anymatch >     │
│               │ micromatch > braces                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ssb-plugins                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ssb-plugins > mdmanifest > remark > chokidar > anymatch >    │
│               │ micromatch > braces                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

I don't think the regex DoS problems will have any effect on us, but I don't know enough about the memory exposure problem to conclusively say it's fine. It looks like we're inheriting that from @dominictarr's level-sublevel, which is unmaintained, so we may need to fix ssb-invite so that it's not running on unmaintained code anymore.

@christianbundy christianbundy mentioned this issue Sep 6, 2019
Merged
@mixmix mixmix mentioned this issue Sep 6, 2019
Closed
@austinfrey
Copy link
Contributor

levelup might only be a devDependency in level-sublevel? it would still be good to keep it up to date though. subleveldown is another option, but i don't think it has some key features that level-sublevel is using, like hooks.

does unmaintained mean, the module is finished so no need to change, or does it mean that this module should be phased out when possible?

@christianbundy
Copy link
Contributor

does unmaintained mean, the module is finished so no need to change, or does it mean that this module should be phased out when possible?

I think the module should be removed when possible, replaced with subleveldown if we actually need sub-databases in level. See this issue for some more info, it looks like were conflicting bugfixes that caused other bugs so the changes were rolled back and the module was deprecated.

@dominictarr
Copy link
Contributor

These are all false positives. to be vulnerable to a regexp DoS, you'd have to run a user provided regular expression, which we don't. Also to get the memory exposure, you'd have to have a user request for some size of memory and return it, which we also don't do.

@stale
Copy link

stale bot commented Dec 7, 2019

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

@stale stale bot added the stale label Dec 7, 2019
@stale stale bot closed this as completed Jan 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dominictarr @christianbundy @garbados @austinfrey