Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License

`npm audit` throws 6 vulnerabilities (1 moderate, 5 high) #1286

Closed venura9 closed 3 years ago

venura9 commented 3 years ago

Bug description

npm audit throws 6 vulnerabilities (1 moderate, 5 high) (Effectively 3)

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install @paperbits/azure@0.1.412, which is outside the stated dependency range
node_modules/axios
  @azure/ms-rest-js  <=1.9.0
  Depends on vulnerable versions of axios
  node_modules/@azure/ms-rest-js
    @azure/storage-blob  <=10.3.0
    Depends on vulnerable versions of @azure/ms-rest-js
    node_modules/@paperbits/azure/node_modules/@azure/storage-blob
      @paperbits/azure  0.1.296 - 0.1.376
      Depends on vulnerable versions of @azure/storage-blob
      node_modules/@paperbits/azure

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix`
node_modules/ssri
node_modules/webpack/node_modules/ssri

y18n  <3.2.2||=4.0.0||>=5.0.0 <5.0.5
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1654
fix available via `npm audit fix`
node_modules/y18n

6 vulnerabilities (1 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues, run:
  npm audit fix --force

Reproduction steps

npm install and/or npm audit

Expected behavior

Report should ideally have no entries.

Is your portal managed or self-hosted?

Self-hosted

Release tag or commit SHA (if using self-hosted version)

2.8.0

API Management service name

N/A

Environment

N/A

Additional context

N/A

ghost commented 3 years ago

@venura9, thank you for opening this issue. We will triage it within the next few business days.

azaslonov commented 3 years ago

Hi @venura9, thanks, we'll take care of it.

ghost commented 3 years ago

@venura9, thank you for reporting the bug.

ghost commented 3 years ago

By adding this issue to the Backlog project, we have prioritized it for development. You can monitor its status in the project's board.

azaslonov commented 3 years ago

I have to close this issue because it is nearly impossible to bring the number of security audit warnings to zero. There is always a "dependency of a dependency of a dependency" that has some reported issues. However, this doesn't always mean that your users are vulnerable. For example, the current audit brings up an issue in the meow library, which is a dependency of sass-loader, which is used for the styles compilation at build time:

node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    node-sass  >=3.5.0-beta.1
    Depends on vulnerable versions of meow
    node_modules/node-sass
      sass-loader  5.0.0 - 6.0.7 || >=8.0.0
      Depends on vulnerable versions of node-sass
      node_modules/sass-loader

Since it's build time, there is no threat for end-users of the portal, because meow is not executed at runtime at all.

Of course, we still keep an eye on audit reports and fix whatever can be fixed right away. Besides that, we have automated tools in place that check our services/portals for vulnerabilities, and we have a bounty-hunting program. All these measures help us identify and mitigate actual security issues.

Hope that makes sense.
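As an added example (not code from this repository), a small Node.js triage script for the distinction drawn in the comment above: it joins `npm audit --json` output (auditReportVersion 2, the npm 7 format of the report in the issue) with the `dev` flag that package-lock.json v2+ sets on dev-only packages, to tell which findings are confined to build-time tooling and which land in the runtime bundle. The audit and lockfile objects below are constructed samples mirroring the paths quoted in the issue, not the project's real files.

```javascript
// Triage helper: classify `npm audit --json` (auditReportVersion 2) findings by whether
// each vulnerable install path is dev-only (build-time) or reachable at runtime, using
// the `dev: true` flag that package-lock.json v2+ sets on dev-only packages.
function classifyAuditFindings(auditJson, lockJson) {
  const packages = lockJson.packages || {};
  const result = {};
  for (const [name, vuln] of Object.entries(auditJson.vulnerabilities || {})) {
    const nodes = vuln.nodes || [];
    // A path counts as runtime unless the lockfile marks it dev-only; paths missing
    // from the lockfile are treated as runtime so the check fails safe.
    const runtimeNodes = nodes.filter((n) => !(packages[n] && packages[n].dev === true));
    result[name] = { severity: vuln.severity, nodes, runtime: runtimeNodes.length > 0, runtimeNodes };
  }
  return result;
}

// Split findings into those shipped to end users and those confined to the build toolchain.
function summarize(classified) {
  const summary = { runtime: [], buildOnly: [] };
  for (const [name, info] of Object.entries(classified)) {
    (info.runtime ? summary.runtime : summary.buildOnly).push(name);
  }
  summary.runtime.sort();
  summary.buildOnly.sort();
  return summary;
}

// Constructed sample inputs (not the project's real audit or lockfile): they mirror the
// paths quoted in the issue, with the sass-loader chain installed as dev dependencies.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'trim-newlines': { name: 'trim-newlines', severity: 'high', nodes: ['node_modules/trim-newlines'] },
    meow: { name: 'meow', severity: 'high', nodes: ['node_modules/meow'] },
    axios: { name: 'axios', severity: 'high', nodes: ['node_modules/axios'] },
  },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/trim-newlines': { dev: true },
    'node_modules/meow': { dev: true },
    'node_modules/axios': {}, // no dev flag: part of the runtime bundle
  },
};

console.log(JSON.stringify(summarize(classifyAuditFindings(SAMPLE_AUDIT, SAMPLE_LOCK)), null, 2));
```

`npm audit --production` applies the same dev/runtime filter at the CLI; the script shows the specific install paths behind each verdict. A build-only finding still matters for the integrity of the build pipeline itself; it just is not shipped to portal users.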