Leonidas-from-XIV / node-xml2js

XML to JavaScript object converter.
MIT License

High Severity Vulnerability #560

Closed markibanez closed 4 years ago

markibanez commented 4 years ago

Installing this package via npm resulted in a high severity vulnerability being reported. The output of `npm audit` is as follows (note that the report attributes the finding to `decompress`, reached via the path `download > decompress`):

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Arbitrary File Write

  Package         decompress

  Patched in      No patch available

  Dependency of   download

  Path            download > decompress

  More info       https://npmjs.com/advisories/1217

found 1 high severity vulnerability in 1042 scanned packages
  1 vulnerability requires manual review. See the full report for details.
Omega-Ariston commented 4 years ago

May I ask which version of xml2js you are using? I couldn't find `decompress` anywhere in my dependency tree (taken from a checkout of this repository, so it includes development tooling such as coveralls, nyc and docco), which is:

 xml2js@0.4.23 C:\OpenSource\node-xml2js
+-- coffee-script@1.12.7
+-- coveralls@3.0.6
| +-- growl@1.10.5
| +-- js-yaml@3.13.1
| | +-- argparse@1.0.10
| | | `-- sprintf-js@1.0.3
| | `-- esprima@4.0.1
| +-- lcov-parse@0.0.10
| +-- log-driver@1.2.7
| +-- minimist@1.2.0
| `-- request@2.88.0
|   +-- aws-sign2@0.7.0
|   +-- aws4@1.8.0
|   +-- caseless@0.12.0
|   +-- combined-stream@1.0.8
|   | `-- delayed-stream@1.0.0
|   +-- extend@3.0.2
|   +-- forever-agent@0.6.1
|   +-- form-data@2.3.3
|   | +-- asynckit@0.4.0
|   | +-- combined-stream@1.0.8 deduped
|   | `-- mime-types@2.1.24 deduped
|   +-- har-validator@5.1.3
|   | +-- ajv@6.10.2
|   | | +-- fast-deep-equal@2.0.1
|   | | +-- fast-json-stable-stringify@2.0.0
|   | | +-- json-schema-traverse@0.4.1
|   | | `-- uri-js@4.2.2
|   | |   `-- punycode@2.1.1
|   | `-- har-schema@2.0.0
|   +-- http-signature@1.2.0
|   | +-- assert-plus@1.0.0
|   | +-- jsprim@1.4.1
|   | | +-- assert-plus@1.0.0 deduped
|   | | +-- extsprintf@1.3.0
|   | | +-- json-schema@0.2.3
|   | | `-- verror@1.10.0
|   | |   +-- assert-plus@1.0.0 deduped
|   | |   +-- core-util-is@1.0.2
|   | |   `-- extsprintf@1.3.0 deduped
|   | `-- sshpk@1.16.1
|   |   +-- asn1@0.2.4
|   |   | `-- safer-buffer@2.1.2 deduped
|   |   +-- assert-plus@1.0.0 deduped
|   |   +-- bcrypt-pbkdf@1.0.2
|   |   | `-- tweetnacl@0.14.5 deduped
|   |   +-- dashdash@1.14.1
|   |   | `-- assert-plus@1.0.0 deduped
|   |   +-- ecc-jsbn@0.1.2
|   |   | +-- jsbn@0.1.1 deduped
|   |   | `-- safer-buffer@2.1.2 deduped
|   |   +-- getpass@0.1.7
|   |   | `-- assert-plus@1.0.0 deduped
|   |   +-- jsbn@0.1.1
|   |   +-- safer-buffer@2.1.2
|   |   `-- tweetnacl@0.14.5
|   +-- is-typedarray@1.0.0
|   +-- isstream@0.1.2
|   +-- json-stringify-safe@5.0.1
|   +-- mime-types@2.1.24
|   | `-- mime-db@1.40.0
|   +-- oauth-sign@0.9.0
|   +-- performance-now@2.1.0
|   +-- qs@6.5.2
|   +-- safe-buffer@5.2.0
|   +-- tough-cookie@2.4.3
|   | +-- psl@1.3.0
|   | `-- punycode@1.4.1
|   +-- tunnel-agent@0.6.0
|   | `-- safe-buffer@5.2.0 deduped
|   `-- uuid@3.3.3 deduped
+-- diff@4.0.1
+-- docco@0.8.0
| +-- commander@3.0.0
| +-- fs-extra@8.1.0
| | +-- graceful-fs@4.2.2
| | +-- jsonfile@4.0.0
| | | `-- graceful-fs@4.2.2 deduped
| | `-- universalify@0.1.2
| +-- highlight.js@9.15.10
| +-- marked@0.7.0
| `-- underscore@1.9.1
+-- nyc@14.1.1
| +-- archy@1.0.0
| +-- caching-transform@3.0.2
| | +-- hasha@3.0.0
| | | `-- is-stream@1.1.0
| | +-- make-dir@2.1.0 deduped
| | +-- package-hash@3.0.0
| | | +-- graceful-fs@4.2.2 deduped
| | | +-- hasha@3.0.0 deduped
| | | +-- lodash.flattendeep@4.4.0
| | | `-- release-zalgo@1.0.0
| | |   `-- es6-error@4.1.1
| | `-- write-file-atomic@2.4.3
| |   +-- graceful-fs@4.2.2 deduped
| |   +-- imurmurhash@0.1.4
| |   `-- signal-exit@3.0.2 deduped
| +-- convert-source-map@1.6.0
| | `-- safe-buffer@5.1.2
| +-- cp-file@6.2.0
| | +-- graceful-fs@4.2.2 deduped
| | +-- make-dir@2.1.0 deduped
| | +-- nested-error-stacks@2.1.0
| | +-- pify@4.0.1
| | `-- safe-buffer@5.2.0 deduped
| +-- find-cache-dir@2.1.0
| | +-- commondir@1.0.1
| | +-- make-dir@2.1.0 deduped
| | `-- pkg-dir@3.0.0
| |   `-- find-up@3.0.0 deduped
| +-- find-up@3.0.0
| | `-- locate-path@3.0.0
| |   +-- p-locate@3.0.0
| |   | `-- p-limit@2.2.1
| |   |   `-- p-try@2.2.0
| |   `-- path-exists@3.0.0
| +-- foreground-child@1.5.6
| | +-- cross-spawn@4.0.2
| | | +-- lru-cache@4.1.5
| | | | +-- pseudomap@1.0.2
| | | | `-- yallist@2.1.2
| | | `-- which@1.3.1 deduped
| | `-- signal-exit@3.0.2 deduped
| +-- glob@7.1.4
| | +-- fs.realpath@1.0.0
| | +-- inflight@1.0.6
| | | +-- once@1.4.0 deduped
| | | `-- wrappy@1.0.2
| | +-- inherits@2.0.4
| | +-- minimatch@3.0.4
| | | `-- brace-expansion@1.1.11
| | |   +-- balanced-match@1.0.0
| | |   `-- concat-map@0.0.1
| | +-- once@1.4.0
| | | `-- wrappy@1.0.2 deduped
| | `-- path-is-absolute@1.0.1
| +-- istanbul-lib-coverage@2.0.5
| +-- istanbul-lib-hook@2.0.7
| | `-- append-transform@1.0.0
| |   `-- default-require-extensions@2.0.0
| |     `-- strip-bom@3.0.0
| +-- istanbul-lib-instrument@3.3.0
| | +-- @babel/generator@7.5.5
| | | +-- @babel/types@7.5.5 deduped
| | | +-- jsesc@2.5.2
| | | +-- lodash@4.17.15
| | | +-- source-map@0.5.7
| | | `-- trim-right@1.0.1
| | +-- @babel/parser@7.5.5
| | +-- @babel/template@7.4.4
| | | +-- @babel/code-frame@7.5.5
| | | | `-- @babel/highlight@7.5.0
| | | |   +-- chalk@2.4.2
| | | |   | +-- ansi-styles@3.2.1 deduped
| | | |   | +-- escape-string-regexp@1.0.5
| | | |   | `-- supports-color@5.5.0
| | | |   |   `-- has-flag@3.0.0 deduped
| | | |   +-- esutils@2.0.3 deduped
| | | |   `-- js-tokens@4.0.0
| | | +-- @babel/parser@7.5.5 deduped
| | | `-- @babel/types@7.5.5 deduped
| | +-- @babel/traverse@7.5.5
| | | +-- @babel/code-frame@7.5.5 deduped
| | | +-- @babel/generator@7.5.5 deduped
| | | +-- @babel/helper-function-name@7.1.0
| | | | +-- @babel/helper-get-function-arity@7.0.0
| | | | | `-- @babel/types@7.5.5 deduped
| | | | +-- @babel/template@7.4.4 deduped
| | | | `-- @babel/types@7.5.5 deduped
| | | +-- @babel/helper-split-export-declaration@7.4.4
| | | | `-- @babel/types@7.5.5 deduped
| | | +-- @babel/parser@7.5.5 deduped
| | | +-- @babel/types@7.5.5 deduped
| | | +-- debug@4.1.1 deduped
| | | +-- globals@11.12.0
| | | `-- lodash@4.17.15 deduped
| | +-- @babel/types@7.5.5
| | | +-- esutils@2.0.3
| | | +-- lodash@4.17.15 deduped
| | | `-- to-fast-properties@2.0.0
| | +-- istanbul-lib-coverage@2.0.5 deduped
| | `-- semver@6.3.0
| +-- istanbul-lib-report@2.0.8
| | +-- istanbul-lib-coverage@2.0.5 deduped
| | +-- make-dir@2.1.0 deduped
| | `-- supports-color@6.1.0
| |   `-- has-flag@3.0.0
| +-- istanbul-lib-source-maps@3.0.6
| | +-- debug@4.1.1
| | | `-- ms@2.1.2
| | +-- istanbul-lib-coverage@2.0.5 deduped
| | +-- make-dir@2.1.0 deduped
| | +-- rimraf@2.7.1 deduped
| | `-- source-map@0.6.1
| +-- istanbul-reports@2.2.6
| | `-- handlebars@4.1.2
| |   +-- neo-async@2.6.1
| |   +-- optimist@0.6.1
| |   | +-- minimist@0.0.10
| |   | `-- wordwrap@0.0.3
| |   +-- source-map@0.6.1
| |   `-- uglify-js@3.6.0
| |     +-- commander@2.20.0
| |     `-- source-map@0.6.1
| +-- js-yaml@3.13.1 deduped
| +-- make-dir@2.1.0
| | +-- pify@4.0.1 deduped
| | `-- semver@5.7.1
| +-- merge-source-map@1.1.0
| | `-- source-map@0.6.1
| +-- resolve-from@4.0.0
| +-- rimraf@2.7.1
| | `-- glob@7.1.4 deduped
| +-- signal-exit@3.0.2
| +-- spawn-wrap@1.4.3
| | +-- foreground-child@1.5.6 deduped
| | +-- mkdirp@0.5.1
| | | `-- minimist@0.0.8
| | +-- os-homedir@1.0.2
| | +-- rimraf@2.7.1 deduped
| | +-- signal-exit@3.0.2 deduped
| | `-- which@1.3.1
| |   `-- isexe@2.0.0
| +-- test-exclude@5.2.3
| | +-- glob@7.1.4 deduped
| | +-- minimatch@3.0.4 deduped
| | +-- read-pkg-up@4.0.0
| | | +-- find-up@3.0.0 deduped
| | | `-- read-pkg@3.0.0
| | |   +-- load-json-file@4.0.0
| | |   | +-- graceful-fs@4.2.2 deduped
| | |   | +-- parse-json@4.0.0
| | |   | | +-- error-ex@1.3.2
| | |   | | | `-- is-arrayish@0.2.1
| | |   | | `-- json-parse-better-errors@1.0.2
| | |   | +-- pify@3.0.0
| | |   | `-- strip-bom@3.0.0 deduped
| | |   +-- normalize-package-data@2.5.0
| | |   | +-- hosted-git-info@2.8.4
| | |   | +-- resolve@1.12.0
| | |   | | `-- path-parse@1.0.6
| | |   | +-- semver@5.7.1 deduped
| | |   | `-- validate-npm-package-license@3.0.4
| | |   |   +-- spdx-correct@3.1.0
| | |   |   | +-- spdx-expression-parse@3.0.0 deduped
| | |   |   | `-- spdx-license-ids@3.0.5
| | |   |   `-- spdx-expression-parse@3.0.0
| | |   |     +-- spdx-exceptions@2.2.0
| | |   |     `-- spdx-license-ids@3.0.5 deduped
| | |   `-- path-type@3.0.0
| | |     `-- pify@3.0.0
| | `-- require-main-filename@2.0.0
| +-- uuid@3.3.3
| +-- yargs@13.3.0
| | +-- cliui@5.0.0
| | | +-- string-width@3.1.0 deduped
| | | +-- strip-ansi@5.2.0
| | | | `-- ansi-regex@4.1.0
| | | `-- wrap-ansi@5.1.0
| | |   +-- ansi-styles@3.2.1
| | |   | `-- color-convert@1.9.3
| | |   |   `-- color-name@1.1.3
| | |   +-- string-width@3.1.0 deduped
| | |   `-- strip-ansi@5.2.0 deduped
| | +-- find-up@3.0.0 deduped
| | +-- get-caller-file@2.0.5
| | +-- require-directory@2.1.1
| | +-- require-main-filename@2.0.0 deduped
| | +-- set-blocking@2.0.0
| | +-- string-width@3.1.0
| | | +-- emoji-regex@7.0.3
| | | +-- is-fullwidth-code-point@2.0.0
| | | `-- strip-ansi@5.2.0 deduped
| | +-- which-module@2.0.0
| | +-- y18n@4.0.0
| | `-- yargs-parser@13.1.1 deduped
| `-- yargs-parser@13.1.1
|   +-- camelcase@5.3.1
|   `-- decamelize@1.2.0
+-- sax@1.2.4
+-- xmlbuilder@11.0.1
`-- zap@0.2.9
markibanez commented 4 years ago

@Omega-Ariston I'm using 0.4.23. I'm assuming this is the latest published version in npm.

Omega-Ariston commented 4 years ago

@Omega-Ariston I'm using 0.4.23. I'm assuming this is the latest published version in npm.

Then we're using the same version. Would you mind providing your dependency list so that we can compare? You can obtain it with `npm list`; `npm ls decompress` will print only the chain of packages that pulls `decompress` into your project, which is the quickest way to see whether xml2js is on that path at all.

markibanez commented 4 years ago

Oh, my bad. It came from another package I had installed earlier, not from xml2js. `npm audit` reports on the entire installed `node_modules` tree rather than on the package just added, and the report's own `Dependency of download` / `Path download > decompress` lines already showed that xml2js was not in the chain. I incorrectly assumed this package pulled it in as well. Sorry.